In our projects we are often asked for standard lists of vulnerabilities. The rationale behind this question is to ensure that security tests follow industry best practice. If you don't do this, liability discussions might follow.
For quite some time there have been top lists of vulnerabilities that must be avoided in applications. Some focus only on Web applications (OWASP Top 10) and others are industry-specific (e.g. the Payment Card Industry (PCI) security standard or FDA Part 11). The "TOP 25 Most Dangerous Programming Errors" compiled by CVE/SANS is one of the most comprehensive lists today. Review such lists carefully and ensure that well-known issues are addressed in your development projects. You should also ensure that your security tester of choice is aware of such benchmarks.
A final thought: focusing solely on these lists is not sufficient. It is important to extend such a list for dedicated environments like SAP applications. They have some very specific properties and security demands that are not addressed by generic top lists of vulnerabilities.
1 comment:
Agree that negative lists aren't enough. Check the OWASP Application Security Verification Standard (ASVS) for a positive verification approach to scanning, testing, code review, and threat modeling. http://www.owasp.org/index.php/ASVS