I notice certs like CISSP when hiring. It says the person has a basic
understanding of all IS security areas. Nothing more. If someone can't pass
the CISSP then I have to wonder why.
-Original Message-
From: Paco Hope
To: "SC-L@securecoding.org"
Date: Thu, 19 Mar 2009 11:36:45 -0
We are still struggling on simple definitions. I frequently hear names like
"lack of input filtering" and "csrf" referred to as vulnerabilities when in
reality one is an attack vector and the other an attack. You (correctly in
my opinion) refer to input validation and encoding as countermeasur
> If I use Parameterized queries w/ binding of all variables, I'm 100%
> immune to SQL Injection.
Sure. You've protected one app and transferred risk to any other
process/app that uses the data. If they use that data to create dynamic
sql, then what?
jt
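The second-order case jt describes, as an added example that is not part of the thread: app A stores a user-supplied name with a bound parameter (the "immune" step), then a separate reporting process splices that stored value into dynamic SQL and the value is re-parsed as SQL. The function names, the sqlite3 in-memory database and the sample rows are constructed for this illustration; report_parameterized shows the fix, which is that every consumer of the data binds it itself.

```python
import sqlite3

# Constructed sample data: three users, one of whom registered with a name
# that happens to contain SQL syntax. Nothing in app A ever executes it.
USERS = ["alice", "bob", "' OR '1'='1"]


def build_db() -> sqlite3.Connection:
    """App A: stores user-supplied names with a bound parameter.

    This is the step the original poster calls immune: the quote in the
    third name is data, not SQL, so it is stored verbatim and unchanged.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [(u,) for u in USERS])
    conn.commit()
    return conn


def report_dynamic(conn: sqlite3.Connection, user_id: int) -> list:
    """App B as jt warns: treats 'already stored' data as trusted and
    splices it into dynamic SQL, so the stored name is re-interpreted as SQL.
    For user 3 the WHERE clause becomes  name = '' OR '1'='1'  and matches
    every row instead of one."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    query = f"SELECT id FROM users WHERE name = '{name}'"
    return sorted(r[0] for r in conn.execute(query))


def report_parameterized(conn: sqlite3.Connection, user_id: int) -> list:
    """App B fixed: the consumer binds the value itself, so the stored name
    matches only its own row regardless of what characters it contains."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_db()
    print("dynamic, user 3:      ", report_dynamic(db, 3))        # every row
    print("parameterized, user 3:", report_parameterized(db, 3))  # just [3]
```

The point for a reviewer is that the parameterized INSERT in app A is correct and still leaves app B exposed; the stored value must be treated as untrusted at every query that uses it.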
-Original Message-
From: Jim Man
Best practices vs mitigating risk. Enumerating best practices is much
easier and will most likely be the test's theme. White list validation
is the answer to everything except the difficult choices developers have
to make and often get wrong. Too many times, the white list has to
include those
Fortify is a company with several products. Which product are you
referring to? I've used some of their products (and think highly of
them), but I have not used all of them. What I like most about their
approach is they are trying to address all parts of the life cycle. The
IDE plug-in enforces
Depending on the specific certification, some do have benefits. Depending
on the degree, some do have benefits. Neither guarantees that an
individual can play a good game, only that they can talk a good game. If
the job requires talking a good game then degrees and certs are great.
I've met way too