Secure Coding mailing list archives

RE: Doing something about software security


From: Gunnar Peterson <gunnar () arctecgroup net>
Date: Tue, 19 Apr 2005 19:18:10 +0100

Thanks for the feedback and link (as well as to those who have replied off
line). Note, I did not intend that the 5 tools I listed were exhaustive, just
trying to get an idea what works in the field and wanted to get the ball
rolling. Any other candidates out there? Flawfinder, anyone?

-gp


Quoting "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>:

You seem to be leaving out one of the largest open efforts at security.
ISECOM at http://www.isecom.org covers security testing, secure coding,
incident response and other security related topics.

-----Original Message-----
From:  Gunnar Peterson
Date:  4/19/05 6:32 am
To:  Secure Coding Mailing List
Subj:  [SC-L] Doing something about software security

I was thinking about something that Dave Winer said on the Gillmor Gang
about how the software industry moves forward when small groups (like 1
or 2) of developers get motivated to solve a problem. I was wondering
how this applies to software security, since it seems like a perfect
description for what seems to have motivated Phil Zimmermann to write
PGP.

In information security, we seem to have a preponderance of ideas and
technologies from vendors and academia, but relatively fewer (compared
to the software space) grassroots efforts by small groups of
developers making incremental improvements. There are probably a couple
of reasons for this: first, security tends to be a system property, so
it can be difficult to deal with this incrementally. Secondly, security
is sort of invisible, e.g. in normal app development work you code a lot
and then *something* happens, your web server is suddenly multithreaded
and can handle tons more volume of requests. In security, you work
really hard, write a lot of code and then something doesn't happen.

Does anyone have candidates for grassroots efforts targeted at software
security and secure coding? Not necessarily required to be open source
(though I would expect most of them to be), but a low barrier to entry
for developers to use, e.g. free. I have started a list including:

* mod_security
* RATS
* OWASP (Standards and tools)
* Legion of the Bouncy Castle
* Microsoft's Threat Modeling Tool

Any other nominations?

-gp
