Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs
Which is why I list that I have _had_ a CISSP, but am currently non-financial... It was too damn easy to pass and too damn hard to keep up with the CPE point entry... :) I was LAMN member #8 :) Best number :)

Cheers
Bret

At 03:38 PM 21/03/2009, Joe Teff wrote:
> I notice certs like CISSP when hiring. It says the person has a basic understanding of all IS security areas. Nothing more. If someone can't pass the CISSP then I have to wonder why.
>
> -----Original Message-----
> From: Paco Hope p...@cigital.com
> To: SC-L@securecoding.org
> Date: Thu, 19 Mar 2009 11:36:45 -0400
> Subject: Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs
>
> On 3/18/09 5:29 PM, Jeremy Epstein jeremy.j.epst...@gmail.com wrote:
>> If you don't have a CISSP, CISM, MCSE, or EIEIO - and you're proud of it
>
> ...then I'd say you have an overly simplistic view of the world. Anyone who believes that a credential automatically conveys some magical knowledge that you didn't have before is just as overly-simplistic as someone who disparages all credentials equally. It just isn't a black and white world.
>
> Paco
> --
> Paco Hope, CISSP, CSSLP
> Technical Manager, Cigital, Inc
> http://www.cigital.com/
> +1.703.585.7868
> Software Confidence. Achieved.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs
fwiw, I've interviewed my fair share of CISSPs who didn't have a basic understanding of infosec... with the boot camps these days, people don't learn anything... they cram for 1-2 wks, shoving everything into short-term rote memory, and then they take the test and promptly forget everything... this is especially true since the feds began mandating CISSPs for contractors... at least here in the DC metro, the pool of candidates has become extremely watered down over the last 5 or so years...

Joe Teff wrote:
> I notice certs like CISSP when hiring. It says the person has a basic understanding of all IS security areas. Nothing more. If someone can't pass the CISSP then I have to wonder why.
>
> -----Original Message-----
> From: Paco Hope p...@cigital.com
> To: SC-L@securecoding.org
> Date: Thu, 19 Mar 2009 11:36:45 -0400
> Subject: Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs
>
> On 3/18/09 5:29 PM, Jeremy Epstein jeremy.j.epst...@gmail.com wrote:
>> If you don't have a CISSP, CISM, MCSE, or EIEIO - and you're proud of it
>
> ...then I'd say you have an overly simplistic view of the world. [...]
>
> Paco

--
Benjamin Tomhave, MS, CISSP
fal...@secureconsulting.net
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
I think there should be something in science called the 'reindeer effect.' I don't know what it would be, but I think it'd be good to hear someone say, 'Gentlemen, what we have here is a terrifying example of the reindeer effect.'
Deep Thoughts by Jack Handy
Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)
Hey John,

I like where your head is at - great list. Regarding:

> Builds adaptors so that bugs are automatically entered in tracking systems

Does the industry have:
1) A standard schema for findings, root causes, vulnerabilities, etc, and the inter-relation of these key terms (and others?)
2) Standardized APIs for allowing different risk systems to correlate this data?

Or is it, right now, mostly proprietary glue? Curious...

Also, how do you build adaptors so that manual processes are automatically entered in a tracking system? Are you just talking about content management systems to make it easy for manual reviewers to enter data into risk management software?

Anyhow, I like where your head is at and it definitely got me thinking.

- Jim

----- Original Message -----
From: Tom Brennan - OWASP t...@owasp.org
To: John Steven jste...@cigital.com; sc-l-boun...@securecoding.org; Benjamin Tomhave list-s...@secureconsulting.net; Secure Code MailingList SC-L@securecoding.org
Sent: Friday, March 20, 2009 10:37 AM
Subject: Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

> John Stevens for Cyber Czar! I have Elect J.Stevens bumper stickers printing, I retooled my Free Kevin sticker press. Well stated ;) have a great weekend!
>
> -----Original Message-----
> From: John Steven jste...@cigital.com
> Date: Fri, 20 Mar 2009 14:35:01
> To: Benjamin Tomhave list-s...@secureconsulting.net; Secure Code MailingList SC-L@securecoding.org
> Subject: Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)
>
> Tom, Ben, All,
>
> I thought I'd offer more specifics in an attempt to clarify. I train people here to argue your position Ben: security vulnerabilities don't count unless they affect development. To this end, we've specifically had success with the following approaches:
>
> [Integrate Assessment Practices]
>
> [What?]
> Wrap the assessment activities (both tool-based and manual techniques) in a process that:
> * Normalizes findings under a common reporting vocabulary and demonstrates impact
>   * Include SAST, DAST, scanning, manual, out-sourced, ALL findings producers in this framework
> * Anchors findings in either a developmental root cause or other software artifact:
>   * Use Case, reqs, design, spec, etc.
> * Builds adaptors so that bugs are automatically entered in tracking systems
>   * Adaptors should include both tool-based and manual findings
> * Calculates impact with an agreed-upon mechanism that rates security risk with other factors:
>   * Functional release criteria
>   * Other non-security non-functional requirements
>
> [Realistic?]
> I believe so. Cigital's more junior consultants work on these very tasks, and they don't require an early-adopter to fund or agree to them. There's plenty of tooling out there to help with the adapters and plenty of presentations/papers on risk (http://www.riskanalys.is), normalizing findings (http://cwe.mitre.org/), and assessment methodology (http://www.cigital.com/papers/download/j15bsi.pdf).
>
> [Panacea?]
> No. I've done research and consulting in functional testing. If you think security is powerless against development, try spending a few years in a tester's shoes! Functionality may be king for development and PMs, but I've found that functional testing has little to no power. While a lack of features may prevent software from going out the door, very rarely do I find that functional testing can implement an effective go/no-go gate from their seat in the org. That's why testing efforts seek muscle from their friend Security (and its distant cousins under quality, Load and Performance) to stop releases from going out the door. There's no reason NOT to integrate with testing efforts, reporting, and groups: we should.
>
> There's every reason security should adhere to the same interface everyone else does with developers (let them produce code and let them consume bugs)... I think the steps I outlined under 'what' bring us closer. I enjoyed Guy's book, but I don't think we need to (or can expect to) flip organizational precedent and behavior on its head to make progress.
>
> [Steering]
> The above scenario doesn't allow explicitly for two key input/outputs from the software security ecosystem:
> 1. Handling ultra-high-priority issues in real time
> 2. Adjusting and evolving to changing threat landscapes
>
> I've long suggested establishing a steering committee for this.
>
> [What?]
> Establish a steering committee on which software security, dev, architecture, operations, and corporate risk sit. These folk should manage the risk-model, scoring, security standards that drive the assessment verification standard, and the definition of both short-term and longer-term mitigating strategies. I'd argue that you'd like Industry representation too. That organization could come in written form (like the Top N lists) or in
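The "normalize, anchor, adapt" pipeline John lays out under [What?], as an added example in Python. This is not code from Cigital or from anyone on the thread, and it does not assume the industry-standard schema Jim asks about exists: the two tool formats ("sast-x" JSON and "dast-y" pipe-separated lines), the manual-review record, the CWE name subset, the table that anchors a file or URL path to its use case or design artifact, the release-critical list and the scoring rule are all assumptions made up for the illustration, and the three input reports are constructed.

```python
import json
import re
from collections import defaultdict

# --- Constructed inputs (not real tool output) ----------------------------
# Hypothetical static analyser "sast-x": JSON with one result per finding.
SAST_REPORT = json.dumps({"tool": "sast-x", "results": [
    {"rule": "SQLI-001", "cwe": 89, "file": "src/orders.py", "line": 42, "severity": "HIGH"},
    {"rule": "XSS-010", "cwe": 79, "file": "templates/cart.html", "line": 7, "severity": "MEDIUM"},
]})
# Hypothetical dynamic scanner "dast-y": url|name|CWE tag|CVSS, one per line.
DAST_REPORT = """\
/orders?id=1'%20OR%201=1--|sql-injection|CWE-89|9.1
/cart?q=<script>|reflected-xss|CWE-79|5.3
/api/export|missing-rate-limit|CWE-770|4.0
"""
# A finding typed in by a reviewer through a form: the "manual" producer.
MANUAL_FINDINGS = [
    {"reviewer": "jdoe", "cwe": 89, "artifact": "src/orders.py",
     "note": "query built by string concatenation", "severity": "high"},
]

# --- Common vocabulary and anchoring tables (assumed for the example) -----
CWE_NAMES = {89: "SQL injection", 79: "Cross-site scripting", 770: "Unbounded resource allocation"}
# Developmental root cause: which use case / design element owns this path.
ANCHORS = {
    "src/orders.py": "UC-12 Place order", "/orders": "UC-12 Place order",
    "templates/cart.html": "Design: cart view", "/cart": "Design: cart view",
    "/api/export": "NFR-3 export throughput",
}
# Artifacts on this release's functional go/no-go list.
RELEASE_CRITICAL = {"UC-12 Place order"}
SEVERITY_TO_SCORE = {"LOW": 3.0, "MEDIUM": 5.0, "HIGH": 8.0, "CRITICAL": 10.0}


def parse_sast(text):
    """sast-x JSON -> (producer, cwe, anchor, score) tuples."""
    return [("sast-x", r["cwe"], ANCHORS.get(r["file"], r["file"]),
             SEVERITY_TO_SCORE[r["severity"].upper()])
            for r in json.loads(text)["results"]]


def parse_dast(text):
    """dast-y lines -> the same tuple shape; the URL path is the anchor key."""
    out = []
    for line in text.splitlines():
        url, _name, cwe_tag, cvss = line.split("|")
        path = url.split("?", 1)[0]
        cwe = int(re.fullmatch(r"CWE-(\d+)", cwe_tag).group(1))
        out.append(("dast-y", cwe, ANCHORS.get(path, path), float(cvss)))
    return out


def parse_manual(items):
    """Reviewer form records -> the same tuple shape as the tools."""
    return [("manual", f["cwe"], ANCHORS.get(f["artifact"], f["artifact"]),
             SEVERITY_TO_SCORE[f["severity"].upper()]) for f in items]


def normalize(*producers):
    """One issue per (CWE, anchored artifact), however many producers saw it."""
    merged = defaultdict(lambda: {"producers": set(), "score": 0.0})
    for findings in producers:
        for producer, cwe, anchor, score in findings:
            slot = merged[(cwe, anchor)]
            slot["producers"].add(producer)
            slot["score"] = max(slot["score"], score)
    issues = []
    for (cwe, anchor), data in sorted(merged.items()):
        # Agreed-upon mechanism (assumed): the security score decides P2/P3,
        # and a high score on a release-critical artifact blocks the release.
        blocks = anchor in RELEASE_CRITICAL and data["score"] >= 7.0
        issues.append({
            "title": f"[CWE-{cwe}] {CWE_NAMES.get(cwe, 'Unclassified')} in {anchor}",
            "cwe": cwe, "artifact": anchor, "score": data["score"],
            "producers": sorted(data["producers"]),
            "priority": "P1" if blocks else ("P2" if data["score"] >= 7.0 else "P3"),
            "blocks_release": blocks,
        })
    return issues


def tracker_payloads(issues):
    """Shape each issue as the JSON body a hypothetical tracker API would take."""
    return [json.dumps({"summary": i["title"], "priority": i["priority"],
                        "labels": ["security", f"cwe-{i['cwe']}"] + i["producers"],
                        "description": f"score={i['score']}; artifact={i['artifact']}"})
            for i in issues]


if __name__ == "__main__":
    found = normalize(parse_sast(SAST_REPORT), parse_dast(DAST_REPORT), parse_manual(MANUAL_FINDINGS))
    for payload in tracker_payloads(found):
        print(payload)
```

Running it prints three tracker payloads. The SQL injection reported independently by the static tool, the scanner and a reviewer collapses into one P1 issue anchored to the order-placement use case; the anchor, not the file name or URL, is the dedup key, which is what lets a manual finding and a tool finding land on the same ticket. The rate-limit finding stays P3 because nothing on the release criteria depends on it.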
Re: [SC-L] Supply Chain Resiliency Project Assistance
hi sc-l,

For what it's worth, I am involved in the project with jmr...as is Sammy Migues. jmr was our BSIMM participant from DTCC. Their software security initiative is most impressive.

gem

On 3/22/09 9:08 AM, Mason Brown mbr...@sans.org wrote:
> Jim Routh, CISO at Depository Trust and Clearing Corporation is leading a project for the Financial Services ISAC. There is a lot of knowledge on this list and I was hoping you might be willing to offer your thoughts. Below is the request from Jim. If you have thoughts or data and could share it, I'll be happy to collate and send back to the list or to anyone that requests. After he presents it to the FS-ISAC in May, the complete information will be made public.
>
> Important project if your organization uses contractors and outsourcers to design, build or deploy important applications.
>
> Jim Routh, CISO at Depository Trust and Clearing Corporation (and one of the top CISOs in implementing application security), leads a broad industry team identifying leading practices in improving supply chain resiliency -- specifically in the area of procurement for outsourcing software development and services. They have asked for your help in finding sources of information in the public domain and/or descriptions of a practice or control that you have used that actually mitigates one or more risks.
>
> If you have experience or knowledge of security controls and practices specific to the outsourcing of application development through service providers please send a note to Mason Brown at mbr...@sans.org. This can include things like sample contract language or URLs of information/resources you have seen or used. We will provide a summary of the information to anyone who contributes or expresses an interest in seeing the results.
>
> *** Action Required:
> Give some thought to helpful information on security controls and practices specific to the outsourcing of application development work through service providers that will help improve the resiliency of the supply chain, which may be in two categories:
> 1. Source information in the public domain with reference information on where to find it (eg: url)
> 2. Description of a practice/control along with a summary of the risks mitigated
>
> We are striving to create a summary of practices/controls for consideration for those organizations interested in significantly increasing their supply chain resiliency and mitigating the risk of sabotage of supply chain sources. This information along with the survey results will provide the information security professional with a source of information enabling him/her to determine the appropriate practices/controls for his/her organization.
>
> Mason Brown, Director
> SANS Institute (www.sans.org)
> 865-692-0978 (w)
>
> Don't miss SANSFIRE 2009 with the Internet Storm Center! June 13-22 in Baltimore, MD http://www.sans.org/info/39248
> "SANS courses are hands-down the best security courses in the industry." - Scott Hiltis, Bruce Power
Re: [SC-L] Questions asked on job interview for application security/penetration testing job
On Sat, Mar 21, 2009 at 2:43 PM, Matt Parsons mparsons1...@gmail.com wrote:
> I was asked the following questions on a job phone interview and wondered what the proper answers were. I was told their answers after the interview. I was also told that the answers to these questions were one or two words. In the beginning of next week I will post what they told me were the proper answers. Any references would be greatly appreciated.

Looks simple enough. Were there tricks to it? Some companies play games with these type of interviews. (Google) I empathize with brevity. Usually when people ramble too long in interviews they don't know what they are talking about (and are extra nervous because of this). So what are the word answers?

> 1. What are the security functions of SSL?
Transport layer security. Asymmetric public key, symmetric private key, blah blah

> 2. What is a 0 by 90 bytes error.
Error? 0x90 is NOP. A bunch of them make a good sled.

> 3. What is a digital signature, Not what it is?
Authentication

> 4. What is the problem of having a predictable sequence of bits in TCP/IP?
Session Prediction (leads to etc. etc.)

> 5. What is heap memory?
Pooled memory dynamically allocated, no fixed-life

> 6. What is a system call?
Software call to underlying OS function ( FileOpen() )

> 7. What is two factor authentication?
Two of something you have, know, or are

--
Arian Evans

"Let me issue and control a nation's money, and I care not who writes its laws" --Mayer Amschel Rothschild
Re: [SC-L] Supply Chain Resiliency Project Assistance
On Sun, 22 Mar 2009, Gary McGraw wrote:
> hi sc-l,
>
> For what it's worth, I am involved in the project with jmr...as is Sammy Migues. jmr was our BSIMM participant from DTCC. Their software security initiative is most impressive.

I don't know TOO much about supply chain issues, but I have to admit that the lecture I heard on the subject by Marcus Sachs was highly interesting and opened my eyes.

Blessed initiative.

Gadi.

> gem
>
> On 3/22/09 9:08 AM, Mason Brown mbr...@sans.org wrote:
>> Jim Routh, CISO at Depository Trust and Clearing Corporation is leading a project for the Financial Services ISAC. [...]
Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs
Great idea, but why would you say CISSP is meaningless or MCSE is meaningless? Certifications are like technology. They have a place where they fit. CISSP became so popular and prolific because of the vast field of coverage (10 domains) that a certified practitioner had to study, understand, relate to and practice if given a situation.

I am strongly against any certification that touts that you would be able to change the world for good. As silly as it might sound, there are quite a handful of these. On the other hand, companies like Cisco and Microsoft offer certifications that allow professionals to get certified and demonstrate their ability to understand and take over the responsibility of the said position that the certificate applies to.

Now, if you make a case against certifications just because it has become so easy to cram overnight and get certified in the morning, then that's not justice. There are 2 extremes to the spectrum and you see only 1. It's like giving the entire security industry (professionals with certifications mostly) because of a few (thousand) individuals who don't prove to be liable candidates to have obtained that certification. You can compare it to how the world panned out the meaning of the holy word Hacker to what it is today.

Prasad

On Wed, Mar 18, 2009 at 5:29 PM, Jeremy Epstein jeremy.j.epst...@gmail.com wrote:
> Colleagues,
>
> I'm pleased to announce the creation of LAMN, the Legion Against Meaningless certificatioNs. If you don't have a CISSP, CISM, MCSE, or EIEIO - and you're proud of it - this group is for you. You can join LAMN on LinkedIn by searching in the groups area. Unlike so many other certifications, LAMN doesn't charge fees, require outrageously overpriced exams, or demand check-the-box continuing education.
>
> Hope to see many people joining this group - and feel free to pass this along!
>
> --Jeremy
>
> P.S. After you join the group, you can proudly write your name John Doe, LAMN - which conveniently also stands for Letters After My Name. I can't recall who suggested the term to me, but would be happy to give credit if someone wants to step forward and claim credit.

--
Thought for the day - Emails can hurt feelings. If this one did, please ignore your feelings.
Re: [SC-L] Supply Chain Resiliency Project Assistance
Hello everyone,

To reinforce Mason's request, we're looking for any collection of controls (contractual, technical, people, process, etc.) that organizations should request, demand, cajole, enforce, etc. when out-sourcing software development to ensure the required software security in the resulting deliverable. For the purposes of this exercise, you can define controls and software security as broadly as you like and we'll sort it out later.

Our next meeting with Jim is Tuesday afternoon and any pointers to public information, or copies of shareable non-public information, you can provide will be much appreciated.

Thanks,

--Sammy.

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Mason Brown
Sent: Sunday, March 22, 2009 9:09 AM
To: 'Secure Code Mailing List'
Subject: [SC-L] Supply Chain Resiliency Project Assistance

> Jim Routh, CISO at Depository Trust and Clearing Corporation is leading a project for the Financial Services ISAC. [...]
Re: [SC-L] Questions asked on job interview for application security/penetration testing job
Here are the answers that I was given for the following questions by a non-technical recruiter.

1. What are the security functions of SSL?
Encryption and authentication

2. What is a 0 by 90 bytes error.
Buffer overflow.

3. What is a digital signature, Not what it is?
The sender's message is encrypted with the sender's private key and attached like a signature to an encrypted message to ensure that the person is who he claims to be. The recipient uses the sender's public key to decrypt the signature.

4. What is the problem of having a predictable sequence of bits in TCP/IP?
TCP/IP session hijacking. I also thought it was man in the middle attack.

5. What is heap memory?
A heap memory pool is an internal memory pool created at start-up that tasks use to dynamically allocate memory as needed.

6. What is a system call?
Call from the operating system.

7. What is two factor authentication?
Use of something you know, something you have, something you are.

Thanks
Matt Parsons
Matt Parsons, CISSP

From: Matt Parsons [mailto:mparsons1...@gmail.com]
Sent: Saturday, March 21, 2009 4:44 PM
To: 'Secure Code Mailing List'
Subject: RE: Questions asked on job interview for application security/penetration testing job

> Ladies and gentlemen,
>
> I was asked the following questions on a job phone interview and wondered what the proper answers were. I was told their answers after the interview. I was also told that the answers to these questions were one or two words. In the beginning of next week I will post what they told me were the proper answers. Any references would be greatly appreciated.
>
> 1. What are the security functions of SSL?
> 2. What is a 0 by 90 bytes error.
> 3. What is a digital signature, Not what it is?
> 4. What is the problem of having a predictable sequence of bits in TCP/IP?
> 5. What is heap memory?
> 6. What is a system call?
> 7. What is two factor authentication?
>
> Thanks
> Matt
> Matt Parsons, CISSP
> Parsons Software Security Consulting, LLC
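Question 4 above (a "predictable sequence of bits in TCP/IP", answered on the thread as session prediction / hijacking), as an added example that is not code from any of the posters. It models only the handshake state a listening server keeps, with two initial-sequence-number policies: a counter that advances by a fixed step per connection (an assumed simplification of the pre-RFC 1948 BSD behaviour) and a draw from os.urandom. The blind attacker never sees the SYN-ACK that goes to the address it spoofs; it learns the step from two connections of its own, predicts the next ISN and sends the final ACK blind. Addresses, ports, the step and the seed are made up for the illustration.

```python
import os
import struct

MASK = 0xFFFF_FFFF  # sequence numbers are 32-bit and wrap


class TcpListener:
    """Server side of the three-way handshake, reduced to what the attack touches.

    predictable=True hands out ISNs from a counter that steps by a fixed amount
    per connection (assumed simplification of the old BSD scheme);
    predictable=False draws each ISN from os.urandom.
    """

    def __init__(self, predictable, step=64_000, seed=0x2000_0000):
        self.predictable = predictable
        self.step = step
        self.counter = seed
        self.half_open = {}      # (src_ip, src_port) -> ISN we sent in the SYN-ACK
        self.established = set()

    def _next_isn(self):
        if self.predictable:
            isn, self.counter = self.counter, (self.counter + self.step) & MASK
            return isn
        return struct.unpack("!I", os.urandom(4))[0]

    def syn(self, src):
        """A SYN arrives claiming to be from src. The SYN-ACK carrying our ISN is
        routed to src, so a sender that spoofed src never receives this value."""
        isn = self._next_isn()
        self.half_open[src] = isn
        return isn

    def ack(self, src, ack_num):
        """Final ACK of the handshake: it must acknowledge our ISN + 1."""
        isn = self.half_open.get(src)
        if isn is not None and ack_num == (isn + 1) & MASK:
            self.established.add(src)
            return True
        return False


def blind_spoof(server, victim, attacker_ip):
    """Complete a handshake as `victim` without ever seeing the server's SYN-ACK.

    Two probes from the attacker's own address reveal the ISN step; the third
    ISN is predicted; the SYN is sent with the victim's address and the ACK
    is sent blind with the predicted value + 1.
    """
    a = server.syn((attacker_ip, 40000))   # attacker does see this SYN-ACK
    b = server.syn((attacker_ip, 40001))   # and this one
    step = (b - a) & MASK
    predicted = (b + step) & MASK          # guess for the next connection's ISN
    server.syn(victim)                     # spoofed SYN; SYN-ACK goes to the victim
    return server.ack(victim, (predicted + 1) & MASK)


def demo():
    """Returns (attack succeeded against counter ISNs, against random ISNs)."""
    victim, attacker_ip = ("10.0.0.5", 1023), "198.51.100.7"
    weak = TcpListener(predictable=True)
    strong = TcpListener(predictable=False)
    return blind_spoof(weak, victim, attacker_ip), blind_spoof(strong, victim, attacker_ip)


if __name__ == "__main__":
    print("predictable ISN: spoofed session established =", demo()[0])
    print("random ISN:      spoofed session established =", demo()[1])
```

Against the counter the spoofed connection is accepted every time; against a random ISN the blind guess has a 1 in 2^32 chance. Two things the model leaves out matter in practice: a real attack also has to keep the impersonated host from answering the unexpected SYN-ACK with a RST, and current stacks follow RFC 6528, which derives the ISN from a secret keyed over the connection's 4-tuple plus a clock, so ISNs observed on the attacker's own connections say nothing about the one it wants to forge.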