Security Resources [Update]

Years ago, I was working with a client who was implementing their first web site.

Well, actually, it wasn't their first. It was their third. But their first two were haphazard "we hope this works" kind of web sites. They relied on third-party security and were pretty sure they were using it correctly.

I was involved with their first externally-facing application. We were going through a "risk-exposure" analysis.

One of their people was so uncomfortable that they balked at the very idea of a fixed list of risks.

"We don't know what we don't know," they pronounced. Their claim was that security considerations included an unbounded list of vulnerabilities.

Vulnerability Lists

I make regular use of the OWASP top 10 vulnerabilities and other resources.

Today I learned about the SANS Institute's top 25 coding errors . They provide three categories of errors.

And, there's the 19 Deadly Sins of Software Security list. [Thanks!]

This is very, very handy stuff. There's nothing better than a concrete checklist of errors to structure architecture, design, and coding.

What We Don't Know

Yes, there are unknown, unlisted, yet-unexploited vulnerabilities. Until those are discovered, we really do know what to do.

Don't waste a lot of time on a complex risk/cost analysis. These are complex -- often subjective -- and very expensive. A short list of exposure and cost is all you need. And often, the short list includes something like "HIPAA PHI " and that's all you need to know.
Use a straight-forward checklist of vulnerabilities built from these lists. Numerous items appear on all three lists, that's the bare minimum of security considerations. The union of all three lists isn't that big or complex. Your framework or language may not even have some of these vulnerabilities.

It's probably cheaper to just plug these known holes than it is to decide which -- if any -- holes have "enough" expected value of a loss.