Now here's an interesting development in the software security space.
Seems that New York State is going to start requiring contracted
application developers to conform with a minimum set of practices (as
covered in the SANS Application Security Procurement Language,
hi sc-l,
Ever wonder what it's like to cover security from a media perspective? Bill
Brenner (once at TechTarget and now Sr Ed at CSOonline and CSO magazine) is my
victim in the 34th Silver Bullet.
http://www.cigital.com/silverbullet/show-034/
A bit less on software security this time, but
* Steven M. Christey:
Yet smart people insist that it's still input validation, even
when presented with the example I gave. So what's the
perspective difference that's causing the disconnect?
Some technologies are designed as if to discourage proper output
encoding. Most
On Tue, 13 Jan 2009, Greg Beeley wrote:
Steve I agree with you on this one. Both input validation and output
encoding are countermeasures to the same basic problem -- that some of
the parts of your string of data may get treated as control structures
instead of just as data.
Note that I'm
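The point Greg makes above (that input validation and output encoding both counter the same problem: parts of a data string being read as control structure by a downstream interpreter) can be shown concretely. The following is an added example written for this page, not code from any poster on the list. It assumes an HTML text context as the interpreter and uses constructed sample inputs; the function names are the author's own.

```python
import html
import re

# Constructed sample inputs (not taken from the list thread).
SAMPLES = {
    "benign": "alice",
    "apostrophe": "O'Brien",          # legitimate data that validation may reject
    "markup": "<b>alice</b>",         # data an HTML parser would read as structure
}

# Allowlist for a username field: only characters the field actually needs.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def validate_username(value: str) -> bool:
    """Input validation (allowlist style).

    Anything that could carry control characters for a downstream
    interpreter is rejected before it is stored or rendered.
    """
    return USERNAME_RE.fullmatch(value) is not None


def render_unsafe(name: str) -> str:
    """The 'before' case: raw concatenation into an HTML text context.

    The characters in `name` reach the browser's HTML parser unchanged,
    so part of the data string can be interpreted as markup.
    """
    return "<p>Hello, " + name + "</p>"


def render_encoded(name: str) -> str:
    """Output encoding for the HTML text context.

    html.escape turns <, >, &, \" and ' into character references, so the
    parser treats them as text regardless of what validation ran earlier.
    """
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def survives_as_markup(rendered: str, name: str) -> bool:
    """Demo check: did a tag-bearing input land in the output verbatim?"""
    return "<" in name and name in rendered


def compare_countermeasures() -> dict:
    """Run every sample through both countermeasures and summarise.

    For each sample we record whether allowlist validation accepts it,
    and whether the unencoded and encoded renderings still contain the
    input as literal markup.
    """
    result = {}
    for label, value in SAMPLES.items():
        result[label] = {
            "validation_accepts": validate_username(value),
            "unsafe_keeps_markup": survives_as_markup(render_unsafe(value), value),
            "encoded_keeps_markup": survives_as_markup(render_encoded(value), value),
        }
    return result


if __name__ == "__main__":
    for label, row in compare_countermeasures().items():
        print(label, row)
```

Running it shows the two countermeasures covering different ground: validation rejects the markup sample outright, but also rejects the perfectly legitimate `O'Brien`, while encoding renders all three safely without deciding what the data is allowed to be. That is why, for a free-text field, validation cannot be the only countermeasure, which is the disconnect Steve is pointing at.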
What is a business rule? Something like If the customer has changed
the shipment address from a previous order, we must re-request his or
her credit card details? How would you implement *that* using input
validation?
The example I often use is 'equity can only be used as debt
collateral,
Hi Chris,
You certainly have a point. There are occasional stories on software security
that are not disaster coverage or top tens, but not enough (sample from this
set: http://www.cigital.com/~gem/press/).
gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog
On Jan 14, 2009, at 8:45 PM, Steven M. Christey wrote:
To all, I'll ask a more strategic question - assuming we're agreed that
the Top 25 is a non-optimal means to an end, what can the software
security community do better to raise awareness and see real-world
change?
From a Web
Brian Chess, Sammy Migues and I continue to pound out the software assurance
maturity model. Expect more on that soon. Working with a large real-world
data set has really been amazing.
For those of you just getting wind of this, see:
http://www.informit.com/articles/article.aspx?p=1271382