<br>Hi Arian,<br><br>"
SANS has spoken and I think that is a pretty clear indication what is going on....)"<br><br>Have you been watching Wizard of Oz re-reruns again? This sentence sounds too much like "The Mighty Oz has spoken" :-)<br>
<br>Cheers,<br>Stephen<br><br><div class="gmail_quote">On Sat, Jan 17, 2009 at 11:39 AM, Arian J. Evans <span dir="ltr"><<a href="mailto:arian.evans@anachronic.com">arian.evans@anachronic.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello all. Xposting to SCL and WASC:<br>
<br>
Following-up to my commentary on the<br>
WASC list about the SANS/CWE "Top 25"....<br>
<br>
I have repeatedly confirmed that the SANS/CWE<br>
Top 25 is being actively used, and growing in<br>
use, as a "Standard".<br>
<br>
I understand the spirit of intent and that the<br>
makers are not accountable for how it is used,<br>
but we need to be realistic about how it is<br>
being implemented in the real world *now*.<br>
<br>
It is beginning to be used as a "standard" for:<br>
* what security defects to test software for<br>
* how to measure the security quality of software<br>
* how to build secure software<br>
* what to teach developers about coding securely<br>
<br>
<br>
I have confirmed this with:<br>
* peers<br>
* corporations<br>
* state governments<br>
* software security solutions vendors<br>
* customers<br>
<br>
We are already seeing RFPs for products<br>
and services, management and auditor<br>
created "internal" standards, and requests<br>
for training and reporting using the "SANS/<br>
CWE Top 25" as a standard.<br>
<br>
There are three goals of this post:<br>
<br>
1) to make very clear to all involved that<br>
what is being built with the "Top 25" list is<br>
a minimum standard of due care.<br>
<br>
2) To suggest that this is (most likely) how<br>
it is primarily going to be used.<br>
<br>
(You brought the SANS/CIS club to the dance here...)<br>
<br>
3) Suggest that future versions be re-focused<br>
on building actual minimum standards of<br>
due care for the demonstrated needs.<br>
<br>
The great thing that is coming out of this Top 25<br>
experiment is to identify that awareness and<br>
hunger-level for material like this is very high.<br>
<br>
This is also showing us what people really want<br>
right now:<br>
<br>
People want a minimum standard of due care.<br>
<br>
It is obvious people want bite-sized digestible<br>
snippets to use as guidelines for making and<br>
measuring the security quality of our software.<br>
<br>
That is evidenced by how rapidly people have<br>
latched onto this new list. (one week + !)<br>
<br>
The SANS and Mitre brand have huge stock in<br>
the mainstream, non-appsec security community,<br>
much larger than OWASP and WASC, as is<br>
evidenced again by the attention this is getting<br>
throughout the infosec and audit communities.<br>
<br>
And summing up, directly from Alan Paller:<br>
<br>
<a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1344962,00.html" target="_blank">http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1344962,00.html</a><br>
<br>
<br>
Conclusions:<br>
<br>
We need a minimum standard of due care Top N list.<br>
<br>
<br>
We really need THREE minimum standards of due care:<br>
<br>
1) Top N issues/defects to test your software for<br>
2) Top N principles to build secure software<br>
3) Top N strategies to improve software security in your enterprise<br>
<br>
Webappsec folks should make webappsec<br>
versions, or else we will all wind up using<br>
the same ones for *everything*.<br>
<br>
We might want to divide/share efforts between<br>
organizations and cross-reference each other<br>
for maximum (positive) effect. We could likely<br>
leverage each others' work and try to unify<br>
our language across appsec communities.<br>
<br>
(Ideologies and pet naming systems are where<br>
these efforts always break down in our group.)<br>
<br>
<br>
I am avoiding the debate over the inherent<br>
problems with "Top N" and bug parade approaches<br>
in general. People are letting us know what they<br>
want and I think we should solve that need.<br>
<br>
...or they will take whatever we give them for<br>
other purposes and use it to solve that need,<br>
partially, improperly, ineffectively.<br>
<br>
I will quite my bitching about the "Top 25" and<br>
focus on productively moving forward, now that<br>
it's clear my concerns are too late and it's<br>
already moving full-steam ahead as a standard.<br>
<br>
People do not know what to do. They have<br>
a serious problem that is starting to cause<br>
them to lose real sleep and real money, and<br>
they are looking to us for suggestions and<br>
guidance as to what to do.<br>
<br>
I concede that the Top 25 in this regard is<br>
better than nothing, but it's not really what<br>
people want or need right now (IMHO).<br>
<br>
(Note: I have not asked parties involved<br>
if I can quote them or quote facts of this<br>
being used as a standard. The volume<br>
of emails I am receiving providing examples<br>
of this make me think this is either a fad,<br>
or self-evident and you will all see plenty<br>
of examples of this very soon if you<br>
have not already.<br>
<br>
SANS has spoken and I think that is<br>
a pretty clear indication what is going on....)<br>
<br>
$0.02 USD,<br>
<br>
--<br>
--<br>
Arian Evans<br>
<br>
Anti-Gun/UN people: you should weep for<br>
Mumbai. Your actions leave defenseless dead.<br>
<br>
"Among the many misdeeds of the British<br>
rule in India, history will look upon the Act<br>
depriving a whole nation of arms, as the<br>
blackest." -- Mahatma Gandhi<br>
_______________________________________________<br>
Secure Coding mailing list (SC-L) <a href="mailto:SC-L@securecoding.org">SC-L@securecoding.org</a><br>
List information, subscriptions, etc - <a href="http://krvw.com/mailman/listinfo/sc-l" target="_blank">http://krvw.com/mailman/listinfo/sc-l</a><br>
List charter available at - <a href="http://www.securecoding.org/list/charter.php" target="_blank">http://www.securecoding.org/list/charter.php</a><br>
SC-L is hosted and moderated by KRvW Associates, LLC (<a href="http://www.KRvW.com" target="_blank">http://www.KRvW.com</a>)<br>
as a free, non-commercial service to the software security community.<br>
_______________________________________________<br>
</blockquote></div><br>