Secure Coding mailing list archives
BSIMM: Confessions of a Software Security Alchemist (informIT)
From: gem at cigital.com (Gary McGraw)
Date: Thu, 19 Mar 2009 15:04:49 -0400
Actually no. See: http://www.cigital.com/papers/download/j15bsi.pdf (John Steven, State of Application Assessment, IEEE S&P)

I am not a tool guy, I am a software security guy.

gem
http://www.cigital.com/~gem

On 3/19/09 2:58 PM, "Jim Manico" <jim at manico.net> wrote:

> > Many of the top N lists we encountered were developed through the consistent use of static analysis tools. After looking at millions of lines of code (sometimes constantly), a ***real*** top N list of bugs emerges for an organization.
>
> You mean a "real list of what a certain vendor's static analysis tools find". If you think that list really measures the risk of an organization's software security posture - that might be considered to be insane! =)
>
> - Jim
>
> ----- Original Message -----
> From: "Gary McGraw" <gem at cigital.com>
> To: "Steven M. Christey" <coley at linus.mitre.org>
> Cc: "Sammy Migues" <SMigues at cigital.com>; "Dustin Sullivan" <dustin.sullivan at informit.com>; "Secure Code Mailing List" <SC-L at securecoding.org>
> Sent: Wednesday, March 18, 2009 11:54 AM
> Subject: Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)
>
> Hi Steve,
>
> Many of the top N lists we encountered were developed through the consistent use of static analysis tools. After looking at millions of lines of code (sometimes constantly), a ***real*** top N list of bugs emerges for an organization. Eradicating number one is an obvious priority. Training can help. New number one...lather, rinse, repeat.
>
> Other times (like say in the one case where the study participant did not believe in static analysis for religious reasons) things are a bit more flip (and thus suffer from the "no data" problem I like to complain about).
>
> I do not recall a case when the top N lists were driven by customers.
>
> Sorry I missed your talk at the SWA forum. I'll chalk that one up to NoVa traffic.
>
> gem
> http://www.cigital.com/~gem
>
> On 3/18/09 5:47 PM, "Steven M. Christey" <coley at linus.mitre.org> wrote:
>
> > On Wed, 18 Mar 2009, Gary McGraw wrote:
> >
> > > Because it is about building a top N list FOR A PARTICULAR ORGANIZATION. You and I have discussed this many times. The generic top 25 is unlikely to apply to any particular organization. The notion of using that as a driver for software purchasing is insane. On the other hand if organization X knows what THEIR top 10 bugs are, that has real value.
> >
> > Got it, thanks. I guessed as much.
> >
> > Did you investigate whether the developers' personal top-N lists were consistent with what their customers cared about? How did the developers go about selecting them?
> >
> > By the way, last week in my OWASP Software Assurance Day talk on the Top 25, I had a slide on the role of top-N lists in BSIMM, where I attempted to say basically the same thing. This was after various slides that tried to emphasize how the current Top 25 is both incomplete and not necessarily fully relevant to a particular organization's needs. So while the message may have been diluted during initial publication, it's being refined somewhat.
> >
> > - Steve

Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.