You may wish to consider OWASP ASVS mitigation recommendations. You can 
word-smith negative recommendations of what *not* to do to come up with a great 
list of defensive recommendations.

For example, instead of saying "Never put sensitive data in HTTP GET requests" 
I'd like to see us shift to control-centric language like "Only use HTTPS POST 
to transmit sensitive data".

And in general Steve, a list of mitigations implies tactical approaches to 
Application Security (i.e., fix specific flaws) which is fairly limited. I'd love 
to see this expanded to cover general defensive coding techniques and good 
security design principles that help devs build secure apps from day 1.

And Steve, you only see me pop up when I have a criticism. But as I said when 
we went hiking on Kauai, I think you and team are doing outstanding work and 
I'm thankful for all of your efforts.

Regards,

-Jim Manico
http://manico.net

On Oct 22, 2010, at 12:39 AM, "Steven M. Christey" <co...@linus.mitre.org> 
wrote:

> 
> All,
> 
> Both WASC and the MITRE CWE team have begun exploring the feasibility of 
> enumerating or classifying the types of mitigations that are used to fix 
> software defects/weaknesses.  Does anybody know of such work in this area? 
> (We can draw from sources such as McGraw/Viega "Building Secure Software," 
> and 'indirect' sources such as ESAPI, but I was wondering if there was 
> something that was a little more focused on mitigations.)
> 
> CWE status:
> 
> http://www.webappsec.org/lists/websecurity/archive/2010-10/msg00065.html
> 
> WASC status:
> 
> http://www.webappsec.org/lists/websecurity/archive/2010-10/msg00066.html
> 
> 
> 
> Thanks,
> Steve
> _______________________________________________
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
> _______________________________________________
