Secure Coding mailing list archives

SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors


From: cwysopal at Veracode.com (Chris Wysopal)
Date: Tue, 13 Jan 2009 23:08:50 -0500


The only attention software security seems to get in the mainstream
press beyond the bug or attack of the day is from top X lists.  That
alone makes them worthwhile. They definitely steer the conversation in
the right direction. I think everyone involved in creating and promoting
top X lists believes they are a conversation starter and not an end game
for software security.  We just have to make sure the rest of software
security follows.    

-Chris

-----Original Message-----
From: sc-l-bounces at securecoding.org
[mailto:sc-l-bounces at securecoding.org] On Behalf Of Gary McGraw
Sent: Tuesday, January 13, 2009 4:50 PM
To: Secure Code Mailing List
Subject: Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous
Programming Errors

hi sc-l,

There are some important good things about top ten lists that are worthy
of mention.  The notion of knowing your enemy is essential in security
(as it is in warfare), and top ten lists can help get software people
started thinking about attacks, attackers, and the vulnerabilities they
go after. These days almost any attention paid to the problem is good
attention, and the fact that the tech press is paying attention to
software security at all is a good thing.  Top ten lists help in that
respect.

But, I am really worried about these kinds of lists and I wrote up my
worries in an article that was just posted:
Top Eleven Reasons Why Top 10 (or Top 25) Lists Don't Work
http://www.informit.com/articles/article.aspx?p=1322398

I thought you might get a kick out of it.

gem

http://www.cigital.com/~gem




_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc -
http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________