Re: [SC-L] SearchSecurity: Architecture Risk Analysis

hi marinus,

Sorry for the (spam filter related) delay!

Two of the steps that we define in the ARA article address your idea directly. Step 1, known-attack analysis, certainly leverages knowledge about components, packages, and design patterns (associated with known attacks) and "stuff you inherit." And step 3, dependency analysis, is almost entirely focused on what you suggest.

Have a read: http://bit.ly/1b2f5Zk

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: Marinus van Aswegen <mvanaswe...@gmail.com>
Date: Monday, September 16, 2013 3:15 PM
To: Secure Code Mailing List <SC-L@securecoding.org>
Subject: [SC-L] SearchSecurity: Architecture Risk Analysis

> Gary,
>
> We have a step where we figure out how the various architectures intersect and synthesize together. After all, you inherit more than you define and deliver.
>
> Marinus

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
[SC-L] SearchSecurity: Architecture Risk Analysis

Gary,

We have a step where we figure out how the various architectures intersect and synthesize together. After all, you inherit more than you define and deliver.

Marinus
[SC-L] SearchSecurity: Architecture Risk Analysis

hi sc-l,

Software security in general spends a lot of time talking about bugs---too much time, I believe. We all know that software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design). So, how do you find and FIX flaws? That's what this month's SearchSecurity column is about. This article is about finding security flaws in software with Architecture Risk Analysis. It is co-authored by Jim DelGrosso, who is a Principal Consultant at Cigital and runs the Architecture practice. We know this approach works, because we actually use it every day (and have done so for over a decade): http://bit.ly/1b2f5Zk

No, it's not easy, and yes, it takes experience. Oh well.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

p.s. Long link for Mr Wall: http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture