Secure Coding mailing list archives

Re: SearchSecurity: Architecture Risk Analysis


From: Gary McGraw <gem () cigital com>
Date: Thu, 19 Sep 2013 09:58:37 -0400

hi marinus,

Sorry for the (spam filter related) delay!

Two of the steps that we define in the ARA article address your idea directly.  Step 1: known-attack analysis certainly 
leverages knowledge about components, packages, and design patterns (associated with known attacks) and "stuff you 
inherit."  And, step 3: dependency analysis is almost entirely focused on what you suggest.

Have a read: http://bit.ly/1b2f5Zk

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: Marinus van Aswegen <mvanaswegen () gmail com>
Date: Monday, September 16, 2013 3:15 PM
To: Secure Code Mailing List <SC-L () securecoding org>
Subject: [SC-L] SearchSecurity: Architecture Risk Analysis

Gary,

We have a step where we figure out how the various architectures intersect and synthesize together. After all, you inherit 
more than you define and deliver.

Marinus

-----

hi sc-l,

Software security in general spends a lot of time talking about bugs---too much time, I believe.  We all know that 
software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design).  So, how do you 
find and FIX flaws?

That's what this month's SearchSecurity column is about.  This article is about finding security flaws in software with 
Architecture Risk Analysis.  It is co-authored by Jim DelGrosso, who is a Principal Consultant at Cigital and runs the 
Architecture practice.

We know this approach works, because we actually use it every day (and have done so for over a decade): 
http://bit.ly/1b2f5Zk   No, it's not easy, and yes it takes experience.  Oh well.

gem



_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
