The US National Security Agency has helped put together a list of the world's most dangerous coding mistakes. The 25 entry list contains errors that can lead to security holes or vulnerable areas that can be targeted by cyber criminals.
Experts say many of these errors are not well understood by programmers.
Top 25 Coding Errors [sans.org]
Bookmark that one! :-)
EDIT: Argh . . it's timing out now, maybe it's getting slashdotted . . . . or . . . their report has drawn too much attention from the "ankle biters" mentioned in the first article . . . .
Likely more true than we accept.
We love to hate agencies, such as the NSA, but what other agency or enterprise is taking the lead in challenging or taking down botnets?
Microsoft? The likely "botnet mother"? ICANN? Ya, sure, the mother of unlimited gTLDs, etc.
Really, when it comes to protecting the Web that we love from serious harm via attackers or botnets, who is in charge here?
Probably the answer is "us" - every one of us - who has ever failed to secure a server or website, probably due to others handing us the keys to the car without confirming whether we have taken driving (security) lessons. And who's in charge of hosting firms, to be certain their servers are hardened against exploitation? And who is in charge of the server software and PC software providers to be certain their software is hardened? Can't wait to see what happens when everyone's cellphone->all-in-1-device starts to automatically dial up the Whitehouse or NSA . .
So, now the great mystery agency - the NSA - the agency with all the bad publicity or bad "we're spying on you" image, is going to take the lead in guiding the world in how to make the world more safe?
Well . . Geesh! It's the National Security Agency to the rescue?
It's about time some agency or enterprise took the lead. Shame it has to be one with image and other historical problems that may undermine any "trust us" campaign.
I just found + fixed a "race condition" (CWE-362) yesterday, and it was an obscure oversight in code I wrote only 6 months ago. For any programmer who does their own QA and penetration testing, this is a pretty good checklist to look at before deploying to production.
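Editor's note: the reply above mentions CWE-362, the "race condition" entry on the Top 25 list. The block below is an added illustration written for this page, not code from the thread, the poster, or the SANS/CWE list. It uses a constructed toy `Account` class with a check-then-act bug: two threads both pass the balance check before either debits, so more money is paid out than exists. A `threading.Barrier` is used to force the losing interleaving every run (a real race would only show up occasionally, which is why this class of bug slips through six months of QA). The hardened variant holds one lock across the check and the debit.

```python
import threading
import time
from typing import Callable, List, Tuple


class Account:
    """Constructed toy account used to demonstrate CWE-362 (check-then-act race)."""

    def __init__(self, balance: int) -> None:
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount: int, pause: Callable[[], None]) -> bool:
        # VULNERABLE: the balance check and the debit are two separate steps
        # with no lock around them, so a second thread can pass the same
        # check while this thread is still in the window before the debit.
        if self.balance < amount:
            return False
        pause()                      # the window between "check" and "act"
        self.balance -= amount       # note: also not atomic on its own
        return True

    def withdraw_safe(self, amount: int, pause: Callable[[], None]) -> bool:
        # FIXED: check and debit happen as one unit under a single lock, so a
        # second thread cannot observe the pre-debit balance.
        with self._lock:
            if self.balance < amount:
                return False
            pause()
            self.balance -= amount
            return True


def run_concurrent(withdraw: Callable[[int, Callable[[], None]], bool],
                   amount: int, workers: int,
                   pause: Callable[[], None]) -> List[bool]:
    """Run `workers` threads that each attempt one withdrawal; return per-thread results."""
    results: List[bool] = [False] * workers

    def worker(i: int) -> None:
        results[i] = withdraw(amount, pause)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def demo_racy(start: int = 100, amount: int = 80) -> Tuple[int, int]:
    """Returns (final_balance, total_paid_out) for the vulnerable withdraw."""
    acct = Account(start)
    # The barrier makes both threads wait in the window after the check until
    # both have arrived, so both have passed the check before either debits.
    barrier = threading.Barrier(2)
    results = run_concurrent(acct.withdraw_racy, amount, 2, barrier.wait)
    return acct.balance, sum(results) * amount


def demo_safe(start: int = 100, amount: int = 80) -> Tuple[int, int]:
    """Returns (final_balance, total_paid_out) for the locked withdraw."""
    acct = Account(start)
    # A barrier would deadlock here (the second thread never reaches it because
    # it is blocked on the lock), which is exactly the point: only one thread is
    # inside the critical section. A sleep widens the window instead.
    results = run_concurrent(acct.withdraw_safe, amount, 2,
                             lambda: time.sleep(0.05))
    return acct.balance, sum(results) * amount


if __name__ == "__main__":
    print("racy:", demo_racy())   # pays out 160 from a balance of 100
    print("safe:", demo_safe())   # pays out 80, second withdrawal is refused
```

The same shape of bug appears outside bank balances: a file existence check followed by an open (TOCTOU), a "username not taken" query followed by an INSERT, or a quota check followed by an allocation. The fix is always to make the check and the act a single atomic step (a lock, a database transaction with the right isolation level, or an OS call that does both, such as `O_CREAT|O_EXCL`), not to shrink the window.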