Wireshark-dev: Re: [Wireshark-dev] Con Edison - Top25 Software Errors - Assessment

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Fri, 09 Sep 2011 09:01:25 -0700
Carlos,

Many items on the list don't apply to Wireshark. For example, we don't
use SQL queries (item 1) and Wireshark isn't a web-based application
(items 4, 12, 22).

For the items that do apply we use the following methods to detect and
mitigate errors:

Review. We ask that contributors submit code via an enhancement request
on our bug tracker where it can be reviewed before being added to the
source code repository.

Documentation and training. We address some of the issues in the CWE in
our developer documentation and in our introductory development class at
Sharkfest (the Wireshark user and developer conference).

Continuous Integration. As part of our automated build system we run API
tests (including the detection of insecure functions), unit tests, and
fuzz tests.

Privilege separation. Packet capture (which requires elevated privileges
on many platforms) is handled by a separate process, dumpcap.


On 9/8/11 3:41 PM, Walton, Carlos wrote:
> Good day,
> 
> Can I possibly get a response before close of business tomorrow?
> 
> *From:*Walton, Carlos
> *Sent:* Wednesday, August 24, 2011 10:37 AM
> *To:* wireshark-dev@xxxxxxxxxxxxx
> *Cc:* Walton, Carlos
> *Subject:* Con Edison - Top25 Software Errors - Assessment
> 
> *Wireshark University* has been identified as a provider of software
> that is in use or is being evaluated for use in Con Edison.
> 
> Con Edison is committed to having a strong cyber security program, which
> includes vulnerability management.
> 
> The SANS Institute has recently published an updated list of the Top 25
> Most Dangerous Software Errors that can lead to serious vulnerabilities
> in software.
> 
> To help us maintain our current security posture, please respond how you
> are addressing the most common weaknesses identified in the
> publication, during and after the development lifecycle of your software.
> 
> Please specifically address each one of the Top 25 in the attached
> document.
> 
> *Carlos Walton* | Environmental Engineering & Program
> Support | 212.460.6485
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe