Congratulations to you, Brian, Sammy, and the rest of the BSIMM3
I have a few questions:
1) Was any analysis done to ensure that the 3 levels are consistent
from a maturity perspective - for example, if an organization
performed an activity at level 2, that there was
While I'd like to see Black Hat add some more defensive-minded tracks, I
just realized that this desire might be a symptom of a larger problem: there
aren't really any large-scale conferences dedicated to defense / software
assurance. (The OWASP conferences are heavily web-focused; Dept. of
Maybe you would have had more success if you explicitly said in the
On Thu, 3 Feb 2011, Jim Manico wrote:
I've tried to leverage Veracode in recent engagements. Here is how the
Jim: Boss, can I upload all of your code to this cool SaaS
Excellent article! For the Top 25, we've had lots of people assume that
the entire list is about domain-specific issues, when it covers
domain-agnostic issues as well. My first guess is that domain-specific
has a loose association with implementation, and domain-agnostic has a
On Mon, 20 Dec 2010, Arian J. Evans wrote:
On a day to day basis - here are the most common backdoors in
webapps I've encountered over the last 15 years or so:
1) Developer Tools Backdoor hidden under obscure path
2) COTS module improperly deployed results in backdoor
3) Custom admin module,
FYI - heard about this from Russell Thomas on another list. The US
Department of Homeland Security will be publishing a Broad Agency
Announcement (BAA) related to software assurance; an Industry Day session
will take place on November 17, with a registration deadline of November
On Fri, 22 Oct 2010, Jim Manico wrote:
I think the deprecation of these technologies for an enterprise is a
wise idea. :) How can a large enterprise use PHP or ASP for
security-critical applications with a straight face? Let's move forward
to Ruby on Rails, Enterprise Java, .NET and other
On Thu, 21 Oct 2010, James Manico wrote:
A lot of smart people disagree with me here - but the history of Java
sandbox problems, data theft through reflection, the weak security policy
mechanism, etc, backs up my recommendation.
Given the history of security problems in the PHP interpreter
CWE, CLASP, and some other information sources have a number of code
snippets that highlight various weaknesses. In CWE, this code is easily
extractable from the XML by grabbing the Demonstrative_Examples element,
and we've even conveniently labeled examples with the various languages.
On Fri, 5 Feb 2010, McGovern, James F. (eBusiness) wrote:
One of the general patterns I noted while providing feedback to the
OWASP Top Ten listserv is that top ten lists do sort differently. Within
an enterprise setting, it is typical for enterprise applications to be
built on Java, .NET or
On Wed, 3 Feb 2010, Gary McGraw wrote:
Popularity contests are not the kind of data we should count on. But
maybe we'll make some progress on that one day.
That's my hope, too, but I'm comfortable with making baby steps along the
Ultimately, I would love to see the kind of linkage
On Thu, 4 Feb 2010, Jim Manico wrote:
These companies are examples of recent epic security failure. Probably
the most financially damaging infosec attack, ever. Microsoft let a
plain-vanilla 0-day slip through ie6 for years
Actually, it was a not-so-vanilla use-after-free, which once upon a
On Tue, 2 Feb 2010, Wall, Kevin wrote:
To study something scientifically goes _beyond_ simply gathering
observable and measurable evidence. Not only does data need to be
collected, but it also needs to be tested against a hypothesis that offers
a tentative *explanation* of the observed
On Tue, 2 Feb 2010, Arian J. Evans wrote:
BSIMM is probably useful for government agencies, or some large
organizations. But the vast majority of clients I work with don't have
the time or need or ability to take advantage of BSIMM. Nor should
they. They don't need a software security group.
Speaking of top 25 tea leaves, the bug parade boogeyman just called
and reminded me that the 2010 Top 25 is due to be released next Thursday,
February 4. Thanks for the plug.
A preview of some of the brand-new features:
1) Data-driven ranking with alternate metrics to feed the brain and
On Thu, 7 Jan 2010, Stephen Craig Evans wrote:
I am VERY curious to learn how these happened...
My name is Steve. I had a 2010 problem.
An internal CVE support program was hit by this issue. Fortunately,
there weren't any fatal results and it was only an annoyance. However: I
I wonder what would happen if somebody offered $1 to the first applied
researcher to find a fault or security error. According to
overflows, memory leaks, and other issues are not present. Maybe people
would give up if they
CVE is littered with these kinds of issues, for PHP especially. The
scripts are often open source, fully-functional packages that just happen
to have lots of security issues. Sometimes the root cause is buried
fairly deep in the code, but the people who find these bugs often care
On Wed, 18 Mar 2009, Gary McGraw wrote:
Many of the top N lists we encountered were developed through the
consistent use of static analysis tools.
Interesting. Does this mean that their top N lists are less likely to
include design flaws? (though they would be covered under various other
On Wed, 18 Mar 2009, Gary McGraw wrote:
Because it is about building a top N list FOR A PARTICULAR ORGANIZATION.
You and I have discussed this many times. The generic top 25 is
unlikely to apply to any particular organization. The notion of using
that as a driver for software purchasing is
On Wed, 18 Mar 2009, Gary McGraw wrote:
Both early phases of software security made use of any sort of argument
or 'evidence' to bolster the software security message, and that was
fine given the starting point. We had lots of examples, plenty of good
intuition, and the best of intentions.
In the past year or so, I've been of a growing mindset that one of the
hidden powers of CWE and other weakness/bug/vulnerability/attack
taxonomies would be in evaluating secure coding practices: if you do X and
Y, then what does that actually buy you, in terms of which vulnerabilities
On Tue, 13 Jan 2009, Greg Beeley wrote:
Steve I agree with you on this one. Both input validation and output
encoding are countermeasures to the same basic problem -- that some of
the parts of your string of data may get treated as control structures
instead of just as data.
Note that I'm
On Tue, 13 Jan 2009, Gary McGraw wrote:
I thought you might get a kick out of it.
I did! :-) Always good to have debates.
Executives don't care about technical bugs
No, but they do what PCI says they have to (i.e. listen to the OWASP Top
Ten). They do care about the bottom line. They hate
All, I'm the editor of the Top 25 list. Thanks to Ken and others on SC-L
who provided some amazing feedback before its publication. I hope we were
able to address most of your concerns and am sorry that we couldn't
address all of them.
Note that MITRE's site for the Top 25 is more technically
Since this is the week of the top-lists related to secure coding, I
thought I'd notify the SC-L people about a new collaboration between SANS
and MITRE. We are creating a Top 25 list of the worst programming errors,
targeted largely at developers, software managers, and CIOs.
The list is not as
On Tue, 25 Nov 2008, Mark Rockman wrote:
Assuming this is repeated for every use case, the resulting
reports would be a very good guide to how CAS settings should be
established for production. Of course, every time the program is changed
in any way, the process would have to be repeated.
The CWE Research view (CWE-1000) is language-neutral at its higher-level
nodes, and decomposes in some areas into language-specific constructs.
Early experience suggests that this view is not necessarily
developer-friendly, however, because it's not organized around the types
of concepts that
On Tue, 4 Nov 2008, Benjamin Tomhave wrote:
An interesting read. Not much to really argue with, I don't think.
Agree. But, just to bolster (if it's relevant) I'll expand on my comment
On Tue, 29 Apr 2008, Joe Teff wrote:
If I use Parameterized queries w/ binding of all variables, I'm 100%
immune to SQL Injection.
Sure. You've protected one app and transferred risk to any other
process/app that uses the data. If they use that data to create dynamic
sql, then what?
On Mon, 4 Feb 2008, ljknews wrote:
(%s to fill up disk or memory, anybody?), so it's marked with
All and it's not in the C-specific view, even though there's a heavy
concentration of format strings in C/C++.
It is marked as All ?
What is the construct in Ada that has such a
Another question is how many of the reported bugs wound up being false
positives. Through casual conversations with some vendor (I forget whom),
it became clear that the massive number of reported issues was very
time-consuming to deal with, and not always productive. Of course this is
On Fri, 30 Nov 2007, Shea, Brian A wrote:
Software vendors will need a 3 tier approach to software security: Dev
training and certification, internal source testing, external
independent audit and rating.
I don't think I've seen enough emphasis on this latter item. A
Interesting that attack surface isn't included, given that Microsoft was
one of the earliest advocates of attack surface, a metric that is likely
strongly associated with the number of input-related vulnerabilities.
It's probably hard to do perfectly, though, especially if any third-party
On Mon, 8 Oct 2007, Gary McGraw wrote:
Not surprising. Last time I looked, attack surface is subjective.
McCabe is not. BTW, McCabe's Cyclomatic complexity boils down to 85%
lines of code and 15% data flow if you do a principal component analysis
Hopefully the SEI people are
I figured people on this list might be interested in this. If you have
any concerns or suggestions about CWE, the upcoming months will be the
best time to raise them in a focused discussion forum, the CWE Researcher
If you don't know what CWE is, then shame on me for not pimping it
On Tue, 26 Jun 2007, Kenneth Van Wyk wrote:
Mind you, the overrun can only be exploited when specific characters
are used as input to the loop in the code. Thus, I'm inclined to
think that this is an interesting example of a bug that would have
been extraordinarily difficult to find using
On 6/26/07 4:25 PM, Wall, Kevin [EMAIL PROTECTED] wrote:
I mean, was the fix really rocket science that it had to take THAT
LONG??? IMHO, no excuse for taking that long.
Some major vendor organizations, most notably Oracle and Microsoft, have
frequently stated that they can't always fix even
On Mon, 11 Jun 2007, Crispin Cowan wrote:
Gary McGraw wrote:
Though I don't quite understand computer science theory in the same way
that Crispin does, I do think it is worth pointing out that there are two
major kinds of security defects in software: bugs at the implementation
I agree with Ryan, at the top skill levels anyway. Binary reverse
engineering seems to have evolved to the point where I refer to binary as
source-equivalent, and I was told by some well-known applied researcher
that some vulns are easier to find in binary than source.
But the bulk of public
On Tue, 12 Jun 2007, Michael S Hines wrote:
So - aren't a lot of the Internet security issues errors or omissions in the
IETF standards - leaving things unspecified which get implemented in
different ways - some of which can be exploited due to implementation flaws
(due to specification
On Thu, 7 Jun 2007, Michael Silk wrote:
and that's the problem. the accountability for insecure coding should
reside with the developers. it's their fault [mostly].
The customers have most of the power, but the security community has
collectively failed to educate customers on how to ask for
On Wed, 6 Jun 2007, Wietse Venema wrote:
more and more people, with less and less experience, will be
programming computer systems.
The challenge is to provide environments that allow less experienced
people to program computer systems without introducing gaping
holes or other unexpected
On Tue, 22 May 2007, McGovern, James F (HTSC, IT) wrote:
We will shortly be starting an evaluation of tools to assist in the
secure coding practices initiative and have been wildly successful in
finding lots of consultants who can assist us in evaluating but
absolutely zero in terms of
On Mon, 14 May 2007, McGovern, James F (HTSC, IT) wrote:
1. ONLY consultants and vendors have jumped on the bandwagon. Other IT
professionals such as those who work in large enterprises have no
motivation to pursue.
Only vendors have jumped on the bandwagon? The software developers are
On Sat, 12 May 2007, ljknews wrote:
but based on biases I see on this list, I tend to believe that those
who make such a certification scheme would bias it toward:
Programming done in C and derivative languages (C++, Java, etc.)
Programming relying on TCP/IP
neither of which
On Wed, 21 Mar 2007, mudge wrote:
Sorry, but I couldn't help but be reminded of an old L0pht topic that
we brought up in January of 1999. Having just re-read it I found it
still relatively poignant: Cyberspace Underwriters Laboratories.
I was thinking about this, too, I should have
I was originally going to say this off-list, but it's not that big a deal.
Arian J. Evans said:
I think you are on to something here in how to think about this subject.
Perhaps I should float my little paper out there and we could shape up
something worth while describing how the industry is
On Mon, 19 Mar 2007, Crispin Cowan wrote:
Since many users are economically motivated, this may explain why users
don't care much about security :)
But... but... but...
I understand the sentiment, but there's something missing in it. Namely,
that the costs related to security are not really
On a slightly tangential note, and apologies if this was mentioned on this
list previously, OWASP has some guidelines on how consumers can write up
contracts with their vendors related to secure software:
On Thu, 8 Mar 2007, Greg Beeley wrote:
Perhaps one of the issues here is that if you are in operations work
(network security, etc.), there are more aspects of the CISSP that are
relevant to your daily work. In software development, there is usually
just the one - app development sec - that
Based on my general impressions in day-to-day operations for CVE (around
150 new vulns a week on average), maybe 40-60% of disclosures happen
without any apparent attempt at vendor coordination, another 10-20% with a
communication breakdown (including they didn't answer in 2 days), and
On Tue, 27 Feb 2007, J. M. Seitz wrote:
Always a great debate, I somewhat agree with Marcus, there are plenty of
pimps out there looking for fame, and there are definitely a lot of them
(us) that are working behind the scenes, taking the time to help the vendors
and to stay somewhat out of
[EMAIL PROTECTED] said:
that wasn't the question- well 'not how can overwriting 5 bytes help
you', but what error do you code that's a miscount by 5 bytes?
The off-by-one errors I am familiar with have manipulated character
arrays, so each element is one byte long. When the index is off by
Mads Rasmussen [EMAIL PROTECTED] said:
I for one have difficulties understanding the off-by-one
vulnerability. Maybe a kind soul would step in?
I'll try to tackle this. Corrections or additions are most welcome :)
In general, off-by-one bugs involve small errors in which an array of
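The character-array off-by-one pattern discussed in the two messages above, as an added example that is not from the original posts: a copy loop written with `<=` instead of `<` stores the terminating NUL one byte past an 8-byte buffer, so an input of exactly 8 characters clobbers whatever sits after the buffer, while shorter inputs behave normally. The `struct region` layout, the canary byte, `BUF_LEN` and the function names are constructed for this demo; the buffer and the byte after it live in one array so the clobber is observable without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8
#define CANARY  0xAA

/* Constructed "memory region" for the demo: an 8-byte buffer followed by a
 * canary byte that stands in for whatever follows the buffer on a real
 * stack (a saved pointer, another local, a length field). Keeping both in
 * one array keeps every write inside the object, so the demo is defined
 * behaviour while still showing the one-byte overwrite. */
struct region {
    unsigned char bytes[BUF_LEN + 1];
};

static void region_init(struct region *r) {
    memset(r->bytes, 0, sizeof r->bytes);
    r->bytes[BUF_LEN] = CANARY;
}

/* Returns 1 while the byte after the buffer is untouched, 0 once clobbered. */
static int canary_intact(const struct region *r) {
    return r->bytes[BUF_LEN] == CANARY;
}

/* Vulnerable copy: the bound is checked, but the loop uses "<=" so it
 * copies len + 1 bytes (data plus NUL). For len == BUF_LEN that last byte
 * lands in bytes[BUF_LEN], the byte after the buffer. */
static void copy_off_by_one(struct region *r, const char *src) {
    size_t len = strlen(src);
    char *buf = (char *)r->bytes;

    if (len > BUF_LEN)          /* caps data length, forgets the terminator */
        len = BUF_LEN;
    for (size_t i = 0; i <= len; i++)   /* BUG: writes buf[len] */
        buf[i] = src[i];
}

/* Fixed copy: account for the terminator before copying and reject input
 * that would not fit rather than silently truncating it. */
static int copy_bounded(struct region *r, const char *src) {
    size_t len = strlen(src);
    char *buf = (char *)r->bytes;

    if (len >= BUF_LEN)         /* need len + 1 bytes including the NUL */
        return -1;
    memcpy(buf, src, len + 1);
    return 0;
}

/* Runs the vulnerable copy on a fresh region; 1 = canary survived, 0 = clobbered. */
int demo_off_by_one(const char *src) {
    struct region r;
    region_init(&r);
    copy_off_by_one(&r, src);
    return canary_intact(&r);
}

/* Runs the fixed copy; 1 = copied and canary intact, -1 = input rejected. */
int demo_bounded(const char *src) {
    struct region r;
    region_init(&r);
    if (copy_bounded(&r, src) != 0)
        return -1;
    return canary_intact(&r);
}

int main(void) {
    const char *inputs[] = { "short", "1234567", "12345678", "123456789" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-10s off-by-one canary intact: %d   bounded: %d\n",
               inputs[i], demo_off_by_one(inputs[i]), demo_bounded(inputs[i]));
    }
    return 0;
}
```

Only the 8-character input (and anything longer, which the cap turns into 8) trips the vulnerable loop; inputs of 7 or fewer characters are harmless, which is why this class of bug survives ordinary testing and why a single-byte overwrite of the byte after the buffer is still worth taking seriously.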