Validating user input in C

17 Feb

Consider using the Top 25 as part of contract language during the software acquisition process. The SANS Application Security Procurement Language site offers customer-centric language derived from the OWASP Secure Software Contract Annex, which provides a "framework for discussing expectations and negotiating responsibilities" between the customer and the vendor. As a customer, you have the power to influence vendors to deliver more secure products by letting them know that security matters to you.


The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe.

Review the vulnerabilities reported in the software you acquire and see whether they reflect any of the associated weaknesses on the Top 25 (or your own custom list). If so, contact your vendor to determine what processes they have in place to minimize the risk that these weaknesses will continue to be introduced into the code.

See the On the Cusp summary for other weaknesses that did not make the final Top 25; this will include weaknesses that are only starting to grow in prevalence or importance, so they may become your problem in the future.

Develop your own nominee list of weaknesses, with your own prevalence and importance factors (and any other factors you consider relevant), then build a metric from them and compare the results with your colleagues; this often produces fruitful discussions.

Treat the Top 25 as an early step in a larger effort towards achieving software security.