RE: OWASP Top Ten - dev process

[Jeff Robertson <Jeff.Robertson () DigitalInsight com>]

Admitting that I helped get this line of thinking rolling, is the top ten
really the place to tell people how to "build software" (especially
enterprise class)? There are entire bookshelves at Barnes and Noble about
that.

In the world of free stuff on you can read on the Internet, there are places
like Joel on Software and c2.com and so on and so on. 

My point is, I hope I didn't start too much with my grumbling.

-----Original Message-----
From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com] 
Sent: Tuesday, July 12, 2005 6:41 PM
To: Mark Curphey; Jeff Robertson
Cc: webappsec () securityfocus com
Subject: RE: OWASP Top Ten - dev process


I'm guessing we've all seen it but it hit home
recently when I spent two months as the most
expensive QA tester ever (barring a Final Four
firm or Foundstone :) testing an application
that half of it was so bug riddled it didn't
work. The fault-injection testing was darn
near useless cause half the application didn't
even process or store the data it was supposed
to. What's the #1 Risk item there? Not XSS.
It's "you can't build enterprise class software".

Also made me wonder about the previous people who
had "tested" the application. </anecdotal>

Part of the FUD problem is that you've got all these
network security folks and auditors looking for another
tool to hit "scan" to address this "new" "problem".

A Top-10 retooling that reflects and communicates
this fact would help the FUD and benefit everyone.
Less emphasis on XSS and more on how to build reusable
unit tests/build software. Security tests for unit
testing are cheap, right, I/O tests only need to be
built once to work across a wide variety of application conditions based
upon data type of course.

Not so with business-logic specific tests, e.g.-"Rob's Report".

-ae

> -----Original Message-----
> From: Mark Curphey [mailto:mark () curphey com]
> Sent: Monday, July 11, 2005 7:11 AM
> To: 'Jeff Robertson'; webappsec () securityfocus com
> Subject: RE: OWASP Top Ten - My Case For Updating It
>
> Hallelujah brother !
>
> -----Original Message-----
> From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com]
> Sent: Monday, July 11, 2005 7:58 AM
> To: 'Mark Curphey'; webappsec () securityfocus com
> Cc: 'Jeff Williams'
> Subject: RE: OWASP Top Ten - My Case For Updating It
>
> > -----Original Message-----
> > From: Mark Curphey [mailto:mark () curphey com]
> >
> >
> > If the problem of web application security is poor software
> quality,
> > it is a natural conclusion that the solution is to build better
> > software. Not once in the top ten does the list address the 
> fact that
> > the majority of software is built without a design, security
> > requirements or a repeatable software security development process.
>
> I would go so far as to say that unless a development shop is already 
> following a process (I don't want to start waterfall vs. RUP vs. XP 
> wars
> here) to keep plain old functionality bugs down to a minimum,
> they have no
> hope of producing secure software. 
>
> If a software company haven't even figured out that their
> developers need to
> be doing unit tests, then the idea that they could 
> successfully implement
> any sort of security testing is just putting the cart before 
> the horse.


The information transmitted in this e-mail is intended only for the
addressee and may contain confidential and/or privileged material. 
Any interception, review, retransmission, dissemination, or other use of, or
taking of any action upon this information by persons or entities other than
the intended recipient is prohibited by law and may subject them to criminal
or civil liability. If you received this communication 
in error, please contact us immediately at 816.421.6611, and delete the
communication from any computer or network system.