Secure Coding mailing list archives
SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors
From: vanderaj at owasp.org (vanderaj vanderaj)
Date: Mon, 12 Jan 2009 19:12:14 -0500
Tom,
From the business' point of view, they really don't care if widget X has weaknesses; they want to know how to make money by buying and using widget X. They assume X is safe by default, even though it's not. They've been doing fast and crappy for so long, and made heaps of money from it, that it's a hard sell in many places to do the safer thing until the horse has bolted.

The only examples where folks buy widget X over widget Y are those folks in operational risk who have to make a financial allowance for a probable risk difference between X and Y. For example, if one satellite launch system blows up one time in every four launches, and another blows up one time in every eight launches, you'd go with the second, or you'd have to budget for the greater likelihood of having to replace your satellite with the first one.

In our industry, we have yet to make a compelling, measurable and thus believable case that there's a TCO benefit from buying more expensive, but safer, software. Most folks believe all software is safe, despite the fact that it is not. Until that time, CWE and similar *weakness* patterns are a derivative of the actual cost of ownership, and not the actual benefits.

That's why I've gone gung-ho into "build it right the first time" mode. I doubt we'll get the accurate metrics required for proof that safer software is cheaper (over time), so it's best that we simply get safer software - period. That's why I will be working with the frameworks and code repositories rather than the 0day crowd. In my view, there is zero value in vulnerability disclosure, discussion, or discovery. It's like shooting fish in a barrel.

thanks,
Andrew
> Will business start to talk CWE as they already talk CVE? Discussion/Debate/Thoughts
> Tom Brennan