[ISN] List creates software security squabble

From: InfoSec News <alerts_at_private>
Date: Tue, 20 Jan 2009 00:21:21 -0600 (CST)
http://gcn.com/articles/2009/01/19/list-creates-software-security-squabble.aspx

By William Jackson
GCN.com
Jan 19, 2009

The release earlier this month of a consensus list of the most serious 
programming errors to be avoided has garnered quite a bit of attention, 
some of it predictably negative. Bloggers who are amusing themselves by 
dissing the effort seem to be missing the forest for the trees. They 
dismiss the list because it is not an absolute and perfect solution to 
software security, and ignore the benefits it might provide.

Development of the list, available online, was managed by the SANS 
Institute and Mitre Corp. with support from the National Security Agency 
and the Homeland Security Department's National Cyber Security Division. 
It represents a consensus of the most significant errors on which the IT 
community should concentrate. The idea is that an industrywide 
consensus, culled from the more than 700 errors detailed in the Common 
Weakness Enumeration database, can be used to standardize requirements 
for software procurements, to prioritize remediation of legacy 
applications and to help educate coders.

The detractors are unhappy essentially because no Top-N list is 
all-inclusive. The whole idea of these lists is that some things get 
left out, and that upsets some people.

"Security is a big deal, it's not a list," says Gwyn Fisher, chief 
technology officer of Klocwork in his Klocktalk blog. Yes, security is 
a big deal. But Fisher makes a big assumption in declaring that "what's 
outside that list is just as important as what made the cut." The 
compilers of the most recent list, which represents a broad range of the 
people in the IT community, apparently disagree. They decided that what 
is inside the list is more important.

Are they right? That is open to argument. But to summarily dismiss the 
effort simply because the list included some elements and excluded 
others is unfair. That's the nature of a list.

[...]

Received on Mon Jan 19 2009 - 22:21:21 PST