SANS/CWE Top 25: "The New Standard" for Webappsec

[arian.evans at anachronic.com (Arian J. Evans)]

Hello all. Xposting to SCL and WASC:

Following-up to my commentary on the
WASC list about the SANS/CWE "Top 25"....

I have repeatedly confirmed that the SANS/CWE
Top 25 is being actively used, and growing in
use, as a "Standard".

I understand the spirit of intent and that the
makers are not accountable for how it is used,
but we need to be realistic about how it is
being implemented in the real world *now*.

It is beginning to be used as a "standard" for:
* what security defects to test software for
* how to measure the security quality of software
* how to build secure software
* what to teach developers about coding securely


I have confirmed this with:
* peers
* corporations
* state governments
* software security solutions vendors
* customers

We are already seeing RFPs for products
and services, management and auditor
created "internal" standards, and requests
for training and reporting using the "SANS/
CWE Top 25" as a standard.

There are three goals of this post:

1) to make very clear to all involved that
what is being built with the "Top 25" list is
a minimum standard of due care.

2) To suggest that this is (most likely) how
it is primarily going to be used.

(You brought the SANS/CIS club to the dance here...)

3) Suggest that future versions be re-focused
on building actual minimum standards of
due care for the demonstrated needs.

The great thing that is coming out of this Top 25
experiment is to identify that awareness and
hunger-level for material like this is very high.

This is also showing us what people really want
right now:

People want a minimum standard of due care.

It is obvious people want bite-sized digestible
snippets to use as guidelines for making and
measuring the security quality of our software.

That is evidenced by how rapidly people have
latched onto this new list. (one week + !)

The SANS and Mitre brand have huge stock in
the mainstream, non-appsec security community,
much larger than OWASP and WASC, as is
evidenced again by the attention this is getting
throughout the infosec and audit communities.

And summing up, directly from Alan Paller:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1344962,00.html


Conclusions:

We need a minimum standard of due care Top N list.


We really need THREE minimum standards of due care:

1) Top N issues/defects to test your software for
2) Top N principles to build secure software
3) Top N strategies to improve software security in your enterprise

Webappsec folks should make webappsec
versions, or else we will all wind up using
the same ones for *everything*.

We might want to divide/share efforts between
organizations and cross-reference each other
for maximum (positive) effect. We could likely
leverage each others' work and try to unify
our language across appsec communities.

(Ideologies and pet naming systems are where
these efforts always break down in our group.)


I am avoiding the debate over the inherent
problems with "Top N" and bug parade approaches
in general.  People are letting us know what they
want and I think we should solve that need.

...or they will take whatever we give them for
other purposes and use it to solve that need,
partially, improperly, ineffectively.

I will quite my bitching about the "Top 25" and
focus on productively moving forward, now that
it's clear my concerns are too late and it's
already moving full-steam ahead as a standard.

People do not know what to do. They have
a serious problem that is starting to cause
them to lose real sleep and real money, and
they are looking to us for suggestions and
guidance as to what to do.

I concede that the Top 25 in this regard is
better than nothing, but it's not really what
people want or need right now (IMHO).

(Note: I have not asked parties involved
if I can quote them or quote facts of this
being used as a standard. The volume
of emails I am receiving providing examples
of this make me think this is either a fad,
or self-evident and you will all see plenty
of examples of this very soon if you
have not already.

SANS has spoken and I think that is
a pretty clear indication what is going on....)

$0.02 USD,

-- 
-- 
Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi