Having worked with Jeff in the past (he's one of the brightest guys
I've had the pleasure of working with), I'm familiar with the problems
that he's making mention of. The problem is inertia. If you've
always done things a certain way and been successful at it --
measured by length of time in business, customer base, lack of
discovered hacks, whatever -- there is no driver for change. And
when there is a driver for change -- customers demanding less buggy/
more secure software -- the focus is going to be on fixing the
obvious flaws!
Until we fix the process of building software in shops that are
without process controls, we'll never change the outcome.
-dhs
Dean H. Saxe, CEH
dean_at_fullfrontalnerdity.com
Here in America everything is bought and sold, you can get anything
for little bits of gold.
We'll rape the earth and ruin the air, cut down every tree from here
to there.
-- Donna The Buffalo "America"
On Jul 11, 2005, at 8:11 AM, Mark Curphey wrote:
> Hallelujah brother !
>
> -----Original Message-----
> From: Jeff Robertson [mailto:Jeff.Robertson_at_DigitalInsight.com]
>
>> -----Original Message-----
>> From: Mark Curphey [mailto:mark_at_curphey.com]
>>
>> If the problem of web application security is poor software quality,
>> it is a natural conclusion that the solution is to build better
>> software. Not once in the top ten does the list address the fact that
>> the majority of software is built without a design, security
>> requirements or a repeatable software security development process.
>>
>
> I would go so far as to say that unless a development shop is already
> following a process (I don't want to start waterfall vs. RUP vs. XP
> wars here) to keep plain old functionality bugs down to a minimum,
> they have no hope of producing secure software.
>
> If a software company hasn't even figured out that their developers
> need to be doing unit tests, then the idea that they could successfully
> implement any sort of security testing is just putting the cart before
> the horse.
Received on Jul 11 2005