I know some folks here don't like watching videos, so here are the points I'd take away (and I think they echo pretty strongly what Thomas has been saying here):
* Don't do your own cryptography, use SSL and GPG. If your problem isn't able to be expressed using either of these, you should probably refactor it.
* Don't read Applied Cryptography (but do read Practical Cryptography), it's responsible for a great deal of the shittiness of our industry.
* The Art of Software Security Assessment should be required reading by everyone in Canada (the talk was given in Canada)
* If you're into CS, you should seriously consider getting into the security industry (it pays well, and lets you work on much cooler stuff than you might otherwise get to work on)
* If you want to get into the security industry, you should find an open source project (or any project) and try to find vulnerabilities in it. Report them in a non-doushy way and you'll be off to a good start. Also, pick something to become specialized in (dsp, etc.) and you'll have a greater chance of getting the industry's attention.
* Writing secure software is ridiculously hard. Even software designed to be secure will have bugs, and bugs can more often than not lead to vulnerabilities. This bodes well for people in the security industry.
I recommend watching the video, it's nice hearing Thomas talk about this stuff, and while his advice shouldn't really need to be vouched for, I agree with what he says.
2 comments
[ 2.6 ms ] story [ 12.2 ms ] threadIt's a talk by tptacek on software security given at the CUSEC conference last January.
* Don't do your own cryptography, use SSL and GPG. If your problem isn't able to be expressed using either of these, you should probably refactor it.
* Don't read Applied Cryptography (but do read Practical Cryptography), it's responsible for a great deal of the shittiness of our industry.
* The Art of Software Security Assessment should be required reading by everyone in Canada (the talk was given in Canada)
* If you're into CS, you should seriously consider getting into the security industry (it pays well, and lets you work on much cooler stuff than you might otherwise get to work on)
* If you want to get into the security industry, you should find an open source project (or any project) and try to find vulnerabilities in it. Report them in a non-doushy way and you'll be off to a good start. Also, pick something to become specialized in (dsp, etc.) and you'll have a greater chance of getting the industry's attention.
* Writing secure software is ridiculously hard. Even software designed to be secure will have bugs, and bugs can more often than not lead to vulnerabilities. This bodes well for people in the security industry.
I recommend watching the video, it's nice hearing Thomas talk about this stuff, and while his advice shouldn't really need to be vouched for, I agree with what he says.