Re: [SC-L] Microsoft Pushes Secure, Quality Code

2007-10-09 Thread Romain Gaucher
Hi Steven,
I'm (with Vadim Okun) currently doing some research and prototype 
development in that direction. We are actually counting the number of 
diffused inputs (diffuse in the sense of affecting other variables, 
even with filter application, etc.) going through sinks.

We are working on PHP code only for now, since we have to work pretty 
much from scratch (using yaxx to generate the AST), but we have 
started evaluating real code (WordPress, MediaWiki, Dotclear, 
Joomla, etc.). We also plan to try different combinations of possible 
metrics and see the correlation between them.

But well, the main problem with such a metric is that it's strongly 
related to how the programmer works:
- Is it better to have lots of different variables that are variations 
of a single input? I thought not...
- Is it better to have localized inputs in the source code? I think yes...
- Shall we also count the number of classes, the object orientation of the 
code, the number of functions...?

These are some questions that we are currently working on. If you guys 
have any ideas or comments about that, I would really appreciate it :)

Romain
http://rgaucher.info


Steven M. Christey wrote:
> Interesting that attack surface isn't included, given that Microsoft was
> one of the earliest advocates of attack surface, a metric that is likely
> strongly associated with the number of input-related vulnerabilities.
> It's probably hard to do perfectly, though, especially if any third-party
> APIs are involved.
> 
> Are there any tools out there that try to measure attack surface?  Has
> anybody had any experience in trying to apply it?
> 
> - Steve

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
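To make the "diffused inputs going through sinks" count concrete, here is a toy version of such a metric as an added example (not Romain and Vadim's prototype, and not built on yaxx). It assumes a flattened, PHP-like statement list standing in for the AST, and it counts, per sink call, how many input-derived variables reach it (still counting those that went through a filter) and, per input, how many other variables it has spread into:

```python
# Toy taint-diffusion counter (added example). Statements stand in for a
# flattened PHP AST:
#   ("input", var)           var holds untrusted input, e.g. a $_GET key
#   ("assign", dst, [srcs])  dst computed from srcs (concat, arithmetic, ...)
#   ("filter", dst, src)     dst = sanitizer(src); still counted as derived
#   ("sink", name, [args])   call of a sensitive function (query, echo, ...)
from collections import defaultdict

def analyse(stmts):
    """Return (sinks, diffusion): tainted args reaching each sink call, and
    how many other variables each input has spread into."""
    origin = {}        # var -> set of root inputs its value derives from
    filtered = set()   # tainted vars whose tainted sources were all sanitized
    sinks = []
    for stmt in stmts:
        kind, dst = stmt[0], stmt[1]
        if kind == "input":
            origin[dst] = {dst}
        elif kind in ("assign", "filter"):
            srcs = stmt[2] if kind == "assign" else [stmt[2]]
            tainted = [v for v in srcs if v in origin]
            if not tainted:                 # constant/clean value kills taint
                origin.pop(dst, None)
                filtered.discard(dst)
                continue
            origin[dst] = set().union(*(origin[v] for v in tainted))
            if kind == "filter" or all(v in filtered for v in tainted):
                filtered.add(dst)
            else:
                filtered.discard(dst)
        elif kind == "sink":
            args = [a for a in stmt[2] if a in origin]
            sinks.append({"sink": dst, "tainted_args": len(args),
                          "unfiltered": sum(a not in filtered for a in args),
                          "roots": sorted(set().union(*(origin[a] for a in args)))})
    diffusion = defaultdict(set)
    for var, roots in origin.items():
        for r in roots:
            if var != r:
                diffusion[r].add(var)
    return sinks, {r: len(v) for r, v in diffusion.items()}

# Constructed sample: $id = $_GET['id']; $safe_id = intval($id); $name = $_POST['name'];
# $sql = "... id=$safe_id AND name='$name'"; mysql_query($sql);
# $greeting = $name; $greeting = "Hi"; echo $greeting, $safe_id;
PROGRAM = [
    ("input", "$_GET['id']"), ("input", "$_POST['name']"),
    ("assign", "$id", ["$_GET['id']"]), ("filter", "$safe_id", "$id"),
    ("assign", "$name", ["$_POST['name']"]), ("assign", "$sql", ["$safe_id", "$name"]),
    ("sink", "mysql_query", ["$sql"]), ("assign", "$greeting", ["$name"]),
    ("assign", "$greeting", []), ("sink", "echo", ["$greeting", "$safe_id"]),
]
```

The second sink shows the point of the "unfiltered" column: the variable reaching it still counts as diffused input, but every path to it went through a sanitizer.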


Re: [SC-L] Microsoft Pushes Secure, Quality Code

2007-10-09 Thread Gunnar Peterson
> That said, we should keep trying!  I believe one answer is to take advantage
> of relative metrics over time.
> 

I agree that this can be a practical starting point for organizations. I had
a client starting down the path with static analysis; they have thousands of
developers and many applications. They have a small software security team
and they obviously cannot scan every single app. Worse, if they find
something, they don't necessarily have the governance in place to make sure
that a lot of what they find gets addressed.

So what we did was to get the CIO to give them one silver bullet a month.
They scanned 8-10 apps per month, and whichever one came up worst based on
the metrics in the group had to remediate. This approach has some
incremental benefits: 1) it gets security out of the "it's perfect or it's
broken" business, 2) at least one project per month makes measurable
improvements, and 3) the projects are not being compared to an ivory tower but
rather to their peers who have to deliver under the same constraints, making
the suggested remediations more palatable to the developers.

There is no way to relativity, relativity is the way.

-gp




Re: [SC-L] Microsoft Pushes Secure, Quality Code

2007-10-09 Thread Gary McGraw
I am in full agreement that we need metrics.  The challenge is that syntactic 
metrics are easy to compute and not very useful from a management perspective, 
and that business-relevant metrics are much fuzzier and difficult to compute 
given a glob of code.

That said, we should keep trying!  I believe one answer is to take advantage of 
relative metrics over time.

gem

company www.cigital.com

--Original Message--
From: Steven M. Christey
To: Gary McGraw
Cc: Steven M. Christey
Cc: Secure Coding Mailing List
Sent: Oct 8, 2007 4:07 PM
Subject: RE: [SC-L] Microsoft Pushes Secure, Quality Code


On Mon, 8 Oct 2007, Gary McGraw wrote:

> Not surprising.  Last time I looked, attack surface is subjective.
> McCabe is not.  BTW, McCabe's Cyclomatic complexity boils down to 85%
> lines of code and 15% data flow if you do a principal component analysis
> on it.

Hopefully the SEI people are monitoring this list and can provide their
feedback.  They've done some concrete work in making attack surface as
objective as possible, enough to the point where they compared 2 FTP
servers about a year ago.  One of their papers comments that they wanted
to use the code scanners to make the calculations for them, but for some
reason they couldn't.

I was under the impression from Mike Howard's comments over the years,
that MS had some concrete (perhaps subjective) comparisons between
different MS variants, and this was part of the argument for Vista's
security over past MS operating systems.

> Just throw the code in the box and turn the crank.  Then discard the
> results and you're done!

While I understand the sentiment, it seems to me that you can't get very
far without metrics of some sort.  Perhaps more importantly, the real
decision-makers need them because it's not their job (and probably not
their expertise) to pore through endless details.

- Steve



[SC-L] CfP for 2nd Int. Workshop on Secure Software Engineering

2007-10-09 Thread Holger.Peine
Dear all,

I think the following call for papers is highly relevant for readers
of this list, so please pardon me for promoting an event for the first time:


   Second International Workshop on Secure Software Engineering (SecSE 2008)
                         In conjunction with ARES 2008
                    Barcelona, Catalonia, March 4th-7th 2008
                      http://www.ares-conference.eu/conf/


                               Call for Papers


Introduction
============

In our modern society, software is an integral part of everyday life,
and we expect and depend upon software systems to perform
correctly. Software security is about ensuring that systems continue
to function correctly also under malicious attack. As most systems now
are web-enabled, the number of attackers with access to the system
increases dramatically and thus the threat scenario changes. The
traditional approach to secure a system includes putting up defence
mechanisms like IDS and firewalls, but such measures are no longer
sufficient by themselves. We need to be able to build better, more
robust and more secure systems. Even more importantly, however, we
should strive to achieve these qualities in all software systems, not
just the ones that need special protection.

This workshop will focus on techniques, experiences and lessons
learned for engineering secure and dependable software.

Topics
======
Suggested topics include, but are not limited to:
- Secure architecture and design
- Security in agile software development
- Aspect-oriented software development for secure software
- Security requirements
- Risk management in software projects
- Secure implementation
- Secure deployment
- Testing for security
- Quantitative measurement of security properties
- Static and dynamic analysis for security
- Verification and assurance techniques for security properties
- Lessons learned
- Security and usability
- Teaching secure software development
- Experience reports on successfully attuning developers to secure software 
  engineering 

Important dates:
================
- Submission Deadline:  October 25th 2007 (NOTE: Extended from 10th) 
- Author Notification:  November 30th 2007
- Author Registration:  December 15th 2007
- Proceedings Version:  January 15th 2008
- Conference/workshop:  March 4th - March 7th 2008


Submission Guidelines
=====================
Authors are invited to submit research and application papers in IEEE
Computer Society Proceedings Manuscripts style (two columns,
single-spaced, including figures and references, using 10-point fonts, and
numbering each page). Please consult the IEEE CS Author Guidelines at the
following web page:

http://preview.tinyurl.com/psg2o 

We solicit the submission of full papers (8 pages) representing
original, previously unpublished work. Submitted papers will be
carefully evaluated based on originality, significance, technical
soundness, and clarity of exposition.

Duplicate submissions are not allowed. A submission is considered to
be a duplicate submission if it is submitted to other
conferences/workshops/journals or if it has been already accepted to
be published in other conferences/workshops/journals. Duplicate
submissions thus will be automatically rejected without reviews.

Contact author must provide the following information: paper title,
authors' names, affiliations, postal address, phone, fax, and e-mail
address of the author(s), about 200-250 word abstract, and about five
keywords and register at our ARES website:

http://www.ares-conference.eu/conf/ 

Submission of a paper implies that should the paper be accepted, at
least one of the authors will register for the ARES conference and
present the paper in the workshop. Accepted papers will be given
guidelines in preparing and submitting the final manuscript(s)
together with the notification of acceptance. Note that SecSE 2008
does not require anonymized submissions.

Publication
===========
All accepted papers will be published as ISBN proceedings published by
the IEEE Computer Society.

Organizing committee:
=====================
Torbjørn Skramstad, Norwegian University of Science and Technology (NTNU)
Lillian Røstad, Norwegian University of Science and Technology (NTNU)
Martin Gilje Jaatun, SINTEF ICT, Norway

Enquiries to the organizing committee may be sent to: 
SecSE08 "replace with at-character" gmail.com

Program committee
=================
Rubén Alonso, ESI, Spain 
Ana Cavalli, GET/INT, France
Ivan Flechais, University of Oxford, UK 
Per Håkon Meland, SINTEF ICT, Norway
Leon Moonen, Delft University of Technology, Netherlands  
Khalid Mughal, University of Bergen, Norway
Holger Peine, Fraunhofer IESE, Germany
Samuel Redwine, James Madison University, USA
Chunming Rong, University of Stavanger, Norway
Lillian Røstad, NTNU, Norway
Christoph Schuba, Sun Microsystems Inc., USA
Nahid Shahmehri, Linköping University, Sweden
Torbjørn Skramstad, NTNU, Norway
Bart De Win, KU Leuven, Belgium
Stephen Wolthusen, Royal Hol