WebApp Sec mailing list archives
Re: Oracle CSO's Response to InfoSecMagazines Secure Coding Bah! [Virus checkedAU]
From: Bruce.Morris () au ey com
Date: Wed, 11 Feb 2004 11:24:01 +1100
Hi Gang,

Reasonable = balance between risk, cost and benefits. Secure coding is about control in response to risk. This requires an understanding and assessment of the risk.

If internally developed - what does the organisation stand to lose? What is the likelihood that it's going to get trashed? How much money is the organisation prepared to spend to mitigate the exposure?

If a COTS type application - what sort of business/function is being targeted with this application? How serious will the security concerns of purchasing organisations likely be? Does the product require some independent assessment to deliver an identifiable level of assurance (eg a DoD or Common Criteria type equivalent)?

I appreciate the point - Briney said, "Risk reduction is all about reducing vulnerabilities, mitigating threats and lowering event costs." However, most customers have almost no information on the security-worthiness of the products they buy, and some risks can't be mitigated. The single best thing the industry can do to mitigate users' risk is to write better software. Yes, it is not practical, conceivable, cost effective or useful for all products to submit to Common Criteria evaluation. As coding guidelines are specific to a toolset, risk assessment is specific to a product and organisational context.
From an audit perspective the question that comes to mind out of this is,
should there be a baseline specification for what minimum standards should be applied in coding practices? Can these be universally applicable? At which point do we move from putting up a sign to say "enter bridge at own risk" to being able to have all drivers understand that a bridge will reliably support one car and one car only at a time - unless otherwise stated?

Using the electric kettle as an example, if the kettle isn't built to certain minimum safety standards then the manufacturer will get sued if a user gets electrocuted, due to failure in duty of care. I realise that legal issues come into play here and an organisational/country context also matters; however, is there a bottom line which could be set for one and all, or can "control effectiveness" type levels be added to existing guidelines that demonstrate measurable bang-for-the-buck? Is this generally desirable?

Cheers... keep up the great work.