WebApp Sec mailing list archives
Re: Secure Coding? Bah!
From: Juridian <Juridian () Juridian com>
Date: Thu, 22 Jan 2004 21:46:30 -0800
The SANS/GIAC security essentials course online lasts about 6 months but can
be done in less. That course provides a general security overview covering
many areas including Windows, Unix, intrusion detection, auditing, web
security, and the CISSP CBK. I think that most major institutions could
cobble together something similar that they could teach in a quarter or two
at the very least if they don't have one already.
Something similar could be done for a class to teach secure software
development practices.
I think part of the problem stems from the fact that a majority of the books
out there that teach development teach bad habits. A prime example that a
colleague pointed out to me today is that the majority of ASP 3.0 books teach
people to use inline SQL (ignoring stored procedures) and rarely if ever show
the reader how to check the validity of the input much less protect against
SQL injection.
Knowledge of security keeps you from making silly mistakes that open your
company up to liability when your users' private information becomes not so
private due to poor configuration of your application servers, or poor coding
practices opening you up to SQL injection attacks, or poor authentication
techniques. It even keeps fraud to a minimum on your favorite multiplayer
online game. That is what I want.
- Ernie
However, there is more to computer science than security! A full course of
study focusing on security may not be as useful as it sounds. Don't forget
data structures, algorithms, databases, graphics, etc. When you look at
it, security doesn't really DO anything. Do you really want a program that
doesn't accomplish anything, other than being secure?
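Ernie's point about the inline-SQL habit taught by the ASP 3.0 books, as an added classic ASP (VBScript/ADO) example that is not from the list post: the spliced-string query next to an input check followed by a parameterised stored-procedure call. The connection string, the Users table and the dbo.GetUserByName procedure are assumed for illustration.

```vbscript
<%
' Added example, not from the list post. Assumes a SQL Server table
' Users(UserName, PasswordHash) and a stored procedure
' dbo.GetUserByName(@UserName nvarchar(50)); both are hypothetical.
Option Explicit
Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Demo;Integrated Security=SSPI;"

' VULNERABLE: the request value is spliced straight into the SQL text, so a
' user name containing a quote character changes the query's structure.
Function FindUserInline(userName)
    Dim conn, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set rs = conn.Execute("SELECT UserName FROM Users WHERE UserName = '" & userName & "'")
    FindUserInline = Not rs.EOF
    rs.Close: conn.Close
End Function

' HARDENED: allow-list the input first, then hand it to a stored procedure as
' a typed parameter. The value is data to the driver, never part of the SQL text.
Function FindUserSafe(userName)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_.-]{1,50}$"   ' reject anything outside the allow-list
    If Not re.Test(userName) Then
        FindUserSafe = False
        Exit Function
    End If

    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open connStr
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "dbo.GetUserByName"
    cmd.CommandType = 4                     ' adCmdStoredProc
    ' 202 = adVarWChar, 1 = adParamInput, 50 = declared parameter size
    cmd.Parameters.Append cmd.CreateParameter("@UserName", 202, 1, 50, userName)
    Set rs = cmd.Execute
    FindUserSafe = Not rs.EOF
    rs.Close: conn.Close
End Function

Response.Write FindUserSafe(Request.Form("user"))
%>
```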