Hello all. Xposting to SCL and WASC: Following up on my commentary on the WASC list about the SANS/CWE "Top 25"....
I have repeatedly confirmed that the SANS/CWE Top 25 is being actively used, and growing in use, as a "Standard". I understand the spirit of intent and that the makers are not accountable for how it is used, but we need to be realistic about how it is being implemented in the real world *now*.

It is beginning to be used as a "standard" for:

* what security defects to test software for
* how to measure the security quality of software
* how to build secure software
* what to teach developers about coding securely

I have confirmed this with:

* peers
* corporations
* state governments
* software security solutions vendors
* customers

We are already seeing RFPs for products and services, management- and auditor-created "internal" standards, and requests for training and reporting using the "SANS/CWE Top 25" as a standard.

There are three goals of this post:

1) To make very clear to all involved that what is being built with the "Top 25" list is a minimum standard of due care.
2) To suggest that this is (most likely) how it is primarily going to be used. (You brought the SANS/CIS club to the dance here...)
3) To suggest that future versions be re-focused on building actual minimum standards of due care for the demonstrated needs.

The great thing that is coming out of this Top 25 experiment is that it identifies that the awareness and hunger level for material like this is very high. This is also showing us what people really want right now: people want a minimum standard of due care. It is obvious people want bite-sized, digestible snippets to use as guidelines for making and measuring the security quality of our software. That is evidenced by how rapidly people have latched onto this new list. (one week + !)

The SANS and Mitre brands have huge stock in the mainstream, non-appsec security community, much larger than OWASP and WASC, as is evidenced again by the attention this is getting throughout the infosec and audit communities.
And summing up, directly from Alan Paller:
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1344962,00.html

Conclusions:

We need a minimum standard of due care Top N list. We really need THREE minimum standards of due care:

1) Top N issues/defects to test your software for
2) Top N principles to build secure software
3) Top N strategies to improve software security in your enterprise

Webappsec folks should make webappsec versions, or else we will all wind up using the same ones for *everything*. We might want to divide/share efforts between organizations and cross-reference each other for maximum (positive) effect. We could likely leverage each other's work and try to unify our language across appsec communities. (Ideologies and pet naming systems are where these efforts always break down in our group.)

I am avoiding the debate over the inherent problems with "Top N" and bug parade approaches in general. People are letting us know what they want and I think we should solve that need. ...or they will take whatever we give them for other purposes and use it to solve that need, partially, improperly, ineffectively.

I will quit my bitching about the "Top 25" and focus on productively moving forward, now that it's clear my concerns are too late and it's already moving full-steam ahead as a standard.

People do not know what to do. They have a serious problem that is starting to cause them to lose real sleep and real money, and they are looking to us for suggestions and guidance as to what to do. I concede that the Top 25 in this regard is better than nothing, but it's not really what people want or need right now (IMHO).

(Note: I have not asked the parties involved if I can quote them or quote facts of this being used as a standard. The volume of emails I am receiving providing examples of this makes me think this is either a fad, or self-evident and you will all see plenty of examples of this very soon if you have not already.
SANS has spoken and I think that is a pretty clear indication of what is going on....)

$0.02 USD,

--
Arian Evans

Anti-Gun/UN people: you should weep for Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British rule in India, history will look upon the Act depriving a whole nation of arms, as the blackest." -- Mahatma Gandhi

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________