[SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006

2006-07-07 Thread Kenneth Van Wyk
Greetings SC-L, I saw an article on Dr. Dobb's (via Slashdot) this morning that made me pause a bit.  The article is on "Quick-Kill Project Management" -- full link is here: http://www.ddj.com/dept/architect/189401902 The article describes a small project team (say 5 developers) who have suddenly had

[SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006

2006-07-07 Thread Kenneth Van Wyk
practices (not just security reviews) when they're in crisis mode? I'm sure that the answer varies a lot by team, priorities, etc., but I'd welcome any comments, opinions, etc. from any of you who have been in similar situations. Cheers, Ken Kenneth Van Wyk KRvW Associates, LLC http

[SC-L] Administrivia: Bumper Stickers

2006-07-21 Thread Kenneth Van Wyk
to continue the thread, be prepared to prove to me with each message that your message(s) deserves to be approved for distribution to the list, please. Cheers, Ken Kenneth Van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com ___ Secure

[SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis

2006-07-25 Thread Kenneth Van Wyk
Here's an interesting article from Dark Reading regarding a software attack on the existing Vista beta: http://www.darkreading.com/document.asp?doc_id=99780&f_src=darkreading_section_296 I noticed, in particular, that the attack is against a design weakness of Vista -- "The attack doesn't use your

[SC-L] A New Open Source Approach to Weakness

2006-08-09 Thread Kenneth Van Wyk
FYI, here's an article about Fortify's pernicious kingdom taxonomy of common coding defects that I thought would be of interest here: http://www.internetnews.com/dev-news/article.php/3623751 Cheers, Ken - Kenneth R. Van Wyk KRvW Associates, LLC http://www.KRvW.com

[SC-L] Fwd: There's More than One Monoculture

2006-09-10 Thread Kenneth Van Wyk
Greetings SC-L, Check out Peter Coffee's latest column at: http://www.eweek.com/article2/0,1895,2014207,00.asp It's a follow-up to Dan Geer's (et al's) now famous monoculture paper, three years after the paper was published.  Among other things, Coffee makes some interesting comparisons to the

[SC-L] IEEE Security and Privacy article on software security training

2006-09-27 Thread Kenneth Van Wyk
Wow, it's sure been a quiet few days out here on SC-L. Summer vacations are over, I suppose... In any case, I thought that I'd post a link to a new IEEE Security & Privacy article on training for software security engineers. It was written by Cigital's John Steven and yours truly, and can

[SC-L] Insecurity in Open Source

2006-10-10 Thread Kenneth Van Wyk
FYI, there's an interesting opinion article in Business Week by Coverity's CTO, Ben Chelf (see link below).  In it, he discusses the results of their scanning of a significant sampling of both open- and closed-source projects.Chelf compares some special purpose proprietary software

[SC-L] A banner year for software bugs | Tech News on ZDNet

2006-10-11 Thread Kenneth Van Wyk
So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed

Re: [SC-L] Secure programming is NOT just good programming

2006-10-12 Thread Kenneth Van Wyk
On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote: I suppose now is as good a time as any to say that everything david is talking about here is described in great detail in the HOW TO book that I released last february. If you're reading this list, you really should read that book. It's

[SC-L] Apple Places Encrypted Binaries in Mac OS X

2006-11-03 Thread Kenneth Van Wyk
Here's a somewhat interesting link to an eweek article that discusses Apple's use of encryption to protect some of its OS X binaries: http://www.eweek.com/article2/0,1895,2050875,00.asp Of course, encrypting binaries isn't anything new, but it's interesting (IMHO) to see how it's being used

[SC-L] Top 10 Ajax Security Holes and Driving Factors

2006-11-10 Thread Kenneth Van Wyk
FYI, a friend forwarded me a link to this interesting article by Shreeraj Shah on Ajax holes, http://www.net-security.org/article.php?id=956 Since much has been written here on SC-L about relatively safe programming languages recently, I thought it might be interesting to look at the

[SC-L] heise Security - News - Security specialist leaves PHP security team

2006-12-14 Thread Kenneth Van Wyk
I guess this falls in to the you can lead a horse to water, but you can't make him drink category: http://www.heise-security.co.uk/news/82500 A member of the PHP security team has left in apparent disgust over the team's security practices. I doubt that anyone here on SC-L is surprised by

[SC-L] Vulnerability tallies surged in 2006 | The Register

2007-01-22 Thread Kenneth Van Wyk
FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% increase over 2005. See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/ The article further states, The greatest factor in the skyrocketing number of vulnerabilities is that certain types of flaws in community

[SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis

2007-01-22 Thread Kenneth Van Wyk
Ok, last software security news item for today, I promise. :-) This article (see http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1) is about a couple of new startup companies. One of them in particular, Veracode, may be of some interest here. The article says,

[SC-L] The seven sins of programmers | Free Software Magazine

2007-02-23 Thread Kenneth Van Wyk
SC-L, So my trusty rss aggregator (NewsFire) found an interesting blog for me this morning, and I thought I'd share it here. The blog is from Free Software Magazine and it's titled, The seven sins of programmers. On the surface, it has nothing whatsoever to do with software security --

[SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk
Here's an interesting article from Dark Reading about web fuzzers. Web fuzzing seems to be gaining some traction these days as a popular means of testing web apps and web services. http://www.darkreading.com/document.asp?doc_id=118162&f_src=darkreading_section_296 Any good/bad

Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk
On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote: Given the complex manipulations that can work in XSS attacks (see RSnake's cheat sheet) as well as directory traversal, combined with the sheer number of potential inputs in web applications, multiplied by all the variations in encodings, I

Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk
On Feb 27, 2007, at 4:54 AM, Michael Silk wrote: unconvinced of what? what fuzzing is useful? or that it's the best security testing method ever? or you remain unconvinced that fuzzing in web apps is fuzzing in os apps? fuzzing has obvious advantages. that's all anyone should care about. No,

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Kenneth Van Wyk
On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote: I think some vendors have come around to the economics argument. In every case, those vendors with extreme reputation exposure have attempted to move past penetrate and patch. Microsoft, for one, is trying hard, but (to use my broken leg

Re: [SC-L] Information Protection Policies

2007-03-13 Thread Kenneth Van Wyk
On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote: Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into

[SC-L] SANS Software Security Institute announced

2007-03-30 Thread Kenneth Van Wyk
FYI, the folks at SANS have announced the launch of their Software Security Institute (see http://www.sans-ssi.org/ for details). Their web site cites the following 6 goals: * Allow employers to rate their programmers on security skills so they can be confident that every project has at

[SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk
shameless-self-plug I hope that some of you will find my April column over on eSecurityPlanet interesting. It can be found (for free) at the link below. If not, just press the old delete key. http://www.esecurityplanet.com/article.php/11162_3670486_2 /shameless-self-plug Cheers, Ken

Re: [SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk
On Apr 9, 2007, at 11:12 AM, Kenneth Van Wyk wrote: http://www.esecurityplanet.com/article.php/11162_3670486_2 Sorry folks -- I inadvertently posted the URL to page 2 of the column. Page 1 is at http://www.esecurityplanet.com/article.php/3670486 Sorry for the inconvenience (and the list

[SC-L] 1 Raindrop: Common Attack Pattern Enumeration and Classification (CAPEC)

2007-05-23 Thread Kenneth Van Wyk
SC-L, Saw this via Gunnar Peterson's blog (http://1raindrop.typepad.com/1_raindrop/2007/05/common_attack_p.html)... Check out Mitre's first draft of CAPEC, the Common Attack Pattern Enumeration and Classification database (http://capec.mitre.org). It complements the existing CVE

[SC-L] Administrivia: Moderator on hiatus

2007-05-25 Thread Kenneth Van Wyk
SC-L, After an insane travel schedule over the last several months, the moderator is taking some much-needed time to relax on the beach while sipping boat drinks. I'll be checking the SC-L queue over the next week at least once daily, but if you submit something, please be a bit

[SC-L] Administrivia: Moderator is in, and SC-L BoF in Spain?

2007-06-04 Thread Kenneth Van Wyk
SC-Lers, FYI, back from a few days in the sun. It was a quiet week in any case here on SC-L, but I am indeed back at the moderator's (virtual) desk now. Anyone here attending the FIRST conference in Sevilla, Spain later this month? Any interest in an SC-L BoF session? I'll be there

[SC-L] Who's To Blame For Insecure Software? Maybe You

2007-06-05 Thread Kenneth Van Wyk
Some interesting (IMHO) stats coming out of Gartner security summit. One that jumped off the page at me was that 57% of the attendees believe that independent security research labs are providing a useful and valuable service. Whether you agree or not, the article below is an interesting

[SC-L] What's the next tech problem to be solved in software security?

2007-06-06 Thread Kenneth Van Wyk
Hi SC-L, [Hmmm, this didn't make it out to the list as I'd expected, so here's a 2nd try. Apologies for any duplicates. KRvW] At the SC-L BoF sessions held to date (which admittedly is not exactly a huge number, but I'm doing my best to see them continue), I like to ask those that attend

[SC-L] IBM to catch Watchfire security technology | Tech News on ZDNet

2007-06-06 Thread Kenneth Van Wyk
FYI, yet another acquisition in the security world... This time it's IBM buying up Watchfire (makers of AppScan). http://news.zdnet.com/2100-1009_22-6188999.html?part=rss&tag=feed&subj=zdnet Kind of reminds me of something Chef Jacques Pepin said in an interview with Terry Gross on NPR's

Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-10 Thread Kenneth Van Wyk
First off, many thanks to all who've contributed to this thread. The responses and range of opinions I find fascinating, and I hope that others have found value in it as well. Great stuff, keep it coming. That said, I see us going towards that favorite of rat-holes here, namely the my

Re: [SC-L] Harvard vs. von Neumann

2007-06-15 Thread Kenneth Van Wyk
On Jun 14, 2007, at 3:51 PM, Gary McGraw wrote: I am in complete agreement with your thinking, which is why one of the touchpoints (and chapter 9 of Software Security) is about operations. Ken knows more about this than any of us, but he's on a plane now...right Ken? Wow, I'd stop far

[SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-26 Thread Kenneth Van Wyk
SC-L I'm not quite so sure why this one (below) caught my eye -- we _all_ get tons of product advisories -- but it did. In particular, two things jump out at me: 1) the original author of the defect thought that s/he was doing things correctly in using strncpy (vs. strcpy). 2) the
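An added illustration of the strncpy() point above (editor's example, not code from the iDefense advisory; the snippet does not show the advisory's actual defect, so the buffer size and the inputs used here are constructed). It shows the two ways strncpy() gets used as a "safe strcpy()" and why neither is: bounded by the destination size it stops NUL-terminating as soon as the source is at least that long, and bounded by the source length it is strcpy() under another name. The last function is a bounded copy that always terminates and tells the caller when it truncated.

```c
#include <stddef.h>
#include <string.h>

/* Editor's example, not code from the advisory. DST_SZ and the inputs used in
 * the tests are constructed values. */
#define DST_SZ 8

/* Misuse 1: strncpy() bounded by the destination size. Once strlen(src) >=
 * DST_SZ the whole buffer is filled and no NUL is written, so the next
 * strlen()/printf() on dst runs off the end. Returns 1 if dst came out
 * NUL-terminated, 0 otherwise. */
int strncpy_dst_sized_terminated(const char *src) {
    char dst[DST_SZ];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Misuse 2: strncpy() bounded by the SOURCE length, which is strcpy() with
 * extra steps: the bound says nothing about the destination. The logical
 * destination is the first DST_SZ bytes of a larger region filled with a
 * canary byte, so the overrun stays inside one object and can be observed.
 * Returns 1 if bytes beyond the logical destination were overwritten,
 * 0 if not, -1 if the input would not fit the demo region at all. */
int strncpy_src_sized_overflows(const char *src) {
    char region[DST_SZ + 16];
    memset(region, 'C', sizeof region);
    if (strlen(src) + 1 > sizeof region) return -1;
    strncpy(region, src, strlen(src) + 1);   /* equivalent to strcpy(region, src) */
    for (size_t i = DST_SZ; i < sizeof region; i++)
        if (region[i] != 'C') return 1;      /* "adjacent memory" was clobbered */
    return 0;
}

/* Bounded copy that does what the strncpy() caller wanted: never writes past
 * dst_sz, always NUL-terminates, and reports truncation rather than hiding
 * it. Returns 0 on success, -1 if src was truncated or dst_sz is 0. */
int bounded_copy(char *dst, size_t dst_sz, const char *src) {
    if (dst_sz == 0) return -1;
    size_t n = strlen(src);
    if (n >= dst_sz) {
        memcpy(dst, src, dst_sz - 1);
        dst[dst_sz - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Helpers exercising bounded_copy() on a DST_SZ buffer. */
int bounded_copy_truncated(const char *src) {
    char dst[DST_SZ];
    return bounded_copy(dst, sizeof dst, src) == -1;
}

size_t bounded_copy_len(const char *src) {
    char dst[DST_SZ];
    bounded_copy(dst, sizeof dst, src);
    return strlen(dst);                      /* safe: dst is always terminated */
}
```

The check a reviewer wants on any strncpy() call is therefore two-fold: is the bound the destination size, and is a terminator written (or the truncated case handled) afterwards? If either answer is no, the call is not the fix its author believed it to be.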

Re: [SC-L] how far we still need to go

2007-07-25 Thread Kenneth Van Wyk
On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote: Well after a few attempts to install it on a Mac OS X system I finally dope out that it only seems to install and run as admin. That is, I not only need to install it as admin (that's OK, ordinary users can't write to the /

Re: [SC-L] Software process improvement produces secure software?

2007-08-08 Thread Kenneth Van Wyk
On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote: During our conversation, I made a question to Mr. Hayes similar to this: Is it possible that only software development process improvements can produce secure software? The scenario was only based on CMMI without security interference. All

[SC-L] Opera Uses Mozilla Fuzzer Tool To Find 'Highly Severe' Bug -- Browser -- InformationWeek

2007-08-16 Thread Kenneth Van Wyk
Greetings SC-Lers, Here's a great success story regarding Mozilla's new open source fuzzer that they just released during the blackhat conference: http://www.informationweek.com/story/showArticle.jhtml?articleID=201800584&cid=RSSfeed_IWK_News Kudos to the Opera team! Cheers, Ken -

[SC-L] Fwd: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.

2007-08-23 Thread Kenneth Van Wyk
FYI, I saw the following tool release announcement over on bugtraq, and thought it might be of interest to some of you here. I know the terms PHP and security in the same sentence often are met with laughter here, but what the heck. If the tool helps a few PHP developers write PHP apps

[SC-L] Fwd: [1st-t] Vancouver 2008 First Conference - Call for Papers

2007-09-21 Thread Kenneth Van Wyk
SC-L, I'm forwarding the following Call for Papers (see below) for next year's FIRST conference here. Now, I recognize that FIRST (the Forum of Incident Response and Security Teams) is NOT a software security conference. But, over the past few years, I've started bringing some software

[SC-L] CERT Advances Secure Coding Standards - Desktop Security News Analysis - Dark Reading

2007-10-02 Thread Kenneth Van Wyk
Here's some good news from CERT and Fortify. Shortly, CERT will be generating Fortify SCA rules to help automate reviewing C/C++ source code against their secure coding standards. http://www.darkreading.com/document.asp?doc_id=135352&WT.svl=news1_2 Cheers, Ken - Kenneth R. van Wyk SC-L

[SC-L] Microsoft Pushes Secure, Quality Code

2007-10-06 Thread Kenneth Van Wyk
SC-Lers, Hey, here's some good news out of Microsoft. According to EWeek, Now for Visual Studio 2008, Microsoft's code analysis team is adding some new features, including Code Metrics, a new tool window that allows you to not only get an overall view of the health [code-wise] of your

[SC-L] IT industry creates secure coding advocacy group

2007-10-23 Thread Kenneth Van Wyk
Saw this story via Gunnar's blog (thanks!): http://www.gcn.com/online/vol1_no1/45286-1.html Any thoughts on new group, which is calling itself SAFEcode? Anyone here involved in its formation and care to share with us what's the driving force behind it? Cheers, Ken - Kenneth R. van

[SC-L] Fwd: People in glass houses shouldn't brick phones

2007-11-08 Thread Kenneth Van Wyk
SC-L, FYI, some of you might find my column this month on eSecurityPlanet to be interesting: http://www.esecurityplanet.com/article.php/3709301 (free, no registration required) In it, I talk about some of the software security lessons to be gleaned from Apple's iPhone bricking

[SC-L] Fwd: SCARE metrics and tool release

2007-11-30 Thread Kenneth Van Wyk
Reposted with permission, FYI... Cheers, Ken SC-L Moderator Begin forwarded message: From: Pete Herzog [EMAIL PROTECTED] Date: November 30, 2007 10:30:18 AM EST To: [EMAIL PROTECTED] Subject: SCARE metrics and tool release Hi, Scare, the Source Code Analysis Risk Evaluation tool for

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Kenneth Van Wyk
On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote: So he's not completely naive, though the history of security metrics and standards - which tend to produce code that satisfies the standards without being any more secure - should certainly give one pause. One could, I suppose, give rebates

[SC-L] Redmond Developer News | Best Defense?

2007-12-03 Thread Kenneth Van Wyk
FYI, interesting article on sandboxing of applications, with quotes from a few SC-L regulars. Enjoy! http://reddevnews.com/features/article.aspx?editorialsid=2386 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com smime.p7s Description: S/MIME

[SC-L] Code Testing Tools Could Be Acquisition Targets in '08

2008-01-03 Thread Kenneth Van Wyk
New Year's greetings, SC-Lers, FYI, here's an interesting article about the application security testing space, from eWeek. http://www.eweek.com/article2/0,1759,2242973,00.asp?kc=EWRSS03119TX1K594 The author sort of compares apples and oranges a bit, IMHO, in comparing recent

[SC-L] Michael Howard's Web Log : Introducing SAFECode

2008-02-15 Thread Kenneth Van Wyk
FYI, from Michael Howard's blog: Today SAFECode, the Software Assurance Forum for Excellence in Code, introduced its first white paper, Software Assurance: An Overview of Current Industry Best Practices. The organization was founded by Microsoft, Symantec, EMC, SAP and Juniper to advance

[SC-L] SC-L Administrivia: How does the readership feel about sponsorships?

2008-02-19 Thread Kenneth Van Wyk
Greetings SC-L, So, I've always done my best to keep SC-L non-commercial since its inception in 2003. I'm curious, though, how you the readers would react to accepting sponsorships in the form of sponsored by: banners at the bottom of each posting. The banner presently points to the

[SC-L] PCI: Boon or bust for software security?

2008-03-03 Thread Kenneth Van Wyk
Greetings SC-L, So here's a question to ponder. Now that PCI DSS 1.1 is out there (save a couple June 2008 deadlines still looming), has it been good or bad for software security as a whole? It does require secure development processes (as prescribed by OWASP). It does require sensitive

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Kenneth Van Wyk
Ben, Your point is a good one -- the software security community needs to be vigilant in reaching out to developers and spreading the word. FWIW, some dev conferences have done this. I spoke at SD West in 2006, and there was a significant security track there. Still, it'd be great to

[SC-L] Lateral SQL injection paper

2008-04-28 Thread Kenneth Van Wyk
Greetings SC-Lers, Things have been pretty quiet here on the SC-L list... I hope everyone saw David Litchfield's recent announcement of a new category of SQL attacks. (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) He refers to this new category as

[SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Kenneth Van Wyk
FYI, here's an interesting article (and follow-on discussions) about a recent bug in the GCC compiler collection. http://lwn.net/Articles/278137/ The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds checking can be
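An added example (editor's code, not from the LWN article or the CERT advisory) of the kind of bounds check that the compiler issue above bears on, contrasted with a check the compiler cannot remove. That the pattern at issue is a wrap-around test of the form `buf + len < buf` is my reading of the article, not something the snippet states. In C, forming a pointer beyond one past the end of its object is undefined behaviour, so an optimizer is entitled to assume `buf + len` never compares below `buf` and delete such a test; whether it does depends on compiler and flags. The length-based check uses only size_t arithmetic, which is fully defined. Buffer sizes and the filler input are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Editor's example, not the code discussed in the article. */

/* Bounds check that relies on pointer wrap-around. `buf + len` is undefined
 * if it leaves the object, so the compiler may fold this to `return 1`.
 * Its result is compiler- and flag-dependent; shown only as the anti-pattern. */
int check_by_pointer_wrap(const char *buf, size_t len) {
    const char *end = buf + len;
    return end >= buf;
}

/* Bounds check on lengths only: no out-of-range pointer is ever formed and
 * the comparison is defined for every input. `avail` is the number of bytes
 * between the current write position and the end of the buffer. */
int check_by_remaining(size_t avail, size_t len) {
    return len <= avail;
}

/* Append `len` bytes of src to dst (capacity cap, `used` bytes occupied),
 * guarded by check_by_remaining(). Returns the new used count, or SIZE_MAX
 * if the data does not fit, in which case nothing is written. */
size_t bounded_append(char *dst, size_t cap, size_t used,
                      const char *src, size_t len) {
    if (used > cap || !check_by_remaining(cap - used, len))
        return SIZE_MAX;
    memcpy(dst + used, src, len);
    return used + len;
}

/* Constructed driver: a 16-byte buffer receiving two appends of `a` and then
 * `b` filler bytes. Returns the final used count, or SIZE_MAX if either append
 * was rejected, so the check can be exercised without pointers in the caller. */
size_t demo_two_appends(size_t a, size_t b) {
    char buf[16];
    char filler[64];
    memset(filler, 'x', sizeof filler);
    if (a > sizeof filler || b > sizeof filler) return SIZE_MAX;
    size_t used = bounded_append(buf, sizeof buf, 0, filler, a);
    if (used == SIZE_MAX) return SIZE_MAX;
    return bounded_append(buf, sizeof buf, used, filler, b);
}
```

The practical rule this illustrates: a compiler upgrade can silently turn an undefined-but-working check into no check at all, so bounds tests should be written on sizes and offsets, never on whether a pointer "wrapped".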

[SC-L] Coverity to Buy Codefast

2008-05-22 Thread Kenneth Van Wyk
FYI, a bit of M&A activity going on in the software security (product) space: http://www.eweek.com/c/a/Application-Development/Coverity-to-Buy-Codefast/ Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com

[SC-L] DistriNet Research Group

2008-06-04 Thread Kenneth Van Wyk
FYI, interesting announcement out of KU Leuven in Belgium and the SANS institute: http://distrinet.cs.kuleuven.be/news/2008/2008-05-09%20SANSandDistriNetUnite.jsp Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com

[SC-L] Security Bonuses for Vista Programmers

2008-06-16 Thread Kenneth Van Wyk
FYI, interesting eWeek article on some of Vista's security features that are provided to developers. (I misinterpreted the article's title a bit, but it quickly becomes clear in the article. At first, I thought it was about giving $$ bonuses to vista programmers -- it reminded me of an

[SC-L] Any SC-Lers going to FIRST in Vancouver next week?

2008-06-19 Thread Kenneth Van Wyk
Subject says it all. Any of you going to be at the FIRST conference? If you are and want to hook up for a chat--perhaps over a beer--then drop me a note. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com

[SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-06-30 Thread Kenneth Van Wyk
Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear often.) http://www.internetnews.com/ec-news/article.php/3755916 In talking with my customers over the past several months, I always find it interesting that the vast majority would sooner have root canal than submit

[SC-L] Survey thread killer

2008-08-26 Thread Kenneth Van Wyk
Hi SC-Lers, With these last 2 messages, let's kill off the survey thread, please. I allowed it to continue on--probably longer than I should have-- because there seemed to be valid and interesting points being made on both sides of the debate. But that seems to have run its course, so

[SC-L] AdaCore - Home GNAT Pro The Tokeneer Project

2008-10-08 Thread Kenneth Van Wyk
http://www.adacore.com/home/gnatpro/tokeneer/ Excerpt: Project Summary In order to demonstrate that developing highly secure systems to the level of rigor required by the higher assurance levels of the Common Criteria is possible, the NSA (National Security Agency) asked Praxis High

[SC-L] (fwd) informIT: A Software Security Framework

2008-10-15 Thread Kenneth Van Wyk
[Posted on behalf of Gary McGraw, who is without comms right now but wanted this to go out today. KRvW] hi sc-l, Brian Chess and I have been working hard on a software security framework that we are using in a scientific study of many of the top software security initiatives. Our plan of

Re: [SC-L] (fwd) informIT: A Software Security Framework

2008-10-16 Thread Kenneth Van Wyk
Greetings SC-L, I thought I'd chime in on this, as it very closely relates to my current book project. On Oct 15, 2008, at 8:31 AM, Gary McGraw (via Kenneth Van Wyk) wrote: Brian Chess and I have been working hard on a software security framework that we are using in a scientific study

[SC-L] Opportunity at DTCC

2008-11-25 Thread Kenneth Van Wyk
Greetings SC-L, I've been asked to allow a job posting here on SC-L. It certainly doesn't violate anything I've written in the group's charter (http://www.securecoding.org/list/charter.php ), but then again, we've generally not used SC-L for job listings. And then again++, with the

[SC-L] Fwd: ESSoS'09: Call for Participation

2008-12-11 Thread Kenneth Van Wyk
FYI, see Call for Participation below. Cheers, Ken van Wyk Begin forwarded message: From: Bart De Win [EMAIL PROTECTED] Date: December 9, 2008 8:22:14 AM EST To: [EMAIL PROTECTED] Subject: ESSoS'09: Call for Participation CALL FOR PARTICIPATION

Re: [SC-L] top 10 software security surprises

2008-12-17 Thread Kenneth Van Wyk
On Dec 16, 2008, at 1:25 PM, Gary McGraw wrote: Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model http://www.informit.com/articles/article.aspx?p=1271382), we interviewed nine executives running top

[SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-12 Thread Kenneth Van Wyk
FYI, a top 25 programming errors list from the folks at SANS has been released. See the following for details: http://www.sans.org/top25errors/ Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com

[SC-L] InternetNews Realtime IT News - New York Plans Application Security Program

2009-01-14 Thread Kenneth Van Wyk
Now here's an interesting development in the software security space. Seems that New York State is going to start requiring contracted application developers to conform with a minimum set of practices (as covered in the SANS Application Security Procurement Language,

[SC-L] Web Applications: Achilles' Heel Of Corporate Security -- Security -- InformationWeek

2009-02-03 Thread Kenneth Van Wyk
No big surprises for SC-L readers, I'm sure, but it's still an interesting read: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=213000162 Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com

Re: [SC-L] Reality Check: EMC Eric Baize

2009-03-03 Thread Kenneth Van Wyk
On Mar 3, 2009, at 10:11 AM, Gary McGraw wrote: Our fearless leader Ken gave a nice presentation on software security methodologies yesterday at secappdev. I wonder what he says about the Touchpoints when I'm not in the room?! Thanks for the kind words. What I say about the Touchpoints,

[SC-L] Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com

2009-03-12 Thread Kenneth Van Wyk
Hello SC-Lers, I saw this blog and thought it may be of interest here: http://blogs.zdnet.com/security/?p=2861 According to the blog, there's a design issue (read: flaw) in iTunes that can allow a maliciously formed podcast to cause a user to get prompted for a username/password -- to

[SC-L] SAMM 1.0 Released! | OpenSAMM

2009-03-25 Thread Kenneth Van Wyk
Good news today from the Software Assurance Maturity Model (SAMM) group. http://www.opensamm.org/2009/03/samm-10-released/ Their release says: The Beta release has been out for quite a while now (since August 2008) and lots of organizations and individuals have provided excellent feedback

[SC-L] Application Security Starts in the Development Lifecycle

2009-04-28 Thread Kenneth Van Wyk
FYI, some eWeek coverage of application security and how it is being taken more seriously in the enterprise these days. No big surprises for long-time SC-L folks, but still an interesting read from a fairly mainstream IT Security outlet.

[SC-L] Usability News - Why Security and Usability don't go hand in hand

2009-06-03 Thread Kenneth Van Wyk
FYI, a short but interesting read on usability vs. security in software. http://www.usabilitynews.com/news/article5692.asp Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com (This email is digitally signed with a free x.509 certificate from CAcert. If you're

Re: [SC-L] Source or Binary

2009-07-29 Thread Kenneth Van Wyk
On Jul 29, 2009, at 4:17 PM, Brad Andrews wrote: Realizing that java binaries hold a lot more is a mental shift that probably must be actively kept in mind. Those with only Java experience may think it is obvious, but how many developers did not start with Java and have not purged this

Re: [SC-L] What is the size of this list?

2009-08-19 Thread Kenneth Van Wyk
On Aug 18, 2009, at 2:21 PM, Arian J. Evans wrote: Jeremiah Grossman and I were both pondering the size of the SCL recently. Is the list size public? It's not public per se, but only in the sense that the number isn't directly available--unless you ask for it. The list has pretty

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Kenneth Van Wyk
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote: Exploits are FUN. I agree, at least to a point. Whenever I work exploits into my workshops, the results are right on the mark. So long as the exploits are balanced with just the right amount of remediations, it works great. The key is

[SC-L] Unicode Security : Microsoft releases BinScope and MiniFuzz to the public

2009-09-17 Thread Kenneth Van Wyk
FYI, a couple of interesting developments in the software security tool space: http://www.lookout.net/2009/09/16/microsoft-releases-binscope-and-minifuzz-to-the-public/ Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com SC-L Moderator

[SC-L] Another WAF in town

2009-09-24 Thread Kenneth Van Wyk
FYI, some activity in the open source WAF space: http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220100630 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator

Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-10 Thread Kenneth Van Wyk
On Nov 9, 2009, at 9:27 AM, Benjamin Tomhave wrote: Just a quick note, for those coming into DC for AppSec DC, rumor has it that a social gathering is brewing for Thurs PM. Let's hope so as I'd love to put faces with names! :) If I hear details, I'll be sure to pass along (feel free to ping

Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-13 Thread Kenneth Van Wyk
On Nov 10, 2009, at 6:27 AM, Kenneth Van Wyk wrote: In any case, I'm not sure of the lay of the land at the conference site, but I'm betting there's a bar in or near the site. Let's plan on meeting up there immediately following the day's sessions on Thursday. As soon as I can pinpoint

[SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-05 Thread Kenneth Van Wyk
Happy new year SC-Lers. FYI, interesting blog post on some of the new security features in Java EE 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO. http://www.coresecuritypatterns.com/blogs/?p=1622 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator

[SC-L] FT.com / UK - 'Year 2010' software glitch hits German bank cards

2010-01-06 Thread Kenneth Van Wyk
Greetings SC-L, There have been several reports in the last few days of various devices being hit with a so-called year 2010 software glitch. Several bank ATMs, mobile devices, etc., have reportedly been hit. Below is a link to one such story. My question for SC-L is: anyone here aware of

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Kenneth Van Wyk
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote: Among other things, David and I discussed the difference between descriptive models like BSIMM and prescriptive models which purport to tell you what you should do. Thought I'd chime in on this a bit, FWIW... From my perspective, I welcome

[SC-L] Thread is dead -- Re: BSIMM update (informIT)

2010-02-04 Thread Kenneth Van Wyk
OK, so this thread has heated up substantially and is on the verge of flare-up. So, I'm declaring the thread to be dead and expunging the extant queue. If anyone has any civil and value-added points to add, feel free to submit them, of course. As always, I encourage free and open debate here,

[SC-L] The International Secure Systems Development Conference

2010-03-29 Thread Kenneth Van Wyk
I saw this event announcement today and thought some SC-L folks might find it of interest, FYI. The International Secure Systems Development Conference addresses the key issues around designing-in security for standard and web-based software and systems, both in terms of developing new

[SC-L] Web Application Exploits and Defenses

2010-05-05 Thread Kenneth Van Wyk
The folks at Google have released some web app training, along with a vulnerable web app sandbox to play in. The tool is called Jarlsberg. Anyone here take a look at it yet, and have an opinion about it? The description (see below) sounds kinda sorta like OWASP's WebGoat, except that the

[SC-L] Vulnerability Analysis Blog: CERT Basic Fuzzing Framework

2010-05-28 Thread Kenneth Van Wyk
New fuzzing framework released from the folks up at CMU, FYI. https://www.cert.org/blogs/vuls/2010/05/cert_basic_fuzzing_framework.html Aloha, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at: http://twitter.com/KRvW_Associates

Re: [SC-L] Static code review for iPhone developers?

2010-07-29 Thread Kenneth Van Wyk
On Jul 29, 2010, at 10:41 AM, Kenneth Van Wyk wrote: Anyone know of any static code analysis tools that can scan an iPhone app package? Something that integrates with the Xcode SDK and can at the very least scan through all of the Objective C in the src tree is what I'm looking for. Any

[SC-L] Computerworld: Opinion - Making apps secure is hard work

2010-08-12 Thread Kenneth Van Wyk
I figured this was relevant here, so here's a link to my August column for Computerworld. Excerpt: 'What's that you say? All the app vetting you've been doing to date consists only of verifying that the apps play by the rules? That is, that they use only published APIs and such? Well, then,

[SC-L] Building Real Software: Has Static Analysis reached its limits?

2010-08-20 Thread Kenneth Van Wyk
FYI, nice write-up on the Fortify acquisition as well as the static code analysis space here: http://swreflections.blogspot.com/2010/08/has-static-analysis-reached-its-limits.html Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at:

[SC-L] Apple's iOS app review guidelines

2010-09-09 Thread Kenneth Van Wyk
Greetings SC-L, I read the news this morning with a lot of hope -- that Apple has finally published their app review guidelines for iOS app developers. But then I read the document. For starters, I did a quick grep for: security, secure, crypt, safe. Nothing. Nada. The document is

[SC-L] ISO/IEC 27034 application security guideline

2010-10-21 Thread Kenneth Van Wyk
Greetings SC-L folks, I don't participate in standards bodies, so I'm not very familiar with their inner workings and such. However, a colleague has pointed me to an ISO standard under development that will describe an application security development process. I visited the site

[SC-L] New Safecode doc released

2011-02-08 Thread Kenneth Van Wyk
Greets all. FYI: SAFECode has released, “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today.” The report is intended to help others in the industry initiate or improve their own software security programs

[SC-L] CERT/CC Blog: Announcing the CERT Basic Fuzzing Framework 2.0

2011-03-01 Thread Kenneth Van Wyk
FYI, new version of Basic Fuzzing Framework released by CERT/CC. http://www.cert.org/blogs/certcc/2011/02/cert_basic_fuzzing_framework_b.html Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at: http://twitter.com/KRvW_Associates

[SC-L] SC-L Administrative FAQ

2011-03-23 Thread Kenneth Van Wyk
Greetings SC-L Subscribers, I'm in an airport lounge on the other side of the planet (from my home), and I thought I'd take a few moments to jot down some answers to SC-L administrative issues that come up from time to time here on SC-L. I hope you find them helpful. I try to keep the

[SC-L] OPINION column re mobile security

2011-06-01 Thread Kenneth Van Wyk
Greetings SC-L, It occurred to me that I neglected to send a pointer here to my latest Computerworld column. The general topic is mobile device security, but more to the point, it's about trying to do (security) things differently in the mobile world, so we don't have to re-live all our

[SC-L] ANNOUNCING: OWASP iGoat initial public release, version 1.0

2011-06-16 Thread Kenneth Van Wyk
Greetings all. Yesterday, we put out the first public release of the OWASP iGoat project. This message is a brief description and call for participants in the project. Background The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security

[SC-L] Announcing the first Mobile App Sec Triathlon, 2-4 Nov 2011, San Jose, CA

2011-08-29 Thread Kenneth Van Wyk
Greetings SC-L, I'll keep this announcement real short... Gunnar Peterson and I are teaming up to present our Mobile App Sec Triathlon -- 3 days of training, heavily laden with hands-on exercises -- to San Jose, California on 2-4 November 2011. Details available at:

[SC-L] ANNOUNCEMENT: SecAppDev 2012, Leuven, Belgium

2011-12-22 Thread Kenneth Van Wyk
We are pleased to announce SecAppDev 2012, an intensive one-week course in secure application development. The course is organized by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. The

[SC-L] OWASP iGoat 1.2 released

2012-03-30 Thread Kenneth Van Wyk
Greetings SC-L folks, I thought some of you might find our project announcement (below) interesting. If you're an iOS developer or know any iOS developers, I'd like to encourage you to check out the OWASP iGoat project. It's modeled after its namesake, WebGoat, and is intended to be a tool for