[WEB SECURITY] 2009 Top 25 Programming Errors

Arian J. Evans arian.evans at anachronic.com
Thu Jan 15 20:10:24 EST 2009

On Thu, Jan 15, 2009 at 3:21 PM, Micah Tapman <
m.tapman at questconsultantsllc.com> wrote:

> I'll dissent from this list's most vocal constituency by saying that I like
> the CWE work, find it insightful (especially in terms of root cause
> identification), and most likely a terrific step in the right direction
> from
> a big picture perspective.

I 100% agree that CWE is a great step towards a better taxonomy
for identifying and classifying vulnerabilities and defects with security
implications. Too many consultants do a poor job of this.

Note that CWE != CWE/SANS Top 25


An example of why I like this list might be helpful here...
> Take CWE-20, Improper Input Validation and assume we're talking to an
> executive at a bank about a situation where an application allows a user to
> enter data and the application never checks the data or doesn't check it
> well enough. Our approach is to use an analogy based on client loan
> applications, which are native terrain for a bank executive. "Imagine a
> person applies for a loan by filling out a form, however, your loan officer
> never checks the person's name against a driver's license or other form of
> legal identification. You could end up issuing a loan to someone using a
> false name and never be able to track that person down." Hopefully, this
> little example conveys the message that all input should be verified before
> the organization considers it trusted. In my experience it's these little
> stories that can make or break a briefing to executives. Our objective,
> talking with the executive, is to gain support for an initiative to make
> sure all applications under the bank's control use proper input validation
> mechanisms.

So you agree that to explain to an executive an otherwise challengingly
abstract concept with zero business implications like "Improper Input
you need to rely on describing a specific attack vector?

It sounds like you and I are on the exact same page on the two points above.


Arian Evans

Anti-Gun/UN people: you should weep for
Mumbai. Your actions leave defenseless dead.

"Among the many misdeeds of the British
rule in India, history will look upon the Act
depriving a whole nation of arms, as the
blackest." -- Mahatma Gandhi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20090115/5b7bf660/attachment.html>

More information about the websecurity mailing list