Re: [SC-L] informIT: Building versus Breaking
On 9/3/2011 11:22 AM, Kevin W. Wall wrote:

> On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt chrisisb...@gmail.com wrote:
>
>> On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:
>>
>>> What we need is to start building software that can fight back. Then we could become part of cyber warfare which is much sexier than software assurance. :)
>>
>> Simple. Owasp esapi + owasp appsensor + honeypot = win
>
> I'd still consider that defensive. If you want cyber warfare and are willing to go over to the dark side, you can define your own custom AppSensor response actions to act offensively. For instance, you could easily try to download malware to the attacker or mount a DoS attack against them. Personally, I don't recommend such escalation though, even if it is a tit-for-tat strategy. Reacting in that manner is likely to make you a criminal as well.
>
> -kevin

That may be, but there are ways to fight back without breaking the law. Hence the honeypot: let the attacker exploit the hell out of a system that does absolutely nothing, track all of his movements and gather as much intel about them as possible - then, provided you have good audit logging, you have more information than you can handle about the attack to forward on to the feds for appropriate vanning.

Granted, this is making some pretty hefty assumptions about the state of the app in question, the skill of the attacker, and the vanning abilities of the men in black, but it is far more sexy than purely writing defensive code alone.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] informIT: Building versus Breaking
I agree on the terminology of whitehat vs. blackhat here Sergio, but in almost every other regard I disagree completely.

> To design and build proper software and hardware there are a lot of conferences out there, as well as trainings and a huge amount of literature. There are very good books when it comes to secure software development.

This is 100% false and misleading. Yes, there are great security tools out there, and yes there are great development conferences - however, the two *rarely* if *ever* intermingle. See my blog "Cross Pollination; It's not just for Bees" (http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html) for my thoughts on this subject in particular.

Additionally, students are taught how to write insecure code from the time they write their first Hello World application. This topic has been discussed a great many times and hasn't changed much. Go to your local bookstore and pick up a Java book, flip to the section on JDBC and tell me that the first thing you learn to do is something other than build a dynamic SQL statement with untrusted user input. Show me an MVC book that covers proper contextual output encoding or building a Data Access Control policy. Pick up a Tomcat book and tell me where it says you should disable the InvokerServlet. Pick up a .Net book and tell me where the chapter on using AntiXSS is. I could go on and on, but I really don't think it is necessary.

> Every year what is presented, in the best security conferences, are new techniques that developers need to be aware of in order to build secure products. Most of the presentations talk about things that were wrongly designed and/or corner-cases which were not considered.

I think we can agree that the majority of flaws that get exploited are due to improper or missing security controls. This is a fundamental flaw in engineering software. I have sat with some of the best software architects and looked at their architecture diagrams and specifications. I have seen the missing controls, I have seen the specifications lacking or using controls improperly. I have seen damn smart developers make really stupid mistakes when trying to make security decisions in code simply because they don't really understand what it means to write secure code.

> There are also a lot of tools and libraries which help development teams to do things right, especially libraries and templates like Microsoft SafeInt as well as the safe APIs, which prevent developers from shooting themselves. They just need to use them. There are also managed languages, APIs to handle SQL securely, etc. It is just that a lot of developers don't use what is available to them.

See above statements.

> Blackhat is great as it is now, there are talks about new defense technologies from time to time too. Having more talks about defense would be used, in my opinion, to sell products more than anything else. I don't believe it would do any good to Blackhat.

Again, I completely disagree. As a general rule, people that break software know enough about engineering to be able to spot flaws in code - they don't really *understand* terms like 'Agile' or 'Inversion of Control', and conversely most developers may have heard of SQL Injection or Cross Site Scripting but have *no* concept of the depth of the problems. Only by bringing the builders and the breakers together and getting them involved in the other side will we begin to see changes. Blackhat is a *perfect* opportunity to do this. Where else are there thousands of security professionals who are great at breaking stuff but not so good at understanding what it really takes to build something - how to architect software and systems - or the nuances of specific languages, libraries, and development methodologies? Also the argument that this is what the vendor area is for - complete and utter BS. You show me the magic box that takes poorly written code in one side and spits out well architected and secure code on the other and then we can talk. Products don't fix software problems - and we can all agree that the application is the attack surface that everyone should be focusing on right now, I think.

> Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to better protect themselves. And even then many good talks overlap unfortunately.

Yes, Blackhat is absolutely about breaking stuff, this is a major part of the problem. Developers generally don't go to Blackhat - they go to JavaOne. How many talks are there at JavaOne on the latest 0-day in Spring or Struts? How many speakers go to ApacheCon to talk about the vulnerabilities in Cocoon or HTTPD? None! We want developers to come to blackhat and learn about doing this - but there are very few, if any development
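The JDBC pattern the post above objects to, shown next to the parameterized form, as an added example that is not part of the thread and not any list member's code. Python's sqlite3 module stands in for JDBC because it uses the same `?` placeholder convention; the table, its two rows and the inputs are constructed for the demonstration. The third function goes slightly beyond the post to show the one case bound parameters do not cover (an identifier such as an ORDER BY column), where an allowlist is the control.

```python
"""Dynamic SQL built from untrusted input versus a parameterized query.

Added example (not from the mailing-list thread): a minimal sqlite3 version of
the JDBC pattern the post criticizes. Table, rows and inputs are constructed.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """The textbook pattern: untrusted input spliced into the SQL text.
    The input becomes part of the query language, not just data."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the driver passes the input as a bound value,
    so nothing in `name` can change the structure of the statement."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Identifiers cannot be bound as parameters; a caller-chosen sort column
# has to be checked against a fixed allowlist instead.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    """Safe use of a caller-chosen identifier via an allowlist."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT name FROM users ORDER BY {column}").fetchall()


def demo() -> dict:
    """Run both lookups on ordinary and hostile input and collect the results."""
    conn = make_db()
    # A name containing an apostrophe is ordinary data; concatenation turns it
    # into a syntax error, while the bound parameter simply finds no row.
    try:
        concat_apostrophe = lookup_concat(conn, "O'Brien")
    except sqlite3.OperationalError:
        concat_apostrophe = "error"
    # Input that closes the quote and appends a tautology returns every row
    # through the concatenated query; the parameterized query returns none.
    tautology = "x' OR '1'='1"
    return {
        "concat_apostrophe": concat_apostrophe,
        "param_apostrophe": lookup_param(conn, "O'Brien"),
        "concat_tautology": len(lookup_concat(conn, tautology)),
        "param_tautology": len(lookup_param(conn, tautology)),
        "sorted": [row[0] for row in list_users_sorted(conn, "name")],
    }


if __name__ == "__main__":
    print(demo())
```

The apostrophe case is the one to show a developer first: the concatenated query fails on perfectly legitimate data, so the parameterized form is the correct one even before any attacker is considered.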
[SC-L] ESAPI 2.0GA Released!
Friends, Romans, Countrymen - Lend me your ears!

It is my pleasure to announce the official release of ESAPI 2.0GA! This release features some key enhancements over ESAPI 1.4.x including, but not limited to:

* Upgrade baseline to use Java5
* Completely redesigned and rewrote Encryptor
* New and Improved Validation and Encoding Methods
* Complete redesign of the ESAPI Locator and ObjectFactory
* More unit tests
* ESAPI Jar is now Signed with an OWASP Code Signing Certificate
* ESAPI Jar is Sealed
* And much, much more

We understand that a lot of you have been waiting a very long time for this, and so have we! It was important that we take our time with this release to make sure we had addressed everything possible prior to it going out. Included in that process was:

* Peer review of the ESAPI Codebase
* Code and Architecture Review of new Encryption
* Adding and fixing unit tests
* Tons of discussion and interaction with the OWASP Community and ESAPI Users

Without the feedback from our users, we could have never accomplished some of the awesome enhancements that have been made to the library since the last major release, so we owe you all a debt of gratitude for helping us design and implement controls that will ultimately help you write more secure applications.

We are currently in the process of getting a whole new suite of documentation, with a focus on integration tasks and actually using ESAPI in real applications - look for those documents over the next couple of months, as well as a whole new contribs section in our repository aimed at providing turnkey components and solutions to some of the more commonly encountered integration points for ESAPI.

You can download the full distribution of ESAPI 2.0GA from our home on Google Code at:
http://code.google.com/p/owasp-esapi-java/downloads/list

The latest API Docs can always be found at:
http://owasp-esapi-java.googlecode.com/svn/trunk_doc/latest/index.html

Within the next 24-48 hours the distribution to Maven Central should be updated as well and you should be able to start using 2.0GA in your Maven projects as soon as that happens. Maven dependency will be:

    <dependency>
        <groupId>org.owasp.esapi</groupId>
        <artifactId>esapi</artifactId>
        <version>2.0GA</version>
    </dependency>

As always, we would love to hear your feedback on the release and if you have any questions at all, you can join the ESAPI-User Mailing List here:
https://lists.owasp.org/mailman/listinfo/esapi-user

Thanks again to the OWASP and ESAPI Community for helping us build and release the tools that help make the internet just a little bit more sane!

Sincerely,
The ESAPI Development and Management Teams

P.S. Please forward this along to any colleagues or distribution lists that may be interested.
[SC-L] ESAPI Contribs now Live!
All -

In addition to last night's release of ESAPI 2.0GA, I would like to direct your attention to a new section on the ESAPI page on Google Code.

ESAPI Contribs
http://code.google.com/p/owasp-esapi-java/wiki/esapi_contribs_home

Download page for Contribs is located at
http://code.google.com/p/owasp-esapi-java/downloads/list?q=label:Contribs

Source Code for Contribs will be available at
http://code.google.com/p/owasp-esapi-java/source/browse/contrib

This will be the repository for any approved contributed modules to the ESAPI Community. Right now there is an example of one such component available - and within the next couple of days instructions on how to submit your contributions to the community will be live on the site as well.

Again, your feedback is most welcome.

Thanks,
The ESAPI Development and Management Teams
Re: [SC-L] Question about HIPAA Compliance in application development
> For example, there are HIPAA access control requirements that demand that you only give doctors access to transmit patient data in a minimal way; only transmitting data needed for a diagnosis. Good luck coding that. It's also bad medicine.

Sounds like contextual access control to me - someone wrote a pretty good blog about that once :)

I do however, agree on the bad medicine point - just like in diagnosing software bugs, often something seemingly unrelated to the problem you are addressing is either a contributing factor or the root of the problem itself! This is why engineers should be the ones writing the standards instead of standards authors. :)

Sent from my iPwn

On Apr 26, 2011, at 12:19 PM, James Manico j...@manico.net wrote:

> Rohit,
>
> The most cost-effective way to handle these requirements is to get your HIPAA auditor drunk nightly. I'm being partially serious here because these and other HIPAA requirements are:
>
> (1) Technically ambiguous
> (2) Often in conflict with other HIPAA requirements
> (3) Impossible to achieve cost effectively
>
> For example, there are HIPAA access control requirements that demand that you only give doctors access to transmit patient data in a minimal way; only transmitting data needed for a diagnosis. Good luck coding that. It's also bad medicine.
>
> And now, let me leave you with a few lyrics from the Bon Jovi song "Bad Medicine". He was singing about medical software, I'm fairly sure:
>
> I ain't got a fever got a permanent disease
> And it'll take more than a doctor to prescribe a remedy
> And I got lots of money but it isn't what I need
> Gonna take more than a shot to get this poison outta me
> And I got all the symptoms, count 'em 1, 2, 3
>
> ;)
>
> Jim Manico
>
> On Apr 26, 2011, at 2:35 AM, Rohit Sethi rkli...@gmail.com wrote:
>
>> Hi all,
>>
>> Has anyone had to deal with the following HIPAA compliance requirements within a custom application before:
>>
>> §164.312(c)(2) Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
>>
>> §164.312(e)(2)(i) Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
>>
>> How have you actually implemented these controls in applications? Have you used a third party tool to do this? Does §164.312(c)(2) simply boil down to sufficient access control?
>>
>> --
>> Rohit Sethi
>> SD Elements
>> http://www.sdelements.com
>> twitter: rksethi
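One way to meet the "has not been altered or destroyed in an unauthorized manner" requirement Rohit quotes, as an added example that is not from the thread and not any list member's implementation: each stored record carries an HMAC-SHA256 tag computed under an application-held key, and every read recomputes and compares it, so a change made directly in the database (outside the application's access control) is detected. The key, key id, record fields and the tampering shown are all constructed for the example.

```python
"""Integrity tag for a stored health record.

Added example, not from the thread: HMAC-SHA256 over a canonical
serialization of the record, keyed by an application-held secret.
The key, key id and record contents are constructed for the demo.
"""
import hashlib
import hmac
import json

# Constructed demo key and key id. A real deployment keeps the key in a
# key store separate from the database that holds the records, and the
# key id lets records sealed under an older key still be verified.
DEMO_KEY = bytes.fromhex("00" * 31 + "01")
KEY_ID = "demo-key-1"
ALG = "HMAC-SHA256"


def canonical_bytes(record: dict) -> bytes:
    """Stable serialization so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(key: bytes, kid: str, body: dict) -> str:
    # The key id is authenticated too, so a record cannot be re-pointed at
    # a different key without invalidating the tag.
    msg = kid.encode("utf-8") + b"\x00" + canonical_bytes(body)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def seal_record(record: dict, key: bytes = DEMO_KEY, kid: str = KEY_ID) -> dict:
    """Return a copy of the record carrying an integrity tag."""
    body = dict(record)
    body.pop("_integrity", None)  # never fold an old tag into the new one
    sealed = dict(body)
    sealed["_integrity"] = {"kid": kid, "alg": ALG, "tag": _tag(key, kid, body)}
    return sealed


def verify_record(sealed: dict, keys: dict) -> bool:
    """Recompute the tag under the key the record names; constant-time compare."""
    meta = sealed.get("_integrity")
    if not isinstance(meta, dict) or meta.get("alg") != ALG:
        return False  # missing or stripped tag is a failure, not a pass
    kid = meta.get("kid")
    key = keys.get(kid)
    if key is None:
        return False
    body = {k: v for k, v in sealed.items() if k != "_integrity"}
    expected = _tag(key, kid, body)
    return hmac.compare_digest(expected, str(meta.get("tag", "")))


def demo() -> dict:
    """Seal a constructed record, then check it intact, tampered and stripped."""
    keys = {KEY_ID: DEMO_KEY}
    record = {"patient_id": "P-0001", "diagnosis": "constructed", "dose_mg": 5}
    sealed = seal_record(record)
    tampered = dict(sealed)
    tampered["dose_mg"] = 50  # a change made outside the application
    stripped = {k: v for k, v in sealed.items() if k != "_integrity"}
    return {
        "ok": verify_record(sealed, keys),
        "tampered": verify_record(tampered, keys),
        "stripped": verify_record(stripped, keys),
        "wrong_key": verify_record(sealed, {KEY_ID: b"\x02" * 32}),
        "reseal_stable": seal_record(sealed)["_integrity"]["tag"]
        == sealed["_integrity"]["tag"],
    }


if __name__ == "__main__":
    print(demo())
```

This answers Rohit's last question in the negative: access control limits who may write, but only an integrity mechanism the database itself cannot forge tells you afterwards whether a write happened outside those controls. The same sealed form can be carried over a transport for the §164.312(e)(2)(i) case, although TLS is the usual control there.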
Re: [SC-L] Java DOS
I would assume just about any app with a shopping cart does. This is of course compounded by libraries like Struts and Spring MVC that autobind your form variables for you. Use a form with a double in it and you're boned.

Sent from my iPwn

On Feb 14, 2011, at 8:57 AM, Wall, Kevin kevin.w...@qwest.com wrote:

> Jim Manico wrote...
>
>> Rafal,
>>
>> It's not that tough to blacklist this vuln while you are waiting for your team to patch your JVM (IBM and other JVM's have not even patched yet). I've seen three generations of this filter already. Walk with me, Rafal and I'll show you. :)
>>
>> 1) Generation 1 WAF rule (reject one number only)
>>
>> This mod security rule only blocks a small portion of the DOSable range. The mod security team is working to improve this now (no disrespect meant at all!)
>>
>>     SecRule ARGS|REQUEST_HEADERS "@contains 2.2250738585072012e-308" "phase:2,block,msg:'Java Floating Point DoS Attack',tag:'CVE-2010-4476'"
>>
>> Reference: http://mobile.twitter.com/modsecurity/status/35734652652093441
>
> Depending on how and when the exponent conversion is done, this mod_security rule may be completely ineffective. For example, if an attacker can write this floating point # as the equivalent 22.250738585072012e-309 (which, note, I have not tested), then the test above is invalid. I presumed that this was why Adobe's blacklist *first* removed the decimal point.
>
> Adobe's blacklist could be generalized a bit to cover appropriate ranges with a regular expression, but I agree wholeheartedly with you that what you dubbed as the Chess Defense (I like it) is the best approach short of getting a fix from the vendor of your JRE.
>
> So on a somewhat related note, does anyone have any idea as to how common it is for application developers to call ServletRequest.getLocale() or ServletRequest.getLocales() for Tomcat applications? Just curious. I'm sure it's a lot more common than developers using double-precision floating point in their applications (with the possible exception within the scientific computing community).
>
> -kevin
> ---
> Kevin W. Wall
> Qwest Risk Mgmt / Information Security
> kevin.w...@qwest.com  Phone: 614.215.4788
> "It is practically impossible to teach good programming to students that have had a prior exposure to BASIC: as potential programmers they are mentally mutilated beyond hope of regeneration" - Edsger Dijkstra, How do we tell truths that matter? http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html
>
> This communication is the property of Qwest and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
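Kevin's point that the generation-1 rule can be defeated by an equivalent spelling of the same number, illustrated as an added example that is not ModSecurity's, Adobe's or any list member's code: a literal substring check, like `@contains`, next to a check that parses the value exactly and compares it numerically, so every spelling of one number is treated alike. The sample inputs are constructed; the blocked value is the one from the rule quoted above. This canonicalized check is still a single-value blocklist, so the thread's caveat about the rest of the range, and the advice to get the JRE fix, stands.

```python
"""Substring matching versus canonical numeric comparison for a WAF-style
value blocklist. Added example, not from the thread. Inputs are constructed;
the blocked value is the one named in the ModSecurity rule in the thread."""
from decimal import Decimal, InvalidOperation

# The single spelling the generation-1 rule matches, and its numeric value.
RULE_PATTERN = "2.2250738585072012e-308"
BLOCKED_VALUE = Decimal(RULE_PATTERN)


def contains_rule(value: str) -> bool:
    """Generation 1: literal substring match on the request parameter."""
    return RULE_PATTERN in value


def canonical_rule(value: str) -> bool:
    """Parse with Decimal (exact, no binary rounding, no float conversion)
    and compare numerically, so moving the decimal point, adding a sign,
    a trailing zero or changing the exponent's case makes no difference."""
    try:
        return Decimal(value.strip()) == BLOCKED_VALUE
    except InvalidOperation:
        return False  # not a number at all: nothing to compare


# Constructed inputs: several spellings of the blocked value, one different
# number, and a non-numeric string.
SAMPLES = [
    "2.2250738585072012e-308",    # the exact spelling the rule matches
    "22.250738585072012e-309",    # the variant Kevin describes
    "0.22250738585072012e-307",   # decimal point moved the other way
    "2.22507385850720120e-308",   # trailing zero
    "+2.2250738585072012E-308",   # explicit sign, upper-case exponent
    "1.5e-308",                   # a different number, not blocked
    "not-a-number",
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (substring rule fired, canonical rule fired)."""
    return {s: (contains_rule(s), canonical_rule(s)) for s in samples}


if __name__ == "__main__":
    for sample, (sub, canon) in compare().items():
        print(f"{sample:>28}  substring={sub!s:<5}  canonical={canon}")
```

The general lesson, the same one behind Adobe's removing the decimal point first, is that a filter must normalize its input into the form the downstream parser will see before it compares anything; matching one textual spelling protects only against that spelling.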
Re: [SC-L] [WEB SECURITY] Re: Backdoors in custom software applications
Jeff Williams did a talk about this at Blackhat last year as well for Java Rootkits. Paper here:
http://www.blackhat.com/presentations/bh-usa-09/WILLIAMS/BHUSA09-Williams-EnterpriseJavaRootkits-PAPER.pdf

On 12/17/10 8:56 AM, Chris Wysopal cwyso...@veracode.com wrote:

> Here is a paper that I wrote with Chris Eng that covers major categories of backdoors with examples.
> http://www.veracode.com/images/stories/static-detection-of-backdoors-1.0.pdf
>
> Our Blackhat presentation
> http://www.veracode.com/images/stories/static-detection-of-backdoors-1.0-blackhat2007-slides.pdf
>
> -Chris
>
> -Original Message-
> From: Jeremy Epstein [mailto:jeremy.j.epst...@gmail.com]
> Sent: Thursday, December 16, 2010 6:10 PM
> To: Sebastian Schinzel
> Cc: Secure Coding; websecurity
> Subject: [WEB SECURITY] Re: [SC-L] Backdoors in custom software applications
>
> There was an interesting example in a NPS thesis about a decade ago introducing a back door into a device driver. I can't remember the student's name, unfortunately. Phil something-or-other.
>
> On Thu, Dec 16, 2010 at 3:18 PM, Sebastian Schinzel s...@seecurity.org wrote:
>
>> Hi all,
>>
>> I am looking for ideas of how intentional backdoors in real software applications may look. Wikipedia already provides a good list of backdoors that were found in software applications:
>> http://en.wikipedia.org/wiki/Backdoor_(computing)
>>
>> Has anyone encountered backdoors during code audits, penetration tests, data breaches? Could you share some details of how the backdoor looked? I am really interested in a technical and abstract description of the backdoor (e.g. informal descriptions or pseudo-code). Anonymized and off-list replies are also very welcome.
>>
>> Thanks,
>> Sebastian

Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
To unsubscribe email websecurity-unsubscr...@webappsec.org and reply to the confirmation email
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
WASC on Twitter http://twitter.com/wascupdates
Re: [SC-L] [Esapi-dev] OWASP CSRFGuard
My gut feel here is that we gain a lot more by merging the work done here into ESAPI. CSRFGuard is and has been a great project, but as it stands unmaintained right now (although it is a very simple project, with a very low level of maintenance) it seems to me that a lot of traction and momentum could be gained for the code by merging with the ESAPI project, which is one of the more active OWASP Projects AFAIK.

This is really just my $0.02 and I don't want to discount the work that has been done on CSRF-Guard. As I stated it is a great project and I personally have used it in 3 projects successfully, but I also think that as such a small project it seems to be an easy one to forget about in the grand scheme of things.

On 10/29/10 9:09 AM, Jim Manico jim.man...@owasp.org wrote:

> Hello,
>
> The OWASP CSRF guard project ( http://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project ) has recently been deemed "inactive" and I'm trying to help bring it back to life. I'm taking a survey of folks who have used CSRFGuard. In particular, I would like to understand any potential modifications CSRFGuard users have had to make in order to implement it successfully for their website. I'd also like to hear of any success stories of using CSRFGuard out of the box. Any feedback regarding this matter is greatly appreciated.
>
> Thanks kindly + Aloha,
> Jim Manico
> OWASP Podcast Producer
> OWASP ESAPI Project Manager
> http://manico.net
>
> ___
> Esapi-dev mailing list
> esapi-...@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/esapi-dev
Re: [SC-L] working on java security help from experts
Also be sure to check on http://www.owasp.org as there is a *ton* of great information on the site. Here are some good starting points:

http://www.owasp.org/index.php/Category:OWASP_Java_Project
http://www.owasp.org/index.php/Category:Java

And also some good information on doing code review in general:

http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents

On Thu, Apr 1, 2010 at 2:29 PM, Romain Gaucher rgauc...@cigital.com wrote:

> CERT also has many rules for Java (good and bad examples) as part of their secure coding practices. You can find that here:
> https://www.securecoding.cert.org/confluence/display/java/The+CERT+Sun+Microsystems+Secure+Coding+Standard+for+Java
>
> Romain - Security consultant, Cigital
>
> From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf Of Martin, Robert A. [ramar...@mitre.org]
> Sent: Thursday, April 01, 2010 2:49 PM
> To: Matt Parsons
> Cc: SC-L@securecoding.org
> Subject: Re: [SC-L] working on java security help from experts
>
> The Common Weakness Enumeration (CWE) has a view of issues that can occur in Java applications. See:
> http://cwe.mitre.org/data/slices/660.html
> for a listing of all the details or:
> http://cwe.mitre.org/data/lists/660.html
> for a list of the items where the names are hyper-links to the content about them. The entries include description, code examples, real world CVE examples of the issue in many cases, references and in most cases pointers to the attack patterns effective against the issue.
>
> Bob
>
> Matt Parsons wrote:
>
>> I am trying to become an expert in source code review in java application security. Are there any experts on this list that are willing to share some of their knowledge? I am reading Java Security by Scott Oaks and I am rereading all of the Sun Docs on java security. Any help would be greatly appreciated.
>>
>> Thanks,
>> Matt
>>
>> Matt Parsons, MSM, CISSP
>> 315-559-3588 Blackberry
>> 817-294-3789 Home office
>> Do Good and Fear No Man
>> Fort Worth, Texas
>> A.K.A The Keyboard Cowboy
>> mailto:mparsons1...@gmail.com
>> http://www.parsonsisconsulting.com
>> http://www.o2-ounceopen.com/o2-power-users/
>> http://www.linkedin.com/in/parsonsconsulting
>> http://parsonsisconsulting.blogspot.com/
>> http://www.vimeo.com/8939668

--
Chris Schmidt
OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Check out OWASP ESAPI for Java http://code.google.com/p/owasp-esapi-java/
OWASP ESAPI for JavaScript http://code.google.com/p/owasp-esapi-js/
Yet Another Developers Blog http://yet-another-dev.blogspot.com
Bio and Resume http://www.digital-ritual.net/resume.html