I am an IT student and I am now in the 3rd year in university,until now we are studing a lot of subjects related to computer in general (Programming,Algorithms,Computer architecture,maths....etc).
But there is a whole world called security we are very far from it ,I mean here security in general(Computers Security,Interner Security,Networks Security,hacking,cracking...etc).
I am very sure that nobody can learn every thing about security but sure there is a "minimum" knowledge every programmer or IT student should know about it and my question is what is this minimum knowledge ? can you suggest some E-books or courses or any thing can help to start with this road ?
views:
465answers:
7
+2
A:
- Why is is important.
- It is all about trade-offs.
- Cryptography is largely a distraction from security.
Richard
2010-05-08 12:27:24
+4
A:
A good starter course might be the MIT course in Computer Networks and Security. One thing that I would suggest is to not forget about privacy. Privacy, in some senses, is really foundational to security and isn't often covered in technical courses on security. You might find some material on privacy in this course on Ethics and the Law as it relates to the internet.
tvanfosson
2010-05-08 12:30:41
+11
A:
Rule #1 of security for programmers: Don't roll your own
Unless you are yourself a security expert and/or cryptographer, always use a well-designed, well-tested, and mature security platform, framework, or library to do the work for you. These things have spent years being thought out, patched, updated, and examined by experts and hackers alike. You want to gain those advantages, not dismiss them by trying to reinvent the wheel.
Now, that's not to say you don't need to learn anything about security. You certainly need to know enough to understand what you're doing and make sure you're using the tools correctly. However, if you ever find yourself about to start writing your own cryptography algorithm, authentication system, input sanitizer, etc, stop, take a step back, and remember rule #1.
Tyler McHenry
2010-05-08 12:30:50
+16
A:
Principles to keep in mind if you want your applications to be secure:
- Never trust user input!
- Validate input from all untrusted sources - use whitelists not blacklists
- Plan for security from the start - it's not something you can bolt on at the end
- Keep it simple - complexity increases the likelihood of security holes
- Keep your attack surface to a minimum
- Make sure you fail securely
- Use defence in depth
- Adhere to the principle of least privilege
- Use threat modelling
- Compartmentalize - so your system is not all or nothing
- Hiding secrets is hard - and secrets hidden in code won't stay secret for long
- Don't write your own crypto
- Using crypto doesn't mean you're secure (attackers will look for a weaker link)
- Be aware of buffer overflows and how to protect against them
There are some excellent books and articles online about making your applications secure:
- Writng Secure Code 2nd Edition - I think every programmer should read this
- Building Secure Software: How to Avoid Security Problems the Right Way
- Secure Programming Cookbook
- Exploiting Software
- Security Engineering - an excellent read
- Secure Programming for Linux and Unix HOWTO
bignum
2010-05-08 12:44:34
+1 "exploiting software: how to break code" is a great book, however that slide show you linked to is horrible.
Rook
2010-05-08 17:46:42
However, unfortunately it's almost impossible to instantiate the principle of least privilege in any modern system. For example, the Linux kernel (source I'm currently using) contains over 9.4 million lines of C code and over 400K lines of assembly, all of which run in an unrestricted context. A simple miscalculation (perhaps intentional) in one of these millions of lines will compromise the entire system. Perhaps in the next century or two a solution will emerge, perhaps not, as nobody actually cares about creating secure OS/languages/frameworks.
Longpoke
2010-08-29 18:13:21
+4
A:
Every programmer should know how to write exploit code.
Without knowing how systems are exploited you are accentually stopping vulnerabilities. Knowing how to patch code is absolutely meaningless unless you know how to test your patches. Security isn't just a bunch of thought experiments, you must be scientific and test your experiments.
Rook
2010-05-08 17:34:10
+3
A:
I suggest reviewing CWE/SANS TOP 25 Most Dangerous Programming Errors. It was updated for 2010 with the promise of regular updates in the future. The 2009 revision is available as well.
From http://cwe.mitre.org/top25/index.html
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.
The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.
jschmier
2010-05-09 20:02:42
+3
A:
Security is a process, not a product.
Many seem to forget about this obvious matter of fact.
eteubert
2010-05-10 11:06:49