[SC-L] Survey: source code review tools and programming languages
List,

I'm conducting a small study on static and dynamic code analyzers, which aims at evaluating how widely code review products are being used in diversely sized organizations, and on which programming languages they are being used.

What I can offer:
- Anonymous processing <-- email authors won't be collected in the report (unless someone hacks into my email account...)
- Fully independent, technology/vendor-agnostic processing of the data <-- contact me if you need more info on this point
- I will centralize and formalize the data <-- won't cost you a dime!
- I will share the results back to the list <-- won't cost you either

What I will not do:
- I will not collect/process information on the quality of a product, its effectiveness or its features. I am interested in distribution aspects such as programming languages, organization size and the product itself. <-- don't bother telling me whether product A or B is good or bad, that information will not be processed.

If you would like to participate, just send me back the form below by email at: antonio.fon...@owasp.org (publicly or privately as you wish). If you can provide several combinations, just copy/paste the form as many times as you need:

1. Name of the product:
2. Language(s) on which the product is being used:
3. Organization size: (A: <10 employees, B: <50 emp., C: <250 emp., D: <=1000 emp., E: >1000 emp.)

I will collect responses until Thursday July 7th 11pm (end of the world time-zone)

Thank you,
Antonio Fontes
OWASP Switzerland / Geneva Chapter

(PS: this survey request was also sent to the OWASP leaders mailing list)

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates ___
Re: [SC-L] [WEB SECURITY] Are people using Threat modeling?
Yes. I mostly do TM by myself when conducting pentests. It helps me identify critical scenarios and keep some business orientation when I don't catch up with flashy SQL injections. TM also adds some business orientation to the test and gives real "field" insight to non-technical people (usually, those who pay) about what's at stake.

Some clients (2 ...actually) recently started showing interest in working on building threat models before the coding phase. That's cool. Late, but cool.

Now concerning the tools:
- 2-hour meeting with some guys from the business, a developer and the application business owner
- I ask questions, they answer them, I take notes

If it helps...

Antonio

From: Matt Parsons [mparsons1...@gmail.com]
Sent: Tuesday, May 11, 2010 12:32 PM
To: 'Webappsec Group'; owaspdal...@utdallas.edu; SC-L@securecoding.org
Subject: [WEB SECURITY] Are people using Threat modeling?

Are people using threat modeling for their clients? I just started having an interest in it with my clients and it is amazing what you find with threat modeling. I have been using the Microsoft Threat Analysis tool. What other tools are people using?

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
"Do Good and Fear No Man"
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt
Re: [SC-L] The Importance of Type Safety
Actually, I thought you meant "managing costs of development with type safe languages" on the human management aspect (learning, training, design and development time, testing, etc.) and not about pure computer, compiler or runtime performance. On that aspect, I can only agree with you (mostly blindly because I don't have the knowledge to qualify these internals by myself ; )

Thank you for your answer,

Antonio Fontes

Brad Andrews wrote:
> It may not always be true, but languages with stronger type safety
> normally also have a larger execution overhead. This is somewhat
> unavoidable since the extra checking to make sure the types match does
> take machine cycles. Of course the compiler can enforce a lot of
> these rules, so some of the performance hit could be at compile time,
> but it is still there.
>
> In addition, you lose some flexibility. It's kind of like swimming
> with water wings (to continue my pool analogy). You are much less
> likely to drown, but they limit what you can do at the same time. You are
> not likely to pick up too many things off the bottom of the pool with
> water wings on, unless you are really creative and strong.
>
> The flexibility in C/C++ remains there for a reason - it is helpful to
> at least some sorts of problems. It may or may not be the best for
> security, but it is a "cost" that should be considered as well as
> compile or run-time performance.
>
> Does this help?
>
> Brad
>
> Quoting AF :
>
>> Brad Andrews wrote:
>>
>>> [..]
>>> Perhaps we will get to a world where all the "management overhead"
>>> doesn't matter, but until then, the extra cost for type safety should
>>> be weighed against other factors, not just discounted out of hand.
>>>
>>
>> Hi Brad,
>> Could you please explain what you mean by "the extra cost for type safety"?
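The trade-off Brad describes above, shown in C as an added example that is not part of the list thread: a compile-time type distinction costs nothing at run time, a run-time tag check costs a branch on every read, and the unchecked pointer keeps C's flexibility together with its exposure to type confusion. The slot structs, the tag names, the `user_id`/`order_id` types and the constructed "AAAAAAAA" sample are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Two ways to hold "a value of some type" in C.
 * raw_slot is the flexible, unchecked style: the caller promises what the
 * pointer points at and the compiler cannot verify the promise.
 * checked_slot carries a tag and pays a comparison on every read; that
 * branch is the run-time "extra cost for type safety".
 */

/* Unchecked slot: a bare pointer, its type known only by convention. */
struct raw_slot {
    const void *p;
};

/* Read the slot as a 64-bit integer, trusting the caller's convention. */
static int64_t raw_as_int(const struct raw_slot *s)
{
    int64_t v;
    memcpy(&v, s->p, sizeof v);      /* memcpy avoids strict-aliasing UB */
    return v;
}

/* Checked slot: the tag travels with the value. */
enum tag { TAG_INT, TAG_STR };

struct checked_slot {
    enum tag tag;
    union {
        int64_t i;
        const char *s;
    } u;
};

/* Returns 0 and writes *out on success, -1 if the slot does not hold an int. */
static int checked_as_int(const struct checked_slot *s, int64_t *out)
{
    if (s->tag != TAG_INT)           /* the run-time check that costs cycles */
        return -1;
    *out = s->u.i;
    return 0;
}

/* Distinct struct types the compiler keeps apart at zero run-time cost:
 * passing a struct user_id where a struct order_id is expected does not
 * compile, so no check is needed when the program runs. */
struct user_id  { uint32_t v; };
struct order_id { uint32_t v; };

static int lookup_order(struct order_id id)
{
    return (int)(id.v % 7);          /* hypothetical bucket lookup */
}

/* Type confusion through the unchecked path: eight 'A's read back as an
 * integer, 0x4141414141414141 on any byte order. */
static int64_t confused_int(void)
{
    static const char buf[9] = "AAAAAAAA";   /* constructed sample input */
    struct raw_slot s = { buf };
    return raw_as_int(&s);
}

/* The same data through the checked path: the tag refuses the misread. */
static int guarded_int(void)
{
    struct checked_slot s;
    int64_t out = 0;
    s.tag = TAG_STR;
    s.u.s = "AAAAAAAA";
    return checked_as_int(&s, &out); /* -1: not an int */
}

/* Round-trip an int through the checked slot; returns x on success. */
static int64_t checked_roundtrip(int64_t x)
{
    struct checked_slot s;
    int64_t out = 0;
    s.tag = TAG_INT;
    s.u.i = x;
    return checked_as_int(&s, &out) == 0 ? out : -1;
}

int main(void)
{
    struct order_id o = { 42 };
    printf("raw read of a string as int: 0x%016llx\n",
           (unsigned long long)confused_int());
    printf("checked read of the same:    %s\n",
           guarded_int() == 0 ? "int" : "refused (tag mismatch)");
    printf("checked round-trip of 99:    %lld\n",
           (long long)checked_roundtrip(99));
    printf("order bucket for id 42:      %d\n", lookup_order(o));
    return 0;
}
```

The raw path is what makes C flexible and is also the shape of a type-confusion bug; the checked path removes the bug at the price of the tag byte and the comparison, which is the overhead Brad is weighing. The two id structs show the third option, where the cost is paid once by the compiler and not at all by the running program.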
Re: [SC-L] The Importance of Type Safety
Brad Andrews wrote:
> [..]
> Perhaps we will get to a world where all the "management overhead"
> doesn't matter, but until then, the extra cost for type safety should
> be weighed against other factors, not just discounted out of hand.

Hi Brad,

Could you please explain what you mean by "the extra cost for type safety"?

regards,
Antonio Fontes
Re: [SC-L] Language agnostic secure coding guidelines/standards?
Pete Werner wrote:
> Hi all
> I've been tasked with developing a secure coding standard for my
> employer. This will be a policy tool used to get developers to fix
> issues in their code after an audit, and also hopefully be of use to
> developers as they work to ensure they are compliant. The kicker is it
> needs to cover things ranging from COBOL running on a mainframe, in
> house network monitoring software in C and Perl through to web and
> desktop applications in Java or .NET.
> I've been doing some searching to see if there is anything similar
> online, but everything I've found is mostly focussed on web
> applications or language/platform specific. Does anyone know of
> something that may be what I'm looking for?
> It's basically going to be a checklist where every item will be
> something that can be audited, and the things that aren't relevant to
> a given application can be ignored. The broad sections I have so far
> are:
> Input/Output handling
> Session Control and Management
> Memory allocation and Management
> Authentication Management
> Authorisation Management
> Data Protection
> Logging and Auditing
> Application Errors and Exceptions
> Thanks in advance
> Pete

Hi Pete,

You are right when it comes to being agnostic: many checklists and guides found on the web are webapp-oriented. The security frames, however, mostly remain the same for software, whether it is web-based or desktop-based, such as:
- authentication
- authorisation
- data validation
- session management
- logging
- error handling
- cryptography
- ...

The proposition is that you might consider the OWASP "Code Review" or "Testing" guides' checkpoints (more than 60 controls are included) and derive their "architecture-agnostic" counterparts. You can then add the remaining frames, less often found in webapp security guidance, such as memory management or multithreading, from other sources.

This strategy would (I hope) help you build a first version of your corporate secure coding guideline in a checklist form.

I hope it helps...

regards,
A

ps: http://www.owasp.org/, the guides' links are shown in the upper right quick access projects links