Secure Coding mailing list archives
informIT: attack categories
From: gem at cigital.com (Gary McGraw)
Date: Tue, 25 Aug 2009 20:39:05 -0400
hi sc-l,

Fred sent me some email today and reminded me that he has written about this idea himself in IEEE Security & Privacy magazine. We already had a link to his article on the Silver Bullet website, but here's a direct link:

"The Monoculture Risk Put in Context"
IEEE Security and Privacy 7, 1 (January/February 2009), 14-17.
Fred Schneider and Ken Birman.
http://www.cs.cornell.edu/fbs/publications/IEEEspMonoculture.pdf

gem

On 8/25/09 1:35 PM, "gem" <gem at cigital.com> wrote:

hi sc-l,

If you listened recently to the latest episode of Silver Bullet with Fred Schneider from Cornell <http://www.cigital.com/silverbullet/show-041/>, one of the ideas Fred and I discussed was the notion of attack categories and anticipating large-scale trends in attack space. Hopefully you guys all recall that I am a strong proponent of understanding the attacker's perspective (see, for example, Exploiting Software from way back in 2004, where Hoglund and I coined the term "attack pattern" <http://exploitingsoftware.com/>).

This month's informIT article is about the notion of long-term attack categories and is meant to inform software security research:

Software [In]security: Attack Categories and History Prediction
http://www.informit.com/articles/article.aspx?p=1393066

BTW, shout-outs for the OWASP Top 10 and CWE in the article may surprise the usual naysayers.

Feedback is most welcome. (Thanks to Ken and Sammy for helping me make this article slightly more coherent.)

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/justiceleague
book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L at securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.