Comments on: How To Use A Checklist to Prevent Security Errors http://blog.bstpierre.org/how-to-use-a-checklist-to-prevent-security-errors Software Development, version 3.0 Fri, 05 Mar 2010 15:01:53 -0700 http://wordpress.org/?v=2.8.5 hourly 1 By: brian http://blog.bstpierre.org/how-to-use-a-checklist-to-prevent-security-errors/comment-page-1#comment-66 brian Sun, 25 Jan 2009 05:15:58 +0000 http://blog.bstpierre.org/?p=98#comment-66 Thanks for the link to your article. I'd have to agree, five questions is probably a better limit than 15. Looking in my file now, most of mine have 6-10 items. I've got a post brewing for Monday around a similar idea to your "don't ask what you can automate". The SANS paper was good. Did you click-through to the detail for each item? There may have been some C slant in a couple of items, but a lot of the problems are really architectural: hardcoded passwords, failure to authenticate. OS command injection may not be a problem in C# or Java, but it may be a problem for perl or PHP. The checklist you really need to develop is for <em>design</em> review, not as much for code review. With half of these errors, by the time you're finding the errors in code, you're already hosed. Get the design right first. Thanks for the link to your article. I’d have to agree, five questions is probably a better limit than 15. Looking in my file now, most of mine have 6-10 items. I’ve got a post brewing for Monday around a similar idea to your “don’t ask what you can automate”.

The SANS paper was good. Did you click-through to the detail for each item? There may have been some C slant in a couple of items, but a lot of the problems are really architectural: hardcoded passwords, failure to authenticate. OS command injection may not be a problem in C# or Java, but it may be a problem for perl or PHP. The checklist you really need to develop is for design review, not as much for code review. With half of these errors, by the time you’re finding the errors in code, you’re already hosed. Get the design right first.

]]> By: Jason Cohen http://blog.bstpierre.org/how-to-use-a-checklist-to-prevent-security-errors/comment-page-1#comment-64 Jason Cohen Sat, 24 Jan 2009 15:10:53 +0000 http://blog.bstpierre.org/?p=98#comment-64 Excellent point -- checklists are indeed essential. Perhaps you'd be interested in an article I wrote for Embedded.com that shows <a href="http://embedded.com/columns/guest/208803162" rel="nofollow">how to build and change a checklist over time</a> as well as a few tips for avoiding pitfalls. BTW, what do you think of the "25 most dangerous programming errors" paper? I thought it was pretty good for C/C++ programs but not as relevant for Java/C#. Excellent point — checklists are indeed essential.

Perhaps you’d be interested in an article I wrote for Embedded.com that shows how to build and change a checklist over time as well as a few tips for avoiding pitfalls.

BTW, what do you think of the “25 most dangerous programming errors” paper? I thought it was pretty good for C/C++ programs but not as relevant for Java/C#.

]]>