Crispin said:
But taking the remark seriously, it says that you must not trust
anything that you don't have source code for. The point of
Thompson's
paper is that this includes the compiler; having the source
code for the
applications and the OS is not enough, and even having the
der Mouse is correct. I recall a product from the early 80s called The
Last One. There was an advertisement for the product on Prof Doug Comer's
door when I was a grad student at Purdue... the claim was that this product
made designing applications so simple that you'd never have to program
There's lots of interesting papers; I couldn't begin to select a top 10.
But for an answer to this question from the late 90s, take a look at the UC
Davis collection available at
http://csrc.nist.gov/publications/history/index.html
Also a plug: every year the Annual Computer Security Applications
The Great Australian Ice Creamery might be as effective as CISSP for
software engineers. I was wondering whether it was accidental or
intentional that Ed Rohwer suggested defiantly looking at CISSP.
Defiantly: in a rebellious manner or boldly resisting.
[Ed. Thanks for the laugh, Jeremy! KRvW]
Encryption is one way to secure the *transport* on the network (subject to
various caveats about appropriate use of crypto, trust issues, etc.). I'd
strongly disagree with anyone who says that encryption makes a network
secure - because people interpret that to mean if I encrypt the network, I
Title: Re: [SC-L] RE: Comparing Scanning Tools
At the RSA Conference in February, I went to a reception
hosted by a group called "Secure Software Forum"(not to be confused with
the company Secure Software Inc, which offers a product competitive to
Fortify). They had a panel session where
Gary,
Interesting point. I'm on the Virginia state commission charged with making
recommendations around voting systems, and we watched the Princeton video as
part of our most recent meeting. The reaction from the election officials
was amusing and scary: if this is so real, why don't you hack
Gonzales or anyone else tapping my phone.
--Jeremy
Jeremy Epstein
Senior Director, Product Security Performance
P 703.460.5852 | C 703.989.8907 | F 703.460.2599 | W 202.456.
AIM jeremyepstein | Skype jjepstein
www.webMethods.com
___
Secure Coding
Saw this article:
http://cordis.europa.eu/ictresults/popup.cfm?section=newstpl=articleID=89864AutoPrint=True,
and was wondering if anyone on this list knows anything about the
project
or Dr Bengt Nordström at Chalmers University in Göteborg Sweden. Sounds to
me like they're reinventing all the
Colleagues,
I'm pleased to announce the creation of LAMN, the Legion Against Meaningless
certificatioNs. If you don't have a CISSP, CISM, MCSE, or EIEIO - and
you're proud of it - this group is for you.
You can join LAMN on LinkedIn by searching in the groups area. Unlike so
many other
On Thu, Mar 19, 2009 at 11:14 AM, Benjamin Tomhave
list-s...@secureconsulting.net wrote:
gee whiz, what if you have letters after your name that aren't
meaningless certifications (like MS or PhD)? :)
Paragraph 13.4 subsection (B)(iv) of the LAMN bylaws allows earned degrees,
but only if you
This is kind of a funny discussion, to those of us over a certain
age. When I was a young-un :-), the argument was that you couldn't
write real software in a high level language like C because it was
too inefficient compared to assembly language, and you lost
flexibility since you didn't have
The cat's out of the bag. LAMN is being acquired by ASSCERT we
decided that some certifications *are* valid.
On Wed, Apr 1, 2009 at 11:25 AM, SC-L Reader Dave Aronson
securecoding2d...@davearonson.com wrote:
Y'all-
I think I've finally found the right certification for me! Check out
the
I'm also doing a panel on security in voting systems. Podcast at
https://365.rsaconference.com/blogs/podcast_series_rsa_conference_2009/2009/04/15/jeremy-epstein-rr-107-technology-lessons-learned-from-election-2008
Hope to see many of you at the panel - Tue @ 410pm.
--Jeremy
On Wed, Apr 15
RSA records all the sessions and makes the recordings available for
purchase at some exorbitant fee.
On 4/15/09, Brad Andrews andr...@rbacomm.com wrote:
Are any of these going to be recorded? That would help those of us
with no travel budget or time. :)
Brad
Quoting Gary McGraw
Greetings,
I'm experimenting (on paper initially) with a technique for improving
resiliency of web applications, and to do so am looking for examples
of server side scripts (PHP, Perl, whatever) that have security
vulnerabilities, to see if the technique would work. If you have
scripts you'd be
I spent a fair bit of time doing stuff relating to voting systems,
which all have embedded systems. (I am not one of the experts who
pulls them apart, lest anyone think I'm claiming credit for them.)
They are supposedly closed systems, but every time someone competent
has tried to attack them,
(Apologies if I already sent this to the group; I don't think I did.)
There's an interesting presentation at
http://www.iarpa.gov/stonesoup_Merced_DHSAWGbrief.pdf about a study
done by the US NSA (National Security Agency) of C and Java source
code analysis tools. They developed a synthetic test
...@securecoding.org] On
Behalf Of Jeremy Epstein
Sent: Friday, October 02, 2009 6:38 AM
To: Wall, Kevin
Cc: Secure Code Mailing List
Subject: Re: [SC-L] Provably correct microkernel (seL4)
This was discussed a few months ago on several other lists I read.
The consensus is that it's interesting
Greetings,
I was listening yesterday to an interview [1] on NPR with Dr. Atul
Gawande, author of Checklist Manifesto [2]. He describes the
problem that medical procedures (e.g., surgery) tend to have lots of
mistakes, mostly caused because of leaving out important steps. He
claims that 2/3 of
OK, many of you don't care about DARPA, but here's something that
happened there you *should* care about. DARPA funds research, and has
historically drawn its program managers from the ranks of academia and
occasionally the military. This is a massive change in outlook
All,
I'm looking for a one day software security awareness training class for a
client. Yes, I know one day isn't enough to teach what people need to know,
but I'll be lucky if I can get them to spend that long. (The initial
reaction to my recommendation was no way.)
My goal is for them to
All,
For a VERY short window (Sep 24-30), the DC Board of Elections and
Ethics is opening up their system for review - documents, source code,
and a live system to hack. I think it's probably a well-designed
system (the folks doing it are knowledgeable), but it's of course
completely vulnerable
As many of you know, DC is doing an Internet voting pilot - original
plan was to allow voters to download blank ballots as PDF, mark them,
and submit them (*). They set up a test server and encouraged anyone
interested to take a whack - which promptly happened. A team from
Univ of Michigan led
The ITS4 article can be found at
http://www.acsac.org/2000/abstracts/78.html - it won the best paper
award when it was presented in 2000. (I don't think SLINT was every
presented at a professional conference.)
And since I'm mentioning ACSAC, the deadline for early registration is
coming up on
All,
This may be of interest - an RFI is a way to both provide information and
influence future procurements by pointing out areas that need to be
emphasized.
https://www.fbo.gov/index?s=opportunitymode=formid=3c867a45671f0cde56fca2bf81bdaf44tab=documentstabmode=list
--Jeremy
Agree with you - there's nothing new in the article. I gave a talk a
couple years ago at a conference on biomedical engineering, and there was
one person in the room (out of a few hundred) who had heard of Therac-25.
(Which I assume is what you were referring to with 1985.)
If the article were
27 matches
Mail list logo
