Secure Coding mailing list archives

informIT: attack categories


From: gem at cigital.com (Gary McGraw)
Date: Tue, 25 Aug 2009 13:35:16 -0400

hi sc-l,

If you listened recently to the latest episode of Silver Bullet with Fred Schneider from Cornell 
<http://www.cigital.com/silverbullet/show-041/>, one of the ideas Fred and I discussed was the notion of attack 
categories and anticipating large-scale trends in attack space.  Hopefully you guys all recall that I am a strong 
proponent of understanding the attacker's perspective (see, for example Exploiting Software from way back in 2004 where 
Hoglund and I coined the term "attack pattern" <http://exploitingsoftware.com/>).  This month's informIT article is 
about the notion of long-term attack categories and is meant to inform software security research:

Software [In]security: Attack Categories and History Prediction
http://www.informit.com/articles/article.aspx?p=1393066

BTW, shout-outs for the OWASP Top 10 and CWE in the article may surprise the usual naysayers.

Feedback is most welcome.  (Thanks to Ken and Sammy for helping me make this article slightly more coherent.)

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/justiceleague
book www.swsec.com
