References¶

AFL: Michał Zalewski, american fuzzy lop. http://lcamtuf.coredump.cx/afl/, retrieved 2019-05-29.
AminiPortnoy: Pedram Amini & Aaron Portnoy, Fuzzing Sucks! Introducing Sulley Fuzzing Framework. Blackhat US 2007. https://github.com/OpenRCE/sulley/raw/master/docs/introducing_sulley.pdf, retrieved 2019-05-29.
ASVS: OWASP, Application Security Verification Standard 4.0. https://github.com/OWASP/ASVS/raw/master/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0-en.pdf, retrieved 2019-04-15.
BSI: Hubert Garavel, Formal Methods for Safe and Secure Computers Systems. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/formal_methods_study_875/formal_methods_study_875.pdf?__blob=publicationFile, retrieved 2019-05-28.
BSIMM: Gary McGraw, Sammy Migues, and Jacob West, Building Security In Maturity Model (BSIMM) Version 9. https://www.bsimm.com/content/dam/bsimm/reports/bsimm9.pdf, retrieved 2019-07-01.
BeyondGrep: Andy Lester, More tools for searching source code. https://beyondgrep.com/more-tools/, retrieved 2019-04-23.
Böck: Hanno Böck, The Fuzzing Project. https://fuzzing-project.org/, retrieved 2019-05-29.
Boofuzz: Joshua Pereyda, boofuzz: Network Protocol Fuzzing for Humans. https://github.com/jtpereyda/boofuzz, retrieved 2019-05-29.
CAPEC: MITRE, Common Attack Pattern Enumeration and Classification. http://capec.mitre.org/, retrieved 2019-04-19.
CATB: Eric Raymond, The Cathedral and the Bazaar. http://www.catb.org/esr/writings/cathedral-bazaar/cathedral-bazaar/, retrieved 2019-05-31.
Cheung: Chun Yu Cheung, Threat Modeling Techniques. Draft 0.91. http://www.safety-and-security.nl/uploads/cfsas/attachments/SPM5440%20%26%20WM0804TU%20-%20Threat%20modeling%20techniques%20-%20CY%20Cheung.pdf, retrieved 2019-04-19.
CII3Years: https://www.coreinfrastructure.org/blogs/core-infrastructure-initiative-celebrates-3-year-anniversary/, retrieved 2019-02-13.
CIIBadge: https://www.coreinfrastructure.org/programs/badge-program/, retrieved 2019-07-08.
CioInsight: Michael Vizard, App Testing Now Consumes a Quarter of IT Budget. https://www.cioinsight.com/it-strategy/application-development/slideshows/app-testing-now-consumes-a-quarter-of-it-budget.html, retrieved 2019-05-21.
CodeSearch: Google, CodeSearch. https://github.com/google/codesearch, retrieved 2019-04-23.
ComputerWeekly: Cliff Saran, Application testing costs set to rise to 40% of IT budget. https://www.computerweekly.com/news/4500253336/Application-testing-costs-set-to-rise-to-40-of-IT-budget, retrieved 2019-05-21.
Cscope: Sourceforge.net, Cscope. http://cscope.sourceforge.net/, retrieved 2019-04-23.
Ctags: Sourceforge.net, Exuberant Ctags. http://ctags.sourceforge.net/, retrieved 2019-04-23.
CVE: MITRE, Common Vulnerabilities and Exposures. http://cve.mitre.org/index.html, retrieved 2019-02-15.
CVSS: NIST, Vulnerability Metrics. https://nvd.nist.gov/vuln-metrics/cvss, retrieved 2019-02-15.
CWE: MITRE, Common Weakness Enumeration. http://cwe.mitre.org/, retrieved 2019-04-19.
Danezis: George Danezis, Principles of Computer Security. https://handouts.secappdev.org/handouts/2014/George%20Danezis/SecAppDev-2014-01-Principles.pdf, retrieved 2019-05-29.
DeepSpec: DeepSpec, About. https://deepspec.org/page/About/, retrieved 2019-05-21.
FFS: T.C. Hemel and J.A. de Vries, Framework Secure Software. http://www.securesoftware.nl/resources/FrameworkSecureSoftware_v1.pdf, retrieved 2019-05-17.
Github: Github, About security alerts for vulnerable dependencies. https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/, retrieved 2019-02-15.
Fogel: Karl Fogel, Producing Open Source Software: How to Run a Successful Free Software Project. https://producingoss.com/, retrieved 2019-06-05.
GotoFail: https://www.imperialviolet.org/2014/02/22/applebug.html, retrieved 2019-04-22.
Grönke: Stefan Grönke, Hardening Open Source Development. https://media.ccc.de/v/34c3-9249-hardening_open_source_development, retrieved 2019-06-07.
Hound: Kelly Norton & Jonathan Klein, Hound. https://github.com/hound-search/hound, retrieved 2019-04-23.
iPhoneHacks: Rajesh Pandey, Apple’s Bug Bounty Program Fails to Take off as iOS Bugs Are Too Valuable to Disclose. http://www.iphonehacks.com/2017/07/apples-bug-bounty-program-fails-take-off-ios-bugs-valuable-disclose.html, retrieved 2019-05-31.
JurczykColdwind: Mateusz Jurczyk and Gynvael Coldwind, FFmpeg and a thousand fixes. https://security.googleblog.com/2014/01/ffmpeg-and-thousand-fixes.html, retrieved 2019-05-29.
Kadlec: Tim Kadlec, Understanding Responsible Disclosures. https://snyk.io/blog/understanding-responsible-disclosures/, retrieved 2019-05-31.
Knuth: D.E. Knuth, Notes on the van Emde Boas construction of priority deques: an in-structive use of recursion, Classroom notes Stanford University, March 1977. https://staff.fnwi.uva.nl/p.vanemdeboas/knuthnote.pdf, retrieved 2019-05-28.
KohnfelderGarg: Kohnfelder, Loren; Garg, Praerit (April 1, 1999). “The threats to our products”. https://adam.shostack.org/microsoft/The-Threats-To-Our-Products.docx, retrieved 2019-02-19.
LakhaniWolf: Karim R. Lakhani & Robert G. Wolf, Why Hackers Do What They Do: Understanding Motivation and Effort in Free/Open Source Software Projects. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.85.2689&rep=rep1&type=pdf, retrieved 2019-06-05.
Levefre: François Lefèvre, Docker and IPtables. https://fralef.me/docker-and-iptables.html, retrieved 2019-06-04.
LINDDUN: DistriNet Research Group, LINDDUN: Privacy Threat Modeling. https://linddun.org/, retrieved 2019-06-07.
LinuxBugsNotShallow: Sean Michael Kerner, Why All Linux (Security) Bugs Aren’t Shallow. February 2015. https://www.esecurityplanet.com/open-source-security/why-all-linux-security-bugs-arent-shallow.html, retrieved 2019-02-13.
LinuxFoundation: Ibrahim Haddad & Brian Warner, Understanding the Open Source Development Model. http://www.ibrahimatlinux.com/uploads/6/3/9/7/6397792/00.pdf, retrieved 2019-06-04.
LXR: The LXR Project Web-Site. https://lxr.sourceforge.io/en/index.php, retrieved 2019-04-23.
MASVS: OWASP, Mobile AppSec Verification, Version 1.1. https://github.com/OWASP/owasp-masvs/releases/download/1.1/OWASP_Mobile_AppSec_Verification_Standard_v1.1.pdf, retrieved 2019-04-19.
McGraw: Gary McGraw, Software Security, Building Security In. Addison-Wesley, 2006.
Meyer: Bejamen Meyer, Docker Network bypasses Firewall, no option to disable. https://github.com/moby/moby/issues/22054, retrieved 2019-06-04.
MITRE: MITRE, Sample Secure Code Review Report. https://www.mitre.org/sites/default/files/publications/secure-code-review-report-sample.pdf, retrieved 2019-04-25.
Mozilla: Mozilla, Handling Mozilla Security Bugs. https://www.mozilla.org/en-US/about/governance/policies/security-group/bugs/, retrieved 2019-05-31.
NCCGroup: NCCGroup, Fix Bounty. https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/march/fix-bounty/, retrieved 2019-06-05.
OpenGrok: Oracle, {OpenGrok. https://oracle.github.io/opengrok/, retrieved 2019-04-23.
OSSFuzz: Google, OSS-Fuzz - continuous fuzzing of open source software. https://github.com/google/oss-fuzz/, retrieved 2019-05-29.
OSSSurvey2017: Open Source Survey 2017. https://opensourcesurvey.org/2017/, retrieved 2019-02-13.
OWASP: OWASP. OWASP™ Foundation, the free and open software security community. https://www.owasp.org/index.php/Main_Page, retrieved 2019-06-05.
OWASPCRG: OWASP, OWASP Code Review Guide. https://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents, retrieved 2019-04-25.
OWASPDAST: OWASP, Category:Vulnerability Scanning Tools. https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools, retrieved 2019-05-29.
OWASPPTM: OWASP, Penetration testing methodologies. https://www.owasp.org/index.php/Penetration_testing_methodologies, retrieved 2019-05-29.
OWASPTG: OWASP, OWASP Testing Guide v4. https://www.owasp.org/index.php/OWASP_Testing_Project, retrieved 2019-05-29.
RFC3833: Atkins & Austein, Threat Analysis of the Domain Name System (DNS). August 2004. https://www.ietf.org/rfc/rfc3833.txt, retrieved 2019-04-19.
RFC3552: Rescorla & Korver, Guidelines for Writing RFC Text on Security Considerations. July 2003. https://www.ietf.org/rfc/rfc3552.txt, retrieved 2019-04-19.
RFC6819: Lodderstedt, et al., OAuth 2.0 Threat Model and Security Considerations. January 2013. https://www.ietf.org/rfc/rfc6819.txt, retrieved 2019-04-19.
RFC7132: Kent & Chi, Threat Model for BGP Path Security. February 2014. https://www.ietf.org/rfc/rfc7132.txt, retrieved 2019-04-19.
SAFECode: Stacy Simpson, Fundamental Practices for Secure Software Development - A Guide to the Most Effective Secure Development Practices in Use Today. October, 2008. http://safecode.org/publication/SAFECode_Dev_Practices1108.pdf, retrieved 2019-04-22.
SAMATE: NIST. Source Code Security Analyzers. https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html, retrieved 2019-05-19.
SAMM: OWASP, OWASP SAMM Project. https://www.owasp.org/index.php/OWASP_SAMM_Project, retrieved 2019-07-01.
Sarkar: Sarkar, Advait. (2015). The impact of syntax colouring on program comprehension. http://www.ppig.org/sites/default/files/2015-PPIG-26th-Sarkar.pdf, retrieved 2019-04-23.
Schneider: Fred B. Schneider, Blueprint for a science of cybersecurity. https://www.cs.cornell.edu/fbs/publications/SoS.blueprint.pdf, retrieved 2019-05-29.
Schneier2002: Bruce Scheier, Crypto-Gram May 15, 2002. https://www.schneier.com/crypto-gram/archives/2002/0515.html, retrieved 2019-05-31.
Schneier2008: Bruce Scheier, Random Number Bug in Debian Linux. May 2008. https://www.schneier.com/blog/archives/2008/05/random_number_b.html, retrieved 2019-04-22.
Seacord: Robert Seacord, fgets() and gets_s(). September 2005. https://www.us-cert.gov/bsi/articles/knowledge/coding-practices/fgets-and-gets_s, retrieved 2019-04-22.
Shostack: Adam Shostack, Threat Modeling, designing for security. Wiley, 2014.
STH: Software Testing Help, Top 10 Most Popular Code Review Tools for Developers and Testers. https://www.softwaretestinghelp.com/code-review-tools/, retrieved 2019-04-26.
Traxiom: Traxiom Security, Disadvantages of a Bug Bounty Program. https://www.triaxiomsecurity.com/2018/12/10/disadvantages-of-a-bug-bounty-program/, retrieved 2019-06-05.
TUF: The Update Framework. https://theupdateframework.github.io/, retrieved 2019-06-07.
UserFriendly: Iliad, User Friendly cartoon for Oct 02, 2000. https://web.archive.org/web/20011218081203/http://ars.userfriendly.org:80/cartoons/?id=20001002, retrieved 2019-04-27.
Wheeler: High Assurance (for Security or Safety) and Free-Libre / Open Source Software (FLOSS)… with Lots on Formal Methods / Software Verification. https://dwheeler.com/essays/high-assurance-floss.html, retrieved 2019-06-05.
WikipediaLinusLaw: https://en.wikipedia.org/wiki/Linus’s_Law, retrieved 2019-02-13.
WikipediaObscurity: https://en.wikipedia.org/wiki/Security_through_obscurity, retrieved 2019-02-13.
Winkler: Ira Winkler, A simple cure for the cybersecurity skills shortage. https://www2.computerworld.com/article/2488336/a-simple-cure-for-the-cybersecurity-skills-shortage.html, retrieved 2019-06-04.
Zerodium: Zerodium, Our Exploit Acquisition Program. https://zerodium.com/program.html, retrieved 2019-05-31.