I just wanted to chime in with my two cents on the top N list. I have witnessed (and developed) secure programs that were built to defend against attacks identified in secure requirements (i.e. data validation and data transformation). But the one vulnerability that keeps popping up is weak authentication. Most business apps rely on (and can only afford) the most basic use of authentication: usernames and passwords.

I would like to see the basic use of one-tier authentication on a Bug Parade list. It is by design a weak link, and I think the business community needs to understand that a stronger authentication policy is just as important as data validation. I agree with GEM when he wrote that executives don't care about technical bugs; but a Bug Parade list does help highlight the usual list of suspects that need to be dealt with. Thus it justifies the additional spending on secure design and development.

Jason Grembi
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________