Originally, I sat down to write this entry with the plan to make fun of the new DHS BuildSecurityIn site. But I’m not going to, because it’s actually pretty good.
Here’s the background: the DHS has partnered with Carnegie Mellon to provide a software security portal. Those of you who read this blog know that I’ve been pretty critical of the DHS – particularly when it comes to information security. However, even though I think the DHS does have some dirty laundry in their hamper, I have to give credit where it’s due – and this site deserves credit.
For example, check out the “don’t use strcpy” article. Yeah, you’ve probably heard about not using strcpy only about a gadzillion times, but this article isn’t just more noise – there are references (and good ones at that), there are both positive and negative code examples, there are descriptions of the problem on a number of architectures, there are solutions for the most common platforms, and there are all sorts of mitigation techniques – all in under two pages. Score one for the DHS.
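To make the strcpy point concrete, here is a small example I added for this post; it is not code from the BuildSecurityIn article. The `struct account`, `NAME_MAX`, and the function names are my own assumptions for illustration. The unsafe function shows the classic pattern (a fixed-size field next to a privilege flag, filled with strcpy), and the safe version uses a bounded, always-terminating copy that reports truncation so the caller can reject oversized input instead of silently clipping it. Note that strncpy is not a drop-in fix: it does not NUL-terminate when the source fills the destination, which is why the helper below terminates explicitly.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 8   /* assumption: 7 characters plus the terminating NUL */

/* Assumed layout for the example: a fixed buffer immediately followed by
   a privilege flag, the usual setup for a strcpy overrun demo. */
struct account {
    char name[NAME_MAX];
    int  is_admin;
};

/* The "don't do this" form. strcpy copies until it finds a NUL in src,
   so any name of 8 or more bytes runs past name[] into is_admin.
   Shown only as the negative example; never call it on untrusted input. */
void set_name_unsafe(struct account *a, const char *src) {
    strcpy(a->name, src);
}

/* Bounded copy with strlcpy-style semantics (written inline because
   strlcpy is not portable): always NUL-terminates dst when dstsize > 0
   and returns strlen(src) so the caller can detect truncation. */
size_t bounded_copy(char *dst, size_t dstsize, const char *src) {
    size_t srclen = strlen(src);
    if (dstsize == 0) return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Safe replacement: rejects names that do not fit rather than truncating
   them, and can never touch is_admin. Returns 0 on success, -1 on reject.
   Assumption: a rejected name leaves the field empty. */
int set_name_safe(struct account *a, const char *src) {
    if (bounded_copy(a->name, sizeof a->name, src) >= sizeof a->name) {
        a->name[0] = '\0';
        return -1;
    }
    return 0;
}

/* Result helpers so each path has an observable return value. */
int safe_accepts(const char *src) {
    struct account a = { "", 0 };
    return set_name_safe(&a, src) == 0 && a.is_admin == 0
        && strcmp(a.name, src) == 0;
}

int safe_rejects(const char *src) {
    struct account a = { "", 0 };
    return set_name_safe(&a, src) == -1 && a.is_admin == 0
        && a.name[0] == '\0';
}

/* Demonstrates the truncation report: "hello" into a 4-byte buffer
   yields "hel" and the returned source length 5. */
int bounded_copy_truncates(void) {
    char buf[4];
    size_t want = bounded_copy(buf, sizeof buf, "hello");
    return want == 5 && strcmp(buf, "hel") == 0;
}

int main(void) {
    struct account a = { "", 0 };
    printf("alice:         %s\n", set_name_safe(&a, "alice") == 0 ? "accepted" : "rejected");
    printf("administrator: %s\n", set_name_safe(&a, "administrator") == 0 ? "accepted" : "rejected");
    /* set_name_unsafe(&a, "administrator") would overrun name[] here. */
    return 0;
}
```

The important difference is not the bound itself but the return value: a copy that silently truncates can turn "administrator" into "adminis" without anyone noticing, while a copy that reports the intended length lets the caller fail closed.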
Another example – check out the source code scanning content. OK, granted it’s from Cigital (maybe a bit biased toward one particular services set), but it’s still really honking thorough and really honking useful.
Overall, I really recommend that folks check out this site. The DHS is trying to move us forward, and the fact that they are doing so without placing blame indicates to me that they actually have something real to say. While other folks blame researchers or blame the consumer, the DHS is trying to move us forward rather than pass the buck. Kudos to them for doing the community a noble service.