
Secure Coding Practices and Web 2.0 Security

I'm not sure how I missed Mary Ann Davidson's original blog posting on the subject of fixing security by fixing how developers learn to write software (and much more), but I came across Dennis Howlett's response to it on ZDNet recently. Both postings are on the long side, but are must-reads if you are involved in enterprise software as a creator or consumer.

By coincidence, I also received an email from a colleague about a short white paper from HP covering common Web 2.0 security flaws. It's more an overview than a guide, but it provides a nice summary of issues, such as cross-site scripting, that may not be familiar to developers who lack knowledge of core security concepts. The white paper is available here (after a very detailed registration process), but to tie back to the articles above, nearly all of these flaws can be avoided with the right developer mindset, training, and processes.

Some problems will go away as we sediment complexity into lower layers, but the days of developers writing code with obviously poor security will only come to an end when we can fundamentally change the way security is written into applications in the first place.



About This Entry

This page contains a single entry from the blog posted on April 21, 2008 12:09 AM.
