This is completely unsurprising. Apparently nobody told the agile dev community that they still need to follow all the secure coding practices preached at the traditional dev folks for eons. XSS, redirects, and SQL injection attacks are not revolutionary, are not all that interesting, and are so commonplace that it makes one wonder where these developers have been the last 5-10 years.

Solution to date: throw out traditional design review, move to agile security testing. Why? Because there seems rarely to be a design to review, and certainly no time to do it in. Overall, it's important that agile apps be built on an underlying publishing framework so that inherited vulns can be found and fixed across the board by focusing on a single platform.

Next challenge: new year, new technology fads. Web 2.0 is another code word for "that's so last year". Time to play catch-up, and January isn't over yet! *sigh*

Oh, and speaking of Web 2.0, who's protecting the customer and their data? Better yet, who owns which data? With mashups being the buzz word du jour, you may think your data is on SiteA, when in fact it's spread across SiteB, SiteC, and SiteD. Wheee.

One bit of good news: agile dev has often meant, in my experience, rapid resolution of discovered vulns. Since you don't have the full SDLC (or comparable) process to follow, or even a formalized patch mgmt process, it's often just a matter of finding bugs (through targeted "hyper-testing" - think flash-bang), sending them to the devies, waiting 10-30 minutes, and watching the vuln disappear like magic. Am curious how change mgmt works on that, though... ;)

cheers,

-ben
---
Benjamin Tomhave, CISSP, NSA-IAM, NSA-IEM
[EMAIL PROTECTED]
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/pub/0/622/964
Blog: http://www.secureconsulting.net/

"We must scrupulously guard the civil rights and civil liberties of all citizens, whatever their background. We must remember that any oppression, any injustice, any hatred is a wedge designed to attack our civilization." -President Franklin Delano Roosevelt

_____

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Van Wyk
Sent: Monday, January 22, 2007 1:24 PM
To: Secure Coding
Subject: [SC-L] Vulnerability tallies surged in 2006 | The Register

FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% increase over 2005. See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/

The article further states, "The greatest factor in the skyrocketing number of vulnerabilities is that certain types of flaws in community and commercial Web applications have become much easier to find, said Art Manion, vulnerability team lead for the CERT Coordination Center. 'The best we can figure, most of the growth is due to fairly easy-to-discover vulnerabilities in Web applications," Manion said. "They are easy to find, easy to create, and easy to deploy.'"

Cheers,

Ken
-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
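The post argues that agile apps should sit on a shared framework so that the "easy-to-discover" classes of flaw (XSS, open redirects, SQL injection) can be fixed once, at the platform level, rather than app by app. The module below is an added example of what such a single platform layer can look like; it is not code from the list post or from any project mentioned in the thread. The host allow-list, the `users` table and the sample rows are constructed for the demonstration, and the helper names are hypothetical.

```python
"""Hypothetical 'single platform' layer (added example, not from the post).

Three helpers that every app built on the layer inherits, one per flaw class
named in the thread: output encoding (XSS), redirect validation (open
redirect) and parameterised queries (SQL injection).
"""
import html
import sqlite3
from urllib.parse import urlparse

# Constructed allow-list: the only external hosts the platform may redirect to.
ALLOWED_REDIRECT_HOSTS = {"app.example.test"}


def render_field(value: str) -> str:
    """Escape user-controlled text before it is placed in an HTML body or
    attribute context. Doing this in one place means an app author cannot
    forget it on a single page."""
    return html.escape(value, quote=True)


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return `url` only if it is a local path or an absolute URL to an
    allowed host; otherwise fall back to `default`.

    Scheme-relative targets (//evil.test/...), backslash tricks and
    non-http schemes (javascript:...) are all rejected by the checks below.
    """
    parts = urlparse(url)
    is_local_path = (
        parts.scheme == ""
        and parts.netloc == ""
        and url.startswith("/")
        and not url.startswith("//")
        and "\\" not in url
    )
    if is_local_path:
        return url
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return url
    return default


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Look up a user with a parameterised query. The username is bound as a
    value by the driver and never spliced into the SQL text, so quoting
    characters in it cannot change the statement."""
    cur = conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    )
    return cur.fetchall()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with two sample rows for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany(
        "INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)]
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_demo_db()
    print(render_field("<script>alert(1)</script>"))
    print(safe_redirect_target("//evil.test/x"))
    print(find_user(conn, "' OR '1'='1"))
    print(find_user(conn, "alice"))
```

The point of the layout is the one the post makes: an app built on the layer calls `render_field`, `safe_redirect_target` and `find_user` and inherits the fix, and a newly found weakness (say, a redirect bypass the allow-list check misses) is patched in this one module and is gone from every app at once.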
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________