<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 4/21/2017 10:52 AM, leam hall wrote:<br>
<blockquote
cite="mid:CACv9p5qNUzsGX9HWz0BE2kfi8CCgJZOjfqkEhcoh9=CjdUBEzw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On Fri, Apr 21, 2017 at 10:40 AM,
Alex Carver <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:agcarver+ale@acarver.net" target="_blank">agcarver+ale@acarver.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"><span class="gmail-">On
2017-04-21 07:19, DJ-Pfulio wrote:<br>
> Be careful where you learn to code. Not all
tutorials are equal,<br>
> especially for web-app scripted languages.<br>
><br>
> <a moz-do-not-send="true"
href="https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabilities/"
rel="noreferrer" target="_blank">https://www.helpnetsecurity.<wbr>com/2017/04/21/programming-<wbr>tutorials-vulnerabilities/</a><br>
<br>
</span>That MySQL example on the page is just awful. I've
seen some written<br>
this way but with large warning boxes below the example
that explicitly<br>
say this method is insecure and only intended to show a
process flow<br>
(checking against a count of users).<br>
<br>
Doesn't matter the language, the basic concept of
sanitizing user input<br>
should be universal whether by using sanitizing functions,
stored<br>
procedures for DBs, casting or anything else.<br>
<div class="gmail-HOEnZb">
<div class="gmail-h5"><br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>An issue is that new coders need to not learn security
until they learn the basics, but they need to learn that
security is important before they put code into
production. Very few code communities seem hyped about
security as a worthwhile learning path. I've been looking
into it more for my own needs and would happily take
recommendations on more resources. Especially Ruby, not
Rails. :)</div>
<div><br>
</div>
<div>This from 2003: <a moz-do-not-send="true"
href="http://shop.oreilly.com/product/9780596002428.do">http://shop.oreilly.com/product/9780596002428.do</a></div>
<div><br>
</div>
<div>Video: <a moz-do-not-send="true"
href="http://shop.oreilly.com/product/0636920047179.do">http://shop.oreilly.com/product/0636920047179.do</a></div>
<div><br>
</div>
<div>OReilly site: <a moz-do-not-send="true"
href="https://www.oreilly.com/topics/security">https://www.oreilly.com/topics/security</a></div>
<div><br>
</div>
<div>Personally I'd recommend communities build mentorship
programs. Security is just one aspect of professional
coder growth. <br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
I think the problem is more systemic from my POV... Security has
always been an afterthought for coders and usually only after a
major vulnerability is exploited. Further to that, as I've seen far
too often in the corporate space there is the push to get products
out so corners (like security) are cut to increase deliverable with
the promise "we'll go back and fix it later" but turns out that
those tech debts just keep building up and rarely if ever get worked
on. This leads to bad code getting out there and then never being
cleaned up. I've fought this battle in several jobs where I tried to
get things done properly because I knew once it went out it wouldn't
ever change and 9 times out of 10 that was precisely what happened.<br>
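<br>
The point Alex raises above about the insecure "count the matching users" login pattern, shown as an added example (not code from this thread or from the linked article): Python with an in-memory SQLite table standing in for the tutorial's MySQL users table. The table contents, credentials and function names are constructed for the illustration; the parameterized version is the fix that applies in any language with a database driver.

```python
import sqlite3


def make_db():
    """Constructed sample table: one user, plaintext password.

    (Storing plaintext passwords is itself a problem, but it is not
    the defect this example is about.)
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    con.commit()
    return con


def login_insecure(con, username, password):
    """The tutorial pattern: user input pasted straight into the SQL text.

    A quote character in either field becomes SQL syntax, so the WHERE
    clause no longer means what the author intended.
    """
    sql = ("SELECT COUNT(*) FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return con.execute(sql).fetchone()[0] > 0


def login_parameterized(con, username, password):
    """The fix: placeholders send the values separately from the query.

    The driver never splices the input into the SQL text, so quotes in
    the input are compared as data, not parsed as syntax.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run both versions on the same input and report what each decides."""
    con = make_db()
    insecure = login_insecure(con, username, password)
    safe = login_parameterized(con, username, password)
    con.close()
    return {"insecure": insecure, "parameterized": safe}


if __name__ == "__main__":
    print(compare("alice", "correct horse"))   # both True: real credentials
    print(compare("alice", "wrong"))           # both False
    print(compare("alice", "x' OR '1'='1"))    # insecure True, parameterized False
```

The third call is the textbook demonstration: the string-built query accepts a password that is not the stored one, while the parameterized query rejects it.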
</body>
</html>