Secure Coding mailing list archives
RE: Doing something about software security
From: <jasonw () securenetltd com>
Date: Tue, 19 Apr 2005 19:13:39 +0100
You seem to be leaving out one of the largest open efforts at security. ISECOM at http://www.isecom.org covers security testing, secure coding, incident response and other security related topics.

-----Original Message-----
From: Gunnar Peterson
Date: 4/19/05 6:32 am
To: Secure Coding Mailing List
Subj: [SC-L] Doing something about software security

I was thinking about something that Dave Winer said on the Gillmor Gang about how the software industry moves forward when small groups (like 1 or 2) of developers get motivated to solve a problem. I was wondering how this applies to software security, since it seems like a perfect description for what seems to have motivated Phil Zimmermann to write PGP.

In information security, we seem to have a preponderance of ideas and technologies from vendors and academia, but a relatively smaller (compared to the software space) amount of grassroots efforts by small groups of developers making incremental improvements. There are probably a couple of reasons for this. First, security tends to be a system property, so it can be difficult to deal with this incrementally. Secondly, security is sort of invisible, e.g. in normal app development work you code a lot and then *something* happens: your web server is suddenly multithreaded and can handle tons more volume of requests. In security, you work really hard, write a lot of code and then something doesn't happen.

Does anyone have candidates for grassroots efforts targeted at software security and secure coding? Not necessarily required to be open source (though I would expect most of them to be), but a low barrier to entry for developers to use, e.g. free. I have started a list including:

* mod_security
* RATS
* OWASP (Standards and tools)
* Legion of the Bouncy Castle
* Microsoft's Threat Modeling Tool

Any other nominations?

-gp