Re: [SC-L] Spot the bug

Subject: Re: [SC-L] Spot the bug
Date: Tue, 19 Jul 2005 17:24:49 -0400
I'm excited that Microsoft is reaching out and providing this learning aid.
Most people I interview don't know how to spot some pretty simply vulnerable
code constructs. I'll even have my newbies subscribe to this RSS for a
spell, in hopes that their attack toolkit may be augmented.

But, some advice for Microsoft if they're listening:

When the initial entrées are so ridiculously simple that they don't even
bear a full minute of scrutiny, they are best served in sets of 10. That
gives the audience enough problems to puzzle through that they can mentally
engage. 

Long-term, I don't fear the validity of the approach because some
exploitable constructs are very subtle.

-----
John Steven        
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 404 9295 - Fax
Cigital Inc.          | jsteven@cigital.com

4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908


From: Mark Curphey <mark@curphey.com>

If you fancy yourself as a good code reviewer you can play spot the bug at
MSDN. They will be getting harder!

http://msdn.microsoft.com/security/



