Secure Coding mailing list archives
Re: informIT: software security zombies
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Thu, 21 Jul 2011 09:40:27 -0500
Gary McCraw wrote:
This month's informIT article covers the zombies:
[snip]
* Software security defects come in two main flavorsābugs at the implementation level (code) and flaws at the architectural level (design)
So, two questions:
1) How is this (software *security* defects) different than any other software defect?
It seems to me that these are also 2 main categories of software defects in general.
2) In terms of "flavors", where do you see software security defects arising from either incorrect
requirements or simply lack of specifications?
My experience with #2 is that poor specifications are a major contributor to software
security defects, more so even than with software defects in general. That's because generally
these specs are usually considered "non-functional requirements" and they get missed
more by systems analysts simply because they are not something that the business
wants and therefore they aren't put into the reqts and thus never get built.
I'm not talking about the pseudo-PCI-like requirements that says things like making
sure that you have no OWASP Top Ten vulnerabilities, but rather actual omission
of requirements such as failure to specify that data must be kept confidential,
or to access this data requires authorization by a certain role, or that an audit
trail must be required for certain actions, etc.
I don't see how you can chalk these sorts of defects up to flaws at the
architecture level (unless you and I have drastically different views of
system architecture). The are outright omissions in the specifications
and because they are not there, the application team never even thinks
about building in that functionality. Bottom line: I think you are missing
a "flavor".
Thanks,
-kevin
--
Kevin W. Wall 614.215.4788 Qwest Risk Management / Information Security Team
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents." -- Nathaniel Borenstein, co-creator of MIME
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
Current thread:
- informIT: software security zombies Gary McGraw (Jul 21)
- Re: informIT: software security zombies Wall, Kevin (Jul 21)
- Re: informIT: software security zombies Gary McGraw (Jul 21)
- Re: informIT: software security zombies Wall, Kevin (Jul 21)