Ron talks security with Alik in ARCast.net – Defending the Application. If you want to hear some practical advice on security, listen to Alik. He’s in the field doing security every day with customers. It doesn’t get anymore real-world than that.
The key take-away for me is the focus on proven practices. I have a belief that focusing on a set of core practices is more effective than chasing all the variations of bad symptoms. For example, if you adopt a practice of constraining, rejecting and sanitizing input, and you verify input for length, range, format and type, you tackle injection issues (cross-site scripting, SQL injection, SQL truncation … etc.) at the source.
At one point in the interview, Ron mentions that attackers share information all the time. Unfortunately, security is a game of what you don’t know can hurt you. That’s why I think community efforts and knowledge bases are a must. I’m glad to see more information sharing in blogs. I’m also glad to see efforts like the Open Web Application Security Project (OWASP). It’s also why I try to share as much as possible through patterns & practices security guidance, Guidance Explorer, and SecurityGuidanceShare.com.