All,
I followed this article up with a blog entry, more targeted at adopting
organizations. I hope you find it useful:
http://www.cigital.com/justiceleague/2011/02/02/if-its-so-hard-why-bother/
John Steven
Senior Director; Advanced Technology Consulting
Desk: 703.404.9293 x1204 Cell
-ESAPI code. I've
been on the ESAPI mailing list for a while and can't discern from conversation
much information regarding successful operationalization, though I hear
rumblings of people working on this very problem.
Cheers all,
John Steven
Senior Director; Advanced Technology Consulting
a knowledgeable but separate
perspective: the ESAPI approach has pluses and minuses just like all the
others.
John Steven
Senior Director; Advanced Technology Consulting
Desk: 703.404.9293 x1204 Cell: 703.727.4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Blog: http
assured that those of us out there that have looked get
that ESAPI can be a good thing.
John Steven
Senior Director; Advanced Technology Consulting
Desk: 703.404.9293 x1204 Cell: 703.727.4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Blog: http://www.cigital.com
analysis on binaries
via SAAS' battle, they and the organizations they serve would do well to
keep this question in mind... Or risk the same failures that the current
crop of parser-based static-analysis tools face against dynamic approaches.
-jOHN
On 7/29/09 8:44 AM, John Steven jste...@cigital.com
, and a set of constructive steps
forward to improve one's practices:
http://www.owasp.org/images/d/df/Moving_Beyond_Top_N_Lists.ppt.zip
I cover how one should cause their own organization-specific Top N list to
emerge and how to manage it once it does.
John Steven
Senior Director; Advanced
in the first month. Though, any seasoned QA professional
will tell you--expecting to is ludicrous.
John Steven
Senior Director; Advanced Technology Consulting
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Blog: http://www.cigital.com
to support it,
but as a commercial organization, I wouldn't hold your breath on near-term
support.
I could answer how these tools support new languages, but that doesn't seem
like public domain knowledge. I'll let the vendors tackle that 'un.
John Steven
Technical Director; Principal
seen some organizations control this cost effectively and still get value:
See:
http://www.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e2%80%9cspecificity-knob%e2%80%9d/#comment-1048
Some people think my stand controversial...
What do you guys think?
John Steven
as justification.
Well, this is long enough for now. If there are topics you'd like me
to enumerate more fully, or if I've missed something, shoot me an email.
Hope this helps, and sorry I didn't just attach a PPT ;)
John Steven
Technical Director; Principal, Software Security Group
Direct: (703
/hurting us isn't _your_ goal. But, by
collecting data on 7 figures of your own code base, you can start to
see what trends in your programmers' coding practices play to which
tools. This can, in fact, help you make a better tool choice.
John Steven
Technical Director; Principal, Software
the PrivilegedAction subclass as an explicit top-level
class and they've passed information to-and-fro using the inner class
syntactic sugar--rather than explicit method calls defined pre-
compile time.
John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726
contend with a
vulnerability is also valuable.
In other words, smart guys will always find the problems--by hook, or by
crook--but it takes classification to aid in efficient and thorough
mitigation.
-
John Steven
Principal, Software Security Group
Technical Director, Office
that overcomes my prejudice, or are you referring to the navigator tools as well?
-
John Steven
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 727 4034 - Cell
Cigital Inc. | [EMAIL PROTECTED]
4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5
that prevent software folk from making the same mistake again.
-
John Steven
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 727 4034 - Cell
Cigital Inc. | [EMAIL PROTECTED]
4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
of further fleshing out the flaw.
Is this at all helpful?
-
John Steven
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 727 4034 - Cell
Cigital Inc. | [EMAIL PROTECTED]
4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
From
a sampling from a larger laundry list. But, hopefully it
provides some more guidance to those whose appetites are whetted from Gunnar
and Johan's posts.
-
John Steven
Principal, Software Security Group
Technical Director, Office of the CTO
703 404 5726 - Direct | 703 727 4034 - Cell
Cigital Inc