Hi Arian,

"SANS has spoken and I think that is a pretty clear indication what is going on....)"

Have you been watching Wizard of Oz re-runs again? This sentence sounds too much like "The Mighty Oz has spoken" :-)

Cheers,
Stephen

On Sat, Jan 17, 2009 at 11:39 AM, Arian J. Evans <[email protected]> wrote:
> Hello all. Xposting to SCL and WASC:
>
> Following-up to my commentary on the WASC list about the SANS/CWE "Top 25"....
>
> I have repeatedly confirmed that the SANS/CWE Top 25 is being actively used, and growing in use, as a "Standard".
>
> I understand the spirit of intent and that the makers are not accountable for how it is used, but we need to be realistic about how it is being implemented in the real world *now*.
>
> It is beginning to be used as a "standard" for:
> * what security defects to test software for
> * how to measure the security quality of software
> * how to build secure software
> * what to teach developers about coding securely
>
> I have confirmed this with:
> * peers
> * corporations
> * state governments
> * software security solutions vendors
> * customers
>
> We are already seeing RFPs for products and services, management and auditor created "internal" standards, and requests for training and reporting using the "SANS/CWE Top 25" as a standard.
>
> There are three goals of this post:
>
> 1) to make very clear to all involved that what is being built with the "Top 25" list is a minimum standard of due care.
>
> 2) To suggest that this is (most likely) how it is primarily going to be used.
>
> (You brought the SANS/CIS club to the dance here...)
>
> 3) Suggest that future versions be re-focused on building actual minimum standards of due care for the demonstrated needs.
>
> The great thing that is coming out of this Top 25 experiment is to identify that awareness and hunger-level for material like this is very high.
>
> This is also showing us what people really want right now:
>
> People want a minimum standard of due care.
>
> It is obvious people want bite-sized digestible snippets to use as guidelines for making and measuring the security quality of our software.
>
> That is evidenced by how rapidly people have latched onto this new list. (one week + !)
>
> The SANS and Mitre brands have huge stock in the mainstream, non-appsec security community, much larger than OWASP and WASC, as is evidenced again by the attention this is getting throughout the infosec and audit communities.
>
> And summing up, directly from Alan Paller:
>
> http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1344962,00.html
>
> Conclusions:
>
> We need a minimum standard of due care Top N list.
>
> We really need THREE minimum standards of due care:
>
> 1) Top N issues/defects to test your software for
> 2) Top N principles to build secure software
> 3) Top N strategies to improve software security in your enterprise
>
> Webappsec folks should make webappsec versions, or else we will all wind up using the same ones for *everything*.
>
> We might want to divide/share efforts between organizations and cross-reference each other for maximum (positive) effect. We could likely leverage each other's work and try to unify our language across appsec communities.
>
> (Ideologies and pet naming systems are where these efforts always break down in our group.)
>
> I am avoiding the debate over the inherent problems with "Top N" and bug parade approaches in general. People are letting us know what they want and I think we should solve that need.
>
> ...or they will take whatever we give them for other purposes and use it to solve that need, partially, improperly, ineffectively.
>
> I will quit my bitching about the "Top 25" and focus on productively moving forward, now that it's clear my concerns are too late and it's already moving full-steam ahead as a standard.
>
> People do not know what to do. They have a serious problem that is starting to cause them to lose real sleep and real money, and they are looking to us for suggestions and guidance as to what to do.
>
> I concede that the Top 25 in this regard is better than nothing, but it's not really what people want or need right now (IMHO).
>
> (Note: I have not asked parties involved if I can quote them or quote facts of this being used as a standard. The volume of emails I am receiving providing examples of this makes me think this is either a fad, or self-evident and you will all see plenty of examples of this very soon if you have not already.
>
> SANS has spoken and I think that is a pretty clear indication what is going on....)
>
> $0.02 USD,
>
> --
> --
> Arian Evans
>
> Anti-Gun/UN people: you should weep for Mumbai. Your actions leave defenseless dead.
>
> "Among the many misdeeds of the British rule in India, history will look upon the Act depriving a whole nation of arms, as the blackest." -- Mahatma Gandhi
>
> _______________________________________________
> Secure Coding mailing list (SC-L) [email protected]
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> _______________________________________________
