[SC-L] OWASP iGoat 1.2 released
Greetings SC-L folks,

I thought some of you might find our project announcement (below) interesting. If you're an iOS developer or know any iOS developers, I'd like to encourage you to check out the OWASP iGoat project. It's modeled after its namesake, WebGoat, and is intended to be a tool for iOS developers to learn about the major security pitfalls when developing on iOS.

FYI, we released iGoat version 1.2 yesterday. The primary change over 1.1 is the addition of a new keychain exercise, contributed by a newcomer to the team, Mansi Sheth. Thanks Mansi and Sean for pulling this together. It's great to see some external participation on the project, of course. We'd love to see more -- any time!

Cheers,

Ken van Wyk
iGoat Project Leader

signature.asc
Description: Message signed with OpenPGP using GPGMail

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
[SC-L] ANNOUNCEMENT: SecAppDev 2012, Leuven, Belgium
We are pleased to announce SecAppDev 2012, an intensive one-week course in secure application development. The course is organized by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. The course is a joint initiative with K.U. Leuven and Solvay Brussels School of Economics and Management.

SecAppDev 2012 is the 8th edition of our widely acclaimed course, attended by an international audience from a broad range of industries including financial services, telecom, consumer electronics and media and taught by leading software security experts including

+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
+ Ken van Wyk, co-founder of the CERT Coordination Center and widely acclaimed author and lecturer.
+ Dr. Steven Murdoch of the University of Cambridge Computer Laboratory's security group, well known for his research in anonymity and banking system security.
+ Jim Manico, founder, producer and host of the OWASP Podcast Series.

When we ran our first annual course in 2005, emphasis was on awareness and security basics, but as the field matured and a thriving security training market developed, we felt it was not appropriate to compete as a non-profit organization. Our focus has hence shifted to providing a platform for leading-edge and experimental material from thought leaders in academia and industry. We look toward academics to provide research results that are ready to break into the mainstream and attract people with an industrial background to try out new content and formats.

We cover a wide range of facets of secure software engineering including

+ threat modeling
+ architecture
+ design
+ coding
+ testing
+ cryptography
+ web applications
+ mobile applications
+ economic/business aspects

The course takes place from March 5th to 9th in the Irish College, Leuven, Belgium. For more information visit the web site: http://secappdev.org.

Places are limited, so do not delay registering to avoid disappointment. Registration is on a first-come, first-served basis. A 25% discount is available for Early Bird registration until January 15th. Public servants and independents receive a 50% discount.

I hope that we will be able to welcome you or your colleagues to our course.

Cheers,

Ken van Wyk (and the rest of the SecAppDev organizers)

P.S. I apologize if you have already received this announcement via another channel. If you do not wish to receive future secappdev.org announcements, please unsubscribe by replying to this email.
[SC-L] Announcing the first Mobile App Sec Triathlon, 2-4 Nov 2011, San Jose, CA
Greetings SC-L,

I'll keep this announcement real short... Gunnar Peterson and I are teaming up to present our Mobile App Sec Triathlon -- 3 days of training, heavily laden with hands-on exercises -- to San Jose, California on 2-4 November 2011.

Details available at: http://mobileappsectriathlon.com, or email us for more info.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
We're on Facebook now at: http://facebook.com/KRvW.Associates
[SC-L] ANNOUNCING: OWASP iGoat initial public release, version 1.0
Greetings all.

Yesterday, we put out the first public release of the OWASP iGoat project. This message is a brief description and call for participants in the project.

Background

The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful--similar to the WebGoat Developer Edition. Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them.

Further, the iGoat platform was specifically designed and built to be as easily extensible as possible, so that new exercises can be easily built and integrated over time.

iGoat was sponsored and initially developed by KRvW Associates, LLC (www.krvw.com), and is being released under GPLv3 licensing to the community.

Status

With the first public release, we've included several initial exercises and exercise categories. These include such well known topics as SQL Injection, secure communications, etc. We plan to further integrate another handful of exercises in the short term, as well as make several improvements to the user interface. In the short term, we'll also be adding more documentation in the form of HOWTO documents that will cover how to install and use iGoat, as well as how to add new exercises to it. No doubt, further improvements will quickly surface as the community starts using the tool...

Project Site

iGoat can be found at: https://www.owasp.org/index.php/OWASP_iGoat_Project

All releases and source code are on Google Code. See the project home page above for further details.

Call for Participation

The iGoat team would like to invite anyone interested to participate and contribute to iGoat's further development. Please contact the project leader, Ken van Wyk (k...@krvw.com) if you wish to contribute to the project.

Mailing List

An open, unmoderated forum has been set up for the iGoat project. To subscribe, see https://lists.owasp.org/mailman/listinfo/owasp-igoat-project

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates

smime.p7s
Description: S/MIME cryptographic signature
[SC-L] OPINION column re mobile security
Greetings SC-L,

It occurred to me that I neglected to send a pointer here to my latest Computerworld column. The general topic is mobile device security, but more to the point, it's about trying to do (security) things differently in the mobile world, so we don't have to re-live all our mistakes of the past. Let's at least find some _new_ mistakes... ;-)

http://www.computerworld.com/s/article/9216996/Kenneth_van_Wyk_Mobile_security_isn_t_going_to_just_happen

Cheers,

Ken van Wyk
SC-L Moderator
[SC-L] SC-L Administrative FAQ
Greetings SC-L Subscribers,

I'm in an airport lounge on the other side of the planet (from my home), and I thought I'd take a few moments to jot down some answers to SC-L administrative issues that come up from time to time here on SC-L. I hope you find them helpful.

I try to keep the administrative traffic here to a bare minimum, so you don't often hear from me. But I do moderate and approve every single posting that goes to the list, so I'm always actively involved here. And I deal with quite a fair share of administrative issues. So, I thought it would be worth taking a few minutes and recording some of the things that people ask me from time to time.

Your feedback is always appreciated. Please contact me at ken _at_ krvw.com if you have any questions or issues re SC-L.

Cheers,

Ken van Wyk
SC-L Moderator

===

SC-L Administrative FAQ

Q: What is SC-L?
A: SC-L is a moderated mailing list whose mission is to further the state of the practice of developing secure software, by providing a free and open, objectively moderated, forum for the discussion of issues related to secure coding practices throughout a software development lifecycle process (including architecture, requirements and specifications, design, implementation, deployment, and operations).

---

Q: Who runs SC-L?
A: I do. I'm Ken van Wyk, and I run the list as a free, non-commercial service to the software security community. If you have questions/issues, you can contact me at ken _at_ krvw.com.

Q: How do I subscribe to the list?
A: The URL for the Mailman interface to subscribe or unsubscribe is http://www.krvw.com/mailman/listinfo/sc-l

Q: What sort of things are allowed and not allowed on SC-L?
A: Basically, my primary rule is civility. You can agree or disagree with others to your heart's content, but keep a civil tone and you're likely to have your submissions approved. For more details on what I allow and don't allow on the list, see the list charter at: http://www.securecoding.org/list/charter.php

Q: How about job postings?
A: So long as they're tasteful and not shotgunned to the list frequently, I'm happy to accept the occasional job posting from people within the software security community.

Q: Announcements about conferences and training events?
A: Similar to my policy re job postings, I'll accept them if they're not overly commercial and if they're occasional. This goes for commercial as well as non-commercial events.

Q: Advertisements?
A: No. I do not accept advertisements on SC-L. There are plenty of places on the net to advertise your products and services; just not here.

Q: The moderator has rejected my posting, and I believe the decision was unfair. What is my recourse?
A: Well, this isn't a democracy... But, if you feel your submission should have been approved, email me and state your case. I'm a reasonable man and I'm willing to hear you out -- and admit when I'm wrong.

Q: There seems to be a LOT of traffic from a small vocal minority here. What's up with that?
A: The group is what the group makes of it. If you want to see more diverse traffic here, post it. I don't take a position on who may and may not submit to the list. If you're subscribed and your posting conforms to my guidelines, then I'll most likely approve your posting.

Q: I'm a subscriber to SC-L, and I submitted a message to the list, but it never showed up and I never got any notification. Did the moderator ignore me? Why?
A: Perhaps you submitted your email using an email address that isn't itself subscribed? To reduce the spams that show up in my inbox, I have configured SC-L to discard (without notification) any submissions from email addresses that are not subscribed to the list. So, if you subscribed from (say) your personal address but are posting from your work address, your submission would get discarded.

Q: But I use multiple email addresses regularly. What can I do so I can submit from any of them without getting duplicate copies of SC-L in all my inboxes?
A: That's easy to do. Just contact me off-list (ken _at_ krvw.com) and tell me which of your email addresses you want to submit from. I can subscribe them to the list but have them not get duplicate copies of the list traffic. No problem.
[SC-L] CERT/CC Blog: Announcing the CERT Basic Fuzzing Framework 2.0
FYI, new version of Basic Fuzzing Framework released by CERT/CC.

http://www.cert.org/blogs/certcc/2011/02/cert_basic_fuzzing_framework_b.html

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] New Safecode doc released
Greets all.

FYI: SAFECode has released, “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today.” The report is intended to help others in the industry initiate or improve their own software security programs and encourage the industry-wide adoption of fundamental secure development methods.

Doc can be found at: http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] ISO/IEC 27034 application security guideline
Greetings SC-L folks,

I don't participate in standards bodies, so I'm not very familiar with their inner workings and such. However, a colleague has pointed me to an ISO standard under development that will describe an application security development process. I visited the site (http://www.iso27001security.com/html/27034.html) and didn't find much in the way of documentation, other than a list of really ambitious plans for the future.

So my question here is this: anyone here involved in this standards effort? If so, would you mind sharing with us a high level overview of where they are in their efforts and when the world is likely to start seeing output from the effort?

Much appreciated.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates

PGP.sig
Description: This is a digitally signed message part
[SC-L] Apple's iOS app review guidelines
Greetings SC-L,

I read the news this morning with a lot of hope -- that Apple has finally published their app review guidelines for iOS app developers. But then I read the document.

For starters, I did a quick grep for: security, secure, crypt, safe. Nothing. Nada.

The document is essentially a big long black list of what things not to do. There seems to be nothing in the way of prescriptive guidance on what TO do. Not inspiring... :-\

I was really hoping Apple would take this opportunity to include some actionable security guidance, but that wasn't the case. Of course, they did say that they don't want any more Fart apps... Great.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Building Real Software: Has Static Analysis reached its limits?
FYI, nice write-up on the Fortify acquisition as well as the static code analysis space here:

http://swreflections.blogspot.com/2010/08/has-static-analysis-reached-its-limits.html

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Computerworld: Opinion - Making apps secure is hard work
I figured this was relevant here, so here's a link to my August column for Computerworld.

Excerpt:

'What's that you say? All the app vetting you've been doing to date consists only of verifying that the apps play by the rules? That is, that they use only published APIs and such? Well, then, you really have your work cut out for you, because that's not all that your customers expect.'

To read the complete article see: http://www.computerworld.com/s/article/9180579/Making_apps_safe_is_hard_work?taxonomyId=17

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
Re: [SC-L] Static code review for iPhone developers?
On Jul 29, 2010, at 10:41 AM, Kenneth Van Wyk wrote:

> Anyone know of any static code analysis tools that can scan an iPhone app package? Something that integrates with the Xcode SDK and can at the very least scan through all of the Objective C in the src tree is what I'm looking for. Any SCA product vendors currently doing this? Please contact me on or off list.

Thanks to all who responded. Great suggestions. Most focused on the (now) built-in Clang analysis engine (and front-end for LLVM) that Dan Cornell cited here. (http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html)

Clang looks like a useful starting point, as it looks for all sorts of common mistakes found in the C family, including C++ and Objective C. Memory leaks, uninitialized variables, type mismatches, and that sort of thing should be pretty easy to spot using Clang.

I'm hoping also for something that goes beyond that. How about analysis of static code for use of secure network connections, session management (for client-server apps), protection of sensitive data (at rest and in transit), and that sort of thing. These are relatively language-agnostic needs, but would be extremely useful in a static analysis tool, IMHO. I'll bet the folks who coded the Citi banking app could have made good use of something like that... :-\

In any case, thanks again for all the responses. Speaks volumes for the quality of folks we have here in the SC-L community.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Vulnerability Analysis Blog: CERT Basic Fuzzing Framework
New fuzzing framework released from the folks up at CMU, FYI.

https://www.cert.org/blogs/vuls/2010/05/cert_basic_fuzzing_framework.html

Aloha,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Web Application Exploits and Defenses
The folks at Google have released some web app training, along with a vulnerable web app sandbox to play in. The tool is called Jarlsberg. Anyone here take a look at it yet, and have an opinion about it?

The description (see below) sounds kinda sorta like OWASP's WebGoat, except that the vulnerable app itself is written in Python. Oh, and the app is available on the web, as well as in source code (under Creative Commons).

http://jarlsberg.appspot.com/

There's also an instructor's guide available at: http://code.google.com/edu/submissions/jarlsberg/Jarlsberg_Instructor_Guide.pdf

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] The International Secure Systems Development Conference
I saw this event announcement today and thought some SC-L folks might find it of interest, FYI.

The International Secure Systems Development Conference addresses the key issues around designing-in security for standard and web-based software and systems, both in terms of developing new applications securely and also in adding security to legacy applications. The aim of the event is to help change the balance away from a repeated and ever more costly focus on securing ever more insecure infrastructures, to one which focuses on the creation of inherently secure systems through the introduction of verifiable, secure development methodologies and coherent security architectures.

http://www.issdconference.com/

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Thread is dead -- Re: BSIMM update (informIT)
OK, so this thread has heated up substantially and is on the verge of flare-up. So, I'm declaring the thread to be dead and expunging the extant queue. If anyone has any civil and value-added points to add, feel free to submit them, of course.

As always, I encourage free and open debate here, so long as it remains civil and on topic.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
Re: [SC-L] BSIMM update (informIT)
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote:

> Among other things, David and I discussed the difference between descriptive models like BSIMM and prescriptive models which purport to tell you what you should do.

Thought I'd chime in on this a bit, FWIW...

From my perspective, I welcome BSIMM and I welcome SAMM. I don't see it in the least as a one or the other debate.

A decade(ish) since the first texts on various aspects of software security started appearing, it's great to have a BSIMM that surveys some of the largest software groups on the planet to see what they're doing. What actually works. That's fabulously useful. On the other hand, it is possible that ten thousand lemmings can be wrong. Following the herd isn't always what's best.

SAMM, by contrast, was written by some bright, motivated folks, and provides us all with a set of targets to aspire to. Some will work, and some won't, without a doubt.

To me, both models are useful as guide posts to help a software group--an SSG if you will--decide what practices will work best in their enterprise.

But as useful as both SAMM and BSIMM are, I think we're all fooling ourselves if we consider these to be standards or even maturity models. Any other engineering discipline on the planet would laugh us all out of the room by the mere suggestion. There's value to them, don't get me wrong. But we're still in the larval mode of building an engineering discipline here folks. After all, as a species, we didn't start (successfully) building bridges in a decade.

For now, my suggestion is to read up, try things that seem reasonable, and build a set of practices that work for _you_.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] FT.com / UK - 'Year 2010' software glitch hits German bank cards
Greetings SC-L,

There have been several reports in the last few days of various devices being hit with a so-called year 2010 software glitch. Several bank ATMs, mobile devices, etc., have reportedly been hit. Below is a link to one such story.

My question for SC-L is: anyone here aware of the actual underlying software problems willing to share? Source examples would be most appreciated.

http://www.ft.com/cms/s/0/00da0e24-fa63-11de-beed-00144feab49a.html?nclick_check=1

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog
Happy new year SC-Lers.

FYI, interesting blog post on some of the new security features in Java EE 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO.

http://www.coresecuritypatterns.com/blogs/?p=1622

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
Re: [SC-L] tweetup Thurs PM for AppSec DC?
On Nov 10, 2009, at 6:27 AM, Kenneth Van Wyk wrote:

> In any case, I'm not sure of the lay of the land at the conference site, but I'm betting there's a bar in or near the site. Let's plan on meeting up there immediately following the day's sessions on Thursday. As soon as I can pinpoint the actual bar name/location, I'll post it here.

OK, so I did fail at getting the word out--sorry. However, it was nice to see at least a few SC-Lers notice the sponsored cocktail hour on the conference agenda. Great to meet some of you face to face. And thanks to Cenzic for hosting the cocktail hour, by the way.

For those of you who weren't there, if you work with web apps at all, you really ought to put OWASP on your radar. Great community of people, and these events are a fabulous time to chat with some of the brightest software security people on the planet. Thanks, OWASP!

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] tweetup Thurs PM for AppSec DC?
On Nov 9, 2009, at 9:27 AM, Benjamin Tomhave wrote:
> Just a quick note, for those coming into DC for AppSec DC, rumor has it that a social gathering is brewing for Thurs PM. Let's hope so as I'd love to put faces with names! :) If I hear details, I'll be sure to pass along (feel free to ping me or reply with the 411)

Well, I got a few responses to my note about meeting up there (although I doubt I'd ever use the word tweetup except in the context of saying I wouldn't use it...). :-)

In any case, I'm not sure of the lay of the land at the conference site, but I'm betting there's a bar in or near the site. Let's plan on meeting up there immediately following the day's sessions on Thursday. As soon as I can pinpoint the actual bar name/location, I'll post it here.

Hope to see some SC-L folks there.

Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] Another WAF in town
FYI, some activity in the open source WAF space:

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220100630

Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] Unicode Security : Microsoft releases BinScope and MiniFuzz to the public
FYI, a couple of interesting developments in the software security tool space:

http://www.lookout.net/2009/09/16/microsoft-releases-binscope-and-minifuzz-to-the-public/

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
SC-L Moderator
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote:
> Exploits are FUN.

I agree, at least to a point. Whenever I work exploits into my workshops, the results are right on the mark. So long as the exploits are balanced with just the right amount of remediations, it works great. The key is to hook the students with the exploits, and then sprinkle in a "now here's how to do it _right_" discussion while they're still paying attention. ;-)

And FWIW, I've found OWASP's WebGoat to be phenomenally effective at doing just that. There are other similar tools out there as well, but the point is to give the class a safe sandbox to play in.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)
Re: [SC-L] What is the size of this list?
On Aug 18, 2009, at 2:21 PM, Arian J. Evans wrote:
> Jeremiah Grossman and I were both pondering the size of the SCL recently. Is the list size public?

It's not public per se, but only in the sense that the number isn't directly available--unless you ask for it. The list has pretty consistently hovered around 1000 subscribers since pretty shortly after I launched it in late 2003.

> I am curious why I don't see many new names on SC-L. Lots of lurkers?

We do seem to have a high percentage of lurkers, but I always like to encourage newcomers as well as new active participants. I do my best to keep my moderating light, and I welcome all perspectives and opinions on the topics we discuss here. My primary moderating criteria are ensuring submissions are relevant to the list charter and keep a civil tone. Beyond that, everyone on the list is largely free to say/discuss whatever suits. Plain and simple: the list is what the members make of it.

> btw// SCL has always been a great place for academic and progressive-minded folks to talk about state of the art, and future ideas for secure coding. I have always recommended it to developers looking for new places to learn as a best and brightest haunt. So thanks for running it guys,

Thanks. I've consistently found over the years that efforts like this are worth the effort in a myriad of ways, and it's something that I gladly take on.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Source or Binary
On Jul 29, 2009, at 4:17 PM, Brad Andrews wrote:
> Realizing that java binaries hold a lot more is a mental shift that probably must be actively kept in mind. Those with only Java experience may think it is obvious, but how many developers did not start with Java and have not purged this concept from their mind.

Fair enough, but understand too that a Java class file (like those in a typical jar file, which is just a fancy word for ZIP format) can be trivially decompiled into quite legible Java source. Numerous open source Java decompilers (e.g., Jode, Jad) exist that make this extremely easy. And FWIW, that's exactly how the Etisalat Blackberry software update was analyzed and proven to contain spyware last week.

Note that there are many options for distributing these trivially decompiled class files...

Cheers,
Ken van Wyk
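Ken's point that class files decompile so readily follows from the class-file format itself. The following is an added example, not code from the post or from any project named in this thread: a small Python reader for a class file's constant pool, run over a constructed jar holding one hand-assembled class (the class name, method name and license string are placeholders), which shows that class, field and method names, method descriptors and string literals are all stored in clear in the binary.

```python
"""Added example (not from the SC-L post): a minimal reader for the constant
pool of a Java .class file (JVM spec, chapter 4.4), where every class, field
and method name, method descriptor and string literal is stored in clear.
That is what a decompiler starts from; and a jar is just a ZIP archive."""
import io
import struct
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
CP_UTF8, CP_LONG, CP_DOUBLE, CP_CLASS, CP_STRING, CP_NAME_AND_TYPE = 1, 5, 6, 7, 8, 12
# Payload size of each fixed-size pool entry by tag (Integer, Float, Long,
# Double, Class, String, Fieldref, Methodref, InterfaceMethodref, NameAndType,
# MethodHandle, MethodType, Dynamic, InvokeDynamic, Module, Package).
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
INDEX_PAIR_TAGS = (9, 10, 11, 12, 17, 18)   # payload is two u2 indices

def parse_constant_pool(data: bytes):
    """Return (major_version, entries); entries[i] is (tag, value) for the
    1-based pool index i: decoded text for Utf8, an index for Class/String,
    an index pair for *ref/NameAndType entries, raw bytes for the rest."""
    if data[:4] != CLASS_MAGIC:
        raise ValueError("not a class file (bad magic)")
    _minor, major, cp_count = struct.unpack(">HHH", data[4:10])
    pos, entries, i = 10, [None], 1
    while i < cp_count:
        tag, pos = data[pos], pos + 1
        if tag == CP_UTF8:
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            # Class files use "modified UTF-8"; plain decoding with replacement
            # is close enough for names and ordinary literals.
            val = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in FIXED_SIZE:
            raw, pos = data[pos:pos + FIXED_SIZE[tag]], pos + FIXED_SIZE[tag]
            if tag in (CP_CLASS, CP_STRING):
                val = struct.unpack(">H", raw)[0]
            elif tag in INDEX_PAIR_TAGS:
                val = struct.unpack(">HH", raw)
            else:
                val = raw
        else:
            raise ValueError(f"unsupported constant pool tag {tag} at {pos - 1}")
        entries.append((tag, val))
        if tag in (CP_LONG, CP_DOUBLE):   # 8-byte constants occupy two slots
            entries.append(None)
            i += 1
        i += 1
    return major, entries

def recoverable_symbols(data: bytes) -> dict:
    """What a reader learns from the pool alone, before any decompilation."""
    major, cp = parse_constant_pool(data)
    live = [e for e in cp if e is not None]
    text = lambda idx: cp[idx][1]   # follow an index to its Utf8 entry
    return {
        "major_version": major,
        "classes": sorted(text(v) for t, v in live if t == CP_CLASS),
        "strings": sorted(text(v) for t, v in live if t == CP_STRING),
        "members": sorted(f"{text(v[0])}:{text(v[1])}"
                          for t, v in live if t == CP_NAME_AND_TYPE),
    }

def jar_symbols(jar_bytes: bytes) -> dict:
    """A jar is a ZIP archive: walk it and summarise every class file inside."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: recoverable_symbols(jar.read(name))
                for name in jar.namelist() if name.endswith(".class")}

def build_constructed_jar() -> bytes:
    """Constructed sample input: a jar holding one hand-assembled class file,
    so no javac is needed. Class, member and string values are placeholders."""
    utf8 = lambda s: bytes([CP_UTF8]) + struct.pack(">H", len(s)) + s.encode()
    pool = [
        utf8("com/example/LicenseCheck"),                       # 1
        bytes([CP_CLASS]) + struct.pack(">H", 1),               # 2
        utf8("java/lang/Object"),                               # 3
        bytes([CP_CLASS]) + struct.pack(">H", 3),               # 4
        utf8("isLicensed"),                                     # 5
        utf8("(Ljava/lang/String;)Z"),                          # 6
        bytes([CP_NAME_AND_TYPE]) + struct.pack(">HH", 5, 6),   # 7
        bytes([10]) + struct.pack(">HH", 2, 7),                 # 8 Methodref
        utf8("DEMO-LICENSE-KEY-000"),                           # 9
        bytes([CP_STRING]) + struct.pack(">H", 9),              # 10
    ]
    header = CLASS_MAGIC + struct.pack(">HHH", 0, 49, len(pool) + 1)
    # access_flags (ACC_PUBLIC|ACC_SUPER), this_class, super_class, then empty
    # interfaces, fields, methods and attributes tables.
    tail = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/LicenseCheck.class", header + b"".join(pool) + tail)
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, syms in jar_symbols(build_constructed_jar()).items():
        print(name, syms)
```

Pointing jar_symbols at a real build artifact gives a quick inventory of what ships in the bytecode, which is the defender's side of the same observation: anything that must stay secret cannot live in a class file.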
[SC-L] Usability News - Why Security and Usability don't go hand in hand
FYI, a short but interesting read on usability vs. security in software.

http://www.usabilitynews.com/news/article5692.asp

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)
[SC-L] Application Security Starts in the Development Lifecycle
FYI, some eWeek coverage of application security and how it is being taken more seriously in the enterprise these days. No big surprises for long-time SC-L folks, but still an interesting read from a fairly mainstream IT Security outlet.

http://www.eweek.com/c/a/Security/Application-Security-Starts-in-the-Development-Lifecycle-792076/?kc=rss

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] SAMM 1.0 Released! | OpenSAMM
Good news today from the Software Assurance Maturity Model (SAMM) group.

http://www.opensamm.org/2009/03/samm-10-released/

Their release says:

> The Beta release has been out for quite a while now (since August 2008) and lots of organizations and individuals have provided excellent feedback to help improve the model. I’ve heard lots of stories from people using SAMM (some are consulting firms, and some are development organizations) and that feedback has been some of the most valuable. This release marks the official 1.0 version of SAMM and there are a few new pieces added:
>
> * Executive summary and introduction to the model
> * Improved details on applying the model to solve problems
> * Assessment worksheets for evaluating existing programs
> * Roadmaps for financial services and government organizations
> * Improvements and refinements to the model (I’ll cover changes individually in separate posts)
>
> Many thanks to the individual reviewers and the organizations that have volunteered time to help improve SAMM. I look forward to more active participants as we push forward with some of the future development plans for SAMM.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com
Hello SC-Lers,

I saw this blog and thought it may be of interest here:

http://blogs.zdnet.com/security/?p=2861

According to the blog, there's a design issue (read: flaw) in iTunes that can allow a maliciously formed podcast to cause a user to get prompted for a username/password -- to iTunes itself. That dialog box can then be hijacked and the victim's credentials stolen.

What made it interesting to me was a couple things: first, the cited advisory from Apple (http://support.apple.com/kb/HT3487) clearly says it's a design issue. Tells me we're not likely to see a real fix for a while, IMHO. Indeed, Apple's initial fix to this design issue is, "This update addresses the issue by clarifying the origin of the authentication request in the dialog." That doesn't sound like much of a fix at all, and I'd expect a lot of users will still fall for the dialog box ruse. Sigh...

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Reality Check: EMC Eric Baize
On Mar 3, 2009, at 10:11 AM, Gary McGraw wrote:
> Our fearless leader Ken gave a nice presentation on software security methodologies yesterday at secappdev. I wonder what he says about the Touchpoints when I'm not in the room?!

Thanks for the kind words. What I say about the Touchpoints, Microsoft's SDL, or OWASP's CLASP remains the same whether you're in the room or not. They all offer good points and bad points. I tend to favor a hybrid approach that works well for me, which is what I always recommend to my customers.

More importantly, though, I am eager to update the message with what the companies who participated in the BSIMM are actually doing in practice.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Web Applications: Achilles' Heel Of Corporate Security -- Security -- InformationWeek
No big surprises for SC-L readers, I'm sure, but it's still an interesting read:

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=213000162

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] InternetNews Realtime IT News - New York Plans Application Security Program
Now here's an interesting development in the software security space. Seems that New York State is going to start requiring contracted application developers to conform with a minimum set of practices (as covered in the SANS Application Security Procurement Language, http://www.sans.org/appseccontract/).

http://www.internetnews.com/dev-news/article.php/3796091

IMHO, putting things like this into contract language is a good thing. Even if the SANS list isn't the right one for everyone, it's a starting point.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors
FYI, a top 25 programming errors list from the folks at SANS has been released. See the following for details:

http://www.sans.org/top25errors/

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] top 10 software security surprises
On Dec 16, 2008, at 1:25 PM, Gary McGraw wrote:
> Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model http://www.informit.com/articles/article.aspx?p=1271382), we interviewed nine executives running top software security programs in order to gather real data from real programs.

Wow, this is great stuff. Kudos to Gary, Sammy, and Brian. I have a couple comments/observations on some of your conclusions:

- You obviously wrote the top-10 list in C, since it went from 9 to 0. :-)

> - Not only are there no magic software security metrics, bad metrics actually hurt.

This is an excellent point. I think it's also worth noting that it's important to carefully consider what metrics make sense for an organization _as early as possible_ in the life of their software security efforts. Trying to retro-engineer some metrics into a program after the fact is not a fun thing.

> - Secure-by-default frameworks can be very helpful, especially if they are presented as middleware classes (but watch out for an over focus on security stuff).

Yes yes yes! I've found significantly more traction with prescriptive guidance vs. a "don't do this" list of bad practices. Plus, it inherently supports a mindset of positive validation instead of negative. It's important to look for common mistakes, but if you really want your devs to follow, give them clear coding guidelines with annotated descriptions of how to follow them. Efforts like OWASP's ESAPI are indeed a great starting point here for plugging in things like strong positive input validation and such.

> - Web application firewalls are not in wide use, especially not as Web application firewalls.

I can't say I'm much surprised by this one. Even with PCI-DSS driving people to WAFs (or to external independent code reviews), I just don't see them often. But you go on to say, "But even these two didn't use them to block application attacks; they used them to monitor Web applications and gather data about attacks."--but you don't come back to this point. One serious benefit to WAFs can be enhancing the ability to do monitoring, especially of legacy apps. Adding one network choke point WAF can quickly add an app-level monitoring capability that few organizations considered when rolling the apps out in the first place.

> - Though software security often seems to fit an audit role rather naturally, many successful programs evangelize (and provide software security resources) rather than audit even in regulated industries

This one too is very encouraging to see.

> - Architecture analysis is just as hard as we thought, and maybe harder.

And this one is very discouraging. I've seen good results in doing architectural risk analyses, but the ones that produce useful results tend to be the more ad hoc ones -- and NOT the ones that follow rigorous processes.

> - All nine programs we talked to have in-house training curricula, and training is considered the most important software security practice in the two most mature software security initiatives we interviewed.

That explains the quarter-million miles in my United account this year alone. :-) Ugh.

> - Though all of the organizations we talked to do some kind of penetration testing, the role of penetration testing in all nine practices is diminishing over time.

Hallelujah!

Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Fwd: ESSoS'09: Call for Participation
FYI, see Call for Participation below.

Cheers,
Ken van Wyk

Begin forwarded message:

From: Bart De Win [EMAIL PROTECTED]
Date: December 9, 2008 8:22:14 AM EST
To: [EMAIL PROTECTED]
Subject: ESSoS'09: Call for Participation

CALL FOR PARTICIPATION

International Symposium on Engineering Secure Software and Systems (ESSoS'09)
In collaboration with ACM SIGSAC/SIGSOFT and IEEE TCSE
http://distrinet.cs.kuleuven.be/events/essos2009/
February 04-06, 2009, Leuven, Belgium

You are cordially invited to attend ESSoS, a conference-level event that provides a unique research and practitioners' view on the state of the art in secure software engineering. There are many good reasons for you to participate (and ditto arguments to convince your supervisor or boss). The program includes invited talks by two renowned researchers, as well as technical papers on a variety of topics ranging from program transformation to testing and assurance. Being the first edition in a future series, this is the time to join this growing community, meet new people and interact with peers. As an industry representative, you might be especially interested in the tutorials, which address current challenges and best practices in secure software construction. And last but not least, the symposium takes place in Leuven, a very enjoyable and historic city with a strong tradition in beer brewing.

The program consists of three days, one day of tutorials and two days of technical program, including among others:

* Invited talks:
- Elaborating Security Requirements by Analysis of Malicious Anti-Models (Axel van Lamsweerde, Université Catholique de Louvain)
- Automating Software Testing Using Program Analysis (Wolfram Schulte, Microsoft Research)

* Tutorials:
- Security by Construction (Rod Chapman, Praxis)
- Risk Management in Practice: Model Based Security Risk Analysis with the CORAS Method (Heidi Dahl and Mass Lund, SINTEF)
- Inside the Biggest of the OWASP Top-10 Issues (Kenneth R. van Wyk, KRvW Associates)
- Security: Philosophy, Patterns and Practices (Munawar Hafiz, University of Illinois at Urbana-Champaign)

* Technical program:
- a list of accepted papers is available at http://distrinet.cs.kuleuven.be/events/essos2009/papers

EARLY REGISTRATION DEADLINE: January 6, 2009

We're looking forward to meeting you all there!

Bart De Win (General Chair)
Fabio Massacci and Samuel Redwine (PC co-Chairs)
[SC-L] Opportunity at DTCC
Greetings SC-L,

I've been asked to allow a job posting here on SC-L. It certainly doesn't violate anything I've written in the group's charter (http://www.securecoding.org/list/charter.php), but then again, we've generally not used SC-L for job listings. And then again++, with the economy such as it is, perhaps this sort of thing is a good community service.

So, below is the job listing I was asked to post. If anyone here on SC-L has strong feelings for or against future job postings here, please let me know. I'm always happy to take your opinions into consideration!

Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com

===

The Depository Trust and Clearing Corporation (DTCC) is the premier global financial institution responsible for clearing and settling many types of financial transactions between banks and brokerage firms for the United States and many foreign markets. These include stock, bond, fixed income, government, mortgage, and insurance transactions.

DTCC has an exciting position in Application Security based in Tampa, Florida. The position is responsible for leading a highly successful and innovative Application Security Program across the DTCC enterprise. This includes driving security in our SDLC, as well as ensuring products and services procured are also built with security in mind. The successful candidate will find the challenges of our leading edge environment to be very stimulating.

We are looking for a candidate that has knowledge of SDLCs, Java, C++, and secure coding practices. The successful candidate will be able to interface and speak to programmers in our Development organization about secure programming, as well as be able to present to senior leadership including the CIO, CTO, and CDO. The successful candidate will also understand the value of KPIs to determine what new controls might be needed, and to lead the implementation of these.

In addition to the technical skills above, thought leadership, communication, and relationship management skills are critical qualities of the successful candidate.

Qualified candidates should contact Mike Longo, Director (HR) at [EMAIL PROTECTED]

==
Re: [SC-L] (fwd) informIT: A Software Security Framework
Greetings SC-L,

I thought I'd chime in on this, as it very closely relates to my current book project.

On Oct 15, 2008, at 8:31 AM, Gary McGraw (via Kenneth Van Wyk) wrote:
> Brian Chess and I have been working hard on a software security framework that we are using in a scientific study of many of the top software security initiatives.

Great work, guys. In some areas, I think it's probably overly simplistic, as some of the practices span more than one domain. (Notably, penetration testing can and should be part of a security testing regimen as well as a deployment testing regimen, IMHO.) But it's a great starting point for going out and gathering real world data on what's being done in the field. More importantly, it's useful at defining what practices should be assessed for a maturity model.

> Our plan of action is to interview the people running the top ten large-scale software security initiatives over the next few weeks and then build a maturity model with the resulting data.

Our discipline stands to gain significantly from having a maturity model in place, if for no other reason than to help dev organizations set goals and objectives in their software security efforts. Pravir et al at OWASP have done a great job at getting one started over there.

I also love the idea of using real world data as an initial set of measurements for each maturity level, especially for early version(s) of a maturity model. I think that goes a long way to helping development organizations realistically know what to aspire to--and how to get there--for each maturity level. In time, however, I'd sure like to see the maturity model advance beyond that and set the bars higher than just what's currently being done in practice, and define what *should* be done. That said, starting with a solid framework of practices to measure for each maturity level is the right way to do things.

IMHO, it'll probably be a few years before these efforts bear significant fruit in terms of advancing what is being practiced in the field, but we've got to start somewhere. Kudos.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] (fwd) informIT: A Software Security Framework
[Posted on behalf of Gary McGraw, who is without comms right now but wanted this to go out today. KRvW]

hi sc-l,

Brian Chess and I have been working hard on a software security framework that we are using in a scientific study of many of the top software security initiatives. Our plan of action is to interview the people running the top ten large-scale software security initiatives over the next few weeks and then build a maturity model with the resulting data. That's right, we're actually using real data from real software security programs.

Brian and I co-authored my informIT column this month, which just so happens to be about the software security framework. Please check it out, we're interested to know what you think!

http://www.informit.com/articles/article.aspx?p=1271382

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] AdaCore - Home GNAT Pro The Tokeneer Project
http://www.adacore.com/home/gnatpro/tokeneer/

Excerpt:

> Project Summary
>
> In order to demonstrate that developing highly secure systems to the level of rigor required by the higher assurance levels of the Common Criteria is possible, the NSA (National Security Agency) asked Praxis High Integrity Systems to undertake a research project to develop part of an existing secure system (the Tokeneer System) in accordance with Praxis’ Correctness by Construction development process. This development and research work has now been made available by the NSA to the software development and security communities in an effort to prove that it is possible to develop secure systems rigorously in a cost effective manner.

Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Survey thread killer
Hi SC-Lers,

With these last 2 messages, let's kill off the survey thread, please. I allowed it to continue on--probably longer than I should have--because there seemed to be valid and interesting points being made on both sides of the debate. But that seems to have run its course, so let's please let it die out.

Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance
Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear often.)

http://www.internetnews.com/ec-news/article.php/3755916

In talking with my customers over the past several months, I always find it interesting that the vast majority would sooner have root canal than submit their source code to anyone for external review. I'm betting PCI 6.6 has been a boon for the web application firewall (WAF) world.

Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Any SC-Lers going to FIRST in Vancouver next week?
Subject says it all. Any of you going to be at the FIRST conference? If you are and want to hook up for a chat--perhaps over a beer--then drop me a note.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Security Bonuses for Vista Programmers
FYI, interesting eWeek article on some of Vista's security features that are provided to developers. (I misinterpreted the article's title a bit, but it quickly becomes clear in the article. At first, I thought it was about giving $$ bonuses to Vista programmers -- it reminded me of an old Dilbert where the company was offering cash bonuses for finding bugs, and Wally was coding himself a minivan... :-) Anyway, don't let that stop you from reading this interesting article.

http://www.eweek.com/c/a/Security/Security-Bonuses-For-Vista-Programmers/

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] DistriNet Research Group
FYI, interesting announcement out of KU Leuven in Belgium and the SANS institute:

http://distrinet.cs.kuleuven.be/news/2008/2008-05-09%20SANSandDistriNetUnite.jsp

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Coverity to Buy Codefast
FYI, a bit of MA activity going on in the software security (product) space:

http://www.eweek.com/c/a/Application-Development/Coverity-to-Buy-Codefast/

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] GCC and pointer overflows [LWN.net]
FYI, here's an interesting article (and follow-on discussions) about a recent bug in the GCC compiler collection.

http://lwn.net/Articles/278137/

The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds checking can be optimized out to produce binaries that are susceptible to buffer overflows. The article includes a couple examples that really help illustrate the issue -- very interesting reading, IMHO.

Of course, many/most SC-Lers will no doubt jump on this as another example of why C is such a dangerous language to write (secure) code in, and that's fine. But, I see the issue at least a little differently: a compiler making decisions for the programmer and producing executable code that does not accurately conform to what the programmer coded. We've all heard of security-related optimizing issues for years, right? Well, here's a prime example of one in action.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
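An added example (my own, not code from the LWN article or the CERT advisory it mentions) of the pattern the post describes: a bounds check written as a pointer-wraparound test, which the compiler may legally discard because pointer arithmetic past the end of an object is undefined in C, beside a length-based check that leaves the optimizer nothing undefined to exploit. The fixed_buf type and the function names are illustrative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative fixed-size buffer (constructed for this example). */
struct fixed_buf {
    char   data[16];
    size_t used;
};

/* FRAGILE: the idiom the article is about. It tries to detect an
 * oversized len by checking whether dst + len wrapped around. Forming a
 * pointer beyond the end of the object is undefined behaviour in C, so
 * an optimizing compiler may assume the wrap cannot happen and delete
 * the `p < dst` test, leaving no bounds check in the binary at all.
 * Kept only to show the pattern; nothing below relies on it. */
int fits_by_pointer_wrap(const char *dst, size_t len, const char *dst_end)
{
    const char *p = dst + len;      /* undefined if it leaves the object */
    if (p < dst)                    /* the comparison the compiler may drop */
        return 0;
    return p <= dst_end;
}

/* ROBUST: compare lengths, not pointers. Every operand is an in-range
 * size_t, the subtraction cannot wrap because len <= capacity is tested
 * first (a naive `used + len <= capacity` would itself wrap for a huge
 * len), and nothing here is undefined, so the test must be kept. */
int fits_by_length(size_t used, size_t len, size_t capacity)
{
    return len <= capacity && used <= capacity - len;
}

/* Append len bytes of src to b, refusing (rather than truncating) data
 * that would not fit. Returns 1 on success, 0 when rejected. */
int fixed_buf_append(struct fixed_buf *b, const char *src, size_t len)
{
    if (!fits_by_length(b->used, len, sizeof b->data))
        return 0;
    memcpy(b->data + b->used, src, len);
    b->used += len;
    return 1;
}

int main(void)
{
    struct fixed_buf b = { {0}, 0 };
    printf("append 5 bytes:  %d\n", fixed_buf_append(&b, "hello", 5));           /* 1 */
    printf("append 12 bytes: %d\n", fixed_buf_append(&b, "0123456789ab", 12));   /* 0: 5+12 > 16 */
    printf("append SIZE_MAX: %d\n", fixed_buf_append(&b, "x", SIZE_MAX));        /* 0: rejected */
    printf("bytes used: %zu\n", b.used);                                          /* 5 */
    return 0;
}
```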
[SC-L] Lateral SQL injection paper
Greetings SC-Lers,

Things have been pretty quiet here on the SC-L list... I hope everyone saw David Litchfield's recent announcement of a new category of SQL attacks. (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) He refers to this new category as lateral SQL injection attacks. It's very different than conventional SQL injection attacks, as well as quite a bit more limited. In the paper, he writes:

Now, whether this becomes exploitable in the normal sense, I doubt it... but in very specific and limited scenarios there may be scope for abuse, for example in cursor snarfing attacks - http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf . In conclusion, even those functions and procedures that don’t take user input can be exploited if SYSDATE is used. The lesson here is always, always validate and don’t let this type of vulnerability get into your code. The second lesson is that no longer should DATE or NUMBER data types be considered as safe and not useful as injection vectors: as this paper has proved, they are.

It's definitely an interesting read, and anyone doing SQL coding should take a close look, IMHO. It's particularly interesting to see how he alters the DATE and NUMBER data types so that they can hold SQL injection data. Yet another demonstration of the importance of doing good input validation -- preferably positive validation. As long as you're doing input validation, I'd think there's probably no need to go back through your code and audit it for lateral SQL injection vectors.

Anyone else have a take on this new attack method? (Note that I don't normally encourage discussions of specific product vulnerabilities here, but most certainly new categories of attacks--and their impacts on secure coding practices--are quite welcome.)

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] quick question - SXSW
Ben,

Your point is a good one -- the software security community needs to be vigilant in reaching out to developers and spreading the word. FWIW, some dev conferences have done this. I spoke at SD West in 2006, and there was a significant security track there. Still, it'd be great to see that sort of thing at more dev-specific conferences.

Cheers,

Ken van Wyk
SC-L Moderator

On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:

First, thanks for that Bill, it exemplifies my point perfectly. A couple thoughts... one, targeting designers is just as important as reaching out to the developers themselves... if the designers can ensure that security requirements are incorporated from the outset, then we receive an added benefit... two, a re-phrasing around my original thought... somehow we need to get security thinking and considerations encoded into the DNA of everyone in the business, whether they be designers, architects, coders, analysts, PMs, sysadmins, etc, etc, etc. Every one of those topics you mention could (should!) have had implicit and explicit security attributes included... yet we're still at the point where secure coding has to be explicitly requested/demanded (often as an afterthought or bolt-on)... How do we as infosec professionals get people to the next phase of including security thoughts in everything they do... with the end-goal being that it is then integrated fully into practices and processes as a bona fide genetic mutation that is passed along to future generations? To me, this seems to be where infosec is stuck as an industry. There seems to be a need for a catalyst to spur the mutation so that it can have a life of its own. :)

fwiw.

-ben

--
Benjamin Tomhave, MS, CISSP
[EMAIL PROTECTED]
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
Augustine's Second Law of Socioscience: For every scientific (or engineering) action, there is an equal and opposite social reaction.
http://globalnerdy.com/2007/07/18/laws-of-software-development/

William L. Anderson wrote:

Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not see many discussions that pay attention to security, or any other software engineering oriented concerns, explicitly.

There was a discussion of scalability for web services that featured the developers from digg, Flickr, WordPress, and Media Temple. I got there about half-way through but the discussion with the audience was about tools and methods to handle high traffic loads. There was a question about build and deployment strategies and I asked about unit testing (mixed answers - some love it, some think it's strong-arm micro-mgt (go figure)).

There was a session on OpenID and OAuth (open authorization) standards and implementation. These discussions kind of assume the use of secure transports but since I couldn't stay the whole time I don't know if secure coding was addressed explicitly.

The main developer attendees at SXSW would call themselves designers and I would guess many of them are doing web development in PHP, Ruby, etc. I think the majority of attendees would not classify themselves as software programmers. To me it seems very much like a craft culture.

That doesn't mean that a track on how to develop secure web services wouldn't be popular. In fact it might be worth proposing one for next year.

If you want to talk further, please get in touch.

-Bill Anderson
praxis101.com

Benjamin Tomhave wrote:

I had just a quick query for everyone out there, with an attached thought. How many security and/or secure coding professionals are prevalently involved with the SXSW conference this week? I know, I know... it's a big party for developers - particularly the Web 2.0 clique - but I'm just curious.

Here's why: I'm increasingly frustrated by the disconnect between business/dev and security. I don't feel like we're being largely successful in getting the business and developers to include security as part of their standard operating procedures. Developers are still oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection holes. I then look at SXSW from afar and think: a) shouldn't I be there evangelizing security? and, b) shouldn't a major thread to all these conferences be about how security is integrating with dev processes and practices, making it better?

Maybe I'm just too idealist. I'm curious what everyone else thinks.

cheers,

-ben
[SC-L] PCI: Boon or bust for software security?
Greetings SC-L,

So here's a question to ponder. Now that PCI DSS 1.1 is out there (save a couple June 2008 deadlines still looming), has it been good or bad for software security as a whole? It does require secure development processes (as prescribed by OWASP). It does require sensitive cardholder data to be encrypted at rest and in transit. Has it improved the overall state of affairs, worsened it, or have things pretty much remained the same?

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] SC-L Administrivia: How does the readership feel about sponsorships?
Greetings SC-L,

So, I've always done my best to keep SC-L non-commercial since its inception in 2003. I'm curious, though, how you the readers would react to accepting sponsorships in the form of sponsored by: banners at the bottom of each posting. The banner presently points to the list, the list charter, along with a note saying that the list is hosted and moderated by my company.

So, my question is this: could/should I accept sponsorships where the sponsor would get (say) two or three lines of text saying who they are and pointing to their web page?

I welcome your candid/serious feedback on this.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Michael Howard's Web Log : Introducing SAFECode
FYI, from Michael Howard's blog:

Today SAFECode, the Software Assurance Forum for Excellence in Code, introduced its first white paper, Software Assurance: An Overview of Current Industry Best Practices. The organization was founded by Microsoft, Symantec, EMC, SAP and Juniper to advance understanding and practices related to secure development and integrity controls. Our goal is to raise the security bar across the software industry to reduce vulnerabilities.

Complete blog text, along with links to SAFECode and the white paper can be found here:

http://blogs.msdn.com/michael_howard/archive/2008/02/14/introducing-safecode.aspx

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Code Testing Tools Could Be Acquisition Targets in '08
New Year's greetings, SC-Lers,

FYI, here's an interesting article about the application security testing space, from eWeek.

http://www.eweek.com/article2/0,1759,2242973,00.asp?kc=EWRSS03119TX1K594

The author sort of compares apples and oranges a bit, IMHO, in comparing recent acquisitions of security testing product firms (e.g., SPI and WatchFire) with potential future acquisitions of source code analysis tool companies, but it's still worth a quick read. The good news in the article is, The acquisitions, coupled with an increase in the number of providers offering vulnerability assessments, are indicators of a growing emphasis on increasing security in the development process.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Redmond Developer News | Best Defense?
FYI, interesting article on sandboxing of applications, with quotes from a few SC-L regulars. Enjoy!

http://reddevnews.com/features/article.aspx?editorialsid=2386

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Fwd: SCARE metrics and tool release
Reposted with permission, FYI...

Cheers,

Ken
SC-L Moderator

Begin forwarded message:

From: Pete Herzog [EMAIL PROTECTED]
Date: November 30, 2007 10:30:18 AM EST
To: [EMAIL PROTECTED]
Subject: SCARE metrics and tool release

Hi,

Scare, the Source Code Analysis Risk Evaluation tool for measuring security complexity in C source code is now available. The tool is written to support the OpenTC project (opentc.net) as the SCARE methodology project available at: http://www.isecom.org/scare

We have done some test cases with the tool already to track trends in Xen and are now working on measuring trends in the Linux Kernel.

USE

The SCARE analysis tool is run against source code. Currently only C code is supported. The output file will contain all operational interactions possible which need controls (the current version does not yet say if and what controls are already there). At the bottom of the list are three numbers: Visibilities, Access, and Trusts. These 3 numbers can be plugged into the RAV Calculation spreadsheet available at isecom.org/ravs. The Delta value is then subtracted from 100 to give the SCARE percentage which indicates the complexity for securing this particular application. The lower the value, the worse the SCARE.

Trends in Xen:

XEN ver.   Vis   Accesses   Trusts   SCARE    Delta
3.0.3_0      1        314    28577   58.26   -41.74
3.0.4_1      1        311    31060   57.79   -42.21
3.1.0        1        316    33139   57.43   -42.57

As you can see, the security complexity of Xen is getting worse due to the increased numbers of Trusts (reliance on external variables which a user can manipulate as an input). Trust attacks can be tested according to the 4th point of the 4 Point test process in the OSSTMM 3: Intervention - changing resource interactions with the target or between targets.

At this stage, the tool cannot yet tell which interactions have controls already or if those controls are applicable however once that is available it will change the RAV but not the SCARE. The SCARE will also not yet tell you where the bugs are in the code however if you are bug hunting, it will extract all the places where user inputs and trusts with user-accessible resources can be found in the code.

We need help! We are looking for people to help us complete the SCARE methodology, add new programming languages to the tool, as well as even making a Windows binary version for those who do not code in Linux. Contact me if you can do this.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - [EMAIL PROTECTED]
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
---
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.
Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading
On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote:

So he's not completely naive, though the history of security metrics and standards - which tend to produce code that satisfies the standards without being any more secure - should certainly give one pause. One could, I suppose, give rebates based on actual field experience: Look at the number of security problems reported per year over a two-year period and give rebates to sellers who have low rates.

Right, so this is where I believe the entire idea would fall apart. I don't think we have adequate metrics today to measure products fairly. Basing the tax on field experience would also be problematic to measure well, although I could see this leading to development organizations getting some sort of actuarial score.

But the real problem with it, as I said, is metrics. Should it be based on (say) defect density per thousand lines of code as reported by (say) 3 independent static code analyzers? What about design weaknesses that go blissfully unnoticed by code scanners? (At least the field experience concept could begin to address these over time, perhaps.)

I do think that software developers who produce bad (security) code should be penalized, but at least for now, I still think the best way of doing this is market pressure. I don't think we're ready for more, on the whole, FWIW. But _consumers_ wield more power than they probably realize in most cases.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Fwd: People in glass houses shouldn't brick phones
SC-L,

FYI, some of you might find my column this month on eSecurityPlanet to be interesting:

http://www.esecurityplanet.com/article.php/3709301 (free, no registration required)

In it, I talk about some of the software security lessons to be gleaned from Apple's iPhone bricking debacle.

Enjoy...

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] IT industry creates secure coding advocacy group
Saw this story via Gunnar's blog (thanks!):

http://www.gcn.com/online/vol1_no1/45286-1.html

Any thoughts on the new group, which is calling itself SAFEcode? Anyone here involved in its formation and care to share with us what's the driving force behind it?

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Microsoft Pushes Secure, Quality Code
SC-Lers,

Hey, here's some good news out of Microsoft. According to EWeek,

Now for Visual Studio 2008, Microsoft's code analysis team is adding some new features, including Code Metrics, a new tool window that allows you to not only get an overall view of the health [code-wise] of your application, but also gives you the ability to dig deep to find those unmaintainable and complex hotspots, Somasegar said. For Visual Studio 2008, Code Metrics will ship with five metrics: Cyclomatic Complexity, Depth of Inheritance, Class Coupling, Lines of Code and Maintainability Index, he said.

The full story is here

http://www.eweek.com/article2/0,1895,2192515,00.asp

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] CERT Advances Secure Coding Standards - Desktop Security News Analysis - Dark Reading
Here's some good news from CERT and Fortify. Shortly, CERT will be generating Fortify SCA rules to help automate reviewing C/C++ source code against their secure coding standards.

http://www.darkreading.com/document.asp?doc_id=135352WT.svl=news1_2

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Fwd: [1st-t] Vancouver 2008 First Conference - Call for Papers
SC-L,

I'm forwarding the following Call for Papers (see below) for next year's FIRST conference here. Now, I recognize that FIRST (the Forum of Incident Response and Security Teams) is NOT a software security conference. But, over the past few years, I've started bringing some software security related sessions to the conference, and they've been well received. I'm a big believer in reaching out to other communities, and if ever there were two groups that should be talking and working together more than they currently do (IMHO), it's software developers and information security folks.

Disclaimer: I currently sit on FIRST's steering committee, although I have nothing to do with accepting/rejecting conference sessions. That said, if any of you ARE interested in reaching out to FIRST a bit and would like to chat, please drop me a line.

Cheers,

Ken van Wyk
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
SC-L Moderator

Begin forwarded message:

From: Reneaué Railton [EMAIL PROTECTED]
Date: September 20, 2007 1:20:29 PM EDT
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [1st-t] Vancouver 2008 First Conference - Call for Papers

FIRST 20th Annual Conference, June 22nd – 27th, 2008, Hyatt Regency Vancouver
British Columbia, Canada

Crossing Borders: Towards the Globalization of Security

Call for Papers
---------------

This is a call for papers and tutorials for the 20th Annual FIRST Conference. This text is also available at: http://www.first.org/conference/2008/papers.html

Overview
--------

The Forum of Incident Response and Security Teams (FIRST, http://www.first.org/) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRT's) and includes response teams from 180 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania.

The annual FIRST conference not only provides a setting for participants to attend tutorials and hear presentations by leading experts in the CSIRT community, it also creates opportunities for networking, collaboration, and sharing technical information. Just as importantly, the conference enables attendees to meet their peers and build confidential relationships across corporate disciplines and geographical boundaries.

FIRST conference participants include not only CSIRT staff, but also IT managers, network and system administrators, software and hardware vendors, law enforcement representatives, security solutions providers, telecommunications organizations, ISPs, and general computer and network security personnel.

FIRST conferences cover a broad range of security related topics such as (but not limited to):

- Advanced techniques in security incident prevention, detection and response.
- Latest advances in computer and network security tools
- Shared views, experiences, and resolutions in the computer security incident response field.

The Conference
--------------

The conference is a five-day event, comprised of two days of Tutorials, three days of Plenary Sessions focused on either Business or Technical issues. These include paper presentations, keynote speeches, Panel discussions and Birds-of-a-Feather Sessions.

Features planned for this year's conference include:

- Geek Zone - Presentations with a Hands On Format aimed at smaller, more technical audiences of up to 30 people
- Case Studies – Lessons learned in dealing with real events, from discovery to remediation. Share practical experiences in dealing with cyber incidents along with the tools that provided most valuable.
- SIG (Special Interest Group) meetings
- Beer 'n Gear where vendors demonstrate their equipment
- Security Challenge

The theme for the 2008 conference is ‘Crossing Borders: Towards the Globalization of Security'. The conference language is English.

Call for Papers
---------------

The FIRST program committee solicits original contributions for this conference, which are broadly based on the theme of ‘Crossing Borders: Towards the Globalization of Security'. All submissions must reflect original work and must adequately document any overlap with previously published or simultaneously submitted papers from any of the authors. If authors have any doubts regarding whether such overlap exists, they should contact the program chairs prior to submission.

Papers will be scheduled as part of the Main Conference. Timeslots are available in three lengths:

a) 50 Minutes, with 10 minutes question time
b) 40 minutes, with 10 minutes question time
c) 25 Minutes, with 5 minutes question time.

The program committee is also looking for contributions to the 'Geek Zone Sessions', where presentations may last for up to three hours and which are aimed at a smaller more technical audience of up to 30 people. These presentations are intended to
[SC-L] Fwd: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.
FYI, I saw the following tool release announcement over on bugtraq, and thought it might be of interest to some of you here. I know the terms PHP and security in the same sentence often are met with laughter here, but what the heck. If the tool helps a few PHP developers write PHP apps that are hardened against SQL injection attacks, then why not.

Cheers,

Ken van Wyk
SC-L Moderator

Begin forwarded message:

From: Ezequiel Gutesman [EMAIL PROTECTED]
Date: August 22, 2007 12:26:55 PM EDT
To: [EMAIL PROTECTED]
Subject: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.

CORE GRASP for PHP is a web-application protection software aimed at detecting and blocking injection vulnerabilities and privacy violations. As mentioned during its presentation at Black Hat USA 2007, GRASP is being released as open source under the Apache 2.0 license and can be obtained from http://gasp.coresecurity.com/.

The present implementation protects PHP 5.2.3 against SQL-injection attacks for the MySQL engine, it can be installed with almost the same effort as the PHP engine, both in Unix and Windows systems, and protection is immediate with any PHP web application running in the protected server.

CORE GRASP works by enhancing the PHP execution engine (VM) to permit byte-level taint tracking and analysis for all the user-controlled or otherwise untrustable variables of the web application. Tainted bytes are then tracked and their taint marks propagated throughout the web application's runtime. Whenever the web application tries to interact with a DB backend using SQL statements that contain tainted bytes, GRASP analyzes the statement and detects and prevents attacks or abnormal actions.

CORE GRASP was developed by CoreLabs, the research unit of Core Security Technologies. At CoreLabs, we plan to improve the tool and include new protections shortly. However, the invitation to collaborate with the project is open. If you would like to collaborate, please go to the GRASP website and subscribe to our mailing list.

Project home: http://grasp.coresecurity.com/
Documentation, presentation and papers: http://grasp.coresecurity.com/index.php?m=doc
Download: http://grasp.coresecurity.com/index.php?m=dld

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Opera Uses Mozilla Fuzzer Tool To Find 'Highly Severe' Bug -- Browser -- InformationWeek
Greetings SC-Lers,

Here's a great success story regarding Mozilla's new open source fuzzer that they just released during the blackhat conference:

http://www.informationweek.com/story/showArticle.jhtml?articleID=201800584cid=RSSfeed_IWK_News

Kudos to the Opera team!

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Software process improvement produces secure software?
On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:

> During our conversation, I made a question to Mr. Hayes similar to this: Is it possible that only software development process improvements can produce secure software? The scenario was only based on CMMI without security interference.

All that follows is IMHO, of course...

I would have to agree with you, Francisco, that process improvements without security interference are unlikely to produce significant changes in the security of the software produced.

That said, I am a believer in somewhat more rigorous security-based software process. In particular, I think it's worth spending additional time/effort delving into the non-functional aspects of software, from requirements gathering through design as well as during the implementation/coding phases. I think that solutions that focus solely on implementation improvement are not sufficient.

To me, a vital component in improving throughout the dev process must focus on process improvement. That is, process improvement based not (necessarily) on CMMI, and _with_ security interference. :-)

But I also don't like to see process for the sake of _process_. I'm fine with intelligently applied ad hoc processes, if that's not too much of a contradiction in terms.

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] how far we still need to go
On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote:

> Well after a few attempts to install it on a Mac OS X system I finally dope out that it only seems to install and run as admin. That is, I not only need to install it as admin (that's OK, ordinary users can't write to the /Applications area), but I need to run it as admin.

Maddening, isn't it? I maintain that this is a software issue, insofar as how the software is bolted into its operating environment. Many disagree with that point of view, which I can accept, but I believe that to pass this off to the ops guys is a bad practice that borders on negligence. Even for those who disagree with me, I still would argue that it's largely under the control of the developer to be able to bolt the code into a safe operating environment -- that promotes the principle of least privilege effectively.

One of my customers uses -- and hence, so do I -- VPN software and a software one-time token (SoftToken) that requires the SoftToken.app software to have read/write access to its folder under /Applications on OS X. The presumption was that it would always be run as root. Well, I've gone out of my way to run my desktop OS X user without privs, which broke SoftToken (it would generate the same token EVERY time it was invoked). I still wouldn't accept running it as root, however, and was able to circumvent the problem by only giving my desktop user read/write to the one data file that SoftToken needed to write to. Still not as good as designing it properly in the first place, but it was an acceptable compromise for me to be able to do what I need to do.

FWIW...

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07
SC-L,

I'm not quite so sure why this one (below) caught my eye -- we _all_ get tons of product advisories -- but it did. In particular, two things jump out at me:

1) the original author of the defect thought that s/he was doing things correctly in using strncpy (vs. strcpy).

2) the original author had apparently been doing static source analysis using David Wheeler's Flawfinder tool, as we can tell from the comments.

Yet, a simple coding mistake was made in calculating the length of a buffer and passing that incorrect length to strncpy. The result was a buffer overrun on the stack, just like the millions that we've all seen.

Mind you, the overrun can only be exploited when specific characters are used as input to the loop in the code. Thus, I'm inclined to think that this is an interesting example of a bug that would have been extraordinarily difficult to find using black box testing, even fuzzing. The iDefense team doesn't say how the (anonymous) person who reported it found it, but I for one would be really curious to hear that story.

Just some random thoughts this afternoon... Perhaps I'm still getting over the jet lag after returning from the FIRST conference in Seville.

Cheers,

Ken van Wyk
SC-L Moderator

Begin forwarded message:

From: iDefense Labs [EMAIL PROTECTED]
Date: June 26, 2007 3:53:46 PM EDT
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: iDefense Security Advisory 06.26.07: RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability

RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability

iDefense Security Advisory 06.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 26, 2007

I. BACKGROUND

RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. HelixPlayer is the open source version of RealPlayer. More information can be found at the URLs shown below.

http://www.real.com/realplayer.html
http://helixcommunity.org/

Synchronized Multimedia Integration Language (SMIL) is a markup language used to specify the use of several multi-media concepts when rendering media. Some such concepts are timing, transitions, and embedding. More information is available from WikiPedia at the following URL.

http://en.wikipedia.org/wiki/Synchronized_Multimedia_Integration_Language

II. DESCRIPTION

Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user.

The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows.

     924 HX_RESULT
     925 SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
     926 {
         ...
     957     char buf[10]; /* Flawfinder: ignore */
         ...
     962     while (*pCh)
     963     {
         ...
     972         else if (isspace(*pCh) || *pCh == '+' || *pCh == '-' || *pCh == 'Z')
     973         {
     974             // this will find the last +, - or Z... which is what we want.
     975             pTimeZone = pCh;
     976         }
         ...
     982         ++pCh;
     983     }
         ...
    1101     if (pTimePos)
    1102     {
    1103         //HH:MM...
         ...
    1133         if (*(pos-1) == ':')
    1134         {
         ...
    1148             if (*(pos-1) == '.')
    1149             {
    1150                 // find end.
    1151                 UINT32 len = 0;
    1152                 if (pTimeZone)
    1153                 {
    1154                     len = pTimeZone - pos;
    1155                 }
    1156                 else
    1157                 {
    1158                     len = end - pos;
    1159                 }
    1160                 strncpy(buf, pos, len); /* Flawfinder: ignore */

The stack buffer is declared to be 10 bytes on line 957. You can see that it has a comment which will cause the FlawFinder program to ignore this buffer.

The loop, which begins on line 962, runs through the parameter to the function looking for characters that denote different sections of the time format. When it encounters white space, or the +, -, or Z characters it will record the location for later use.

If a time was located and it contains both a colon and a period the vulnerable code will be reached. The length of data to copy into the stack buffer is calculated either on line 1154 or line 1158 depending on whether or not a timezone is present. Neither calculation takes into consideration the constant length of the 'buf' buffer and therefore a stack-based buffer overflow can occur on line 1160. Again, notice that this unsafe use of strncpy() is also marked with a FlawFinder ignore comment.

III. ANALYSIS

Exploitation requires that an attacker persuade a user to supply RealPlayer or HelixPlayer with a maliciously crafted SMIL file. For example, this can be accomplished by convincing them to visit a malicious web
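As an added example (not code from the advisory, RealNetworks or Helix), the length computation of lines 1151-1160 is reproduced in C beside a bounds-checked replacement, so the failure mode can be exercised safely without performing the overflowing copy. The helper names, the way the '.' field is located (the advisory elides it), and the sample inputs are assumptions.

```c
/* Added example, not the advisory's or RealNetworks'/Helix's code. It mirrors
 * the wallclock fraction length computation (advisory lines 1151-1160) and
 * contrasts it with a bounds-checked copy. Helper names are hypothetical. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WALLCLOCK_BUF_LEN 10U   /* same size as 'char buf[10]' at line 957 */

/* Scan a wallclock value the way the loop at line 962 does: the LAST
 * whitespace, '+', '-' or 'Z' is recorded as the time-zone start. The first
 * '.' is taken as the start of the fractional-seconds field (assumption: the
 * advisory does not show how 'pos' is derived). 'end' is the terminating NUL. */
static void scan_wallclock(const char *value, const char **dot,
                           const char **time_zone, const char **end)
{
    const char *pCh = value;
    *dot = NULL;
    *time_zone = NULL;
    for (; *pCh; ++pCh) {
        if (*pCh == '.' && *dot == NULL) {
            *dot = pCh;
        } else if (isspace((unsigned char)*pCh) || *pCh == '+' ||
                   *pCh == '-' || *pCh == 'Z') {
            *time_zone = pCh;   /* the last one wins, as in the original */
        }
    }
    *end = pCh;
}

/* The length exactly as lines 1151-1158 compute it, in the advisory's UINT32
 * type: nothing relates it to the size of buf, and a zone marker that sits
 * BEFORE the '.' makes the subtraction negative, which wraps to a huge value.
 * Returns 0 when there is no '.' field. No copy is performed here. */
uint32_t wallclock_fraction_len_unchecked(const char *value)
{
    const char *dot, *pTimeZone, *end;
    scan_wallclock(value, &dot, &pTimeZone, &end);
    if (!dot) return 0;
    const char *pos = dot + 1;                 /* *(pos-1) == '.' as at line 1148 */
    uint32_t len;
    if (pTimeZone) {
        len = (uint32_t)(pTimeZone - pos);     /* line 1154 */
    } else {
        len = (uint32_t)(end - pos);           /* line 1158 */
    }
    return len;
}

/* Bounds-checked replacement for line 1160. Copies the fractional digits into
 * buf and NUL-terminates it (strncpy would not when len == buf_len). Returns
 * the number of bytes copied, or -1 when the field is missing or empty, the
 * zone marker precedes the field, a non-digit is present, or the field does
 * not fit in buf together with its terminator. */
int wallclock_copy_fraction_checked(const char *value, char *buf, size_t buf_len)
{
    const char *dot, *pTimeZone, *end;
    scan_wallclock(value, &dot, &pTimeZone, &end);
    if (!dot || buf_len == 0) return -1;
    const char *pos = dot + 1;
    const char *stop = end;
    if (pTimeZone) {
        if (pTimeZone < pos) return -1;        /* would go negative above */
        stop = pTimeZone;
    }
    size_t len = (size_t)(stop - pos);
    if (len == 0 || len >= buf_len) return -1; /* leave room for the NUL */
    for (size_t i = 0; i < len; ++i) {
        if (!isdigit((unsigned char)pos[i])) return -1;
    }
    memcpy(buf, pos, len);
    buf[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real SMIL file. */
    const char *inputs[] = {
        "12:30:05.125+01:00",             /* well-formed, fits in buf */
        "12:30:05.5",                     /* no zone marker: len = end - pos */
        "12:30:05.1234567890123456789Z",  /* 19-digit fraction: exceeds buf */
        "-12:30:05.5",                    /* zone marker before the '.' */
    };
    char buf[WALLCLOCK_BUF_LEN];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; ++i) {
        uint32_t raw = wallclock_fraction_len_unchecked(inputs[i]);
        int n = wallclock_copy_fraction_checked(inputs[i], buf, sizeof buf);
        printf("%-32s unchecked len=%10lu  checked=%d%s%s\n", inputs[i],
               (unsigned long)raw, n, n >= 0 ? " buf=" : "", n >= 0 ? buf : "");
    }
    return 0;
}
```

The unchecked length is returned rather than used, so the program never writes past buf; compare its value against WALLCLOCK_BUF_LEN to see which inputs the original code would have mishandled.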
Re: [SC-L] Harvard vs. von Neumann
On Jun 14, 2007, at 3:51 PM, Gary McGraw wrote:

> I am in complete agreement with your thinking, which is why one of the touchpoints (and chapter 9 of Software Security is about operations. Ken knows more about this than any of us, but he's on a plane now...right Ken?

Wow, I'd stop far short of such strong words, but I have spent a great deal of time in operations land, and I am convinced we're (all) missing out on significant opportunities to enhance our software security by better making use of deployment security, for lack of a better term. I've seen far too many one size fits all approaches to software deployments that fall far short of adequately protecting the app, much less enabling the detection and response of issues when they come up.

Cheers,

Ken

P.S. And yes, I was on a plane. Greetings from Lisbon, en route to Sevilla, Spain for the FIRST conference. I'll again toss out the offer to meet with any SC-Lers who are at the conference.

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] What's the next tech problem to be solved in software security?
First off, many thanks to all who've contributed to this thread. The responses and range of opinions I find fascinating, and I hope that others have found value in it as well. Great stuff, keep it coming.

That said, I see us going towards that favorite of rat-holes here, namely the my programming language is better than yours, nyeah! path. Let's please avoid that. I'm confident that we've seen it enough times to know that it ends with no clear winners (but plenty of losers).

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] What's the next tech problem to be solved in software security?
Hi SC-L,

[Hmmm, this didn't make it out to the list as I'd expected, so here's a 2nd try. Apologies for any duplicates. KRvW]

At the SC-L BoF sessions held to date (which admittedly is not exactly a huge number, but I'm doing my best to see them continue), I like to ask those that attend what we can be doing to make SC-L more useful and meaningful to the subscribers. Of course, as with all mailing lists, SC-L will always be what its members make of it. However, at one recent SC-L BoF session, it was suggested that I pose periodic questions/issues for comment and discussion. As last week was particularly quiet here with my hiatus and all, this seems like a good opportunity to give that a go, so...

What do you think is the _next_ technological problem for the software security community to solve?

PLEASE, let's NOT go down the rat hole of senior management buy-in, use [this language], etc. (In fact, be warned that I will /dev/null any responses in this thread that go there.)

So, what technology could/would make life easier for a secure software developer? Better source code analysis? High(er) level languages to help automate design reviews? Better security testing tools? To any of these, *better* in what ways, specifically?

Any takers?

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] IBM to catch Watchfire security technology | Tech News on ZDNet
FYI, yet another acquisition in the security world... This time it's IBM buying up Watchfire (makers of AppScan).

http://news.zdnet.com/2100-1009_22-6188999.html?part=rsstag=feedsubj=zdnet

Kind of reminds me of something Chef Jacques Pepin said in an interview with Terry Gross on NPR's Fresh Air some time back (IIRC). He said when he was growing up, leftover food never went to waste. They always took yesterday's leftovers and made something completely new with it the next day -- NEVER simply re-heating it to serve the same thing again, which always ends up being bland. By the time the last of the real food was gone, nobody remembered what the original recipe even was. That kept them interested in the food even as it went through several transformations.

Not sure why this comes to mind now... ;-\

Cheers,

Ken

- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Who's To Blame For Insecure Software? Maybe You
Some interesting (IMHO) stats coming out of Gartner security summit. One that jumped off the page at me was that 57% of the attendees believe that independent security research labs are providing a useful and valuable service. Whether you agree or not, the article below is an interesting read.

http://www.informationweek.com/security/showArticle.jhtml?articleID=199901402pgno=1queryText=

Cheers,

Ken

P.S. I'm surprised to say that I've so far had no takers on my question yesterday -- what is the next technology hurdle for us to clear? Perhaps everyone is off enjoying their summer breaks like I was last week...

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Administrivia: Moderator is in, and SC-L BoF in Spain?
SC-Lers,

FYI, back from a few days in the sun. It was a quiet week in any case here on SC-L, but I am indeed back at the moderator's (virtual) desk now.

Anyone here attending the FIRST conference in Sevilla, Spain later this month? Any interest in an SC-L BoF session? I'll be there all week and would be happy to meet with any SC-L folks who'll be there. Drop me a line and say hi. First Rioja Crianza and jambon Iberia is on me.

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Administrivia: Moderator on hiatus
SC-L,

After an insane travel schedule over the last several months, the moderator is taking some much-needed time to relax on the beach while sipping boat drinks. I'll be checking the SC-L queue over the next week at least once daily, but if you submit something, please be a bit patient. It'll go out, but might take a little while.

Sorry for the inconvenience.

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] 1 Raindrop: Common Attack Pattern Enumeration and Classification (CAPEC)
SC-L,

Saw this via Gunnar Peterson's blog (http://1raindrop.typepad.com/1_raindrop/2007/05/common_attack_p.html)...

Check out Mitre's first draft of CAPEC, the Common Attack Pattern Enumeration and Classification database (http://capec.mitre.org). It complements the existing CVE (http://cve.mitre.org) and CWE (http://cwe.mitre.org) efforts by presenting the attack patterns used to exploit the various vulnerabilities.

Great stuff that should be of interest to our readers here at SC-L, though the site itself does require Javascript to work -- boo hiss! :-)

Cheers,

Ken

- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Stakes are High for Vista Security
<shameless-self-plug>

I hope that some of you will find my April column over on eSecurityPlanet interesting. It can be found (for free) at the link below. If not, just press the old delete key.

http://www.esecurityplanet.com/article.php/11162_3670486_2

</shameless-self-plug>

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Stakes are High for Vista Security
On Apr 9, 2007, at 11:12 AM, Kenneth Van Wyk wrote:

> http://www.esecurityplanet.com/article.php/11162_3670486_2

Sorry folks -- I inadvertently posted the URL to page 2 of the column. Page 1 is at http://www.esecurityplanet.com/article.php/3670486

Sorry for the inconvenience (and the list clutter). Mea culpa++

Cheers,

Ken van Wyk
[SC-L] SANS Software Security Institute announced
FYI, the folks at SANS have announced the launch of their Software Security Institute (see http://www.sans-ssi.org/ for details). Their web site cites the following 6 goals:

* Allow employers to rate their programmers on security skills so they can be confident that every project has at least one security master and all of their programmers understand the common errors and how to avoid them.

* Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.

* Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.

* Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge.

* Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.

* Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Information Protection Policies
On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:

> Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into their own?

Using someone's boilerplate policies as a starting point is great, as long as they go beyond just infosec policies and include examples/guidelines for writing contracts for outsourcing software development and acquisition. Steve Christey pointed to OWASP's example at http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex. While I haven't (yet) looked at this AND while I'm certainly no authority on contract writing, I'd bet that this OWASP example will at least provide some pretty good food for thought for anyone who is contracting software development.

I firmly believe that we as consumers and as a whole, are not doing an adequate job at demanding more in the way of software security from the software we purchase and outsource. IMHO, that shouldn't be horribly difficult to change in the short- to medium-term. Better contracts and contractor oversight (e.g., independent architectural risk analysis, static code analysis, and rigorous security testing) should go a long way. I know I'm over-simplifying things here, but still...

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?
On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote:

> I think some vendors have come around to the economics argument. In every case, those vendors with extreme reputation exposure have attempted to move past penetrate and patch. Microsoft, for one, is trying hard, but (to use my broken leg analogy) they had a severe case of osteoporosis and must take lots of calcium to build up bone mass. The financial vertical, led by the credit card consortiums is likewise making good progress. Other vendors with less brand exposure (or outright apathy from users) are slower on the uptake.

Having spent several years on the incident handling side of this argument at CMU's CERT/CC, US. Dept. of Defense, etc., I thought I'd chime in here as well.

It's encouraging to me to see that many vendors now recognize the reputation exposure and economics argument. I know that in my years at CERT (1989-1993), we were more than once threatened by uncooperative vendors, saying that they would sue us if we published information about their product's vulnerabilities. We spent years developing those vendor relationships and building up some level of mutual trust. It's not always an easy path.

In the full disclosure years, it's been my observation that many vendors get forced into publishing patches when the vulnerability pimps (as Marcus calls them) call them out in public. Without a doubt, that's led many vendors to respond more quickly and more publicly than they otherwise might have.

At the same time, (and to try to bring this thread back to *software security*) I'm concerned about the software security ramifications of being bullied into patching something too quickly. While a simple strcpy--strncpy (or similar) src edit takes just moments, and shouldn't impact the functionality and reliability of any software, patches are rarely that simple. When software producers are forced to develop patches in unnaturally rushed situations, bigger problems (IMHO) will inevitably be introduced.

So, I applaud the public disclosure model from the standpoint of consumer advocacy. But, I'm convinced that we need to find a process that better balances the needs of the consumer against the secure software engineering needs. Some patches can't reasonably be produced in the amount of time that the vulnerability pimps give the vendors.

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis
Here's an interesting article from Dark Reading about web fuzzers. Web fuzzing seems to be gaining some traction these days as a popular means of testing web apps and web services.

http://www.darkreading.com/document.asp?doc_id=118162f_src=darkreading_section_296

Any good/bad experiences and opinions to be shared here on SC-L regarding fuzzing as a means of testing web apps/services? I have to say I'm unconvinced, but agree that they should be one part--and a small one at that--of a robust testing regimen.

Cheers,

Ken

P.S. I'm over in Belgium right now for SecAppDev (http://www.secappdev.org). HD Moore wowed the class here with a demo of Metasploit 3.0. For those of you that haven't looked at this (soon to be released, but available in beta now) tool, you really should check it out. Although it's geared at the IT Security pen testing audience, I do believe that it has broader applicability as a framework for constructing one-off exploits against applications.

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis
On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote:

> Given the complex manipulations that can work in XSS attacks (see RSnake's cheat sheet) as well as directory traversal, combined with the sheer number of potential inputs in web applications, multiplied by all the variations in encodings, I wouldn't be surprised if they were effective in finding those kinds of implementation bugs, even in well-designed software. Although successfully diagnosing some XSS without live verification smells like a hard problem akin to the Ptacek/Newsham vantage point issues in IDS.
>
> With the track record of non-web fuzzers and PROTOS style test suites, why do you think web app fuzzing is less likely to succeed?

It's not so much that I don't think fuzzing is useful, it's that I don't see one size fits all fuzzing _products_ being useful.

To me, it gets to an issue of informed vs. uninformed (or white box vs. black box if you prefer) testing. While they're both useful and should both be exercised, I believe (though I have no hard statistics to validate) that issues of coverage/state are always going to doom uninformed testing to being less effective than informed testing.

For a fuzzer to be really meaningful, I believe that a smart fuzzing approach is going to be the best bet, and that makes it hard for a one size fits all product solution to be feasible. To do smart fuzzing, a lot of setup time is necessary in establishing an appropriate test harness and cases that fully exercise the files, network interface data, user data, etc., that the software is expecting.

Perhaps I'm totally off base, and I invite any product folks here to chime in and correct my misconceptions.

Cheers,

Ken

- Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis
On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:

> unconvinced of what? what fuzzing is useful? or that it's the best security testing method ever? or you remain unconvinced that fuzzing in web apps is fuzzing in os apps? fuzzing has obvious advantages. that's all anyone should care about.

No, not that it's useful or not. As I said in my other reply, my real wariness is of the one size fits all product solutions.

It seems to me that the best fuzzing tools are in fact frameworks for building customized fuzzing tests. OWASP's jbrofuzz (in beta release currently) is an example of what I mean here. It gives the tester the means for identifying fields to fuzz and how to fuzz them (say, integer size testing), and then you press the fuzz button and it generates all the tests. That's useful, meaningful, and valuable, IMHO. But it's not a fire and forget general purpose tool that can test any web app.

Beyond that, to me it's an issue of coverage. As with any uninformed testing, it's bound to miss things, which is to be expected. (E.g., a state tree that contains a format string vulnerability that doesn't execute because the testing never triggered that particular state -- hence my comments about test coverage/state earlier.)

So, my impression is that fuzzing is useful (in Howard/Lipner's SDL book, they say that some 25% of the bugs they find during testing come out during fuzzing), but that it should only be a small, say 10-20%, part of a testing regimen.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
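The two replies above describe field-aware ("smart") fuzzing, where the tester marks which fields to fuzz and how (integer size testing, for instance), and the coverage/state problem that makes uninformed fuzzing miss defects that only trigger in a particular state. The following is an added example in Python and is not code from the thread or from jbrofuzz: a small field-aware case generator plus a harness that runs the cases against a constructed toy service (`ToyService`, `FuzzSpec`, `run_fuzz` and the integer-index defect are all assumptions made up for this illustration). The defect sits behind a login state, so the harness is run twice, once cold and once with a setup request that drives the service into the right state, to show the coverage difference the replies argue about.

```python
"""
Field-aware fuzz case generation against a stateful target (added example,
not the thread's or jbrofuzz's code).  The target is a constructed toy
service whose defect is reachable only after a login request.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Integer-size boundaries a field-aware fuzzer emits for a numeric field:
# the edges of the 8-, 16-, 32- and 64-bit signed/unsigned ranges, plus 0 and -1.
INT_BOUNDARIES: List[int] = [0, 1, -1] + [
    v
    for bits in (8, 16, 32, 64)
    for v in (2 ** (bits - 1) - 1, 2 ** (bits - 1), 2 ** bits - 1, 2 ** bits)
]


def integer_cases(original: str) -> Iterable[str]:
    """Test values for a field the tester marked as an integer."""
    for n in INT_BOUNDARIES:
        yield str(n)
    yield "00" + original        # leading zeros, still a valid integer
    yield original + "9" * 40    # overlong numeric string


@dataclass
class FuzzSpec:
    """A base request plus, per field, the generator that fuzzes that field."""
    base: Dict[str, str]
    generators: Dict[str, Callable[[str], Iterable[str]]]


def generate_cases(spec: FuzzSpec) -> Iterable[Dict[str, str]]:
    """One request per generated value, fuzzing one field at a time."""
    for name, gen in spec.generators.items():
        for value in gen(spec.base[name]):
            case = dict(spec.base)
            case[name] = value
            yield case


class ToyService:
    """Constructed target: a stateful handler whose defect needs a prior login."""

    def __init__(self) -> None:
        self.state = "anonymous"
        self.hits: Set[str] = set()  # branch labels reached: a crude coverage measure

    def handle(self, fields: Dict[str, str]) -> str:
        action = fields.get("action", "")
        if action == "login":
            self.hits.add("login")
            self.state = "logged_in"
            return "ok"
        if action == "export":
            self.hits.add("export")
            if self.state != "logged_in":
                self.hits.add("export:denied")
                return "denied"
            self.hits.add("export:allowed")
            page = int(fields.get("page", "0"))
            # Constructed defect: the page index is later used as a signed
            # 32-bit count, so anything outside that range is a failure.
            if not 0 <= page <= 2 ** 31 - 1:
                self.hits.add("export:overflow")
                raise OverflowError(f"page index {page} does not fit in int32")
            return f"page {page}"
        self.hits.add("unknown")
        return "unknown action"


def run_fuzz(spec: FuzzSpec,
             setup: Iterable[Dict[str, str]] = ()) -> Tuple[List[Dict[str, str]], Set[str]]:
    """Run every case against a fresh service, optionally after setup requests.

    Returns the cases that crashed and the union of branches reached.
    """
    setup = list(setup)
    crashes: List[Dict[str, str]] = []
    coverage: Set[str] = set()
    for case in generate_cases(spec):
        svc = ToyService()
        for req in setup:  # informed harness: drive the target into the state under test
            svc.handle(req)
        try:
            svc.handle(case)
        except OverflowError:
            crashes.append(case)
        coverage |= svc.hits
    return crashes, coverage


# The tester's choice: fuzz only the "page" field of an export request, as integers.
EXPORT_SPEC = FuzzSpec(base={"action": "export", "page": "1"},
                       generators={"page": integer_cases})

if __name__ == "__main__":
    blind, blind_cov = run_fuzz(EXPORT_SPEC)
    print("uninformed:", len(blind), "crashes; coverage", sorted(blind_cov))
    informed, informed_cov = run_fuzz(EXPORT_SPEC, setup=[{"action": "login"}])
    print("informed:  ", len(informed), "crashes; coverage", sorted(informed_cov))
```

The cold run reaches only the `export:denied` branch and reports no crashes, which is the coverage gap the reply describes; the run with the login setup reaches `export:allowed` and surfaces every boundary value outside the signed 32-bit range. The branch-label set is a stand-in for real coverage instrumentation, but it is enough to make the point that the harness setup, not the case generator, decides what a fuzz run can find.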
[SC-L] The seven sins of programmers | Free Software Magazine
SC-L,

So my trusty RSS aggregator (NewsFire) found an interesting blog for me this morning, and I thought I'd share it here. The blog is from Free Software Magazine and it's titled, The seven sins of programmers. On the surface, it has nothing whatsoever to do with software security -- the word security is never even mentioned in passing -- but I believe there are some worthy security lessons to be gleaned from it.

http://www.freesoftwaremagazine.com/blog/seven_sins

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Vulnerability tallies surged in 2006 | The Register
FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% increase over 2005. See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/

The article further states,

> The greatest factor in the skyrocketing number of vulnerabilities is that certain types of flaws in community and commercial Web applications have become much easier to find, said Art Manion, vulnerability team lead for the CERT Coordination Center. 'The best we can figure, most of the growth is due to fairly easy-to-discover vulnerabilities in Web applications, Manion said. They are easy to find, easy to create, and easy to deploy.'

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
Ok, last software security news item for today, I promise. :-)

This article (see http://www.darkreading.com/document.asp?doc_id=115110WT.svl=news1_1) is about a couple of new startup companies. One of them in particular, Veracode, may be of some interest here. The article says,

> Veracode, founded by Chris Wysopal and other former executives of @stake, is now offering patented binary-code analysis of software for enterprises that want to analyze their software's security on a regular basis. The ASP will also offer security reviews of enterprise products and security analysis of third-party apps for software developers.

The article also provides some counterpoints, including some from Gary McGraw, that are worth reading. Among other things, Gary says,

> However, if you want real security analysis you have to go past the binary, past the source code, and actually consider the design.

Opinions on binary vs. source code (and design!) analysis, anyone?

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] heise Security - News - Security specialist leaves PHP security team
I guess this falls into the you can lead a horse to water, but you can't make him drink category:

http://www.heise-security.co.uk/news/82500

A member of the PHP security team has left in apparent disgust over the team's security practices. I doubt that anyone here on SC-L is surprised by the article, but PHP remains quite popular, and it seems sad to see it losing some vital and much-needed security support.

Well, there's always AJAX, I suppose. ;-\

Cheers,

Ken

P.S. Hey, SC-L is 3 years old this month!
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Top 10 Ajax Security Holes and Driving Factors
FYI, a friend forwarded me a link to this interesting article by Shreeraj Shah on Ajax holes, http://www.net-security.org/article.php?id=956

Since much has been written here on SC-L about relatively safe programming languages recently, I thought it might be interesting to look at the other end of the spectrum. ;-)

Yes, I know Ajax is wildly popular these days. 10,000 lemmings can't be wrong, certainly!

Cheers,

Ken
-
Kenneth R. van Wyk
Moderator, SC-L
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Apple Places Encrypted Binaries in Mac OS X
Here's a somewhat interesting link to an eweek article that discusses Apple's use of encryption to protect some of its OS X binaries:

http://www.eweek.com/article2/0,1895,2050875,00.asp

Of course, encrypting binaries isn't anything new, but it's interesting (IMHO) to see how it's being used in a real OS. The article cites speculation as to whether Apple uses encryption for anti-piracy or anti-reverse-engineering.

Another interesting side topic (though not mentioned in this article) is code obfuscation, which is being increasingly used for both purposes as well. Course, some coders have been inadvertently doing code obfuscation for years. ;-\

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Secure programming is NOT just good programming
On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote:

> I suppose now is as good a time as any to say that everything david is talking about here is described in great detail in the HOW TO book that I released last february. If you're reading this list, you really should read that book. It's called software security. Ken and I have trained thousands of developers using the book as a guide with some success. Cigital has a number of very large-scale software security initiatives underway at various customers that leverage that training. But more importantly, good programs instill and measure the kinds of best practices (called touchpoints in the book) that are certainly not part of standard good coding practice.

Presuming you meant now part of... and not not part of...

In any case, another great source of information on the touchpoint processes in Gary's book is the DHS-sponsored Build Security In portal at http://BuildSecurityIn.us-cert.gov. It's still a work in progress, but there are a bunch of in-depth articles explaining all of Gary's touchpoint activities and such. Plus, several new articles will be appearing there over the next few months, so keep checking in for updates. The site is free and open to the public.

(Full disclosure: as one of the BSI authors, I'm certainly not unbiased, but I still believe it's a valuable resource for those who are interested in learning more about the touchpoints Gary cited.)

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] A banner year for software bugs | Tech News on ZDNet
So here's a lovely statistic for the software community to hang its hat on:

http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed

Among other things, the article says,

> Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004.

Of course, the real losers in this are the software users, who have to deal with the never ending onslaught of bugs and patches from their vendors. We've just _got_ to do better, IMHO, and automating the patch process is not the answer.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Insecurity in Open Source
FYI, there's an interesting opinion article in Business Week by Coverity's CTO, Ben Chelf (see link below). In it, he discusses the results of their scanning of a significant sampling of both open- and closed-source projects. Chelf compares some special purpose proprietary software security/quality with the best of what's out in the open source world. Further, he opines that the open source guys need to adopt far more rigorous QA testing in order to compete with the best of the proprietary source world.

I'm passing this along not to launch into the invariable religious debates of closed- vs. open-source, but to encourage discussion about Chelf's claims with regards to rigorous QA testing.

Anyway, here's the article.

http://www.businessweek.com/technology/content/oct2006/tc20061006_394140.htm?campaign_id=bier_tco.g3a.rss1007

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] IEEE Security and Privacy article on software security training
Wow, it's sure been a quiet few days out here on SC-L. Summer vacations are over, I suppose...

In any case, I thought that I'd post a link to a new IEEE Security & Privacy article on training for software security engineers. It was written by Cigital's John Steven and yours truly, and can be found via:

http://www.computer.org/portal/site/security

Enjoy.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Fwd: There's More than One Monoculture
Greetings SC-L,

Check out Peter Coffee's latest column at:

http://www.eweek.com/article2/0,1895,2014207,00.asp

It's a follow-up to Dan Geer's (et al's) now famous monoculture paper, three years after the paper was published. Among other things, Coffee makes some interesting comparisons to the Internet monoculture situation that existed in November 1988 when Robert Morris unleashed his Internet worm program.

Interesting reading, IMHO.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] A New Open Source Approach to Weakness
FYI, here's an article about Fortify's pernicious kingdom taxonomy of common coding defects that I thought would be of interest here:

http://www.internetnews.com/dev-news/article.php/3623751

Cheers,

Ken
-
Kenneth R. Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis
Here's an interesting article from Dark Reading regarding a software attack on the existing Vista beta:

http://www.darkreading.com/document.asp?doc_id=99780f_src=darkreading_section_296

I noticed, in particular, that the attack is against a design weakness of Vista -- "The attack doesn't use your typical buffer overflow or other bug, but basically exploits a Vista (and Windows) design problem -- that user-mode applications are allowed to access raw disk sectors, Rutkowska says."

The attack, which is being described in detail at Blackhat, looks for "interesting" OS code to be paged out and then carefully modifies the contents of the page file in order to dupe Vista into loading the corrupt page data.

Cheers,

Ken

Kenneth Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Administrivia: Bumper Stickers
Greetings SC-L,

It's been a busy couple of days here on SC-L. The bumper sticker thread, in particular, has obviously generated a *lot* of (useful and interesting) discussion. While I'm reluctant to stop legitimate and open debate of opinions, I think that it's fair to say that this thread has pretty much run its course. As such, I'm going to be increasingly diligent in rejecting submissions to it that don't carry the debate further. I'd like to ask for everyone's support in helping this thread die its natural death and move on to other subjects.

So, to those that want to continue the thread, be prepared to prove to me with each message that your message(s) deserves to be approved for distribution to the list, please.

Cheers,

Ken

Kenneth Van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006
Greetings SC-L,

I saw an article on Dr. Dobb's (via Slashdot) this morning that made me pause a bit. The article is on "Quick-Kill Project Management" -- full link is here:

http://www.ddj.com/dept/architect/189401902

The article describes a small project team (say 5 developers) who have suddenly had their dev schedule drastically accelerated on them by powers outside of their control. It describes some techniques that the dev leader can use to concentrate the team's focus on killing (hence the name) the most pressing of issues. Not surprisingly, there's no mention of security in the article, although they do talk about conducting code reviews, but only for functional defects in the code.

What caught my attention here is that I'll bet that a *lot* of small dev teams end up in situations very similar to the one described in the article's opening statements. In that sort of situation (where the company VP says "finish this yesterday"), I'd expect that doing just about any sort of security review is the first thing to be dropped from the dev schedule. I wonder, though, if teams that have already integrated (say) static analysis tools into their build cycle might have a fighting chance at *not* dropping those checks during this kind of "death march". Put another way, how does a team hold onto its good practices (not just security reviews) when they're in crisis mode? I'm sure that the answer varies a lot by team, priorities, etc., but I'd welcome any comments, opinions, etc. from any of you who have been in similar situations.

Cheers,

Ken

Kenneth Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006
Greetings SC-L,

(Sorry for the previous message; I see that my (new) MacGPG is causing grief for Mailman, so I'm re-sending this message unsigned.)

I saw an article on Dr. Dobb's (via Slashdot) this morning that made me pause a bit. The article is on Quick-Kill Project Management -- full link is here:

http://www.ddj.com/dept/architect/189401902

The article describes a small project team (say 5 developers) who have suddenly had their dev schedule drastically accelerated on them by powers outside of their control. It describes some techniques that the dev leader can use to concentrate the team's focus on killing (hence the name) the most pressing of issues. Not surprisingly, there's no mention of security in the article, although they do talk about conducting code reviews, but only for functional defects in the code.

What caught my attention here is that I'll bet that a *lot* of small dev teams end up in situations very similar to the one described in the article's opening statements. In that sort of situation (where the company VP says finish this yesterday), I'd expect that doing just about any sort of security review is the first thing to be dropped from the dev schedule. I wonder, though, if teams that have already integrated (say) static analysis tools into their build cycle might have a fighting chance at *not* dropping those checks during this kind of death march. Put another way, how does a team hold onto its good practices (not just security reviews) when they're in crisis mode? I'm sure that the answer varies a lot by team, priorities, etc., but I'd welcome any comments, opinions, etc. from any of you who have been in similar situations.

Cheers,

Ken

Kenneth Van Wyk
KRvW Associates, LLC
http://www.KRvW.com