Aphasia wrote:Security is one of those things that you need to have in mind as an overall methodology over the whole development, including design, building and review/testing. Doing it as an afterthought or fix on something already built usually leads to bad results or at least incomplete coverage.
I agree. I'm hoping this will be an introduction into that, and I'll pick up a bunch of good resources. There is tons of stuff out there about writing code, but there isn't as much about writing code defensively to prevent vulnerabilities. I feel this is a gap in my knowledge, and I'm like to fill it in, a little bit.
The idea is. I'll write some vulnerable code, and write a test for it to show that it's broken. Then write some good code and show the test doesn't work.
Not having that process in use, is one of the things that leads to the tons of vulnerabilities that are available in various kinds of software. Just looking at a bunch of other software and known exploits can easily let you see parts of what is needed to be vary against.
I really admire what the OpenBSD guys have done for advancing security practices. Now that I think about it, I should see what guidelines the OpenBSD project has for code.
I'd forgotten about OWASP. I remember seeing some criticisms about it being out of date. Any thoughts?
If you are interested in the testing and more the penetration-testing part of it, the metasploit framework and backtrack is a good starting point for open source solutions, but that is just about a whole discipline in itself and people take a lot of time in specializing skills around that. Not to mention the commercial software used for exploitation usually are VERY expensive and also revolves not only on the testing part, but also the accounting and documentation of said tests. Another part of that piece is vulnerability testing which is often used as a precursor to actual pentesting in that you usually scan for vulnerabilities first before you determine how to use them, etc.
Hmmm.... The testing part may be more complicated than I thought.
I'd like to get a base working knowledge of pen-testing, but I'm going to save that for later. I'm trying to temper my ambitions and keep my goals manageable. It would be fun, but it may be a bit much for three credit hours. I have a full time job, and I'll be taking AI in addition to this.