Before the current focus on security at Microsoft, all security bugs at Microsoft were rated using the DREAD model. (See prior post). Now, Microsoft rates each security bug using the STRIDE model. STRIDE is an acronym that stands for:
Before the current focus on security at Microsoft, all security bugs at Microsoft were rated using the DREAD model. DREAD is an acronym stands for:
When a bug was filed, the bug would be rated from 1-10 in each of these areas.
In security parlance, the following 3 points make up the "CIA Triad":
The Wikipedia article on the CIA Triad describes confidentiality in this context as "prevent the disclosure of information to unauthorized individuals or systems"; integrity as "data cannot be modified without authorization"; and availability is described as when the information can be accessed.
I love cheat sheets. They jog my memory about things I need to do or should test for – especially when I have not done it for awhile.
From a test perspective, my favorite test value cheat sheet for cross site scripting (XSS) is http://ha.ckers.org/xss.html. If you have not tried out these samples (and variations on the themes) in your own web application, you need to do it now.
From a developer perspective, OWASP’s (Open Web Application Security Project) XSS (Cross Site Scripting) Prevention Cheat Sheet provides a set of rules to implement.
I was reading an article when I saw a reference to how NASA’s Jet Propulsion Laboratory (JPL) was using 10 simple coding guideline to develop safe code. The article referenced the following URL: http://spinroot.com/p10/. Going to this site, you will discover that the work was originally published in the June 2006 issue of IEEE Computer in The Power of Ten – Rules for Developing Safety Critical Code by Gerard J. Holzmann.
The paper and site describes 10 rules:
Check the site and the paper out.
I was listening to Security Now 229: The Rational Rejection of Security Advice when there was a reference to site/conference that I found intriguing. The entire episode was based on a paper from the conference.
The site, www.nspw.org, is the companion to the "New Security Paradigms Workshop" events. The description of the workshop is what I find so fascinating:
The New Security Paradigms Workshop (NSPW) is an annual, small invitation-only workshop for researchers in information security and related disciplines. NSPW’s focus is on work that challenges the dominant approaches and perspectives in computer security. In the past, such challenges have taken the form of critiques of existing practice as well as novel, sometimes controversial, and often immature approaches to defending computer systems. By providing a forum for important security research that isn’t suitable for mainstream security venues, NSPW aims to foster paradigm shifts in information security.
It happens that all of the proceedings for the conference are available online. Well worth reviewing.
I was reading a press release for a security analysis program and there was a reference to the "Common Weakness Enumeration site". I was not interested in the product but did decide to investigate the site referenced.
The Common Weakness Enumeration (CWA) is subtitled "A Community-Developed Dictionary of Software Weakness Types." The site is hosted by MITRE”. The scope of the project is to "provides a unified, measurable set of software weaknesses."
It appears that the starting point of this taxonomy of software security weaknesses was quite a few of disparate standards, papers, proposals, etc. A pretty good list and links to original sources can be found on the sources page. Each item in the list includes a description, where the weakness may be introduced, whether it is applicable to particular platforms, examples and related items.
The following links were published in the March 2010 ACM SIGSOFT Software Engineering Notes in the "Surfing the Net for Software Engineering Notes" by Mark Doernhoefer. This issues topic was Cyber Security.
A coworker pointed me to the following video: Quality Software Development by Yahoo Architect Douglas Crockford (181 MB). The presentation from from the Yahoo 2007 FrontEnd Engineering Summit (March 7-8, 2007).
Below are my notes of the slide titles.
The 2010 CWE (Common Weakness Enumeration) / SANS Top 25 Most Dangerous Programming Errors has been released. The full report should be required reading for all web programmers and testers. A pdf version is also available.
Here are the 25 items: