[SC-L] SearchSecurity: Architecture Risk Analysis
hi sc-l,

Software security in general spends a lot of time talking about bugs---too much time, I believe. We all know that software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design). So, how do you find and FIX flaws? That's what this month's SearchSecurity column is about.

This article is about finding security flaws in software with Architecture Risk Analysis. It is co-authored by Jim DelGrosso, who is a Principal Consultant at Cigital and runs the Architecture practice. We know this approach works, because we actually use it every day (and have done so for over a decade): http://bit.ly/1b2f5Zk

No, it's not easy, and yes, it takes experience. Oh well.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

p.s. Long link for Mr Wall: http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
[SC-L] HP Protect Keynote (next week 9.17.13)
hi sc-l,

This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect in Washington, DC: http://h30627.www3.hp.com/

The Discover Performance magazine featured an article about software security as one part of the run up to the HP Protect Conference. You can read that here: http://bit.ly/153CFDB
http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html

It's great news for the field that we're being asked to talk about software security at a major conference as the keynote. I hope to see some of you there.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

p.s. Long URL for Kevin: http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html
Re: [SC-L] HP Protect Keynote (next week 9.17.13)
I'll be there and am looking forward to seeing it.

Can you cover the need to:
a) 'talk' to developers using UnitTests,
b) stop giving developers PDFs/badometers,
c) create security Labels for APIs/Apps and
d) use open source tools like the O2 Platform (and ThreadFix) to integrate+glue the application security knowledge created by tools and humans :)

For the record, I'm gutted that HP can't organise a 'Conference Band' like the 'Owasp band' so that we can do our yearly rendition of the 'SQL Injection Blues' :)

Dinis

On 15 Sep 2013 09:39, Gary McGraw <g...@cigital.com> wrote:
> hi sc-l,
>
> This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect in Washington, DC: http://h30627.www3.hp.com/
>
> The Discover Performance magazine featured an article about software security as one part of the run up to the HP Protect Conference. You can read that here: http://bit.ly/153CFDB
> http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html
>
> It's great news for the field that we're being asked to talk about software security at a major conference as the keynote. I hope to see some of you there.
>
> gem
Re: [SC-L] HP Protect Keynote (next week 9.17.13)
hi dinis,

I will be covering the basics for sure. I agree with all of your points below. The trickiest one you bring up is security labels, which, though it may be a good idea, is a political swamp.

I am up for an HP Protect band, but I am pretty sure such an idea has never crossed the corporate HP mind!

See you in DC.

gem

From: Dinis Cruz <dinis.c...@owasp.org>
Date: Sunday, September 15, 2013 5:54 AM
To: gem <g...@cigital.com>
Cc: Casey Callaway <ccalla...@cigital.com>, Secure Code Mailing List <SC-L@securecoding.org>
Subject: Re: [SC-L] HP Protect Keynote (next week 9.17.13)

> I'll be there and am looking forward to seeing it.
>
> Can you cover the need to:
> a) 'talk' to developers using UnitTests,
> b) stop giving developers PDFs/badometers,
> c) create security Labels for APIs/Apps and
> d) use open source tools like the O2 Platform (and ThreadFix) to integrate+glue the application security knowledge created by tools and humans :)
>
> For the record, I'm gutted that HP can't organise a 'Conference Band' like the 'Owasp band' so that we can do our yearly rendition of the 'SQL Injection Blues' :)
>
> Dinis