On 4 April 2011 16:45, Gary McGraw <g...@cigital.com> wrote:
> In my opinion, the most interesting thing about stuxnet was the payload.

So what was the huge stride made since Code Red wrt Stuxnet?

> See:
> How to p0wn a Control System with Stuxnet
> <http://www.informit.com/articles/article.aspx?p=1636983> (September 23,
> 2010)
>
> You might also listen to Langner on Silver Bullet (the longest episode
> ever, but a good one):
> http://www.cigital.com/silverbullet/show-059/
>
> gem
>
>
> On 4/1/11 9:16 AM, "Ben Laurie" <b...@google.com> wrote:
>
>>On 31 March 2011 13:03, Gary McGraw <g...@cigital.com> wrote:
>>> hi sc-l,
>>>
>>> Yesterday, Microsoft released an SDL report card of sorts called "The
>>>SDL Progress Report."  It covers the history of the SDL from 2004-2010.
>>>You should read it.
>>>
>>>
>>>http://www.microsoft.com/downloads/en/details.aspx?FamilyID=918179a7-61c9-487a-a2e2-8da73fb9eade
>>>
>>> For some reason the tech press is mostly discussing DEP and ASLR
>>>adoption (covered on pages 18 and 19).  Though I guess that is the
>>>"news" hook the PR flacks are hyping, I think there are many other parts
>>>of the report that have plenty to teach about how a software security
>>>initiative evolves.  (WRT the two anti-exploit tactics, see an article I
>>>co-authored with Ivan Arce from Core, "Assume Nothing: Is Microsoft
>>>Forgetting a Crucial Security Lesson?"
>>><http://www.informit.com/articles/article.aspx?p=1588145> (April 30, 2010).)
>>>
>>> Microsoft has made huge strides since the days of CodeRed, NIMDA and
>>>Slammer.
>>
>>Stuxnet?
>>
>>>  The best part of what they're doing is being very open about the
>>>progress they are making and the approach that seems to be working for
>>>them.  I, for one, would love to see other reports like this issued by
>>>software vendors.
>>>
>>> gem
>>>
>>> company www.cigital.com
>>> podcast www.cigital.com/silverbullet
>>> blog www.cigital.com/justiceleague
>>> book www.swsec.com
>>>
>>> _______________________________________________
>>> Secure Coding mailing list (SC-L) SC-L@securecoding.org
>>> List information, subscriptions, etc -
>>>http://krvw.com/mailman/listinfo/sc-l
>>> List charter available at - http://www.securecoding.org/list/charter.php
>>> SC-L is hosted and moderated by KRvW Associates, LLC
>>>(http://www.KRvW.com)
>>> as a free, non-commercial service to the software security community.
>>> Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
>>> _______________________________________________
>>>
>
>
