News and Notes - 2007-07-05

I've not posted in awhile because I've not spent the time (my own fault) to put together a good post about any of these items. All links are worth a look-see, and probably worth a post in their own right.

  • Brian Chess and Jacob West's new book Secure Programming with Static Analysis has been released. Pick up your copy today. I don't agree with them 100% on some of their philosophies, but the book is going to be worth the read, and will hopefully lend some weight to those who are trying to make static analysis a regular and vital part of their SDLC.
  • Christian Matthies has put together a really excellent explanation of DNS pinning, anti-DNS pinning, anti-anti-DNS pinning, and anti-anti-anti-DNS pinning. For those who have been curious, but never read a whole post on the two (anti- and anti-anti-anti-), this one's prolly worth keeping bookmarked for anybody you're bringing up to speed.
  • SANS has finalized round one of their GIAC Secure Software Programmer certification. I was very happy to hear about an exam they were developing with a couple of universities last autumn, and it's now coming to fruition. It's still operated like any other GIAC offering, so there's not yet a corporate installment of it where you get all your coders certified at once. But it's certainly worth the look - and they do have sample questions. For you C people, it is specific on the different types of overruns. You need to learn all the different ways a buffer overrun happens (off-by-one, fencepost, etc., etc.).
  • sla.ckers.org has had a couple of interesting threads of late. First, Internet Exploder globs for the language of choice in scripting. Short story there, whitelist input validation and proper output filtering. The real vulnerability there is because people actually filter for "javascript" or somesuch. Second, Firefox hasn't corrected (completely) the non-alpha-non-digit issue. Again, same rules apply. If you're making sure the input is good, as opposed to not-bad, and if you're properly output filtering, you should be fine.
That should be enough to keep you reading for a bit.