Monday, January 12, 2009
SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors
Saturday, September 17, 2005
Hands on security training
It's very hard, if not impossible, to learn how to recognize security problems in applications without seeing what they look like. Knowing how a vulnerability works is all well and good, but the practical experience of seeing what caused it is, to steal a phrase, priceless. To that end the Open Web Application Security Project (OWASP) has created a deliberately vulnerable demonstration application called WebGoat. Why build one? OWASP's reasoning is that although there are plenty of live applications out there you could learn on, it isn't advisable or ethical to attack an application without permission, regardless of your intent.
What does WebGoat do? Here's part of the description excerpted from the project home page.
WebGoat is a full J2EE web application designed to teach web application security lessons. In each lesson, users must demonstrate their understanding by exploiting a real vulnerability on the local system. The system is even clever enough to provide hints and show the user cookies, parameters and the underlying Java code if they choose. Examples of lessons include SQL injection to a fake credit card database, where the user creates the attack and steals the credit card numbers.
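The SQL injection lesson mentioned above, reduced to its essentials as an added example (this is not WebGoat's code, and the table, column names and rows are constructed stand-ins for its fake credit card database): the vulnerable lookup splices the account number into the SQL text, so a crafted input turns into SQL and dumps every card; the parameterized version hands the same input to the driver as data.

```python
import sqlite3

# Constructed sample rows standing in for WebGoat's fake credit card table.
# The schema (user_data / name / account / cc_number) is an assumption.
SAMPLE_ROWS = [
    ("Joe Snow", "987654321", "4111111111111111"),
    ("John Smith", "101", "2234200065411"),
    ("Jane Plane", "333", "123456789"),
]

# The classic payload: closes the quoted literal, then appends a tautology.
ATTACK = "101' OR '1'='1"


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (name TEXT, account TEXT, cc_number TEXT)")
    conn.executemany("INSERT INTO user_data VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, account):
    """Builds the statement by string concatenation.

    The user's input becomes part of the SQL syntax, so a quote character
    ends the literal and whatever follows is executed as SQL.
    """
    sql = "SELECT name, cc_number FROM user_data WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, account):
    """Parameterized query: the SQL text is fixed, the value travels separately.

    The driver never interprets the value as SQL, so the attack string is
    compared literally against the account column and matches nothing.
    """
    sql = "SELECT name, cc_number FROM user_data WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("legitimate:", lookup_vulnerable(conn, "101"))   # one row
    print("attack    :", lookup_vulnerable(conn, ATTACK))  # every row leaks
    print("safe      :", lookup_safe(conn, ATTACK))        # no rows
```

Run it and compare the second and third lines: the concatenated query returns all three card numbers for the attack string, while the parameterized one returns nothing because no account is literally named `101' OR '1'='1`. The same split (fixed statement text, bound parameters) is what `PreparedStatement` gives you in the J2EE code WebGoat shows.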
Friday, September 09, 2005
The Six Dumbest Ideas in Computer Security
Here's an excellent article by Marcus Ranum about a number of seemingly logical mistakes we make when thinking about strategies for improving the security of our systems. I'll just whet your appetite with the high-level list. Here are Ranum's six dumbest ideas.
- Default Permit
- Enumerating Badness
- Penetrate and Patch
- Hacking Is Cool
- Educating Users
- Action Is Better Than Inaction
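Ranum's first two items are the easiest to see in code, so here is an added illustration (mine, not from his article or from this post) of why a "default permit" filter built by "enumerating badness" keeps losing. The denylist below and the probe inputs are constructed for the example; the point is that the list only stops the attacks its author had already seen, while the allowlist rejects everything that is not positively known to be good.

```python
import re

# Enumerating badness: strings someone saw in past attacks. Everything not
# on this list is permitted (default permit). Constructed for the example.
BAD_TOKENS = ["<script", "javascript:", "' or ", "--", "../"]


def denylist_filter(value):
    """Default permit: accept unless a known-bad token appears."""
    lowered = value.lower()
    return not any(token in lowered for token in BAD_TOKENS)


# Default deny: the only thing accepted is the positively defined shape of a
# username (lowercase letter, then 2-31 letters, digits or underscores).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def allowlist_filter(value):
    """Default deny: accept only input matching the allowed pattern."""
    return USERNAME_RE.fullmatch(value) is not None


# Constructed probes: one legitimate value, one attack the denylist knows,
# and three attacks that simply avoid the enumerated tokens.
PROBES = [
    "alice_01",                      # legitimate username
    "<script>alert(1)</script>",     # on the list: both filters reject it
    "<img src=x onerror=alert(1)>",  # script without a <script> tag
    "..%2f..%2fetc/passwd",          # URL-encoded traversal, no literal "../"
    "admin'/**/OR/**/1=1#",          # comment padding defeats the "' or " token
]


def evaluate(probes=PROBES):
    """Map each probe to (denylist verdict, allowlist verdict); True = accepted."""
    return {p: (denylist_filter(p), allowlist_filter(p)) for p in probes}


def denylist_escapes(probes=PROBES):
    """Inputs the denylist permits but the allowlist rejects: the gap an
    attacker lives in. Adding each to BAD_TOKENS just moves the gap."""
    return [p for p in probes if denylist_filter(p) and not allowlist_filter(p)]


if __name__ == "__main__":
    for probe, (deny_ok, allow_ok) in evaluate().items():
        print(f"{probe!r:36} denylist={'PASS' if deny_ok else 'block'}"
              f"  allowlist={'PASS' if allow_ok else 'block'}")
```

Three of the five probes sail through the denylist; the allowlist accepts only `alice_01`. Note that the allowlist is not a clever attack detector at all, it simply refuses to guess what badness looks like, which is Ranum's point.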