I’ve never been one to use my blog to link to vendors and/or their products, but I received an email last week that was intriguing enough to get me to take a further look. I liked what I saw and decided to pass it on. It’s nothing earth-shattering or new, just some good ole common sense that we can pass on. One thing that I have come to realize as I work more and more with developers is that there really is a lack of understanding of how to write secure code. It’s not taught in school, and many businesses and development shops are more focused on getting code written and out the door. As a result of this we see the same basic things pop up again and again and again. At work we see this as we review new code that is hoping to be put in production: SQLi, XSS, XFS, etc. It’s like security Groundhog Day. You find it, get it fixed, tell the developers how to avoid it, and start all over again. Much of this is due to developers being project-oriented, and many times they are contractors who come in long enough to write their piece and then move on. So what you taught them may never come to fruition for you.
Anyway, Veracode has put together 5 cheat sheets on common coding issues, and they are pretty decent. They explain the problem, what it does, why it’s bad, and give you some tips on how to avoid it in your code. There are also videos and sample scripts and code for you to look at. It may not be anything for you, but it is something that you can pass on to the developers that you support or work with. Who knows, it may save you some time and headache as the number of issues is reduced because you took the time to pass this on.
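To make the "same basic things" concrete, here is an added example of two of the issues named above, SQL injection and cross-site scripting, each shown in its usual code-review form beside the fix. This is my own illustration, not code from the post or from Veracode's cheat sheets; it uses an in-memory SQLite table that I construct here, and the function names are mine. The point it demonstrates is the data/code boundary: when user input is pasted into a SQL string or an HTML page, the interpreter treats it as SQL or HTML rather than as data, which is why even an ordinary name with an apostrophe breaks the concatenated query while the parameterized one handles it.

```python
import html
import sqlite3


def make_db():
    """Constructed sample table for the example (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """The pattern that keeps showing up in review: input spliced into SQL text.

    Whatever is in `name` is parsed as part of the statement, so the database
    cannot tell the developer's SQL from the user's input.
    """
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_fixed(conn, name):
    """The fix: a bound parameter, so the input is always treated as a value."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def vulnerable_query_breaks(conn, name):
    """True if the concatenated query fails to parse for this input.

    A plain name such as O'Brien is enough to prove the input is being
    interpreted as SQL rather than as data; that is the defect reviewers flag.
    """
    try:
        find_user_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting_vulnerable(name):
    """XSS pattern: user input written straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_fixed(name):
    """The fix: encode for the HTML context so markup in the input stays text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(find_user_fixed(db, "alice"))
    print("concatenated query breaks on O'Brien:", vulnerable_query_breaks(db, "O'Brien"))
    print(render_greeting_fixed("<b>guest</b>"))
```

The same two checks work as a quick review heuristic: any place where a SQL string is built with `+` or string formatting from request data, or where request data is written into a response without context-appropriate encoding, is the kind of finding the post describes seeing over and over.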