Open Web Application Security Project issues new secure coding bible

The Open Web Application Security Project (OWASP) has published the third version of its developer security bible, trimming the fat and offering peer-reviewed and tested means of building more secure apps. The Application Security Verification Standard Project (ASVS) is the carrot to OWASP's much-cited stick that is the Top 10 …

  1. Ole Juul

    Eureka

    "three to four years ago he and others in the industry were doing penetration testing at the end of a build. Now, the best work with builders from the start."

    This is a good idea and has been standard in other fields for a long time, for example bridge building and high-rise construction.

    1. Anonymous Coward

      Re: Eureka

      Bridge building and high-rise construction have thousands of years of expertise. Big project failures in the past taught a lot. IT is much younger, and the big security failures of the past years are starting to teach enough to change the mindset.

    2. DaLo

      Re: Eureka

      It is also rather easier to fix issues in code afterwards than fix a critical flaw with a bridge or a high-rise.

      It's also easier to spot flaws in code as it doesn't have three layers of reinforced concrete poured over it.

      (Not that I'm condoning post build security reviews, I believe all programmers should program securely at all times, the same way they're expected to write good, or efficient code)

      1. Anonymous Coward

        Re: Eureka

        "It is also rather easier to fix issues in code afterwards than fix a critical flaw with a bridge or a high-rise."

        Yes, that's why there's so much shite code out there. The "profit now, we can/might fix/sell a new version later" motivation got us to this place already.

      2. Warm Braw

        Re: Eureka

        "It is also rather easier to fix issues in code afterwards"

        That simply isn't true in practice - just search this august journal for "SOHOpeless" for the evidence.

        And even if it were, critical flaws in software can cause huge economic damage before they're detected and fixed. Fixing afterwards may be pointless if the damage is already done.

        1. Anonymous Coward

          Re: Eureka

          "That simply isn't true in practice"

          It's talking about testing at the end of a build (QA testing) not testing after it has been publicly released.

          If you think it is easier to knock down a high rise to fix a critical flaw with the metalwork than recode some potential buffer overruns then don't get a job in the construction industry (or the software industry).

  2. John Smith 19 Gold badge

    "Developers are responsible for insecurity."

    True.

    Always.

    And to the reply "The PHB made me do it": make sure you have a record of supplying them with an analysis of what happens (especially how much money will be lost) if the project goes live with their planned arrangements and security is breached.

    1. tony2heads

      Re: "Developers are responsible for insecurity."

      This business of recording information given to a boss reminds me of an old friend who used to be a sailor.

      He was once given an instruction by a captain which he could see was bloody risky. He insisted that he would only comply if it was written in the ship's log as an order from the captain; the captain backed down when he realised that any blame would be attached to him if the ship sank and could not be passed on.

      Perhaps something like a ship's log should be kept for orders handed down (VW, are you listening?).

      1. Destroy All Monsters Silver badge

        Re: "Developers are responsible for insecurity."

        > Perhaps something like ship's log should be kept for orders handed down

        It's called a JIRA

        1. Alistair

          Re: "Developers are responsible for insecurity."

          @DAM

          I have 17 years worth of email archived. And backed up. Intentionally. With indexes.

  3. Dan 55 Silver badge

    Attn publishers of this esteemed organ

    2.16: Verify that credentials are transported using a suitable encrypted link and that all pages/functions that require a user to enter credentials are done so using an encrypted link.
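    The quoted requirement can be checked mechanically. As an added example (not from the article, OWASP, or the commenter), the script below parses a page for forms containing a password field and reports any credential form that is rendered on, or submits to, a non-https URL; the page URL, sample HTML and function names are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class CredentialFormFinder(HTMLParser):
    """Collect every <form> that contains a password field, with its resolved action URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # list of [action_url, has_password]
        self._current = None   # index into self.forms while inside a <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            action = urljoin(self.page_url, a.get("action") or "")
            self.forms.append([action, False])
            self._current = len(self.forms) - 1
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self.forms[self._current][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_credential_transport(page_url, html):
    """Return a list of findings; an empty list means ASVS 2.16 is satisfied for this page.

    Both the page that renders the credential form and the URL the form submits
    to must use https, otherwise credentials travel over an unencrypted link.
    """
    parser = CredentialFormFinder(page_url)
    parser.feed(html)
    findings = []
    page_https = urlsplit(page_url).scheme == "https"
    for action, has_password in parser.forms:
        if not has_password:
            continue  # search boxes etc. carry no credentials
        if not page_https:
            findings.append(f"credential form rendered on non-https page {page_url}")
        if urlsplit(action).scheme != "https":
            findings.append(f"credential form submits to non-https action {action}")
    return findings


# Constructed sample: a login form on a plain-http page posting to a relative path.
SAMPLE_HTML = """<html><body>
<form method="post" action="/login"><input name="user"><input type="password" name="pw"></form>
<form action="https://example.test/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in check_credential_transport("http://example.test/forum", SAMPLE_HTML):
        print(finding)
```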

  4. Chris Daemon

    Web Derpvelopers

    But can they do a version for all those front-end/UX "developers"?

    Something based on a coloring book, see spot run, etc?

  5. Anonymous Coward

    Risks associated with software today ..

    "An application achieves ASVS Level 2 (or Standard) if it adequately defends against most of the risks associated with software today."

    Your web applications are only as secure as the underlying OS. If that's insecure then no amount of ASVS will cure it. How about designing an OS that can differentiate between local software and software downloaded from the Internet and doesn't execute the latter. How about not using an OS that can be compromised by clicking on a malicious weblink or opening an email attachment.

    PS: I notice some broken HTML at the top of the page to get some script to run:

    <html><head><script>var inDapIF = true;</script></head><body><script src="https://tpc.googlesyndication.com/safeframe/1-0-2/js/ext.js"></script><IFRAME SRC="https://fw.adsafeprotected.com/rjsi/dc/49009/6898563/ddm/adi/N117602.126839THEREGISTER.COM/B9199301.125002745;sz=728x90;click=https://adclick.g.doubleclick.net/aclk%253Fsa%253DL%2526ai
