Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

approach on this issue. We'd want to know a lot more about how the economics work out on a small scale before applying it to all software. -- Andy Steingruebl [EMAIL PROTECTED] ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

On Nov 29, 2007 6:07 PM, Blue Boar [EMAIL PROTECTED] wrote: Andy Steingruebl wrote: I like contractual approaches to this problem myself. People buying large quantities of software (large enterprises, governments) should get contracts with vendors that specify money-back for each patch

Re: [SC-L] quick question - SXSW

to the development conference organizer? -- Andy Steingruebl [EMAIL PROTECTED] ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http

Re: [SC-L] quick question - SXSW

for our evangelizing... Thoughts? -- Andy Steingruebl [EMAIL PROTECTED] ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http

Re: [SC-L] Microsoft's message at RSA

with developers, its whether its going to fly with the public at large. Are people (and their proxies - Governments) going to finally demand a change in the the rules/game? -- Andy Steingruebl [EMAIL PROTECTED] ___ Secure Coding mailing list (SC-L) SC-L

Re: [SC-L] No general-purpose computer, or everything under surveillance?

controls. These pollution controls often inhibit your max speed, acceleration, etc. They are really hard to, or impossible to disable. They also make our environment cleaner. Which is the right analogy for the personal computer? -- Andy Steingruebl [EMAIL PROTECTED

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson [EMAIL PROTECTED]wrote: but actually the main point of my post and the one i would like to hear people's thoughts on - is to say that attempting to apply principle of least privilege in the real world often leads to drilling dry wells. i am

Re: [SC-L] Security in QA is more than exploits

in the same way that if you have mostly junior programmers who are lucky to get their code to compile you're probably not going to have a lot of luck training them on formal proofs, rigorous design, etc. -- Andy Steingruebl stein...@gmail.com ___ Secure

Re: [SC-L] Security in QA is more than exploits

QA cycle. -- Andy Steingruebl stein...@gmail.com ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

problem here isn't just type safety. Just like in the HTML example. The core problem is that the language/format mixes code and data with no way to differentiate between them. Or is my brain working too slowly today? -- Andy Steingruebl stein...@gmail.com

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

class objects and I think you'll see what I mean. http://en.wikipedia.org/wiki/Lambda_calculus gem (supposedly still on vacation, but it is a rainy day) http://www.cigital.com/~gem http://www.cigital.com/%7Egem On 3/24/09 2:50 PM, Andy Steingruebl stein...@gmail.com wrote: On Mon, Mar 23

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

On Wed, Mar 25, 2009 at 10:18 AM, ljknews ljkn...@mac.com wrote: Worry about enforcement by the hardware architecture after you have squeezed out all errors that can be addressed by software techniques.\ Larry, Given the focus we've seen fro Microsoft and protecting developers from

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatallnmata...@uci.edu wrote: Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html and the OWASP podcast

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

. And, even learning the basics of what an algorithm are is tricky, much less learning defensive programming, etc. So, yes, it is an advanced concept for the majority of beginning programmers. -- Andy Steingruebl stein...@gmail.com ___ Secure Coding

Re: [SC-L] Genotypes and Phenotypes

. Is the complexity and expression of it really the key piece here? Or is it general resilience against failure, complexity spread out so that the common enemies (transcription errors in one place) aren't fatal. The system is designed against different threat models. -- Andy Steingruebl stein

Re: [SC-L] Checklist Manifesto applicability to software security

a checklist to examine their code, and others not. Might be interesting to see exactly what types of checklist items really result in a reduction in bugs... -- Andy Steingruebl stein...@gmail.com ___ Secure Coding mailing list (SC-L) SC-L

Re: [SC-L] informIT: Modern Malware

On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw g...@cigital.com wrote: hi sc-l, The tie between malware (think zeus and stuxnet) and broken software of the sort we work hard on fixing is difficult for some parts of the market to fathom.  I think it's simple: software riddled with bugs and

Re: [SC-L] informIT: Modern Malware

On Wed, Mar 23, 2011 at 8:14 AM, Gary McGraw g...@cigital.com wrote: I agree that clueless users who click on whatever pops up lead to many infections even when software is is reasonable shape, but I don't see that as a reason not to build better software.  Presumably, you guys at paypal