As the saying goes, a Unix server goes down and you have a bad weekend. A
Mainframe goes down and the earth stops rotating on its axis. To the latter
point, MQ Series and other messaging systems that communicate with Mainframes
and heritage(*) systems get next to no attention from the security
In case anyone needs a summer project, I wonder what percentage of issues
discussed in the 111 shows are still issues today?
-gunnar
On Jul 7, 2015, at 11:45 AM, Kevin W. Wall kevin.w.w...@gmail.com wrote:
Ah, I see...so the dirty trick is that you are finally doing reruns.
Syndication
Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of
security. On the software side, esp in the case of Twitter, Facebook et al, the
equivalent is David Gelernter.
I did a mashup of these titans and I must say I think there is a fair(and
increasing) amount of impedance
Advanced = goes through firewall
Persistent = tried more than once
Threat = people trying to get into valuable stuff
Nothing new to sc-l readers, but a Reasonably good marketing term esp by
infosec standards (yay we get to scare business people with something other
than an auditor's
from interview with iRobot CEO and founder Colin Angle:
Are you planning on developing apps for robots like Roomba and Scooba?
The robot operating system architecture will divide in half. The mobile
industry is moving far faster and is far larger than the robot industry. You’ve
got a couple of
Hi Ken,
You raise some important points. Most infosec is approached as a set of
controls, but access control only takes you so far in the face of malice.
I like this quote from G.K. Chesterton
The real trouble with this world of ours is not that it is an unreasonable
world, nor even that it
Flip side of Lifestyle Hacking aptly described by Messrs McGraw and
Routh is when your organization cannot deliver the functionality/data/
usability that the consumers need.
http://1raindrop.typepad.com/1_raindrop/2010/03/bring-your-cloud-to-work-in-iraq.html
-gunnar
It's been a while since there was a bugs vs flaws debate, so here is a
snippet from Jaron Lanier
Q: What's wrong with the way we create software today?
A: I think the whole way we write and think about software is wrong.
If you look at how things work right now, it's strange -- nobody --
design flaws. So we have only removed 50% of the problem.
for my part there have been many, many days when I would settle for
solving 50% of a problem
-gunnar
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information,
I think we need to start indoctrinating kids in the womb. Start
selling Baby Schneier CDs alongside Baby Mozart. :)
I can recommend this book, it was given to me by a client.
Enigma: A Magical Mystery
Grade 3–6—Someone has stolen the props belonging to the residents of
a retirement home
+1
great interview
-gunnar
On Jul 17, 2009, at 11:25 AM, Gary McGraw wrote:
hi sc-l,
One of our sc-l listeners (gunnar) suggested Bob Blakley as an
interview target. Bob is a particularly interesting guy because he
both a well-respected scientist very active in the security research
Two areas that don't seem to immediately lend themselves to design/
spec
level solutions are (1) transitive trust and (2) interaction errors
between multiple components that are all working correctly. I'd
love to
hear from people who've had to solve these problems in the real world.
maybe the problem with least privilege is that it requires that
developers:
1. define the entire universe of subjects and objects
2. define all possible access rights
3. define all possible relationships
4. apply all settings
5. figure out how to keep 1-4 in synch all the time
do all of this
software
security on the wrong people.
Cheers,
Stephen
On Tue, Nov 25, 2008 at 10:18 PM, Gunnar Peterson
[EMAIL PROTECTED] wrote:
maybe the problem with least privilege is that it requires that
developers:
1. define the entire universe of subjects and objects
2. define all possible access
http://validator.w3.org shows that page has 25 HTML errors.
fwiw, mac.com has 28 errors and 1 warning
-gunnar
p.s. my domain has 42 otoh i wrote the whole design from scratch in vi
I strongly agree with James' ask. It's nice to hear from gurus, but we need to
hear about real world tradeoffs too. Sausage making ain't pretty (ask Hank and
Ben), but it's the real world and I for one am always fascinated with what
choices organizations make and why.
I am also very excited to
Ken van Wyk and I are teaching Building Secure Web Applications in Java/J2EE in
Minneapolis, September 30 - October 2. The summary is below, if you would like
more info please let me know. More details to follow.
Building Secure Web Applications in Java/J2EE
Course Description
This course
But the difference is who is in final control. In the end, the users of
computers should be in final control, not their makers, or we have given
up essential liberty. We can develop systems which provide suites of
more specialized privileges to particular functions, without giving up
Hi Andy,
Great post. I especially like the part about making choices. Having
users type passwords into websites that protect all their assets
pretty clearly isn't working. Cardspace is pretty clearly a massive
improvement. That said, I don't think the choice is between perfect
liberty and
Hi Gary,
I think they are doing it, Cardspace is the key enabling technology to
making it happen. Given how many enterprises are federation-enabled (and
how simply the rest can be), the biggest missing piece right now is that
we need an Identity Provider for the Internets.
Of course this only
I agree this is a big issue, there is no cotton picking way that the
security people are solving these problems, it has to come from the
developers. I put together a track for QCon which included Brian Chess
on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on
ESAPI and Web
Another approach is decentralized specialized teams, centers of excellence
in current managementspeak, with a specific agenda and expertise on an area
deemed strategic. This approach is probably best paired with 2,3, or 4 from
your list. For example, a roving specialized threat modeling team that
Local boy makes good
http://online.wsj.com/article/0,,SB112128453130584810,00-search.html
-gp
On 11/15/07 10:25 AM, McGovern, James F (HTSC, IT)
[EMAIL PROTECTED] wrote:
I have observed an interesting behavior in that the vast majority of IT
executives still haven't heard about the
, non-commercial service to the software security community.
--
Gunnar Peterson, Managing Principal, Arctec Group
http://www.arctecgroup.net
Blog: http://1raindrop.typepad.com
That said, we should keep trying! I believe one answer is to take advantage
of relative metrics over time.
I agree that this can be a practical starting point for organizations. I had
a client starting down the path with static analysis, they have thousands of
developers and many
decisions.
If you know others that would be interested this collaborative workshop,
please forward them this email and let them know about this opportunity.
Please contact us with any questions.
Thanks,
Betsy Nichols and Gunnar Peterson
Metricon 2.0 Co-Chairs
Dan Geer, Geer Risk Services
Andrew Jaquith, Yankee Group
Elizabeth Nichols, ClearPoint Metrics, Co-Chair
Gunnar Peterson, Arctec Group, Co-Chair
Russell Cameron Thomas, Meritology
Just because people can look at a project in detail, doesn't mean they
will. More to the point, just because people can, doesn't mean code
auditing gurus will look at it.
And sometimes, when they do look they get booted out of the project
http://www.heise-security.co.uk/news/82500
-gp
JD Meier had a good post recently on influencing without authority, which is the
position security finds itself in:
1. assume all potential allies
2. clarify goals and priorities
3. diagnose the allies world
4. identify relevant currencies
5. deal with relationships
6. influence through give and
actually just the former. Robert Garigue characterized firewalls, nids, et al
as good network hygiene. The equivalent of a dentist telling you to brush your
teeth. An infosec pro needs much more depth than that. The model is charlemagne
as professionals.
Professionals in this definition being people who are certified and
expected to operate within specified standards of quality and behavior
much like CISSP, CPA, MD, etc.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
Sent
Along these same lines, I submit "the Four Coders of the Apocalypse" by Dave
Thomas and Andy Hunt. One of the major areas we need to work is adoption.
Programmers are not all created equal, this presentation shows four types of
programmers, and describes what drives them and ideas on dealing with
Sure it should be built into the language, and I assume it will be
eventually. Heck it only took 30 or 40 years for people to force developers
to use Try...Catch blocks.
-gp
On 12/21/06 9:30 AM, McGovern, James F (HTSC, IT)
[EMAIL PROTECTED] wrote:
I have been noodling the problem space of
Seeking perfect correctness as an approach to security is a fool's
errand. Security is designing systems that can tolerate imperfect software.
Exactly. On Curb Your Enthusiasm this happened recently. Larry David was
frantically looking for a DVD case, but could not find it.
LD: I don't know
DTDs
http://www.google.com/codesearch?hl=enlr=q=file%3AdtdbtnG=Search
-gp
On 10/6/06 2:14 AM, Robert C. Seacord [EMAIL PROTECTED] wrote:
Gadi,
Here are some searches from Derek Jones:
The new Google source code search page has opened up
some interesting research possibilities.
How
I can't say enough good things about this interview:
Conversation with Bruce Lindsay
Design For Failure
http://www.acmqueue.org/modules.php?name=Contentpa=showpagepid=233
snip
BL: There are two classes of detection. One is that I looked at my own guts and
they didn't look right, and so I say
Secure software you're (not) soaking in it.
On 7/16/06 8:32 AM, mikeiscool [EMAIL PROTECTED] wrote:
On 7/16/06, ljknews [EMAIL PROTECTED] wrote:
At 3:27 PM -0400 7/15/06, Goertzel Karen wrote:
Hi James,
I think you are right to look at it as economic issue, but the other factor
to add into your model is not just the short term impact to developer
productivity (which is non-trivial), but also the long term effects of
making decisions *not* to deal with finding bugs.
Cleaning up data
in the lifecycle
rather than later in which X could be pretty much any system quality.
-Original Message-
From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 08, 2006 9:28 AM
To: McGovern, James F (HTSC, IT)
Cc: Secure Mailing List
Subject: Re: [SC-L] Comparing
This comes back to that great concept called 'Faith-based' Security (see Gunnar Peterson's post http://1raindrop.typepad.com/1_raindrop/2005/11/net_and_java_fa.html ), which is when people are told so many times that something is secure that they believe that it MUST be secure. Some
a lot of this gets back to a framework versus roll your own debate
http://1raindrop.typepad.com/1_raindrop/2005/05/wsmex_v_httpget.html
http://www.identityblog.com/2005/04/30.html#a210
also, for some good context security in ajax, rest, et. al. as well
as examples of how amazon and google
Good stuff, you (and your co-authors) are right: SOA and Web Services are
properly viewed as opportunities for security improvements, not security
nightmares.
Also, I have a paper here (http://www.arctecgroup.net/ISB1009GP.pdf) on Service
Oriented Security (SOS) Architecture
-gp
Quoting Gary
Hi John,
Which of the following more aptly characterizes the problem?:
IMPL. BUG: Insufficient security-constraint existed on the admin
Servlet in
the app's deployment descriptor.
ARCH. FLAW: No façade component gated privileged functionality
-alternatively-
ARCH. FLAW: Privileged
That page is a link to the doc types
html:
http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.html
txt
http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.txt
pdf
http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.pdf
-gp
CIO Asia has a column on A Few Good Metrics
http://cio-asia.com/ShowPage.aspx?pagetype=2articleid=2560pubid=5issueid=63
The article talks about using metrics to quantify risks and control
effectiveness.
There's no denying that proven economic principles can—and should—be
applied to
to also extend user stories to abuser stories (http://www.johanpeeters.com/papers/abuser stories.pdf).
kr,
Yo
Gunnar Peterson wrote:
I have published a new paper on integrating security into Use
Case Modeling:
http://www.arctecgroup.net/secusecase.htm
-gp
--
Johan Peeters
http
Keith Brown has a good discussion of at least one of the design choices, namely
delegation vs. impersonation:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsDelegation.html
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsImpersonation.html
-gp
Quoting Gizmo
It appears that the user-obvious malware would need to reach the anterior
insula to make a difference in computer security.
From Business Week -- Why does logic often take a backseat in making
decisions?:
The National Hockey League and its players wrangle over a salary cap. The
impasse causes
I was thinking about something that Dave Winer said on the Gillmor Gang
about how the software industry moves forward when small groups (like 1
or 2) of developers get motivated to solve a problem. I was wondering
how this applies to software security, since it seems like a perfect
description for
Quoting [EMAIL PROTECTED] [EMAIL PROTECTED]:
You seem to be leaving out one of the largest open efforts at security.
ISECOM at http://www.isecom.org covers security testing, secure coding,
incident response and other security related topics.
-Original Message-
From: Gunnar Peterson
Date
I have blogged at a high level about some work I am doing on security aspects in
SOA and Web Services. Service Oriented Security (SOS) architecture defines a set
of architectural views, their key constituents, constraints, and relationships.
As the SOA space continues to evolve our software
Gee, no my OS is better than yours? What are mailing lists for then?
[Ed. Nope, sorry. While our volume is low, I like to think that our
signal:noise
ratio is high. Let's keep it that way. Besides, Debian rocks! :-) KRvW]
If people on this list have not read it yet, the conversation with
so the question then is how do we security professionals catch up to where the
anasazis were 700 hundred years ago:
http://riskman.typepad.com/perilocity/2004/08/cliff_forts_vs_.html
-gp
Quoting Greenarrow 1 [EMAIL PROTECTED]:
As quoted in a recent email from the article, A Patch is a Patch,
. Information like how many lines
of code, what languages, what libraries, process used, security testing
done, mechanisms included, and other information can and should be
disclosed.
--Jeff
- Original Message -
From: Gunnar Peterson [EMAIL PROTECTED]
To: Yousef Syed [EMAIL PROTECTED]
Cc