Re: [SC-L] SANS/CWE Top 25: "The New Standard" for Webappsec

2009-01-19 Thread Stephen Craig Evans
Hi Arian,

" SANS has spoken and I think that is a pretty clear indication what is
going on)"

Have you been watching Wizard of Oz re-reruns again? This sentence sounds
too much like "The Mighty Oz has spoken" :-)

Cheers,
Stephen

On Sat, Jan 17, 2009 at 11:39 AM, Arian J. Evans wrote:

> Hello all. Xposting to SCL and WASC:
>
> Following up on my commentary on the
> WASC list about the SANS/CWE "Top 25"
>
> I have repeatedly confirmed that the SANS/CWE
> Top 25 is being actively used, and growing in
> use, as a "Standard".
>
> I understand the spirit of intent and that the
> makers are not accountable for how it is used,
> but we need to be realistic about how it is
> being implemented in the real world *now*.
>
> It is beginning to be used as a "standard" for:
> * what security defects to test software for
> * how to measure the security quality of software
> * how to build secure software
> * what to teach developers about coding securely
>
>
> I have confirmed this with:
> * peers
> * corporations
> * state governments
> * software security solutions vendors
> * customers
>
> We are already seeing RFPs for products
> and services, management and auditor
> created "internal" standards, and requests
> for training and reporting using the "SANS/
> CWE Top 25" as a standard.
>
> There are three goals of this post:
>
> 1) to make very clear to all involved that
> what is being built with the "Top 25" list is
> a minimum standard of due care.
>
> 2) To suggest that this is (most likely) how
> it is primarily going to be used.
>
> (You brought the SANS/CIS club to the dance here...)
>
> 3) Suggest that future versions be re-focused
> on building actual minimum standards of
> due care for the demonstrated needs.
>
> The great thing that is coming out of this Top 25
> experiment is to identify that awareness and
> hunger-level for material like this is very high.
>
> This is also showing us what people really want
> right now:
>
> People want a minimum standard of due care.
>
> It is obvious people want bite-sized digestible
> snippets to use as guidelines for making and
> measuring the security quality of our software.
>
> That is evidenced by how rapidly people have
> latched onto this new list. (one week + !)
>
> The SANS and Mitre brands have huge stock in
> the mainstream, non-appsec security community,
> much larger than OWASP and WASC, as is
> evidenced again by the attention this is getting
> throughout the infosec and audit communities.
>
> And summing up, directly from Alan Paller:
>
>
> http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1344962,00.html
>
>
> Conclusions:
>
> We need a minimum standard of due care Top N list.
>
>
> We really need THREE minimum standards of due care:
>
> 1) Top N issues/defects to test your software for
> 2) Top N principles to build secure software
> 3) Top N strategies to improve software security in your enterprise
>
> Webappsec folks should make webappsec
> versions, or else we will all wind up using
> the same ones for *everything*.
>
> We might want to divide/share efforts between
> organizations and cross-reference each other
> for maximum (positive) effect. We could likely
> leverage each others' work and try to unify
> our language across appsec communities.
>
> (Ideologies and pet naming systems are where
> these efforts always break down in our group.)
>
>
> I am avoiding the debate over the inherent
> problems with "Top N" and bug parade approaches
> in general.  People are letting us know what they
> want and I think we should solve that need.
>
> ...or they will take whatever we give them for
> other purposes and use it to solve that need,
> partially, improperly, ineffectively.
>
> I will quit my bitching about the "Top 25" and
> focus on productively moving forward, now that
> it's clear my concerns are too late and it's
> already moving full-steam ahead as a standard.
>
> People do not know what to do. They have
> a serious problem that is starting to cause
> them to lose real sleep and real money, and
> they are looking to us for suggestions and
> guidance as to what to do.
>
> I concede that the Top 25 in this regard is
> better than nothing, but it's not really what
> people want or need right now (IMHO).
>
> (Note: I have not asked parties involved
> if I can quote them or quote facts of this
> being used as a standard. The volume
> of emails I am receiving providing examples
> of this make me think this is either a fad,
> or self-evident and you will all see plenty
> of examples of this very soon if you
> have not already.
>
> SANS has spoken and I think that is
> a pretty clear indication what is going on)
>
> $0.02 USD,
>
> --
> --
> Arian Evans
>
> Anti-Gun/UN people: you should weep for
> Mumbai. Your actions leave defenseless dead.
>
> "Among the many misdeeds of the British
> rule in India, history will look upon the Act
> depriving a whole nation of arms, as the
> blackest." -- Mahatma Gandhi

Re: [SC-L] SANS/CWE Top 25: "The New Standard" for Webappsec

2009-01-19 Thread Arian J. Evans
On Mon, Jan 19, 2009 at 9:45 AM, Stephen Craig Evans wrote:
>
> Hi Arian,
>
> " SANS has spoken and I think that is a pretty clear indication what is
> going on)"
>
> Have you been watching Wizard of Oz re-reruns again? This sentence sounds
> too much like "The Mighty Oz has spoken" :-)

I am from Kansas, Stephen. How did you know?

On a serious note:

I have tremendous respect for the SANS organization's
work and the value they provide to the infosec community.

I believe they are one of the best barometers of what
is going on out in day-to-day security-land. In addition
they have significant clout with information security
professionals ranging from technical & implementation
engineers, to tactical security management and auditors,
to strategic level CISOs and policy compliance folks.

They have a lot more clout across the board with all
of those folks for infosec in general than the combined
communities of OWASP, WASC, Mitre, and the denizens
of the SCL list. 

Translation: we should all watch closely and take cues
from how SANS uses our software security publication
output, be it Top N lists or standards or whatever.

SANS and their many tentacles are market driven
both with regards to private sector and government.
They will react to needs and provide them, and have
a clear idea what folks want.

In this case what is wanted is CLEARLY a minimum
standard of due care and SANS will use such a list
accordingly, much as previous SANS Top N lists.

What this means to the rest of us I pretty much
covered in my last post.

I have gotten a deluge of email in response to my
posts to both SCL and WASC about SANS/CWE
Top 25 from folks at organizations that have already
had their bosses ask -- or even implement -- the
CWE Top 25 as a standard of some type in
their organization.

Numerous customers I interact with are already
asking me to cross-map the CWE/SANS Top 25
with existing web application security lists. (OWASP
Top 10, WASC Threat Classification, etc.)

My previous email lists the type of uses I am
already seeing.

First, the list should be "webified". That is probably
the #1 interest in consumption of that data. There
are a finite number of programmers working at
Microsoft on their network stack in C++, and they
are already way beyond this level. We're not putting
out information for them.

The majority of crappy software today is being
built as web systems or embedded software, two
very different problem domains in terms of threat
landscape and attack surface (though they overlap
in basic data handling principles).

Then, again, you need three lists:

+ stuff to test for
+ patterns and practices to build secure
+ how to address software security in an enterprise

The current Top 25 is kinda a bastard mix of
all three of those, and solves none of them well.

Sorry to stir people up, but this CWE list just
created a headache and more work for me that
I do not see improves upon anything I am already
working on or providing.

(Besides global attention -- proving again my
assertion that folks are hungry for more)

Thanks all,

-- 
-- 
Arian Evans

"I ask, sir, what is the militia? It is the
whole people. To disarm the people is
the best and most effectual way to
enslave them."-- Patrick Henry
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] SANS/CWE Top 25: "The New Standard" for Webappsec

2009-01-17 Thread Arian J. Evans
Hello all. Xposting to SCL and WASC:

Following up on my commentary on the
WASC list about the SANS/CWE "Top 25"

I have repeatedly confirmed that the SANS/CWE
Top 25 is being actively used, and growing in
use, as a "Standard".

I understand the spirit of intent and that the
makers are not accountable for how it is used,
but we need to be realistic about how it is
being implemented in the real world *now*.

It is beginning to be used as a "standard" for:
* what security defects to test software for
* how to measure the security quality of software
* how to build secure software
* what to teach developers about coding securely


I have confirmed this with:
* peers
* corporations
* state governments
* software security solutions vendors
* customers

We are already seeing RFPs for products
and services, management and auditor
created "internal" standards, and requests
for training and reporting using the "SANS/
CWE Top 25" as a standard.

There are three goals of this post:

1) to make very clear to all involved that
what is being built with the "Top 25" list is
a minimum standard of due care.

2) To suggest that this is (most likely) how
it is primarily going to be used.

(You brought the SANS/CIS club to the dance here...)

3) Suggest that future versions be re-focused
on building actual minimum standards of
due care for the demonstrated needs.

The great thing that is coming out of this Top 25
experiment is to identify that awareness and
hunger-level for material like this is very high.

This is also showing us what people really want
right now:

People want a minimum standard of due care.

It is obvious people want bite-sized digestible
snippets to use as guidelines for making and
measuring the security quality of our software.

That is evidenced by how rapidly people have
latched onto this new list. (one week + !)

The SANS and Mitre brands have huge stock in
the mainstream, non-appsec security community,
much larger than OWASP and WASC, as is
evidenced again by the attention this is getting
throughout the infosec and audit communities.

And summing up, directly from Alan Paller:

http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1344962,00.html


Conclusions:

We need a minimum standard of due care Top N list.


We really need THREE minimum standards of due care:

1) Top N issues/defects to test your software for
2) Top N principles to build secure software
3) Top N strategies to improve software security in your enterprise

Webappsec folks should make webappsec
versions, or else we will all wind up using
the same ones for *everything*.

We might want to divide/share efforts between
organizations and cross-reference each other
for maximum (positive) effect. We could likely
leverage each others' work and try to unify
our language across appsec communities.

(Ideologies and pet naming systems are where
these efforts always break down in our group.)


I am avoiding the debate over the inherent
problems with "Top N" and bug parade approaches
in general.  People are letting us know what they
want and I think we should solve that need.

...or they will take whatever we give them for
other purposes and use it to solve that need,
partially, improperly, ineffectively.

I will quit my bitching about the "Top 25" and
focus on productively moving forward, now that
it's clear my concerns are too late and it's
already moving full-steam ahead as a standard.

People do not know what to do. They have
a serious problem that is starting to cause
them to lose real sleep and real money, and
they are looking to us for suggestions and
guidance as to what to do.

I concede that the Top 25 in this regard is
better than nothing, but it's not really what
people want or need right now (IMHO).

(Note: I have not asked parties involved
if I can quote them or quote facts of this
being used as a standard. The volume
of emails I am receiving providing examples
of this make me think this is either a fad,
or self-evident and you will all see plenty
of examples of this very soon if you
have not already.

SANS has spoken and I think that is
a pretty clear indication what is going on)

$0.02 USD,

-- 
-- 
Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi