views: 69
answers: 6

Following on from this question...

I have long been of the opinion that the time and resources it would take to write a piece of malicious software, of whatever type, could better be spent on other things. However, as a developer I am constantly worried about the possible security flaws in systems I work on.

Of course I know about validating input; I understand fully how code and SQL injection can work and obsessively sanitise against these risks. Also, whenever I am able, I bone up on new security risks with whatever resources are to hand (e.g. articles, whitepapers, presentations, etc.), but I often feel I'm missing the point, maybe because most of my knowledge could well be classed as "new-fangled" (C#, MSSQL, PHP, some Python, a smattering of Ruby): the oldest language I know is Classic ASP.

Sometimes when I read about things like Cross-Site Scripting and URL hijacking, I read the articles upon which they are based, but I feel like I'm not following 100%.

What are the best resources you know to get to grips with security concerns and really understand how they work? It could be anything: books, websites, other types of resource. I know I don't know enough about these issues, so where could I go to learn more?

+2  A: 

http://www.owasp.org/

S.Lott
Worth the price of admission. Excellent suggestion, I never knew this even existed! Sir, you have enriched my life in a meaningful way. Seriously.
+2  A: 

Well, you could start with a recent post from Jeff: Top 25 Most Dangerous Programming Mistakes and work your way forward from there.

Sven Lilienthal
Oh yeah, saw another riff on that list on /. I was thinking more technical from the get go. But yeah, good shout.
+1  A: 

Try James Whittaker's How to Break Software Security.

Shane MacLaughlin
A: 

One Monkey,

The fact that you are asking the question means you are well on your way. The real issue is that so many don't ask and are not worried as you are.

One thing I would change is the thought that you know some security issues fully. There are some really devious little jerk-offs out there. I am of the opinion that you are better off assuming they are smarter than you, and so bolting things down as tight as possible. I find it is a better mindset.

Two resources you should look at: XSS Cheat Sheet

A good example of SQL Injection

Flory
Good points. Thanks for the input.
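The two resources named in this answer (the XSS Cheat Sheet and an SQL injection example) each come down to the same lesson: keep untrusted data out of the place where it would be parsed as code. The following is an added illustration, not code from this post or from either resource. It builds a constructed in-memory SQLite table, contrasts a string-built query with a bound-parameter query, and contrasts raw HTML interpolation with output encoding via the standard library's `html.escape`. All table contents, names and inputs are made up for the demonstration.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample database (hypothetical users, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'brien", "user")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The 'before': the caller's string is pasted into the SQL text, so any
    quote or keyword it contains becomes part of the query grammar."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The fix: a bound parameter. SQL text and value travel separately, so the
    value can only ever be compared against the column, never parsed."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def unsafe_query_breaks(conn: sqlite3.Connection, name: str) -> bool:
    """True if the string-built query cannot even be parsed for this input.
    A legitimate name with an apostrophe is enough to trigger this, which is
    why 'sanitising' quotes is a fragile substitute for parameters."""
    try:
        lookup_unsafe(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def render_greeting_unsafe(name: str) -> str:
    """The 'before' for XSS: user text dropped straight into HTML, so any
    markup in it is rendered by the browser as markup."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name: str) -> str:
    """The fix: encode for the HTML text context. quote=True also encodes
    quotes, which matters if the value ever lands inside an attribute."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run the four comparisons on constructed inputs and return the results
    so the difference between the two approaches is visible side by side."""
    conn = make_db()
    tautology = "x' OR '1'='1"      # classic textbook probe, used only as a regression input
    markup = "<b>guest</b>"         # constructed input containing HTML markup
    return {
        # a real surname with an apostrophe: the safe query finds it, the unsafe one fails to parse
        "safe_finds_obrien": lookup_safe(conn, "o'brien"),
        "unsafe_breaks_on_obrien": unsafe_query_breaks(conn, "o'brien"),
        # the probe: the unsafe query returns every row, the safe query treats it as a literal name
        "unsafe_rows_for_probe": len(lookup_unsafe(conn, tautology)),
        "safe_rows_for_probe": len(lookup_safe(conn, tautology)),
        # markup: raw interpolation keeps the tags, encoding neutralises them
        "unsafe_html": render_greeting_unsafe(markup),
        "safe_html": render_greeting_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point a reviewer would draw from `unsafe_query_breaks`: the same defect that lets a probe change the query's meaning also makes the application fail on ordinary data such as "o'brien", so a parameterised query is a correctness fix as much as a security one. The HTML half shows why the XSS Cheat Sheet spends so much time on contexts: `html.escape` is the right tool for text and attribute values, while URL, JavaScript and CSS contexts each need their own encoding.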
A: 

I must admit to being somewhat surprised at the lukewarm response to this query. Does this mean:

a) everyone else knew about OWASP and I'm way behind the curve?
b) everyone else is confident enough in the security of their code to not need a little help staying up to date?
c) no one else cares?
d) other?

I have found the reference to OWASP most helpful so far. I'm about to install some of their project software to see how it works; once I feel that I'm better off security-wise for having a look at their site, I'm marking that answer as accepted, unless something better comes in in the meanwhile.

Well, it is not a or b (for certain), so I am going to accept c. Personally, I think the margin of developers who actually care about anything beyond the thing they were just assigned is small.
Flory