I tend to think that the security of a system should be tested before any other area (usually), so it's not surprising that Neil Daswani's talk What Every Engineer Needs to Know About Security and Where to Learn It caught my eye. Unfortunately, if this is truly what every engineer needs to know about security then it is no surprise why so much insecure code is floating around. Seems what every engineer needs to know is how to buy his book and/or visit his learn security website.
I did take some notes though.
- I did not know, or did not know I knew, that XSS, SQL Injection and classical buffer overflows are in the same bucket of attack class: command injection. For some reason I thought they were independent but this does make a certain amount of sense.
- According to the Security Focus Vulnerability database the following types of problems are increasing
  - Design Errors
  - Boundary Conditions
  - Exception Handling
- Using the same data set, input and access validation problem rates are holding steady
- Like most things, there is more than one such data set and they all measure things differently, however the top 4 problems seem to be
  - XSS
  - Various Injection holes
  - Memory corruption
  - DoS
- Regardless of where the data is coming from there is an increase in the number of detected vulnerabilities. Of course, does that mean that we’re just better at detecting these or is the number being written increasing? (Likely both)
- Neil thinks every engineer should be knowledgeable in the following areas
  - Secure Design – least privilege, fail-safe stance, weakest link, etc.
  - Technical Flaws (that can result in attacks) – cause, effect
- Universities don’t teach security. A sweeping statement, but generally true
- Security is a process, not a product – Bruce Schneier
- Recommended Courses
  - Avi Rubin's CS600.443 and CS600.643
  - UCB CS161
- Recommended Books
  - Security Engineering by Ross Anderson
  - Building Secure Software by Gary McGraw and John Viega
  - Foundations of Security by Neil Daswani, Christoph Kern and Anita Kesavan
  - Hacking Exposed Web 2.0 by Rich Cannings, Himanshu Dwivedi and Zane Lackey
  - Secure Programming Cookbook by John Viega and Matt Messier
- Recommended sites
Direct link here
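The first note above, that XSS and SQL injection belong to one class, is easiest to see side by side: in both cases untrusted input is spliced into text that a parser (the database, the browser) then executes, and in both cases the fix is to keep data out of the command channel. The following is an added illustration, not code from the talk or the post; the table, the user names and the sample inputs are constructed.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the value is pasted into the SQL text, so quote characters
    inside it are parsed as part of the command rather than as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_param(conn, name):
    """Hardened: the SQL text is fixed and the value is bound as a parameter;
    the database never parses the input as SQL."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def render_concat(name):
    """Vulnerable: the same pattern in HTML; angle brackets become markup."""
    return "<p>Hello, " + name + "</p>"


def render_escaped(name):
    """Hardened: encode for the HTML context so the browser sees text only."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    """Run both channels with inputs that change how the text is parsed."""
    conn = make_db()
    tautology = "x' OR 'a'='a"      # closes the quoted string, adds a clause
    markup = "<b>bob</b>"            # data that a browser would read as tags
    results = {
        "sql_concat": lookup_concat(conn, tautology),   # every row leaks
        "sql_param": lookup_param(conn, tautology),     # no such user
        "html_concat": render_concat(markup),
        "html_escaped": render_escaped(markup),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same "data crossed into the instruction stream" reading applies to a stack buffer overflow, where bytes meant as data overwrite control state; that case is not shown here since Python does not expose it.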