Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Gunnar Peterson
Another approach is decentralized specialized teams, "centers of excellence"
in current management-speak, with a specific agenda and expertise on an area
deemed strategic. This approach is probably best paired with 2, 3, or 4 from
your list. For example, a roving specialized threat modeling team that works
with many groups to help develop threat models, attack patterns, tests, and
so on. Or a roving team that focuses on building secure web apps and cuts
across groups for specialized tasks for secure web app dev, say "how do I use
CardSpace in my web app?"

Once you figure out what your strategic goals are for security - threat
modeling, CardSpace, static analysis, secure web app dev, etc. - you can use
#2 to focus them on the right stuff, or use #3 as roving advisers (like the
CIA in the cold war), or in #4 arm them with a tool or technology like an XML
security gateway or static analysis tools to make a small band more
effective in a large organization.

-gp


On 1/9/08 6:48 PM, Gary McGraw [EMAIL PROTECTED] wrote:

 hi sc-l,
 
 One of the biggest hurdles facing software security is the problem of how to
 get started, especially when faced with an enterprise-level challenge.  My
 first darkreading column for 2008 is about how to get started in software
 security.  In the article, I describe four approaches:
 1. the top-down framework;
 2. portfolio risk;
 3. training first; and
 4. leading with a tool.
 
 We've tried them all with some success at different Cigital customers.
 
 Are there other ways to get started that have worked for you?
 
 By the way, I can use your help.  Darkreading is beginning to track reaction
 to topics more carefully than in the past.  You can help make software
 security more prominent by reading the article and passing the URL on to
 others you may find interested.  Another thing that helps is posting to the
 message boards.  Thanks in advance.
 
 Here's to even more widespread software security in 2008!
 
 gem
 
 company www.cigital.com
 podcast www.cigital.com/silverbullet
 blog www.cigital.com/justiceleague
 book www.swsec.com
 
 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 ___
 




Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Jim Manico
Gary,

Interesting article. May I ask, why get started with only one of these 
approaches? Since 1-3 affect different parts of the organization 
(portfolio risk seems like a biz-management approach, top-down framework 
seems to affect software development management, and training affects 
developers, primarily) - why not *start* an initiative on all levels? In 
fact, doesn't it really take all of the above to truly effect permanent 
change in an organization?

4) Makes me nervous. I worry if you just toss a very expensive static 
code analysis or app scanning tool at development staff, you only 
provide a false sense of security since the coverage of even the best 
application security tools is very limited. Doesn't it take rather 
in-depth developer training and awareness for a tool to be truly useful?

- Jim

-- 

Best Regards,
Jim Manico
[EMAIL PROTECTED]
808.652.3805 (c)




Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Gary McGraw
hi gp,

Yup.  I count that as 1 (top-down framework) because that approach often leads 
with the creation of a special ops execution team that becomes the software 
security group.  By far, this is the most impressive approach in terms of 
results and the one that is the most effective in well-run enterprises.

Please do note that getting started does not mean you have to stick with only 
one of the ways.  Any mature approach to software security requires aspects of 
each of the getting started ways.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-Original Message-
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 09, 2008 10:00 PM
To: Gary McGraw; Secure Mailing List
Subject: Re: [SC-L] Darkreading: Getting Started



Re: [SC-L] Open Source Code Contains Security Holes -- Open Source -- InformationWeek

2008-01-10 Thread Gary McGraw
Good points Ken.

I lurk on a top-secret open source list that has been discussing this since New 
Year's.  I posted an entry on Justice League with my partially formed opinion:
http://www.cigital.com/justiceleague/2008/01/09/on-open-source/

I have also written a longer piece, which will be posted one of these weeks on 
darkreading.

The gist of my opinion is that these open source projects are excellent work 
that should be commended, but that focus exclusively on bugs.  Coverity's PR 
has been straightforward and correct, but the press does not get it.

For example, compare these two articles:
http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229cid=RSSfeed_IWK_All
http://www.zdnet.com.au/news/security/soa/11-open-source-projects-pass-security-health-check/0,130061744,339284949,00.htm

There's a /. thread on this too:
http://slashdot.org/article.pl?sid=08/01/09/0027229

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Van Wyk
Sent: Thursday, January 10, 2008 8:18 AM
To: Secure Coding
Subject: [SC-L] Open Source Code Contains Security Holes -- Open Source -- 
InformationWeek

SC-L,

I imagine many of you have seen the results of Coverity's DHS-funded scan of a 
*bunch* of open source projects:

http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229cid=RSSfeed_IWK_All

The stats are interesting, I suppose.  I don't see any prioritization of the 
defects, but I imagine those were provided to the various open source project 
leaders.

The question that isn't addressed here, and I'm sure was well outside of the 
scope of the project, is what each open source project *did* with the 
vulnerability information BEYOND just fixing the bugs?  Did they merely fix the 
problems and move on?  Or, did they use the defects as an opportunity to 
educate their team members on how to avoid these same sorts of things from 
creeping back into the src tree?  If they simply treated the vuln lists as 
checklists of things to fix, then I'd expect a similar study in (say) five 
years to be just as bad as the recent Coverity study.

I think it's important to learn from mistakes, not just fix them and get on 
with things.  I sure hope the open source teams in this study did some of that. 
 If any SC-Lers have insight here, please share.

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Open Source Code Contains Security Holes -- Open Source -- InformationWeek

2008-01-10 Thread Steven M. Christey

Another question is how many of the reported bugs wound up being false
positives.  Through casual conversations with some vendor (I forget whom),
it became clear that the massive number of reported issues was very
time-consuming to deal with, and not always productive.  Of course this is
no surprise to people on this list, but important to note.

Regarding vendor responses - through my work in CVE, I've noticed that a
developer who's been tagged often enough will eventually develop more
systematic responses such as secure APIs, coding standards, or at least a
thorough review.  This is briefly touched on in the Unforgivable
Vulnerabilities paper that I gave at Black Hat USA last year, where I discuss
vulnerability complexity as a qualitative indicator of software security.

- Steve