[Owasp-o2-platform] Great O2 quote on Jeremiah's blog "Why Speed & Frequency of Software Security Testing Matter, A LOT"

dinis cruz dinis.cruz at owasp.org
Thu Dec 16 21:02:20 EST 2010

Jeremiah has a great blog entry on *"Why Speed & Frequency of Software
Security Testing Matter, A LOT"* which includes a couple of very nice quotes on O2 :)

*"...I also wanted to briefly touch on the differences between the act of
"writing secure code" and "testing the security of code." I don't recall
when or where, but Dinis Cruz <http://twitter.com/diniscruz>, OWASP Board
Member and visionary behind the O2 Platform,
said something a while back that stuck with me. Dinis said developers need
to be provided exactly the right security knowledge at exactly the time they
need it. Asking developers to read and recall veritable mountains of
defensive programming do's and don'ts as they carry out their day job isn't
effective or scalable.

For example, it would be much better if, when a developer is interacting with
a database, they are automatically reminded to use parameterized SQL
statements. When handling user-supplied input, pop-ups immediately point to
the proper data validation routines. Or, how about printing to screen? Warn
the developer about the mandatory use of the context-aware output filtering
method. This type of just-in-time guidance needs to be baked into their IDE,
which is one of the OWASP O2 Platform's design objectives. "Writing secure
code" using this approach would seem to be the future..."*

I think Jeremiah makes some great points in that analysis. I would
be interested to know about the time that it took to fix issues that
required complex resolutions (for example a UrlEncoding change that, once
added to fix a vulnerability in entry point X, would also break the
application in entry points W, Y and Z).

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
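The just-in-time guidance Jeremiah describes (remind the developer to parameterize the moment they build a database query) can be sketched in a few lines. The code below is an added example written for this thread; it is not code from the original post, from Jeremiah's blog, or from the O2 Platform. It assumes a constructed in-memory SQLite table and a constructed snippet of developer source (`SAMPLE_SOURCE`); the pattern-based hint function is a deliberately simple heuristic, not a real IDE integration. It shows both halves of the point: why a string-built query is fragile (an apostrophe in a legitimate name breaks the SQL grammar) while the parameterized form handles the same input as data, and how a lightweight checker could flag the string-built form at edit time.

```python
import re
import sqlite3

# Constructed demo database (not part of the original post).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    # Rows are inserted with placeholders, so the apostrophe in O'Brien is stored as data.
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn


def find_user_unsafe(conn, username):
    # String-built query: the input becomes part of the SQL grammar.
    sql = "SELECT id, name FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    # Parameterized query: the input is bound as data and never parsed as SQL.
    sql = "SELECT id, name FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


def unsafe_query_fails(conn, username):
    """True if the string-built query cannot even be parsed for this input."""
    try:
        find_user_unsafe(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


# Heuristic "just-in-time" checker: a line that contains a SQL statement keyword
# AND assembles text by concatenation, %-formatting, str.format or an f-string
# gets a reminder to use placeholders instead.
SQL_KEYWORD = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
STRING_BUILD = re.compile(r"""(\+\s*\w|%\s*\(|\.format\(|\bf["'])""")
HINT = ("SQL text is assembled from values; use a parameterized query "
        "(placeholders plus bound parameters) instead.")


def just_in_time_hints(source):
    """Return (line_number, hint) pairs for lines that build SQL from strings."""
    hints = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SQL_KEYWORD.search(line) and STRING_BUILD.search(line):
            hints.append((lineno, HINT))
    return hints


# Constructed developer code for the checker to scan (the first line is blank,
# so the statements sit on lines 2 to 5). Only the last line is parameterized.
SAMPLE_SOURCE = '''
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("DELETE FROM sessions WHERE id = %s" % (sid,))
cur.execute(f"UPDATE users SET last_login = now() WHERE id = {uid}")
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
'''


if __name__ == "__main__":
    db = make_db()
    print("safe lookup of O'Brien:", find_user_safe(db, "O'Brien"))
    print("string-built lookup of O'Brien fails:", unsafe_query_fails(db, "O'Brien"))
    for lineno, hint in just_in_time_hints(SAMPLE_SOURCE):
        print(f"line {lineno}: {hint}")
```

The checker is intentionally crude (it will not see a query assembled across several lines, and a `LIKE '%x%'` pattern could trip it), which is exactly the trade-off a real IDE plugin would have to tune; the value is in surfacing the reminder at the line where the developer is typing, rather than in a rulebook they are expected to recall.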