can be found at http://www.webappsec.org/articles/ .
Regards,
- Robert Auger
articles_at_webappsec.org
http://www.webappsec.org
Are you interested in writing a 'Guest Article' for the WASC? Additional
this would force companies to develop these sorts of programs since it will
most likely be less expensive than paying the fine.
My $1.50
Regards,
- Robert Auger
http://www.webappsec.org/
http://www.cgisecurity.com/
I've posted the following entry and I'm wondering what experiences people on
this list have had.
Security metrics on flaws detected during architectural review?
http://www.cgisecurity.com/2009/01/security-metrics-on-flaws-detected-during-architectural-review.html
Regards,
- Robert Auger
http
I've posted a rant on training security to QA people.
The security industry needs to re-align its training expectations for QA
http://www.cgisecurity.com/2009/02/the-security-industry-needs-to-realign-its-training-expectations-for-qa.html
Regards,
- Robert
http://www.cgisecurity.com/
http
Application Security Vendors Need Help With Reporting
http://www.cgisecurity.com/2009/02/application-security-vendors-need-help-with-reporting.html
Regards,
- Robert
http://www.cgisecurity.com/
http://www.webappsec.org/
___
Secure Coding mailing list
:
http://www.qasec.com/2011/01/tips-for-tracking-security-related-defects-in-your-bugtracker.html
Regards,
- Robert Auger
http://www.webappsec.org/
http://www.qasec.com/
http://www.cgisecurity.com/
Yes it is cancelled.
At 1:13 AM -0500 3/14/08, Gadi Evron wrote:
I am trying to understand if this conference is cancelled or not?
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc -
++
as well as guidelines for using features like encryption, authentication,
SSO, SSL, etc. I am open to both publicly available standards as well as
commercially available standards. So far, I found
1. www.securecoding.cert.org - thanks to Robert C. Seacord,
http://krvw.com/pipermail/sc-l/2008
The CERT C Secure Coding Standard has been published by Addison-Wesley. More
information is available at:
http://www.informit.com/store/product.aspx?isbn=0321563212
Thanks to all the lurkers on SC-L who helped us develop and review the
content.
Thanks,
rCs
Pete,
I think your best bet is the work being done by ISO/IEC JTC 1/SC 22/ WG 23
Programming Language Vulnerabilities. The website for this work is
http://www.aitcnet.org/isai/.
The latest Editor's draft of PDTR 24772, prepared by John Benito, is N0138
which can be found here:
Sean,
I think you would want to provide this guarantee through some sort of static
assertion. For example, if you want to ensure that text controlled by FRED is
not included in a release build, you could include an #error preprocessor
directive as part of the controlled text that will
Brad,
You can also look at The CERT Sun Microsystems Secure Coding Standard for Java
at:
https://www.securecoding.cert.org/confluence/display/java/The+CERT+Sun+Microsystems+Secure+Coding+Standard+for+Java
Which has many examples of secure/insecure Java source code.
rCs
The Common Weakness Enumeration (CWE) has a view of issues that can
occur in Java applications.
See: http://cwe.mitre.org/data/slices/660.html for a listing of all the
details or: http://cwe.mitre.org/data/lists/660.html for a list of the
items where the names are hyper-links to the content
Java Concurrency Guidelines
Fred Long, Dhruv Mohindra, Robert Seacord, David Svoboda
CMU/SEI-2010-TR-015
An essential element of secure coding in the Java programming language is
well-documented and enforceable coding standards. Coding standards encourage
CERT has completed the development of an integer module for our Secure Coding
in C course. A demo course set up at http://oli.web.cmu.edu Enter the course
key: seccode
The course is open and free. If you want to use the course at your University,
College, Corporation, or other organization you
On 6/30/05, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Your final statement still focuses only on technology, i.e. educate
programmers.
Yes I agree they can play a significant part in security applications
but in my experience the common theme of making everything transparent
for the users is
and maintenance
CO-CHAIRS
Sven Dietrich CERT[EMAIL PROTECTED]
Daniel Plakosh CERT/CC [EMAIL PROTECTED]
Robert C. Seacord CERT/CC [EMAIL PROTECTED]
PROGRAM COMMITTEE
Julia Allen SEI/CMU
Hal Burch CERT/CC
Brian Chess
--
Robert C. Seacord
Senior Vulnerability Analyst
CERT/CC
Work: 412-268-7608
FAX: 412-268-6989
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available
Does anyone have any experience of specific examples of vulnerabilities
resulting from the use of uninitialized or invalidated STL iterators or
other STL related vulnerabilities? I'm doing some research for a new
project (which I hope to announce here shortly).
Thanks,
rCs
success or failure. The managed string library also protects against
improper data sanitization by (optionally) ensuring that all characters
in a string belong to a predefined set of safe characters.
rCs
. 8^)
rCs
vulnerability analyst Robert Seacord is leading the secure coding
initiative. Seacord is a leading authority on secure coding, author of
the book Secure Coding in C and C++ [Seacord 05], and technical expert
for the ISO/IEC JTC1/SC22/WG14 international standardization working
group
Gadi,
Here are some searches from Derek Jones:
The new Google source code search page has opened up
some interesting research possibilities.
How many instances of:
if (...) ;
are there out there (skip the first half dozen unusual macro uses)?
Coding in C
and C++. I'm hoping to take this material and incorporate it into the
course. Once I get some experience teaching the material, I could help
turn it into a college text. (I've written three books already, so I'm
a proven threat. 8^)
Thanks,
rCs
Crispin,
I think you may have over spoken below:
Seeking perfect correctness as an approach to security is a fool's
errand. Security is designing systems that can tolerate imperfect software.
I could go along with achieving perfect correctness as an approach to
security is a fool's belief but
I've seen advice here and there to use the mkdtemp() function to create
temporary directories, for example:
- Kris Kennaway email at http://lwn.net/2000/1221/a/sec-tmp.php3
recommends them
- David Wheeler's Secure Programming for Linux and Unix HOWTO at
David,
Thanks for the explanation of mkdtemp(). I got confused reading the man
page because I wasn't expecting the function to return char *, but I
guess that makes sense.
I wish that the C standard body would update the C library and add
an exclusive create capability for fopen(), so that
of registration after this
date.
CO-CHAIRS OF THE CSSIS CLUSTER
Guido Schryen (RWTH Aachen University)
Jason A. Rafail(CERT/CC)
Address email to the Cluster Chairs to [EMAIL PROTECTED]
CO-CHAIRS OF THE CSAS MINITRACK
Jason A. Rafail (CERT/CC)
Robert C. Seacord (CERT/CC)
Dan Plakosh (CERT/CC)
ljknews,
Yes, it is virtually impossible to get a serious runtime error in an Ada
program. For example:
http://www.youtube.com/watch?v=kYUrqdUyEpI
rCs
At 9:51 PM +0100 6/9/07, David Crocker wrote:
If instead we pay people to perform the more skilled tasks of establishing
requirements
Meunier at Purdue and by Dieter Gollmann
at Hamburg-Harburg; if you know of any others, I'd be glad to hear
about
those, too.
Kind regards from Germany,
Holger Peine
available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
We would like to invite the community to review and comment on the
current version of the CERT C Secure Coding Standard available online at
www.securecoding.cert.org http://www.securecoding.cert.org before
Version 1.0 is published. To comment, you can create an account on the
Secure Coding wiki
Ken,
Comment below.
FYI, here's an interesting article (and follow-on discussions) about a
recent bug in the GCC compiler collection.
http://lwn.net/Articles/278137/
The bug, which has been documented in a CERT advisory, affects C code
in which, under some circumstances, buffer bounds
, etc. I am open to both publicly
available standards as well as commercially available standards. So
far, I found
1. www.securecoding.cert.org http://www.securecoding.cert.org/ -
thanks to Robert C. Seacord,
http://krvw.com/pipermail/sc-l/2008/001401.html
2. http