Secure Coding mailing list archives
BSIMM: Confessions of a Software Security Alchemist (informIT)
From: jsteven at cigital.com (John Steven)
Date: Thu, 19 Mar 2009 08:46:17 -0400
Steve, You saw my talk at the OWASP assurance day. There was a brief diversion about the number of "business logic" problems and "design flaws" (coarsely lumped together in my chart). That 'weight' should indicate that-at least in the subset of clients I deal with-flaws aren't getting short-shrift. http://www.owasp.org/images/9/9e/Maturing_Assessment_through_SA.ppt (for those who didn't see it) You may also want to look at my OWASP NoVA chapter presentation on "why" we believe Top N lists are bad... It's not so much a rant as it is a set of limitations in ONLY taking at Top N approach, and a set of constructive steps forward to improve one's practices: http://www.owasp.org/images/d/df/Moving_Beyond_Top_N_Lists.ppt.zip I cover how one should cause their own organization-specific Top N list to emerge and how to manage it once it does. ---- John Steven Senior Director; Advanced Technology Consulting Direct: (703) 404-5726 Cell: (703) 727-4034 Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908 Blog: http://www.cigital.com/justiceleague Papers: http://www.cigital.com/papers/jsteven http://www.cigital.com Software Confidence. Achieved. On 3/18/09 6:14 PM, "Steven M. Christey" <coley at linus.mitre.org> wrote: On Wed, 18 Mar 2009, Gary McGraw wrote:
Many of the top N lists we encountered were developed through the consistent use of static analysis tools.
Interesting. Does this mean that their top N lists are less likely to include design flaws? (though they would be covered under various other BSIMM activities).
After looking at millions of lines of code (sometimes constantly), a ***real*** top N list of bugs emerges for an organization. Eradicating number one is an obvious priority. Training can help. New number one...lather, rinse, repeat.
I believe this is reflected in public CVE data. Take a look at the bugs that are being reported for, say, Microsoft or major Linux vendors or most any product with a long history, and their current number 1's are not the same as the number 1's of the past.
Current thread:
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 18)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Steven M. Christey (Mar 18)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 18)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Steven M. Christey (Mar 18)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 18)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Steven M. Christey (Mar 18)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Stephan Neuhaus (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Stephan Neuhaus (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 18)
- BSIMM: Confessions of a Software Security Alchemist (informIT) John Steven (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Jim Manico (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Gary McGraw (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Benjamin Tomhave (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist (informIT) kowsik (Mar 19)
- BSIMM: Confessions of a Software Security Alchemist(informIT) Goertzel, Karen [USA] (Mar 20)
- BSIMM: Confessions of a Software Security Alchemist(informIT) Benjamin Tomhave (Mar 20)
- Message not available
- BSIMM: Confessions of a Software Security Alchemist(informIT) Benjamin Tomhave (Mar 20)
- BSIMM: Confessions of a Software Security Alchemist (informIT) Steven M. Christey (Mar 18)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Pravir Chandra (Mar 20)
- BSIMM: Confessions of a Software SecurityAlchemist(informIT) Steven M. Christey (Mar 20)