[Owasp-wash_dc_va] FW: [SC-L] A New Open Source Approach to Weakness

John Steven jsteven at cigital.com
Wed Aug 9 16:10:52 EDT 2006


Stan et al.,

I'd be interested in how Jeff believes this effort should ideally play against other existing efforts such as Mitre's CWE, which rather than (I shudder to even use this word in print) a 'folksonomy' rely on a more rigorous structure and nomenclature.

While I won't weigh in on the topic proper, I can say I consider the proliferation of best-practice sets, various enumerations, taxonomies, and whathaveyou exceptionally misleading to even the better Application Security Groups within the commercial space. I'd be prepared to argue that it isn't accessibility and community involvement that has disallowed ubiquitous adoption. In my mind, we've faced more barriers in the form of:

1) People / organizations re-treading each other's guidance in various presentations and mediums
2) Insufficient formal training and experience with existing 'common' security constructs, both positive and negative (whether you call them vulns., best practices, attack patterns, or Shirley)
3) Inability of content owners to succinctly codify both instance and pattern data in #2's domains

I think there are other non-technical/horsepower barriers in addition to those listed above. But, men and women: while we may argue, as a community, about what to do about the problem (Code Review vs. Penetration Testing vs. Automated Code Analysis), failing to standardize on a strong vocabulary and structure to talk about the problem we're being paid to solve discredits us all tragically. In summary: this is a problem worth solving.


I'd love to make it to this event and participate in the discussion, but alas I'm stuck in the NE payin' the bills. There's no rest for the wicked.

----
John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F
http://www.cigital.com
Software Confidence. Achieved.


On Aug 9, 2006, at 3:39 PM, Wisseman Stan wrote:

> We can ask Jeff to discuss further tonight.
>
> Stan
>
> -----Original Message-----
> From: sc-l-bounces at securecoding.org
> [mailto:sc-l-bounces at securecoding.org] On Behalf Of Jeff Williams
> Sent: Wednesday, August 09, 2006 11:50 AM
> To: Secure Coding
> Subject: Re: [SC-L] A New Open Source Approach to Weakness
>
> Fortify has graciously donated these vulnerability writeups to OWASP, where they will be maintained wikipedia-style. We have a strong team of reviewers in place to review all changes daily. There are a total of almost 500 vulnerabilities now, from Fortify, CLASP, and many other sources. We're creating an interlinked knowledgebase of common application security principles, threats, attacks, vulnerabilities, and countermeasures. Anyone can participate, so come help us out.
>
> http://www.owasp.org/index.php/Category:OWASP_Honeycomb_Project
>
> --Jeff
>
> -----Original Message-----
> From: sc-l-bounces at securecoding.org
> [mailto:sc-l-bounces at securecoding.org] On Behalf Of Gergely Buday
> Sent: Wednesday, August 09, 2006 10:08 AM
> To: Secure Coding
> Subject: Re: [SC-L] A New Open Source Approach to Weakness
>
> On 09/08/06, Kenneth Van Wyk <ken at krvw.com> wrote:
>>
>> FYI, here's an article about Fortify's pernicious kingdom taxonomy of common coding defects that I thought would be of interest here:
>>
>> http://www.internetnews.com/dev-news/article.php/3623751
>
> The link to the original paper is:
>
> http://vulncat.fortifysoftware.com/docs/tcm_taxonomy_submission.pdf
>
> Cheers
>
> - Gergely
> _______________________________________________
> Secure Coding mailing list (SC-L)
> SC-L at securecoding.org
> List information, subscriptions, etc -
> http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
>
> _______________________________________________
> Owasp-wash_dc_va mailing list
> Owasp-wash_dc_va at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/owasp-wash_dc_va
