On Mon, Jan 19, 2009 at 9:45 AM, Stephen Craig Evans <stephencraig.ev...@gmail.com> wrote: > > Hi Arian, > > " SANS has spoken and I think that is a pretty clear indication what is > going on....)" > > Have you been watching Wizard of Oz re-reruns again? This sentence sounds > too much like "The Mighty Oz has spoken" :-)
I am from Kansas, Stephen. How did you know? On a serious note: I have tremendous respect for the SANS organizations' work and the value they provide to the infosec community. I believe they are one of the best barometers of what is going on out in day-to-day security-land. In addition they have significant clout with information security professionals ranging from technical & implementation engineers, to tactical security management and auditors, to strategic level CISOs and policy compliance folks. They have a lot more clout across the board with all of those folks for infosec in general than the combined communities of OWASP, WASC, Mitre, and the denizens of the SCL list. </strong_suspicion: educated_guess> Translation: we should all watch closely and take cues from how SANS uses our software security publication output, be it Top N lists or standards or whatever. SANS and their many tentacles are market driven both with regards to private sector and government. They will react to needs and provide them, and have a clear idea what folks want. In this case what is wanted is CLEARLY a minimum standard of due care and SANS will use such a list accordingly, much as previous SANS Top N lists. What this means to the rest of us I pretty much covered in my last post. I have gotten a deluge of email in response to my posts to both SCL and WASC about SANS/CWE Top 25 from folks at organizations that have already had their bosses ask -- or even implement -- the CWE Top 25 as a standard of some type in their organization. Numerous customers I interact with are already asking me to cross-map the CWE/SANS Top 25 with existing web application security lists. (OWASP Top 10, WASC Threat Classification, etc.) My previous email lists the type of uses I am already seeing. First, the list should be "webified". That is probably the #1 interest in consumption of that data. There are a finite number of programmers working at Microsoft on their network stack in C++, and they are already way beyond this level. We're not putting out information for them. The majority of crappy software today is being built as web systems or embedded software. Two very different problem domains in terms of threat landscape and attack surface (though overlap in basic data handling principles). Then, again, you need three lists: + stuff to test for + patterns and practices to build secure + how to address software security in an enterprise The current Top 25 is kinda a bastard mix of all three of those, and solves none of them well. Sorry to stir people up, but this CWE list just created a headache and more work for me that I do not see improves upon anything I am already working on or providing. (Besides global attention -- proving again my assertion that folks are hungry for more) Thanks all, -- -- Arian Evans "I ask, sir, what is the militia? It is the whole people. To disarm the people is the best and most effectual way to enslave them."-- Patrick Henry _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________