Hi again Mike, Yadda yadda, delay, and so on...
On 2/2/10 9:30 PM, "Mike Boberski" <mike.bober...@gmail.com> wrote: <somebody eslse said> But the vast majority of clients I work with don't have the time or need or ability to >take advantage of BSIMM >>Mike's Top 5 Web Application Security Countermeasures: >>1. Add a security guy or gal who has a software development background to >>your application's software >>development team. Dang, this would have saved Microsoft lots of money. With 30,000 developers that security gal would have been pretty busy though. >>3. Build an Enterprise Security API (a.k.a. an ESAPI, e.g. OWASP's several >>different ESAPI toolkits) that is >>specific to your solution stack and >>minimally provides input validation controls that use whitelists, output >>>>encoding/escaping controls (optionally use parameterized interfaces for >>SQL), and authentication controls. >>Build your ESAPI to target a specific >>level of overall security when all of your security controls are viewed as >>>>a whole (e.g. an OWASP Application Security Verification Standard (ASVS) >>level). Why do you believe that an ESAPI (which is a good idea) is the best place to start? Why not training? Why not pen testing by Mike? Etc. This was not "job 1" in any firm I have been involved with. >>4. Write a programming manual (i.e. a secure coding standard that is specific >>to your solution stack that is >>organized by vulnerability type or security >>requirement with before and after code snippets, e.g. a >>cookbook that >>provides before and after code snippets and links to API documentation) that >>contains step->>by-step instructions for using your ESAPI to both proactively >>guard against vulnerabilities, and to act as a >>quick reference when the >>time comes to make fixes. Again. How does this fit into a bigger picture? The notion of code guidelines is a good one. See [CR2.1] in the BSIMM which 11 of 30 companies we observed carry out. This was not "job 2" in any case I am aware of. How about tying such guidance to code review technology. We've helped multiple clients do that. How many customers have followed Mike's Way? What are their results? How do the Mike's Way customers score with the BSIMM? gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com On Tue, Feb 2, 2010 at 7:23 PM, Steven M. Christey <co...@linus.mitre.org> wrote: On Tue, 2 Feb 2010, Arian J. Evans wrote: BSIMM is probably useful for government agencies, or some large organizations. But the vast majority of clients I work with don't have the time or need or ability to take advantage of BSIMM. Nor should they. They don't need a software security group. I'm looking forward to what BSIMM Basic discovers when talking to small and mid-size developers. Many of the questions in the survey PDF assume that the respondent has at least thought of addressing software security, but not all questions assume the presence of an SSG, and there are even questions about the use of general top-n lists vs. customized top-n lists that may be informative. - Steve _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________ _______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
