From: Dana Epp (dana_at_vulscan.com)
Date: Tue Nov 26 2002 - 18:41:04 CST

    With all the talk of development libraries one common thread has continued
    to pop up with which there has been little debate. And that is that the
    weakest link is the human factor, and that better education is required. In
    many cases, the question not answered is how do we do this in the corporate
    environment, educating existing developers.

    I don't want to single out any one person as we have all had/have to deal
    with this in our own teams. But with Microsoft's latest push on better code
    quality with a "security-oriented developer's boot camp" I am wondering if
    anyone from the Secure Windows Initiative or the Trustworthy Computing arena
    at the campus would like to share with us the approach that was taken for
    the Microsoft boot camp. I need to apologize immediately to Michael as I
    have cc'd him on this as he is one of the few people at the Microsoft campus
    that can speak authoritatively on such endeavours, but unsure what the
    corporate policy would be on divulging this sort of information. ( Michael,
    I'll buy you a beer next time I am in Seattle and you can chastise me then
    :-P )

    So how about it? Instead of continuing to beat a dead horse about the length
    of pointers and the power of the sizeof op (*sigh* will guys ever get over
    that... this discussion has been going on since the 80's ;-) ) perhaps we
    could have a constructive thread on approaches used in existing teams to
    "re-educate" them. Now, we could of course spew forth material from books
    like "Writing Secure Code", "Security Engineering" and the likes but I would
    be more interested in the real world application to educate existing
    developers. It would be interesting to see what sort of materials the "MS
    Boot camp" used, but can fully understand if they would not wish to disclose
    such information. More to the point, I bet a lot of us would be interested
    in how other work places have gone about doing this. Not just Microsoft.

    On top of that, this may help Michael with the Security Education thread he
    had about real world examples. Outside of understanding the real world
    application of knowing how to use the sizeof op (oh hell.. now I am hanging
    on about it.. shame on me) perhaps techniques taught in the work place could
    be applied to examples that could be placed in good books like WSC.

    Feel free to fire the flames to /dev/null. All other constructive criticisms
    on why this would or would not be a good idea are welcomed. If we get enough
    good feedback I would love to publish this information on the web for others
    to read in the future. Including some of the good examples we may be able to
    cultivate from this.

    ---
    Regards,
    Dana M. Epp