[WEB SECURITY] 2009 Top 25 Programming Errors
Arian J. Evans
arian.evans at anachronic.com
Thu Jan 15 20:10:24 EST 2009
On Thu, Jan 15, 2009 at 3:21 PM, Micah Tapman <
m.tapman at questconsultantsllc.com> wrote:
> I'll dissent from this list's most vocal constituency by saying that I like
> the CWE work, find it insightful (especially in terms of root cause
> identification), and most likely a terrific step in the right direction from
> a big picture perspective.
I 100% agree that CWE is a great step towards a better taxonomy
for identifying and classifying vulnerabilities and defects with security
implications. Too many consultants do a poor job of this.
Note that CWE != CWE/SANS Top 25
An example of why I like this list might be helpful here...
> Take CWE-20, Improper Input Validation and assume we're talking to an
> executive at a bank about a situation where an application allows a user to
> enter data and the application never checks the data or doesn't check it
> well enough. Our approach is to use an analogy based on client loan
> applications, which are native terrain for a bank executive. "Imagine a
> person applies for a loan by filling out a form, however, your loan officer
> never checks the person's name against a driver's license or other form of
> legal identification. You could end up issuing a loan to someone using a
> false name and never be able to track that person down." Hopefully, this
> little example conveys the message that all input should be verified before
> the organization considers it trusted. In my experience it's these little
> stories that can make or break a briefing to executives. Our objective,
> talking with the executive, is to gain support for an initiative to make
> sure all applications under the bank's control use proper input validation
So you agree that to explain to an executive an otherwise challengingly
abstract concept with zero business implications like "Improper Input
Validation" you need to rely on describing a specific attack vector?
It sounds like you and I are on the exact same page on the two points above.
Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.
"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi
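The loan-officer analogy quoted above maps directly onto CWE-20: the unchecked path accepts whatever the form says, while the checked path refuses to produce a trusted record until every field matches an allowlist. The code below is an added illustration and is not part of this mailing-list thread; the field names, the licence-number format, the loan limit and the two sample submissions are all constructed for the example.

```python
"""Input validation in the sense of CWE-20 (Improper Input Validation).

Added example, not from the mailing-list post. Field names, the
licence-number format, the loan limit and the sample records are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Allowlist patterns: state what IS acceptable rather than what to block.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,79}$")
ID_RE = re.compile(r"^[A-Z]{2}[0-9]{7}$")   # constructed licence-number format
MAX_LOAN_CENTS = 50_000_000                  # constructed policy limit


@dataclass(frozen=True)
class LoanApplication:
    applicant_name: str
    licence_number: str
    amount_cents: int


def accept_unchecked(form: dict) -> LoanApplication:
    """The loan officer who never checks the licence: trusts every field.

    Any value becomes a name, any value becomes an identifier, and the
    amount is whatever the caller supplied (possibly a negative string).
    """
    return LoanApplication(
        applicant_name=form.get("applicant_name"),
        licence_number=form.get("licence_number"),
        amount_cents=form.get("amount_cents"),
    )


def validate(form: dict) -> tuple[Optional[LoanApplication], list[str]]:
    """Validate untrusted form data; returns (record, errors).

    A record is produced only when every field passes. Otherwise the caller
    gets the full list of failures and nothing is treated as trusted.
    """
    errors: list[str] = []

    name = form.get("applicant_name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name.strip()):
        errors.append("applicant_name: 1-80 letters, spaces, hyphens or apostrophes")

    licence = form.get("licence_number")
    if not isinstance(licence, str) or not ID_RE.fullmatch(licence):
        errors.append("licence_number: two upper-case letters then seven digits")

    amount = form.get("amount_cents")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int):
        errors.append("amount_cents: must be an integer number of cents")
    elif not 0 < amount <= MAX_LOAN_CENTS:
        errors.append(f"amount_cents: must be between 1 and {MAX_LOAN_CENTS}")

    if errors:
        return None, errors
    return LoanApplication(name.strip(), licence, amount), []


# Constructed sample submissions, as they might arrive from a web form.
GOOD_FORM = {"applicant_name": "Ada Lovelace",
             "licence_number": "AB1234567",
             "amount_cents": 1_250_000}
BAD_FORM = {"applicant_name": "Mr. Nobody #42",   # punctuation and digits
            "licence_number": "walk-in",           # not a licence number
            "amount_cents": "-1"}                  # a string, not cents


def demo() -> dict:
    """Run both paths over the samples and summarise what each would do."""
    unchecked = accept_unchecked(BAD_FORM)       # 'issues' the loan anyway
    record, errors = validate(BAD_FORM)          # rejected, with reasons
    good, good_errors = validate(GOOD_FORM)
    return {
        "unchecked_amount": unchecked.amount_cents,
        "bad_rejected": record is None,
        "bad_error_count": len(errors),
        "good_accepted": good is not None and not good_errors,
    }


if __name__ == "__main__":
    for line in validate(BAD_FORM)[1]:
        print("rejected:", line)
    print(demo())
```

The point the analogy makes is visible in `demo()`: the unchecked path returns a "loan" whose amount is the literal string "-1", while the validating path returns no record at all and three reasons, so downstream code never sees an applicant it cannot trace back to a verified identity.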