On Fri, 26 Oct 2007 14:28:28 +0200, Nico Golde <[EMAIL PROTECTED]> wrote:
> > Does the (testing) security team have a comprehensive page with
> > security best and worst practices? To be able to point people at it,
> > so one [doesn't] have to point at "random" wikipedia pages or google
> > hits?
>
> No, but I can recommend [<http://tinyurl.com/2sennu>]
> for some secure coding notes regarding the C language.
... which is huge and complex, and still not by any measure "comprehensive". This should tell you something about the reason security problems aren't all that rare, and give you some idea why the idea of a simple checklist usually cannot replace the one cure security researchers have tried unsuccessfully now for many years: proper education (while the other approach, architectures and designs which leave less room for error, is in principle good, but very slow to pick up steam, for somewhat obvious reasons).

Having said that, if you want checklist-type stuff, Lincoln D. Stein's Web Security FAQ <http://www.w3.org/Security/Faq/> certainly ought to be on the required reading list.

More generally, google for "secure CGI" and don't stop reading. There should be about 9,830,000 documents in the result set.

Hope this helps (-:

/* era */

-- 
If this were a real .signature, it would suck less. Well, maybe not.