WebApp Sec mailing list archives
RE: Training for web developers?
From: "Arian J. Evans" <arian () anachronic com>
Date: Tue, 11 Nov 2003 21:29:36 -0600
Mark,
We run a half-day Secure Web Programming course in New Zealand for our clients. The aim is to try and get developers to think a bit more like a hacker and look for security holes.
We do about the same thing as Nicholas described, other than it's a full day. The first half of the day is OSI, architecture, the evolution of web vulns and examples of what the threat and vuln landscape for applications really is (e.g. who has been hacked and how). The second half of the day is hacking, covering the OWASP spectrum.

We focus really hard on the fact that this is nothing new. It's not some new mystical security land. It's about strongly typing data, and validating input for both type and integrity (if handed off to the client). It's about good QA. In other words, it is a difference of /degree/, not of /kind/, compared to any other input *bug*. Hey, Rob's report doesn't run right. Injecting SQL into the report query is potentially a much bigger issue than just failing to return the proper data due to a *normal* bug, but it's the same thing.

We focus on predictable and dependable behavior (not "Security(tm)"), and good unit testing, aka the agile/extreme programming approach to unit testing.

This approach seems to work; not sure what part of the world you are in, but I suspect there's a number of us out there offering these types of services, probably some in your area.

Cheers,

Arian J. Evans
(http://www.fishnetsecurity.com)
(arian.evans () fishnetsecurity com)
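The "degree, not kind" argument above as an added example (not code from Arian's post or from FishNet): a hypothetical report lookup where one type check rejects both a mistyped report id and an injected one, shown beside the unvalidated string-splicing version it replaces. The table, rows and parameter names are constructed for the example.

```python
"""Added example: one strongly typed parameter check catches the 'normal'
input bug and the SQL injection alike, and one unit test covers both.
Schema and data are constructed inline (sqlite3, in memory)."""
import sqlite3

# Constructed sample data standing in for "Rob's report".
CONN = sqlite3.connect(":memory:")
CONN.executescript("""
    CREATE TABLE reports (id INTEGER PRIMARY KEY, owner TEXT, total REAL);
    INSERT INTO reports VALUES (1, 'rob', 120.5), (2, 'alice', 99.0);
""")


def parse_report_id(raw):
    """Strongly type the parameter: it is a non-negative integer or the
    request fails. A typo ('1O') and an injection ('1 OR 1=1') fail the
    very same check, which is the point of the post."""
    if not isinstance(raw, str) or not raw.isdigit():
        raise ValueError("report id must be an integer: %r" % (raw,))
    return int(raw)


def run_report_unsafe(raw):
    """The 'before' version: the raw string is spliced into the query, so a
    malformed id fails oddly and an injected one returns every row."""
    query = "SELECT owner, total FROM reports WHERE id = " + raw
    return CONN.execute(query).fetchall()


def run_report(raw):
    """Validated and parameterized: type-check first, then bind the value."""
    report_id = parse_report_id(raw)
    return CONN.execute(
        "SELECT owner, total FROM reports WHERE id = ?", (report_id,)
    ).fetchall()


def report_behaves_predictably(raw):
    """Unit-test style oracle for the report: exactly one row for a valid
    id, a clean rejection for anything that is not an id. Any other outcome
    is the 'unexpected' behavior the training tells developers to hunt."""
    try:
        rows = run_report(raw)
    except ValueError:
        return "rejected"
    return "one_row" if len(rows) == 1 else "unexpected"
```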
Current thread:
- Training for web developers? Mark G. Spencer (Nov 11)
- Re: Training for web developers? Jeff Williams @ Aspect (Nov 13)
- <Possible follow-ups>
- RE: Training for web developers? von Dadelszen, Nicholas (NZ - Wellington) (Nov 11)
- RE: Training for web developers? Arian J. Evans (Nov 13)
- RE: Training for web developers? Larry Smith (Nov 13)
- RE: Training for web developers? Scovetta, Michael V (Nov 13)