Writing Secure Code - Links - October 10, 2008
By Mark Wilcox - CTO - Oracle Consulting Security-Oracle on Oct 08, 2008
Posting early since I'm taking Friday off.
Crisis Begets accountability and transparency -- While not directly about software code, this article can be used as a "teachable moment" across many disciplines. From a programming perspective, the lesson is that accountability and transparency help make for a more secure environment. We will also likely see more monitoring across different systems and changes in organizational structures, so we are going to need more code in more places, interoperating with each other, to make security a cohesive whole. So make sure you are taking steps to integrate secure auditing (such as Oracle Audit Vault) and logging, and of course to externalize fine-grained access control using standards like XACML.
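As an added illustration of the externalized access-control and auditing point above (this is example code written for this page, not code from the original post, from Oracle Audit Vault, or from any XACML implementation): a small policy decision point in Python that evaluates attribute-based rules with deny-overrides combining, a policy enforcement point that grants access only on an explicit Permit, and a hash-chained audit log that records every decision. Everything in it, including the rule names, the roles, the "payroll" resource and the sample requests, is constructed for the example; it follows XACML's PEP/PDP split but not its XML encoding.

```python
"""Minimal policy decision point (PDP) with a tamper-evident audit trail.

Added illustration, not code from the original post or from Oracle. It models the
XACML idea of externalising authorisation (a PEP asks a PDP; the PDP evaluates
attribute-based rules) using plain Python dicts instead of XACML's XML encoding.
All rule names, attributes and sample requests are constructed for the example.
"""
import hashlib
import json

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
GENESIS = "0" * 64


class Rule:
    """One attribute-based rule: fires when every target attribute matches."""

    def __init__(self, name, effect, target):
        self.name, self.effect, self.target = name, effect, target

    def matches(self, request):
        # A missing attribute never matches (request.get returns None).
        return all(request.get(attr) in allowed for attr, allowed in self.target.items())


class AuditLog:
    """Append-only decision log. Each entry commits to the previous entry's
    hash, so editing or deleting an earlier record makes verify() fail."""

    def __init__(self):
        self.entries = []
        self.prev = GENESIS

    def record(self, request, decision, rule_name):
        body = json.dumps({"request": request, "decision": decision,
                           "rule": rule_name, "prev": self.prev}, sort_keys=True)
        digest = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append({"body": body, "hash": digest})
        self.prev = digest
        return digest

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = entry["body"]
            if json.loads(body)["prev"] != prev:
                return False
            if hashlib.sha256(body.encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class PolicyDecisionPoint:
    """Evaluates rules with deny-overrides combining and audits every decision."""

    def __init__(self, rules, audit):
        self.rules, self.audit = rules, audit

    def decide(self, request):
        decision, winner = NOT_APPLICABLE, None
        for rule in self.rules:
            if not rule.matches(request):
                continue
            if rule.effect == DENY:          # any matching Deny wins outright
                decision, winner = DENY, rule.name
                break
            if decision == NOT_APPLICABLE:   # first Permit, unless a later Deny overrides
                decision, winner = PERMIT, rule.name
        self.audit.record(request, decision, winner)
        return decision


def check_access(pdp, request):
    """Policy enforcement point: only an explicit Permit grants access;
    Deny and NotApplicable are both refused (deny by default)."""
    return pdp.decide(request) == PERMIT


def build_sample_pdp():
    """Constructed sample policy: hypothetical roles and a 'payroll' resource."""
    rules = [
        Rule("deny-terminated-staff", DENY, {"status": {"terminated"}}),
        Rule("permit-hr-read-payroll", PERMIT,
             {"role": {"hr"}, "resource": {"payroll"}, "action": {"read"}}),
        Rule("permit-finance-payroll", PERMIT,
             {"role": {"finance"}, "resource": {"payroll"}, "action": {"read", "approve"}}),
    ]
    audit = AuditLog()
    return PolicyDecisionPoint(rules, audit), audit


if __name__ == "__main__":
    pdp, audit = build_sample_pdp()
    for req in [
        {"role": "hr", "status": "active", "resource": "payroll", "action": "read"},
        {"role": "hr", "status": "terminated", "resource": "payroll", "action": "read"},
        {"role": "hr", "status": "active", "resource": "payroll", "action": "approve"},
        {"role": "hr", "resource": "payroll", "action": "read"},   # no status attribute
    ]:
        print(req["role"], req.get("status"), req["action"], "->", check_access(pdp, req))
    print("audit chain intact:", audit.verify())
```

Two things are worth noticing when running it. The enforcement point treats NotApplicable the same as Deny, so a request that no rule covers is refused rather than silently allowed. And a Deny rule keyed on an attribute the request does not carry (the last sample, which has no status) never fires, which is why the attribute source feeding the decision point has to be as trustworthy as the policy itself. The chained log is tamper-evident, not tamper-proof: whoever can rewrite every later entry can still forge it, which is the gap a separate audit store such as Oracle Audit Vault is meant to close.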
ISC2 To Offer Certification For Software Lifecycle Security -- The organization that provides the CISSP certification is launching a new certification for developers. It is a rather explicit industry acknowledgement that developers are not taught security as a core competency, and thus it is not ingrained into training or expectations. It also (IMHO) acknowledges that the CISSP is not about code-level security. They are two different disciplines, and being competent in one does not necessarily mean you will be competent in the other, even though they may be related.
Upcoming PHP 5.3 beefs up security -- If you write code in PHP, you will want to learn more about a couple of changes being made that will likely make your code more secure but may break some of your scripts.