[SC-L] Metrics

2010-02-05 Thread McGovern, James F. (eBusiness)
Here's an example.  In the BSIMM, 10 of 30 firms have built top-N bug
lists based on their own data culled from their own code.  I would
love to see how those top-N lists compare to the OWASP Top Ten or the
CWE-25.  I would also love to see whether the union of these lists is
even remotely interesting.

One of the general patterns I noted while providing feedback to the
OWASP Top Ten listserv is that top ten lists do sort differently. Within
an enterprise setting, it is typical for enterprise applications to be
built on Java, .NET or other compiled languages, whereas if I were doing
an Internet startup I may leverage more scripting approaches. So, if
different demographics have different behaviors, what would a converged
list or even a separate list tell us?


This communication, including attachments, is for the exclusive use of 
addressee and may contain proprietary, confidential and/or privileged 
information.  If you are not the intended recipient, any use, copying, 
disclosure, dissemination or distribution is strictly prohibited.  If you are 
not the intended recipient, please notify the sender immediately by return 
e-mail, delete this communication and destroy all copies.



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] OWASP Podcast Series

2010-02-05 Thread Jim Manico

Hello SC-L,

We have released 3 OWASP podcasts over the last few days for your 
listening pleasure:


#60 Interview with Jeremiah Grossman and Robert Hansen (Google pays for 
vulns)

http://www.owasp.org/download/jmanico/owasp_podcast_60.mp3

#59 AppSec round table with Dan Cornell, Boaz Gelbord, Jim Manico, 
Andrew van der Stock, Ben Tomhave and Jeff Williams

http://www.owasp.org/download/jmanico/owasp_podcast_59.mp3

#58 Interview with Ron Gula
http://www.owasp.org/download/jmanico/owasp_podcast_58.mp3

I hope you enjoy.

--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net



Re: [SC-L] Metrics

2010-02-05 Thread Arian J. Evans
In the web security world it doesn't seem to matter much. Top(n) Lists
are Top(n).

There is much ideological disagreement over what goes in those lists
and why, but the ratios of defects are fairly consistent, both with
managed code and with scripting languages.

The WhiteHat Security statistics report provides some interesting
insights into this, particularly the last one. It's one of the only
public stats reports out there for webappsec that I know of.

I have observed what I've thought to be differences anecdotally, but
when we crunch the numbers on a large scale, they average out and
issue ratios are fairly consistent. This shows you the dangerous
power of anecdotes, and statistically small samples, to be misleading.

---
Arian Evans
Software Security Statistician


On Fri, Feb 5, 2010 at 7:07 AM, McGovern, James F. (eBusiness)
james.mcgov...@thehartford.com wrote:
 Here's an example.  In the BSIMM, 10 of 30 firms have built top-N bug
 lists based on their own data culled from their own code.  I would
 love to see how those top-N lists compare to the OWASP Top Ten or the
 CWE-25.  I would also love to see whether the union of these lists is
 even remotely interesting.

 One of the general patterns I noted while providing feedback to the
 OWASP Top Ten listserv is that top ten lists do sort differently. Within
 an enterprise setting, it is typical for enterprise applications to be
 built on Java, .NET or other compiled languages, whereas if I were doing
 an Internet startup I may leverage more scripting approaches. So, if
 different demographics have different behaviors, what would a converged
 list or even a separate list tell us?





Re: [SC-L] Metrics

2010-02-05 Thread Steven M. Christey


On Fri, 5 Feb 2010, McGovern, James F. (eBusiness) wrote:

One of the general patterns I noted while providing feedback to the 
OWASP Top Ten listserv is that top ten lists do sort differently. Within 
an enterprise setting, it is typical for enterprise applications to be 
built on Java, .NET or other compiled languages, whereas if I were doing 
an Internet startup I may leverage more scripting approaches. So, if 
different demographics have different behaviors, what would a converged 
list or even a separate list tell us?


A converged list is useful for general recommendations to people who 
haven't made their own custom lists.  The 2010 Top 25, due to be released 
Feb 16, also considers alternate Focus Profiles with different 
prioritizations to serve different use cases and get people thinking about 
how to do their own prioritization.


The general list, meanwhile, captures what patterns may exist across all 
participants - i.e., what everyone is most worried about.


- Steve