SANS/CWE Top 25: "The New Standard" for Webappsec

[arian.evans at anachronic.com (Arian J. Evans)]

On Mon, Jan 19, 2009 at 9:45 AM, Stephen Craig Evans
<stephencraig.evans at gmail.com> wrote:
> Hi Arian,
>
> " SANS has spoken and I think that is a pretty clear indication what is
> going on....)"
>
> Have you been watching Wizard of Oz re-reruns again? This sentence sounds
> too much like "The Mighty Oz has spoken" :-)

I am from Kansas, Stephen. How did you know?

On a serious note:

I have tremendous respect for the SANS organizations'
work and the value they provide to the infosec community.

I believe they are one of the best barometers of what
is going on out in day-to-day security-land. In addition
they have significant clout with information security
professionals ranging from technical & implementation
engineers, to tactical security management and auditors,
to strategic level CISOs and policy compliance folks.

They have a lot more clout across the board with all
of those folks for infosec in general than the combined
communities of OWASP, WASC, Mitre, and the denizens
of the SCL list. </strong_suspicion: educated_guess>

Translation: we should all watch closely and take cues
from how SANS uses our software security publication
output, be it Top N lists or standards or whatever.

SANS and their many tentacles are market driven
both with regards to private sector and government.
They will react to needs and provide them, and have
a clear idea what folks want.

In this case what is wanted is CLEARLY a minimum
standard of due care and SANS will use such a list
accordingly, much as previous SANS Top N lists.

What this means to the rest of us I pretty much
covered in my last post.

I have gotten a deluge of email in response to my
posts to both SCL and WASC about SANS/CWE
Top 25 from folks at organizations that have already
had their bosses ask -- or even implement -- the
CWE Top 25 as a standard of some type in
their organization.

Numerous customers I interact with are already
asking me to cross-map the CWE/SANS Top 25
with existing web application security lists. (OWASP
Top 10, WASC Threat Classification, etc.)

My previous email lists the type of uses I am
already seeing.

First, the list should be "webified". That is probably
the #1 interest in consumption of that data. There
are a finite number of programmers working at
Microsoft on their network stack in C++, and they
are already way beyond this level. We're not putting
out information for them.

The majority of crappy software today is being
built as web systems or embedded software. Two
very different problem domains in terms of threat
landscape and attack surface (though overlap
in basic data handling principles).

Then, again, you need three lists:

+ stuff to test for
+ patterns and practices to build secure
+ how to address software security in an enterprise

The current Top 25 is kinda a bastard mix of
all three of those, and solves none of them well.

Sorry to stir people up, but this CWE list just
created a headache and more work for me that
I do not see improves upon anything I am already
working on or providing.

(Besides global attention -- proving again my
assertion that folks are hungry for more)

Thanks all,

-- 
-- 
Arian Evans

"I ask, sir, what is the militia? It is the
whole people. To disarm the people is
the best and most effectual way to
enslave them."-- Patrick Henry