Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.
C. Warren Axelrod

BSIMM – Top Ten Surprises

Software Security Education

The authors make a good point here in that academic institutions are lagging when it comes to teaching secure application development. On page 232 of my book “Outsourcing Information Security,” I recount a May 2004 conversation with Ken van Wyk, another world-reputed leader in this space, regarding the lack of any coursework, even in top-flight universities, on how to write secure code. The surprise here is that, some five years later, we seem to have not made any progress in this regard.

Fuzz Testing

This is a new name for an old practice. I remember an unusually capable QA manager who, some twenty years ago, would spend a couple of days at the tail end of testing an application just randomly keying in characters to see how the application responded. Wouldn’t you know that, virtually every time he did this, he would discover some theretofore-undetected bugs?
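The QA manager's routine above is, in miniature, what a fuzzer automates: generate inputs the developer never anticipated, feed them in, and treat any behaviour other than a clean, expected failure as a finding. The following is an added example, not code from the column or from the BSIMM authors. It uses a hypothetical `key=value;key=value` parser with a robustness bug next to a hardened version, a seeded random-input generator, a crash collector that ignores the parser's declared `ParseError` but records everything else, and a greedy minimizer that shrinks each crashing input to a shorter one with the same failure signature. All names and the input format are assumptions made for the example.

```python
import random
from typing import Callable, Dict, Optional


class ParseError(Exception):
    """Declared failure mode: malformed input reported cleanly to the caller."""


def parse_pairs_naive(text: str) -> Dict[str, str]:
    """Hypothetical 'key=value;key=value' parser with a robustness bug:
    it assumes every ';'-separated segment holds exactly one '='."""
    result: Dict[str, str] = {}
    for segment in text.split(";"):
        key, value = segment.split("=")  # ValueError on 'abc' or 'a=b=c'
        result[key] = value
    return result


def parse_pairs_safe(text: str) -> Dict[str, str]:
    """Same format, but every malformed segment becomes a ParseError."""
    result: Dict[str, str] = {}
    for segment in text.split(";"):
        key, sep, value = segment.partition("=")
        if not sep or not key:
            raise ParseError(f"malformed segment: {segment!r}")
        result[key] = value
    return result


def random_input(rng: random.Random, max_len: int = 12) -> str:
    """Constructed input generator: short strings over a small alphabet that
    deliberately includes the format's delimiters and a few odd bytes."""
    alphabet = "ab=;\t \x00"
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(0, max_len)))


def crash_signature(target: Callable[[str], Dict[str, str]], text: str) -> Optional[str]:
    """Return a signature for an unexpected exception, or None if the target
    either succeeded or failed in its declared way."""
    try:
        target(text)
    except ParseError:
        return None  # expected rejection of bad input, not a finding
    except Exception as exc:  # anything else is a robustness bug
        return f"{type(exc).__name__}: {exc}"
    return None


def minimize(target: Callable[[str], Dict[str, str]], text: str, signature: str) -> str:
    """Greedy one-character-at-a-time reduction that preserves the signature."""
    changed = True
    while changed:
        changed = False
        for i in range(len(text)):
            candidate = text[:i] + text[i + 1:]
            if crash_signature(target, candidate) == signature:
                text = candidate
                changed = True
                break
    return text


def fuzz(target: Callable[[str], Dict[str, str]], iterations: int = 2000, seed: int = 1) -> Dict[str, str]:
    """Run the target on random inputs; return {signature: minimized input}
    for each distinct unexpected crash found."""
    rng = random.Random(seed)
    findings: Dict[str, str] = {}
    for _ in range(iterations):
        text = random_input(rng)
        sig = crash_signature(target, text)
        if sig and sig not in findings:
            findings[sig] = minimize(target, text, sig)
    return findings


if __name__ == "__main__":
    for name, parser in (("naive", parse_pairs_naive), ("safe", parse_pairs_safe)):
        found = fuzz(parser)
        print(f"{name}: {len(found)} distinct unexpected crash(es)")
        for sig, sample in found.items():
            print(f"  {sig}  <- minimized input {sample!r}")
```

Two points the QA manager's hand-driven version could not make explicit: the distinction between a declared failure (`ParseError`) and an undeclared one is what turns "the program did something" into a reportable bug, and the minimizer is what turns a random twelve-character crash into a one-line reproduction a developer can act on. Changing the seed or the alphabet is the cheapest way to widen coverage.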

There are many other issues to discuss in the BSIMM report and ancillary articles … and no doubt there will be a forthcoming book with even more points for discussion. But these will have to wait for future columns.
