[WEB SECURITY] Re: [SC-L] SANS/CWE Top 25: "The New Standard" for Webappsec
Stephen Craig Evans
stephencraig.evans at gmail.com
Mon Jan 19 12:45:52 EST 2009
" SANS has spoken and I think that is a pretty clear indication what is
Have you been watching Wizard of Oz re-reruns again? This sentence sounds
too much like "The Mighty Oz has spoken" :-)
On Sat, Jan 17, 2009 at 11:39 AM, Arian J. Evans <arian.evans at anachronic.com>
> Hello all. Xposting to SCL and WASC:
> Following-up to my commentary on the
> WASC list about the SANS/CWE "Top 25"....
> I have repeatedly confirmed that the SANS/CWE
> Top 25 is being actively used, and growing in
> use, as a "Standard".
> I understand the spirit of intent and that the
> makers are not accountable for how it is used,
> but we need to be realistic about how it is
> being implemented in the real world *now*.
> It is beginning to be used as a "standard" for:
> * what security defects to test software for
> * how to measure the security quality of software
> * how to build secure software
> * what to teach developers about coding securely
> I have confirmed this with:
> * peers
> * corporations
> * state governments
> * software security solutions vendors
> * customers
> We are already seeing RFPs for products
> and services, management and auditor
> created "internal" standards, and requests
> for training and reporting using the "SANS/
> CWE Top 25" as a standard.
> There are three goals of this post:
> 1) to make very clear to all involved that
> what is being built with the "Top 25" list is
> a minimum standard of due care.
> 2) To suggest that this is (most likely) how
> it is primarily going to be used.
> (You brought the SANS/CIS club to the dance here...)
> 3) Suggest that future versions be re-focused
> on building actual minimum standards of
> due care for the demonstrated needs.
> The great thing that is coming out of this Top 25
> experiment is to identify that awareness and
> hunger-level for material like this is very high.
> This is also showing us what people really want
> right now:
> People want a minimum standard of due care.
> It is obvious people want bite-sized digestible
> snippets to use as guidelines for making and
> measuring the security quality of our software.
> That is evidenced by how rapidly people have
> latched onto this new list. (one week + !)
> The SANS and Mitre brand have huge stock in
> the mainstream, non-appsec security community,
> much larger than OWASP and WASC, as is
> evidenced again by the attention this is getting
> throughout the infosec and audit communities.
> And summing up, directly from Alan Paller:
> We need a minimum standard of due care Top N list.
> We really need THREE minimum standards of due care:
> 1) Top N issues/defects to test your software for
> 2) Top N principles to build secure software
> 3) Top N strategies to improve software security in your enterprise
> Webappsec folks should make webappsec
> versions, or else we will all wind up using
> the same ones for *everything*.
> We might want to divide/share efforts between
> organizations and cross-reference each other
> for maximum (positive) effect. We could likely
> leverage each others' work and try to unify
> our language across appsec communities.
> (Ideologies and pet naming systems are where
> these efforts always break down in our group.)
> I am avoiding the debate over the inherent
> problems with "Top N" and bug parade approaches
> in general. People are letting us know what they
> want and I think we should solve that need.
> ...or they will take whatever we give them for
> other purposes and use it to solve that need,
> partially, improperly, ineffectively.
> I will quit my bitching about the "Top 25" and
> focus on productively moving forward, now that
> it's clear my concerns are too late and it's
> already moving full-steam ahead as a standard.
> People do not know what to do. They have
> a serious problem that is starting to cause
> them to lose real sleep and real money, and
> they are looking to us for suggestions and
> guidance as to what to do.
> I concede that the Top 25 in this regard is
> better than nothing, but it's not really what
> people want or need right now (IMHO).
> (Note: I have not asked parties involved
> if I can quote them or quote facts of this
> being used as a standard. The volume
> of emails I am receiving providing examples
> of this make me think this is either a fad,
> or self-evident and you will all see plenty
> of examples of this very soon if you
> have not already.
> SANS has spoken and I think that is
> a pretty clear indication what is going on....)
> $0.02 USD,
> Arian Evans
> Anti-Gun/UN people: you should weep for
> Mumbai. Your actions leave defenseless dead.
> "Among the many misdeeds of the British
> rule in India, history will look upon the Act
> depriving a whole nation of arms, as the
> blackest." -- Mahatma Gandhi
> Secure Coding mailing list (SC-L) SC-L at securecoding.org
> List information, subscriptions, etc -
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.