Darkreading: Secure Coding Certification (starting point)

[arian.evans at anachronic.com (Arian J. Evans)]

1. This is a great first step. While it sounds so 2003: I still deal with
developers all the time that simply have no idea what to do or where to
begin for *very basic* issues. Input validation. Output encoding. Or try to
solve by doing crazy wild wrong things ("dangerous-string" blacklists,
case-changes for case-sensitive language injection (xhtml/js) etc).

2. Most of the world is still not getting the "bug parade". >50%. You (Gary)
may see a biased sample of more edjumacated folks by reading SC-L and
working with a client sample that may be in the upper bounds of secure
software knowledge.

3. Focusing on weak implementation practices ("bugs") is just fine. That's
what most developers do. Implement.

4. Design and Pattern weaknesses are definitely essential. But that's not
what most developers do.

5. SANS could and should have some separate, additional certifications:

+ "Non-dangerous requirements-gathering for Product Evangelists"

+ "Strong Software Design Principles for Business Owners"

+ "Strong Software Design Patterns for Software Architects/Lead Developers"

+ "How to describe mis-use case and dangerous omissions for people writing
functional specifications"

Those are all separate pieces of knowledge that, depending on the size of
the organization, may all be separate people.

Certainly most of the developers I've worked with over the years would find
the above in the "WTF does this have to do with me?" category, and I can't
say I blame them.

And of course SANS makes money. Everything Allen Paller does is really good
about getting lots of free community effort to generate data sets and/or
tools they can charge other folks a lot of money for (CIS, SANS, SSI,
Dshield, etc.).

Sounds pretty smart to me. And I'd sure rather have someone following CIS
guidelines or using SANS course-ware content than *nothing at all*.

Cheers

-- 
Arian Evans
solipsistic software security sophist

"I love deadlines. I like the whooshing sound they make as they fly by." -
Douglas Adams


On 5/15/07, Gary McGraw <gem at cigital.com> wrote:
> Hi Yo (and everyone else),
>
> I'm afraid that the current test focuses all of its attention on BUGS (in
> C/C++ and Java).  While we certainly need to erradicate simple security
> bugs, there is much more to software security than the bug parade.  Plus
> when you look into the material, the multiple choice format makes
> determining the correct answer impossible at times.
>
> I would rather move away from learning about bugs to learning about
> defensive programming to avoid bugs in the first place.  The SANS material
> focuses entirely on the negative as far as I can tell.  Here's a bug,
> there's a bug, everywhere a bug bug.  Better than nothing?  Maybe.
>
> SANS is very good an soliciting everyone's opinion, piling it all up in a
> nice package, and then charging users for the result.  SANS is a for profit
> entity, not a university or a non-profit.  Please don't forget that.
>
> As much as I would love to see a way to determine whether a random coder
> has security clue, I'm afraid all we will get out of this effort is perhaps
> a bit more awareness.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
> -----Original Message-----
> From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
> On Behalf Of Johan Peeters
> Sent: Saturday, May 12, 2007 6:11 AM
> To: SC-L at securecoding.org
> Subject: Re: [SC-L] Darkreading: Secure Coding Certification
>
> I agree that multiple choice alone is inadequate to test the true
> breadth and depth of someone's security knowledge. Having contributed
> a few questions to the SANS pool, I take issue with Gary's article
> when it implies that you can pass the GSSP test while clueless.
>
> There is indeed a body of knowledge that is being tested. SANS has
> been soliciting comments on the document.
>
> kr,
>
> Yo
>
> On 5/11/07, Gary McGraw <gem at cigital.com> wrote:
> > Hi all,
> >
> > As readers of the list know, SANS recently announced a certification
> scheme for secure programming.  Many vendors and consultants jumped on the
> bandwagon.  I'm not so sure the bandwagon is going anywhere.  I explain why
> in my latest darkreading column:
> > http://www.darkreading.com/document.asp?doc_id=123606
> >
> > What do you think?  Can we test someone's software security knowledge
> with a multiple choice test?  Anybody seen the body of knowledge behind the
> test?
> > gem
> >
> > company www.cigital.com
> > podcast www.cigital.com/silverbullet
> > blog www.cigital.com/justiceleague
> > book www.swsec.com
> >
> > _______________________________________________
> > Secure Coding mailing list (SC-L) SC-L at securecoding.org
> > List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> > List charter available at - http://www.securecoding.org/list/charter.php
> > SC-L is hosted and moderated by KRvW Associates, LLC (
> http://www.KRvW.com)
> > as a free, non-commercial service to the software security community.
> > _______________________________________________
>
>
> --
> Johan Peeters
> http://johanpeeters.com
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
>
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070515/6c0f3c4c/attachment.html