Excuse Cases, Caboose Cases and Other Terrible Application “Security” Practices

Hopefully everyone in the software industry is familiar with using “use cases” to capture software requirements by describing the behavior of a system as it responds to user actions. And most folks who work in application and software security ought to be familiar with using “abuse cases” to describe possible ways attackers might try to attack software. The past couple of weeks around the office (and on Twitter) we got to talking about other “-use cases” we see in the practice of software security.

Here’s some of what we came up with:

  • All the “Excuse Cases” teams use to avoid fixing security bugs
  • The “Caboose Case” where teams hold off on doing any security testing until the very end of a project, with predictable results (credit to @shrdlu)
  • The “Spruce Goose Case” for impossibly huge projects that still somehow take off (credit to @shpantzer)
  • “J’Accuse Cases” where everybody points fingers at everyone else rather than trying to solve the underlying problems
  • “Loose Cases” where security requirements and their implementation are kept as vague as possible
  • “Obtuse Cases” where software developers refuse to believe their code could possibly be vulnerable (credit to @shrdlu)
  • “Rule the Roost Cases” where teams decide to fight each other through their executive sponsors rather than working together to solve problems
  • And finally, “Noose Cases” where the development team makes decisions they know are going to come back and kill them later

It doesn’t have to be like this. Contact us for help building a high-performance application security practice.

–Dan

dan _at_ denimgroup.com

@danielcornell


About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
