<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.5730.11" name=GENERATOR></HEAD>
<BODY
style="WORD-WRAP: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space">
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=282163701-23012007>This is completely unsurprising. Apparently
nobody told the agile dev community that they still need to follow all the
secure coding practices preached at the traditional dev folks for eons.
XSS, redirects, and SQL injection attacks are not revolutionary, are not all
that interesting, and are so commonplace that it makes one wonder where these
developers have been the last 5-10 years.</SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff
size=2>Solution to date: throw out traditional design review, move to agile
security testing. Why? Because there seems rarely to be a
design to review, and certainly no time to do it in. Overall, it's
important that agile apps be built on an underlying publishing framework so that
inherited vulns can be found and fixed across the board by focusing on a single
platform.</FONT></SPAN></DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff size=2>Next
challenge: new year, new technology fads. Web 2.0 is another code word for
"that's so last year". Time to play catch-up, and January isn't over yet!
*sigh* Oh, and speaking of Web 2.0, who's protecting the customer and
their data? Better yet, who owns which data? With mashups being the
buzz word du jour, you may think your data is on SiteA, when in fact it's spread
across SiteB, SiteC, and SiteD. Wheee.</FONT></SPAN></DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff size=2>One
bit of good news: agile dev has often meant, in my experience, rapid resolution
of discovered vulns. Since you don't have the full SDLC (or
comparable) process to follow, or even a formalized patch mgmt process,
it's often just a matter of finding bugs (through targeted "hyper-testing"
- think flash-bang), sending them to the devies, waiting 10-30 minutes, and
watching the vuln disappear like magic. Am curious how change mgmt works
on that, though... ;)</FONT></SPAN></DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff
size=2>cheers,</FONT></SPAN></DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=282163701-23012007><FONT face=Arial color=#0000ff
size=2>-ben</FONT></SPAN></DIV><!-- Converted from text/plain format -->
<P><FONT size=2>---<BR>Benjamin Tomhave, CISSP, NSA-IAM,
NSA-IEM<BR>falcon@secureconsulting.net<BR>Web: <A
href="http://falcon.secureconsulting.net/">http://falcon.secureconsulting.net/</A><BR>LI:
<A
href="http://www.linkedin.com/pub/0/622/964">http://www.linkedin.com/pub/0/622/964</A><BR>Blog:
<A
href="http://www.secureconsulting.net/">http://www.secureconsulting.net/</A><BR><BR>"We
must scrupulously guard the civil rights and civil liberties of all citizens,
whatever their background. We must remember that any oppression, any injustice,
any hatred is a wedge designed to attack our civilization."<BR>-President
Franklin Delano Roosevelt<BR></FONT></P>
<DIV> </DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> sc-l-bounces@securecoding.org
[mailto:sc-l-bounces@securecoding.org] <B>On Behalf Of </B>Kenneth Van
Wyk<BR><B>Sent:</B> Monday, January 22, 2007 1:24 PM<BR><B>To:</B> Secure
Coding<BR><B>Subject:</B> [SC-L] Vulnerability tallies surged in 2006 | The
Register<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV
style="FONT-SIZE: 12px; COLOR: black; FONT-FAMILY: Helvetica; TEXT-ALIGN: left">FYI,
CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% increase
over 2005.</DIV>
<DIV
style="FONT-SIZE: 12px; COLOR: black; FONT-FAMILY: Helvetica; TEXT-ALIGN: left"><BR
class=khtml-block-placeholder></DIV>See <A
href="http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/">http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/</A>
<DIV
style="FONT-SIZE: 12px; COLOR: black; FONT-FAMILY: Helvetica; TEXT-ALIGN: left"><BR
class=khtml-block-placeholder></DIV>The article further states, "The greatest
factor in the skyrocketing number of vulnerabilities is that certain types of
flaws in community and commercial Web applications have become much easier to
find, said Art Manion, vulnerability team lead for the CERT Coordination
Center.
<DIV><BR class=khtml-block-placeholder>
<DIV style="MARGIN: 0px">'The best we can figure, most of the growth is due to
fairly easy-to-discover vulnerabilities in Web applications,' Manion said.
'They are easy to find, easy to create, and easy to deploy.'"</DIV>
<DIV style="MARGIN: 0px"><BR class=khtml-block-placeholder></DIV>
<DIV style="MARGIN: 0px">Cheers,</DIV>
<DIV style="MARGIN: 0px"><BR class=khtml-block-placeholder></DIV>
<DIV style="MARGIN: 0px">Ken</DIV>
<DIV><SPAN class=Apple-style-span
style="WORD-SPACING: 0px; FONT: 12px Helvetica; TEXT-TRANSFORM: none; COLOR: rgb(0,0,0); TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; border-spacing: 0px 0px; -khtml-text-decorations-in-effect: none; -apple-text-size-adjust: auto; orphans: 2; widows: 2"><SPAN
class=Apple-style-span
style="WORD-SPACING: 0px; FONT: 12px Helvetica; TEXT-TRANSFORM: none; COLOR: rgb(0,0,0); TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; border-spacing: 0px 0px; -khtml-text-decorations-in-effect: none; -apple-text-size-adjust: auto; orphans: 2; widows: 2"><SPAN
class=Apple-style-span
style="WORD-SPACING: 0px; FONT: 12px Helvetica; TEXT-TRANSFORM: none; COLOR: rgb(0,0,0); TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; border-spacing: 0px 0px; -khtml-text-decorations-in-effect: none; -apple-text-size-adjust: auto; orphans: 2; widows: 2"><SPAN
class=Apple-style-span
style="WORD-SPACING: 0px; FONT: 12px Helvetica; TEXT-TRANSFORM: none; COLOR: rgb(0,0,0); TEXT-INDENT: 0px; WHITE-SPACE: normal; LETTER-SPACING: normal; BORDER-COLLAPSE: separate; border-spacing: 0px 0px; -khtml-text-decorations-in-effect: none; -apple-text-size-adjust: auto; orphans: 2; widows: 2">
<DIV>-----</DIV>
<DIV>Kenneth R. van Wyk</DIV>
<DIV>SC-L Moderator</DIV>
<DIV>KRvW Associates, LLC</DIV>
<DIV><A href="http://www.KRvW.com">http://www.KRvW.com</A></DIV>
<DIV><BR class=khtml-block-placeholder></DIV>
<DIV><BR class=khtml-block-placeholder></DIV><BR
class=Apple-interchange-newline></SPAN></SPAN></SPAN></SPAN></DIV><BR></DIV></BLOCKQUOTE></BODY></HTML>