Secure Coding mailing list archives
SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors
From: gem at cigital.com (Gary McGraw)
Date: Wed, 14 Jan 2009 21:26:41 -0500
Brian Chess, Sammy Migues and I continue to pound out the software assurance maturity model. Expect more on that soon. Working with a large real-world data set has really been amazing. For those of you just getting wind of this, see: http://www.informit.com/articles/article.aspx?p=1271382 http://www.informit.com/articles/article.aspx?p=1315431 No BS, just reality. gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com On 1/14/09 5:18 PM, "Stephen de Vries" <stephen at twisteddelight.org> wrote: On Jan 14, 2009, at 8:45 PM, Steven M. Christey wrote:
To all, I'll ask a more strategic question - assuming we're agreed that the Top 25 is a non-optimal means to an end, what can the software security community do better to raise awareness and see real-world change?
From a Web Security point of view, have a look at the OWASP ASVS project: http://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project Abstract: "Whereas the OWASP Top Ten is a tool that provides web application security awareness, the OWASP Application Security Verification Standard (ASVS) is a commercially-workable open standard that defines ranges in coverage and levels of rigor that can be used to perform application security verifications ... The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing application security verification using a commercially- workable open standard. This standard can be used to establish a level of confidence in the security of web applications." regards, Stephen _______________________________________________ Secure Coding mailing list (SC-L) SC-L at securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
Current thread:
- SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors Kenneth Van Wyk (Jan 12)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors Tom Brennan - OWASP (Jan 12)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors vanderaj vanderaj (Jan 12)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors Gary McGraw (Jan 13)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors Steven M. Christey (Jan 13)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors Gary McGraw (Jan 14)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors Steven M. Christey (Jan 14)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors Stephen de Vries (Jan 14)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors Gary McGraw (Jan 14)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors Stephen de Vries (Jan 15)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors Pravir Chandra (Jan 15)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors vanderaj vanderaj (Jan 12)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors Tom Brennan - OWASP (Jan 12)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors Chris Wysopal (Jan 13)
- SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors Gary McGraw (Jan 14)