Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: OWASP Top Ten - dev process

RE: OWASP Top Ten - dev process

From: Evans, Arian <Arian.Evans_at_fishnetsecurity.com>
Date: Tue, 12 Jul 2005 17:40:42 -0500

I'm guessing we've all seen it but it hit home
recently when I spent two months as the most
expensive QA tester ever (barring a Final Four
firm or Foundstone :) testing an application
that half of it was so bug riddled it didn't
work. The fault-injection testing was darn
near useless cause half the application didn't
even process or store the data it was supposed
to. What's the #1 Risk item there? Not XSS.
It's "you can't build enterprise class software".

Also made me wonder about the previous people who
had "tested" the application. </anecdotal>

Part of the FUD problem is that you've got all these
network security folks and auditors looking for another
tool to hit "scan" to address this "new" "problem".

A Top-10 retooling that reflects and communicates
this fact would help the FUD and benefit everyone.
Less emphasis on XSS and more on how to build reusable
unit tests/build software. Security tests for unit
testing are cheap, right, I/O tests only need to be
built once to work across a wide variety of application
conditions based upon data type of course.

Not so with business-logic specific tests, e.g.-"Rob's Report".

-ae

> -----Original Message-----
> From: Mark Curphey [mailto:mark_at_curphey.com]
> Sent: Monday, July 11, 2005 7:11 AM
> To: 'Jeff Robertson'; webappsec_at_securityfocus.com
> Subject: RE: OWASP Top Ten - My Case For Updating It
>
> Hallelujah brother !
>
> -----Original Message-----
> From: Jeff Robertson [mailto:Jeff.Robertson_at_DigitalInsight.com]
> Sent: Monday, July 11, 2005 7:58 AM
> To: 'Mark Curphey'; webappsec_at_securityfocus.com
> Cc: 'Jeff Williams'
> Subject: RE: OWASP Top Ten - My Case For Updating It
>
> > -----Original Message-----
> > From: Mark Curphey [mailto:mark_at_curphey.com]
> >
> >
> > If the problem of web application security is poor software
> quality,
> > it is a natural conclusion that the solution is to build better
> > software. Not once in the top ten does the list address the
> fact that
> > the majority of software is built without a design, security
> > requirements or a repeatable software security development process.
>
> I would go so far as to say that unless a development shop is already
> following a process (I don't want to start waterfall vs. RUP
> vs. XP wars
> here) to keep plain old functionality bugs down to a minimum,
> they have no
> hope of producing secure software.
>
> If a software company haven't even figured out that their
> developers need to
> be doing unit tests, then the idea that they could
> successfully implement
> any sort of security testing is just putting the cart before
> the horse.
>
>
>

The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material.
Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities
other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication
in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
Received on Jul 12 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]