secure coding

Rafal has a very nice post up that explores why security folks have such a hard time getting application developers to care about secure coding.

As I was reading that post, two ideas merged in my poor little head. This was cause for celebration because it doesn't happen very often :)

Thought #1: Ask, Don't Tell

I recently attended a class provided by my employer called Adaptive Leadership. One of the tenets of this class is that it is often more productive to ask than to tell. What does that mean?

When we tell somebody to do something or give specific instructions, they have no investment in the outcome.

However, if we ask the right questions and lead their thoughts down the right path, we give them the opportunity to invest in the outcome. If we do this well, we then have somebody who has convinced themselves that this is the right thing to do, whatever that right thing may be.

Thought #2: Engagement

This video, RSA Animate - Drive, is a synopsis of Daniel Pink's book Drive. I have just started reading it, so I don't have detailed knowledge of the ideas introduced in the book yet. One thought I did get from the video is that engagement is key to performance, which in this case means caring about secure coding practices.

Engagement means that the individual cares about what they are doing and is invested in the outcome.

Thought Merge: Ask, Don't Tell To Get Engagement

If we can use 'ask, don't tell' to get people invested in something and getting people invested in outcomes produces engagement, might we not end up with developers who care about producing secure code?

Thoughts?

-Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. This is a great article that peeks into the realities of whether secure coding is less expensive than fixing vulnerabilities after they are detected in production.
    Jeremiah Grossman: Mythbusting, Secure code is less expensive to develop
    Tags: ( cost secure-coding )
  2. You should be aware that you may get IE8 whether you want it or not.
    Security Fix - Microsoft Pushing Out IE8 Through Auto Update
    Tags: ( microsoft patches ie8 )
  3. A nice how-to on using nmap and Nessus together to produce command line Nessus scans.
    Tenable Network Security: Using Nmap Results With Nessus Batch Scanning
    Tags: ( nmap nessus )
  4. Bill gives us some really good advice on how to avoid being the one that needs to look for that new job.
    Career Advice for Security Geeks, Part 1 : The Security Catalyst
    Tags: ( career )
  5. A very nice article regarding what happens when nothing happens.
    The Irony Of Preventing Security Failures - Hacked Off - Dark Reading
    Tags: ( spending )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Good afternoon everybody! I hope your day is going well.

Here are today's Interesting Information Security Bits from around the web.

  1. F-Secure has a great Q&A posted about Conficker. Short version: Like the good book [Hitchhiker's Guide to the Galaxy] says, "Don't Panic!"
    Questions and Answers: Conficker and April 1st - F-Secure Weblog : News from the Lab
    Tags: ( malware conficker )
  2. A very thoughtful and thought generating piece by Jeremiah. The comments are also worth reading. I am very interested to see where this goes and hope to be a part of it in some small way.
    Jeremiah Grossman: Website security needs a strategy
    Tags: ( webappsec )
  3. Some nice guidance for when you decide to develop that file upload utility.
    SecuriTeam Blogs >> File upload security recommendations
    Tags: ( secure-coding )
  4. Lorrie reviews Michael's book which I have also reviewed. I agree with everything she says.
    Why you must dive Into the Breach
    Tags: ( books reviews )
  5. Time to patch OpenSSL.
    OpenSSL patches three security holes | Zero Day | ZDNet.com
    Tags: ( vulnerability patches openssl )
  6. Daniel puts together a very good set of observations regarding information security as an enabler. Like Daniel, I am not a proponent of presenting information security as an enabler. Except for specific cases where information security related activities/products actually produce your revenue stream, it does not increase revenue, provide efficiencies, or otherwise make it 'easier' to do business. It IS, however, a vital part of doing all of the above safely and responsibly.
    The Problem With Selling Information Security as a "Business Enabler" | dmiessler.com
    Tags: ( opinion )
  7. More yummy goodness from Synjunkie on abusing Citrix servers.
    Syn: Abusing Citrix - Part 4
    Tags: ( hacking citrix )
  8. Andrew is tackling a topic that is near and dear to us all, being provided development opportunities by our employers.
    A Multipart Letter to Employers of Security Professionals : The Security Catalyst
    Tags: ( general )
  9. Go give your six words on security. I will be.
    6 words on Security: A Challenge : The Security Catalyst
    Tags: ( general )

That's it for today. Have fun!

Subscribe to my RSS Feed if you enjoy these daily Interesting Bits posts.

Kevin


Top 25 Coding Errors Released

by kriggins on January 12, 2009

in Educational, programming, Tools

In today's Bits post, I mentioned that a top 25 coding errors report was going to be issued today. Well, it's happened. From the SANS website:

Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.

The web page listing all the information about the project is here.

There is good stuff there that should be looked at by all who are involved in information security, not to mention those involved in developing programs.

-Kevin
