Secure Coding mailing list archives
Re: Classification/Enumeration of Software Defect Mitigations
From: Jim Manico <jim.manico () owasp org>
Date: Fri, 22 Oct 2010 03:02:14 +0530
You may wish to consider OWASP ASVS mitigation recommendations. You can word-smith negative recommendations of what *not* to do to come up with a great list of defensive recommendations. For example, instead of saying "Never put sensitive data in HTTP GET requests" I'd like to see us shift to control-centric language like "Only use HTTPS POST to transmit sensitive data".

And in general Steve, a list of mitigations implies tactical approaches to Application Security (i.e. fix specific flaws), which is fairly limited. I'd love to see this expanded to cover general defensive coding techniques and good security design principles that help devs build secure apps from day 1.

And Steve, you only see me pop up when I have a criticism. But as I said when we went hiking on Kauai, I think you and team are doing outstanding work and I'm thankful for all of your efforts.

Regards,
-Jim Manico
http://manico.net

On Oct 22, 2010, at 12:39 AM, "Steven M. Christey" <coley () linus mitre org> wrote:
All,

Both WASC and the MITRE CWE team have begun exploring the feasibility of enumerating or classifying the types of mitigations that are used to fix software defects/weaknesses. Does anybody know of such work in this area? (We can draw from sources such as McGraw/Viega "Building Secure Software," and 'indirect' sources such as ESAPI, but I was wondering if there was something that was a little more focused on mitigations.)

CWE status: http://www.webappsec.org/lists/websecurity/archive/2010-10/msg00065.html
WASC status: http://www.webappsec.org/lists/websecurity/archive/2010-10/msg00066.html

Thanks,
Steve

_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________
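The control-centric phrasing Jim argues for ("Only use HTTPS POST to transmit sensitive data") is something an application can enforce at the request boundary rather than leave as a rule in a checklist. The following is an added example written for this archive page; it is not code from the thread, from OWASP ASVS or from ESAPI. The minimal Request object, the list of sensitive field names, and the handle_login wrapper are assumptions made for illustration. It goes slightly beyond the quoted sentence by also rejecting a POST whose query string carries a sensitive field, since the query string is what ends up in server logs, proxy logs, browser history and Referer headers regardless of the method.

```python
"""Enforce the positive control: sensitive data travels only in the body of an HTTPS POST.

Added example for this archive page; not code from the SC-L thread, OWASP ASVS or ESAPI.
The Request stand-in, SENSITIVE_FIELDS and handle_login are assumptions for illustration.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed set of parameter names the application treats as sensitive.
SENSITIVE_FIELDS = frozenset({"password", "ssn", "card_number", "session_token"})


@dataclass
class Request:
    """Minimal stand-in for a web framework's request object (constructed for the example)."""
    method: str
    url: str
    body: dict = field(default_factory=dict)


@dataclass
class Violation:
    """Why a request failed the control and which fields triggered it."""
    reason: str
    fields: tuple


def sensitive_in_query(url):
    """Return the sorted sensitive parameter names present in the URL's query string."""
    names = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    return sorted(names & SENSITIVE_FIELDS)


def check_transport(req):
    """Return None when the request satisfies the control, otherwise a Violation.

    Order of checks: a sensitive field anywhere in the query string is rejected
    first (it leaks into logs and history whatever the method), then the method
    must be POST, then the scheme must be https. Requests carrying no sensitive
    field are out of scope for this control and pass through.
    """
    in_query = sensitive_in_query(req.url)
    in_body = sorted({k.lower() for k in req.body} & SENSITIVE_FIELDS)
    if not in_query and not in_body:
        return None
    if in_query:
        return Violation("sensitive field in query string", tuple(in_query))
    if req.method.upper() != "POST":
        return Violation("sensitive field outside POST body", tuple(in_body))
    if urlsplit(req.url).scheme.lower() != "https":
        return Violation("sensitive field over non-HTTPS transport", tuple(in_body))
    return None


def handle_login(req):
    """Hypothetical handler: refuse non-compliant requests before touching the credential."""
    violation = check_transport(req)
    if violation is not None:
        return 400, f"rejected: {violation.reason}: {', '.join(violation.fields)}"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one compliant, three that each break a different clause.
    samples = [
        Request("POST", "https://example.test/login", {"user": "a", "password": "b"}),
        Request("GET", "https://example.test/login?user=a&password=b"),
        Request("POST", "http://example.test/login", {"user": "a", "password": "b"}),
        Request("PUT", "https://example.test/login", {"password": "b"}),
    ]
    for sample in samples:
        print(sample.method, sample.url, "->", handle_login(sample))
```

The check is deliberately written as a positive condition (only this shape is accepted) rather than a list of forbidden shapes, which is the shift in language the reply asks for: a new way of leaking a field, say a non-POST method the author did not think of, fails closed instead of slipping past a blacklist.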
Current thread:
- Classification/Enumeration of Software Defect Mitigations Steven M. Christey (Oct 21)
- Re: Classification/Enumeration of Software Defect Mitigations Jim Manico (Oct 21)
- Re: Classification/Enumeration of Software Defect Mitigations Steven M. Christey (Oct 21)
- Re: Classification/Enumeration of Software Defect Mitigations Jim Manico (Oct 21)
