Fortify Software, whose tools find and help fix software vulnerabilities, has contributed its collection of 115 types of software security errors to the Open Web Application Security Project (OWASP), a six-year-old non-profit with almost 5,000 members whose “mission is to find and fight the causes of insecure software.”
The work will become part of OWASP's Honeycomb Project.
This is a very good thing.
Fortify's descriptions are well-written and easy to understand, a sort of HowStuffWorks for programmers (or HowStuffBreaks).
"OWASP comes up almost every time I talk to a prospective customer,” Fortify chief scientist Brian Chess told me. “Usually it's around the payment card industry (PCI) data security standard. They call out the OWASP Top 10 list. This institutionalizes that list. That leads people toward getting deeper into OWASP.”
Since OWASP is big among the transaction processors, Fortify's contribution may bring it some contracts. (I hope so, anyway.)
OWASP chairman Jeff Williams said “Vulnerabilities are probably the biggest piece of” his group's mission. “Fortify's knocked off a big chunk of that mountain. They're well done, they're correct, they have code examples with them.”
In addition to the work itself, most of which was done by Chess personally, the Fortify contribution will also help give OWASP members a guideline for how to document everything else they're doing. Chess' organization of problems into “Seven Pernicious Kingdoms” will also help programmers better understand them.
It should prove especially powerful in the transaction processing industry, the PCI-driven audience Chess describes above, as that business moves from legacy languages like COBOL to C++ and Web-based applications.
Chess explains, “C++ is a mixed blessing. In C, people mix things up with string handling all the time. C++ has a string class that makes this harder to do. At the same time, C++ lets you make all the old mistakes of C and COBOL, and adds things like operator overloading that lets you hide what you did.
In general, complexity favors the attacker. It creates more code paths the programmer has to take into account.” And now, thanks to this open-source contribution, programmers can read about those vulnerabilities in plain English.
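To make Chess' point concrete, here is an added example written for this page (it is not code from the article, from Fortify, or from OWASP): a C-style copy into a fixed buffer where the length check is the programmer's job, the std::string version that makes the mistake hard to commit, and an overloaded operator that hides a raw bounded copy behind std::string-like syntax. The class name FixedName, the helper functions and the six-byte buffer size are assumptions chosen for illustration; the "administrator" versus "admin" collision is a constructed input.

```cpp
// Added example, not from the article or from Fortify/OWASP.
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>

// C style: strcpy() has no idea how large dst is, so copying a longer string
// overruns the stack buffer. The length check here is the line C programmers
// forget; without it the function is the classic buffer overflow.
bool c_style_copy(char *dst, std::size_t dst_size, const char *src) {
    std::size_t n = std::strlen(src);
    if (n >= dst_size) {
        return false;                 // would overflow: refuse rather than copy
    }
    std::memcpy(dst, src, n + 1);     // n + 1 copies the terminating NUL
    return true;
}

// Helper (assumed for the example) so the C-style path can be exercised
// against a realistic 8-byte stack buffer.
bool c_copy_accepts(const char *src) {
    char buf[8];
    return c_style_copy(buf, sizeof buf, src);
}

// C++ style: std::string owns and grows its storage, so there is no fixed
// size to overrun and nothing for the caller to get wrong.
std::string cpp_style_copy(const std::string &src) {
    std::string dst;
    dst = src;                        // allocation and length handled by the class
    return dst;
}

// The "mixed blessing": operator<< looks like the safe std::string idiom, but
// underneath it is a strncpy() into a fixed buffer that silently truncates.
// Nothing at the call site (`key << input`) shows that the input was cut.
class FixedName {
public:
    FixedName() { buf_[0] = '\0'; }

    FixedName &operator<<(const std::string &s) {
        std::strncpy(buf_, s.c_str(), sizeof buf_ - 1);
        buf_[sizeof buf_ - 1] = '\0';
        truncated_ = s.size() > sizeof buf_ - 1;   // recorded, but callers rarely check
        return *this;
    }

    std::string str() const { return buf_; }
    bool truncated() const { return truncated_; }

private:
    char buf_[6];                     // room for five characters plus NUL (assumed size)
    bool truncated_ = false;
};

// What a lookup key becomes after passing through the overloaded operator.
std::string fixed_key(const std::string &input) {
    FixedName key;
    key << input;
    return key.str();
}

// Whether two different inputs collapse to the same key: the hidden
// truncation turns "administrator" into "admin".
bool keys_collide(const std::string &a, const std::string &b) {
    return fixed_key(a) == fixed_key(b);
}

int main() {
    std::cout << "c_style_copy(\"root\") accepted: " << c_copy_accepts("root") << '\n';
    std::cout << "c_style_copy(\"administrator\") accepted: " << c_copy_accepts("administrator") << '\n';
    std::cout << "std::string copy: " << cpp_style_copy("administrator") << '\n';
    std::cout << "FixedName key for \"administrator\": " << fixed_key("administrator") << '\n';
    std::cout << "collides with \"admin\": " << keys_collide("administrator", "admin") << '\n';
    return 0;
}
```

The bounded C-style copy fails loudly on oversized input, and std::string simply grows, but FixedName accepts "administrator" and quietly stores "admin". That is the hidden behaviour Chess is warning about: the syntax reads as safe, the code path that loses data is inside the operator, and a reviewer scanning the call site sees nothing wrong.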