<div dir="ltr">Good catch!<div class="gmail_extra"><br>
<br><div class="gmail_quote">On Fri, Oct 31, 2014 at 10:38 AM, Hookings, Stephen <span dir="ltr"><<a href="mailto:stephen.hookings@sap.com" target="_blank">stephen.hookings@sap.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">





<div lang="EN-GB" link="blue" vlink="purple">
<div>
<p class="MsoNormal">Hi all</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">New to list so apologies if there is an errata section I should have checked.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Firstly I really like the guide. I am co-lead on Security Testing Strategy in SAP and we will certainly be using this info to educate our development teams.</p>
<p class="MsoNormal">I am also liking the ASVS too.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">On PDF page 11/224 of OWASP_Testing_Guide_v4.pdf, top right 2<sup>nd</sup> column:</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">For example, in June 2002, the US National Institute of Standards</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">(NIST) published a survey on the cost of insecure software to the US</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">economy due to inadequate software testing [3]. Interestingly, they</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">estimate that a better testing infrastructure would save more than a</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">third of these costs, or about $22 billion a year. More recently, the links</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">between economics and security have been studied by academic researchers.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">See [4] for more information about some of these efforts.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'"> </span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">While estimating the cost of insecure software may appear a daunting</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">task, there has been a significant amount of work in this direction.</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">For example, in June 2002, the US National Institute of Standards</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">(NIST) published a survey on the cost of insecure software to the US</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">economy due to inadequate software testing [3]. Interestingly, they</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">estimate that a better testing infrastructure would save more than a</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">third of these costs, or about $22 billion a year. More recently, the links</span></p>
<p class="MsoNormal" style="text-autospace:none"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">between economics and security have been studied by academic researchers.</span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'">See [4] for more information about some of these efforts.</span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:'Titillium-Regular','sans-serif'"> </span></p>
<p class="MsoNormal">I know one has to repeat to make a point, but it seems to me there is some duplication here?</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Regards<br>
Steve Hookings, SAP Code Analysis team.</p>
</div>
</div>

<br>_______________________________________________<br>
Owasp-testing mailing list<br>
<a href="mailto:Owasp-testing@lists.owasp.org">Owasp-testing@lists.owasp.org</a><br>
<a href="https://lists.owasp.org/mailman/listinfo/owasp-testing" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-testing</a><br>
<br></blockquote></div><br></div></div>