Well, this topic gets muddy pretty quickly since I agree with many of
the comments made on this thread. We have to be careful with hype and
claims made by new models (BSIMM and OpenSAMM in particular) since
depending on how the 'rest of the world' sees them speaks directly to
our credibility as
Now that you mention it
I was listening to the CERT podcast where you and a couple of others
discussed the BSIMM (probably a while back since I am well behind on
those). You made a statement along these lines and I immediately
thought that I disagreed! :)
I don't think software
We are approaching huge industry-wide application security critical
mass for the first time. Now is the time to strike. If all we teach is
input validation + canonicalization, query parameterization, and output
encoding, we stop XSS and SQLi via education
Jim Manico
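The three controls named in the message above (validation with canonicalization, query parameterization, and output encoding) side by side, as an added example that is not part of the original thread and not code from any of its participants. It uses Python's standard library sqlite3 in-memory database with a small constructed user table; the function names and the sample data are assumptions made for the illustration.

```python
import html
import sqlite3
import unicodedata

MAX_NAME_LEN = 64  # constructed limit for the example


def make_db():
    """Constructed in-memory table; the sample rows are not from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("<b>mallory</b>", "user")],
    )
    conn.commit()
    return conn


def validate_name(raw):
    """Canonicalize, then validate. Returns the canonical name or None on rejection."""
    canonical = unicodedata.normalize("NFC", raw)
    if not canonical or len(canonical) > MAX_NAME_LEN:
        return None
    # Reject control characters; apostrophes are legitimate in names and stay allowed,
    # which is exactly why validation alone cannot prevent SQL injection.
    if any(unicodedata.category(ch).startswith("C") for ch in canonical):
        return None
    return canonical


def lookup_vulnerable(conn, name):
    """String concatenation: the value becomes part of the SQL grammar."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Placeholder binding: the driver passes the value as data, never as SQL text."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_row(name, role):
    """Output encoding for an HTML element context; quotes are encoded as well."""
    return f"<tr><td>{html.escape(name)}</td><td>{html.escape(role)}</td></tr>"


def demo():
    """Run the three controls over the constructed data and report what happened."""
    conn = make_db()
    name = validate_name("O'Brien")  # valid input that still breaks concatenated SQL
    try:
        lookup_vulnerable(conn, name)
        vulnerable_broke = False
    except sqlite3.Error:
        vulnerable_broke = True  # the apostrophe terminated the string literal
    safe_rows = lookup_parameterized(conn, name)
    rendered = [render_row(n, r) for n, r in lookup_parameterized(conn, "<b>mallory</b>")]
    return {
        "vulnerable_broke": vulnerable_broke,
        "parameterized_rows": len(safe_rows),
        "rendered": rendered,
    }


if __name__ == "__main__":
    print(demo())
```

The ordinary name O'Brien passes validation yet turns the concatenated query into a syntax error, which is the same grammar confusion an injection relies on; the parameterized version returns the row. The stored `<b>mallory</b>` is fine in the database and only becomes a problem at the HTML boundary, so the encoding is applied at render time, per output context, rather than at input time.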
On Aug 21, 2009, at