WebApp Sec mailing list archives
RE: OWASP Top Ten - dev process
From: Jeff Robertson <Jeff.Robertson () DigitalInsight com>
Date: Tue, 12 Jul 2005 21:56:46 -0400
Admitting that I helped get this line of thinking rolling, is the top ten really the place to tell people how to "build software" (especially enterprise class)? There are entire bookshelves at Barnes and Noble about that. In the world of free stuff on you can read on the Internet, there are places like Joel on Software and c2.com and so on and so on. My point is, I hope I didn't start too much with my grumbling. -----Original Message----- From: Evans, Arian [mailto:Arian.Evans () fishnetsecurity com] Sent: Tuesday, July 12, 2005 6:41 PM To: Mark Curphey; Jeff Robertson Cc: webappsec () securityfocus com Subject: RE: OWASP Top Ten - dev process I'm guessing we've all seen it but it hit home recently when I spent two months as the most expensive QA tester ever (barring a Final Four firm or Foundstone :) testing an application that half of it was so bug riddled it didn't work. The fault-injection testing was darn near useless cause half the application didn't even process or store the data it was supposed to. What's the #1 Risk item there? Not XSS. It's "you can't build enterprise class software". Also made me wonder about the previous people who had "tested" the application. </anecdotal> Part of the FUD problem is that you've got all these network security folks and auditors looking for another tool to hit "scan" to address this "new" "problem". A Top-10 retooling that reflects and communicates this fact would help the FUD and benefit everyone. Less emphasis on XSS and more on how to build reusable unit tests/build software. Security tests for unit testing are cheap, right, I/O tests only need to be built once to work across a wide variety of application conditions based upon data type of course. Not so with business-logic specific tests, e.g.-"Rob's Report". -ae
-----Original Message----- From: Mark Curphey [mailto:mark () curphey com] Sent: Monday, July 11, 2005 7:11 AM To: 'Jeff Robertson'; webappsec () securityfocus com Subject: RE: OWASP Top Ten - My Case For Updating It Hallelujah brother ! -----Original Message----- From: Jeff Robertson [mailto:Jeff.Robertson () DigitalInsight com] Sent: Monday, July 11, 2005 7:58 AM To: 'Mark Curphey'; webappsec () securityfocus com Cc: 'Jeff Williams' Subject: RE: OWASP Top Ten - My Case For Updating It-----Original Message----- From: Mark Curphey [mailto:mark () curphey com] If the problem of web application security is poor softwarequality,it is a natural conclusion that the solution is to build better software. Not once in the top ten does the list address thefact thatthe majority of software is built without a design, security requirements or a repeatable software security development process.I would go so far as to say that unless a development shop is already following a process (I don't want to start waterfall vs. RUP vs. XP wars here) to keep plain old functionality bugs down to a minimum, they have no hope of producing secure software. If a software company haven't even figured out that their developers need to be doing unit tests, then the idea that they could successfully implement any sort of security testing is just putting the cart before the horse.
The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material. Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
Current thread:
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 12)
- Re: OWASP Top Ten - dev process Michael Silk (Jul 13)
- Re: OWASP Top Ten - dev process Devdas Bhagat (Jul 13)
- Re: OWASP Top Ten - dev process Andrew van der Stock (Jul 13)
- Re: OWASP Top Ten - dev process Devdas Bhagat (Jul 13)
- <Possible follow-ups>
- RE: OWASP Top Ten - dev process Jeff Robertson (Jul 13)
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 13)
- RE: OWASP Top Ten - dev process Evans, Arian (Jul 13)
- Re: OWASP Top Ten - dev process Michael Silk (Jul 13)