I was watching tptacek's talk on crypto/pen testing, and he mentioned that a flaw published 15 years ago is still being put into the wild by general web developers, in big companies who should know better.
And I was also reminded of the Checklist Manifesto, where the Boeing (?) flight safety team analyses each crash report and produces checklists for pilots that are pushed out around the world and actually read.
so here is a silly idea
A kick-starter that funds a group to guide the writing of real, actual best practice in software engineering, broken down into silos like realtime, web or OS. It can be updated and informed wiki-style, but is aimed at spreading actionable, immediate choices, with the background reading to educate later on.
> A kick-starter that funds a group to guide the writing of real, actual best practice in software engineering, broken down into silos like realtime, web or OS.
There are enough reasonable guides to writing better code (security and otherwise). How would this effort be different? And more importantly, why would Random J. Programmer go there if he didn't go to any of the previous ones?
A good answer for that will cause me to chip in (even though I'm not a fan of the "kickstart everything" craze)
I think your comment, why would J Random go there if he did not go to the others is the killer comment - ultimately programming either has a professional body to enforce this, or everyone learns to program a few years after they learn to read.
What's easier and more plausible to happen: Random J. reading a long, processing-cycle-demanding guide, or just following a checklist?
Random J. seeing a link to/start of a guide: "that seems long and intricate... I don't have time to grok this and it seems like that kind of thing that to apply you need to grok and understand."
Random J. seeing a checklist: "ah, just following the steps. I can do this."
Maybe it's an inconvenient truth, but such checklists would be an overall boost to software security. Having a straightforward checklist to mechanically follow > having no checklist.
You and I would want to go behind that. Random J. Programmer wouldn't.
Well, OP didn't suggest a checklist (he did refer to the Boeing one as inspiration, so he might have thought about that).
And while they might be a hundred times more likely to follow a checklist, a hundred times (almost zero) is still (almost zero).
Let me re-iterate the question/problem:
> Random J. seeing a checklist: "ah, just following the steps. I can do this."
The question is: why would Random J. see the checklist? This is the crux that needs to be addressed. The content and existence of the list, while important, is a much easier problem to solve.
It's true that there are people not aware of the information now, and there'll be people not aware of it in the future. But I think[1] there's a large group of people who are aware that the information exists but are just ignoring it, as they deem that info too complex/time-consuming to learn. Enabling better security practices for this group would be an overall net gain.
Maybe I need more (or less) coffee