A group of secure-programming experts plans a series of documents that outline the skills coders need to write Web applications that are better able to withstand attacks.
The first of these is being made public Tuesday and sets down what the Secure Programming Council believes are essential capabilities these programmers must have to write Java and JavaEE code that is free of flaws that hackers might exploit.
While schools and other groups offer courses that teach secure coding, the curriculums are designed in isolation based on instructors’ best efforts, says Alan Paller, director of research for the SANS Institute, the information security training and research organization. They don’t adhere to industry standards for what they ought to include, he says.
The series of documents from Secure Programming Council hopes to address this shortcoming by drawing on existing texts and input from secure-coding trainers as well as businesses that are making similar efforts for their in-house programmers, Paller says. “It’s a common body of what people need to know, benchmarks for employers and teachers,” he says.
The group hopes that teachers will adjust their syllabuses to incorporate the recommendations, he says.
The council is issuing Essential Skills for Secure Programmers Using Java/JavaEE now, and plans follow-ups for other languages including C, C++, and .Net languages as well as Perl and PHP. The Java paper is open for public comment until Dec. 1 at spa@sans.org.
While secure programming can help, it’s not enough, Paller notes. In addition to training, programmers need tools that assist in writing safe code and automatically test the code for vulnerabilities once it is written.
Ryan Berg, a member of the Secure Programming Council steering committee on Java and JavaEE and chief scientist at Ounce Labs, says guidelines are sorely needed. “Programmers don’t have a place to go to find out, ‘What do I need to know in order to write secure code?’” Berg says. Ounce Labs makes software that reads other software to look for weaknesses.
He says that each programming language has its own characteristics and weaknesses that developers using it need to know if they want to keep it safe from attacks. “Programmers need to understand the languages and the facilities provided by the languages to promote sound software design,” Berg says.
Comments (3)
2 cents
By Anonymous on November 22, 2007, 11:21 pm
They are talking about programming practices they refer to as "industry standards" they will claim when used reduce release of vulnerable code. How to solve infrastructure...
Don't bother with these guys
By Anonymous on November 22, 2007, 11:10 am
They mention the dangers of SQL injection, but not those of command line injection via Runtime.exec. They also don't discuss how to structure/process dynamic requests...
RE: Standards suggested for writing secure Java
By anatilim on November 21, 2007, 1:13 am
java