James McGovern wrote...
> Maybe folks are still building square windows because we haven't
> realized how software fails and can describe it in terms of a pattern.
> The only pattern-oriented book I have ran across in my travels is the
> Core Security Patterns put out by the folks at Sun. Do you think we
> should stop talking solely about code and start talking about how
> vulnerabilities are repeatedly introduced and describe using patterns
> notation?
You might want to check out securitypatterns.org, and more specifically,
http://www.securitypatterns.org/patterns.html
which mentions a few other books.
I think there are a few other books by Markus Schumacher, one of which
was based on his doctoral dissertation that is not shown there.
As to your question, should we stop talking _SOLEY_ about code? Probably,
yes. But I think the reason we don't is two-fold -- the first is that most
of us view that as the easy-part, the low-hanging fruit so-to-speak. The
second is that the development community for the most part, still doesn't
seem to be applying the securing CODING principles, so many of us think
it would be premature to move on to try to teach them secure design
principles, developing security reqts with abuse cases, etc., threat modeling,
etc. From a personal POV, I think that's something that a small team of
security specialists can handle. (At least it mostly works here. Security
evaluations are mandatory shortly after the design is complete.) But we
can't possibly do manual code inspections with a small security team,
so we try to instruct (alas, w/out too much success) developers secure
coding practices to avoid the problems at that level in the first place.
-kevin
---
Kevin W. Wall Qwest Information Technology, Inc.
[EMAIL PROTECTED] Phone: 614.215.4788
"The reason you have people breaking into your software all
over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________
