Re: [SC-L] informIT: Building versus Breaking

2011-09-05 Thread James Walden
There are also a couple of other relevant academic security conferences:

MetriSec - http://metrisec2011.cs.nku.edu/ (September 21st in Banff, Canada)
SESS - http://homes.dico.unimi.it/~monga/sess11.html (May)

On Thu, Sep 1, 2011 at 12:41 PM, Goertzel, Karen [USA] 
goertzel_ka...@bah.com wrote:

 There are these:

 ISC(2) Secure Software Conference Series -
 https://www.isc2.org/PressReleaseDetails.aspx?id=650

 ESSoS - http://distrinet.cs.kuleuven.be/events/essos/2012/

 SecSE - http://www.sintef.org/secse

 SSIRI - http://paris.utdallas.edu/ssiri11/


 But your point is taken. Most of the conferences in this domain appear to
 be outside the U.S. I'm not sure what THAT says about U.S. attitudes about
 software assurance (though I have my suspicions).

 More important is the question of who actually attends these conferences.
 I'm in the process of updating some research on how and where software
 security assurance is being taught by colleges and universities, and what
 I'm finding is that the topic has been pretty much marginalised into an
 aspect of information assurance - i.e., it's being taught mostly to
 postgraduates who are majoring in IA and related disciplines - rather than
 an aspect of software development. There are exceptions, of course - but by
 and large that seems to be the trend. And I think the same is true of the
 conferences. It's the security wonks who care about software assurance much
 more than the actual software developers. Take a look at:
 http://zastita.com/index.php?det=64494

 ===
 Karen Mercedes Goertzel, CISSP
 Booz Allen Hamilton
 703.698.7454
 goertzel_ka...@bah.com

 Sorry, you have reached an imaginary number.
 If you require a real number, please rotate
 your phone by ninety degrees and try again.
 
 From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on
 behalf of Steven M. Christey [co...@linus.mitre.org]
 Sent: 31 August 2011 16:45
 To: Sergio 'shadown' Alvarez
 Cc: Adam Shostack; Secure Code Mailing List
 Subject: Re: [SC-L] informIT: Building versus Breaking

 While I'd like to see Black Hat add some more defensive-minded tracks, I
 just realized that this desire might be a symptom of a larger problem: there
 aren't really any large-scale conferences dedicated to defense / software
 assurance.  (The OWASP conferences are heavily web-focused; Dept. of
 Homeland Security has its software assurance forum and working groups, but
 those are relatively small.)

 If somebody built it, would anybody come?

 - Steve
 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc -
 http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
 ___




Re: [SC-L] informIT: Building versus Breaking

2011-09-05 Thread Stephen Craig Evans
Hi Ivan (and Sergio),

Maybe I should have clarified my position.

I have no problem with security researchers and whitehats that
investigate and reverse engineer malware to make the world a better
place.

I have problems with those that create malware - under the guise of
security research - which then gets used by the bad guys.

I'm not saying that one can never stop breaking into things. I just
don't like the glorification of creating malware by the so-called
good guys. If all of that energy instead was placed into prevention,
then we would be better off.

Let's say this...

I have a badness-ometer scale.

On the left side of the scale is ignorance and darkness. The bad guys
are operating on their own wits. There are no security researchers
that publish their results.

On the right side, we have today's world of infosec, where everybody
is crawling all over themselves to make a name for themselves and get
recognized - by tooting their horn and seeing how cool they can
be hacking into stuff.

It is what it is and I'm not under any illusion; I'm just not gonna
accept this glorification of bad guys pretending to be good.

Stephen

P.S. One might argue that a whitehat or security researcher can't
change sides and go into prevention, or in other words, be a Builder
instead of a Breaker. They can't because they don't have the skills to
do it.

Which is precisely my point.

On Fri, Sep 2, 2011 at 11:05 AM, iarce ia...@corest.com wrote:
 On 9/1/11 2:29 AM, Stephen Craig Evans wrote:
 Sergio,

 Blackhat IS about breaking stuff, the vendors area offers defense
 products and services to improve your security. For building stuff (as
 in development) there are other conferences out there. People go to
 Blackhat to be aware of what things might go wrong in order to protect
 themselves better.

 I really take offense to your comment.

 I am seeing malware out in the field that is based on work by
 so-called noble security researchers.

 My litmus test is: If there were no whitehats and security
 researchers, would we be better off at fighting the bad guys?

 My answer is emphatically yes.


 That is the kind of reply and opinion that very rapidly leads these
 debates to very divisive arguments.

 First you are taking offense, then you are pejoratively dismissing other
 people's work (by generically putting the quality or motivation of their
 work in question) and finally saying that you'd be better off if a whole
 community of people did not exist. Replace security researchers with
 any other collective and your statement would read very, very nasty.


 What I hate is that security researchers and the white hats try to
 present themselves as noble and as the good guys. It's f*cking
 bullsh*t and a total scam. Ten years later for me and the state of
 infosec is much worse.


 Hmm, I wonder if I should take offense at that statement? You question
 the motivations and honesty of an entire group of people and imply
 they're responsible for an alleged degradation in the state of infosec.


 There is also a nasty faction of infosec that will never want to solve
 problems which will put themselves out of work. Yep, I am throwing
 down that gauntlet FWIW.


 Stephen, it is way past the time - it was 10 years ago too - for people in
 the infosec community that claim to have an interest in improving the
 state of infosec to move away from confrontational stances and bigotry
 and to engage with the offensive security community in a constructive
 manner, putting prejudices aside and without invoking a moral high
 ground that they've not been given by divine intervention.

 Personally, I would be glad to put you out of work. Unfortunately I
 can't do it alone.


 sincerely,
 -ivan

 --
 Ivan Arce
 CTO - Core Security Technologies




-- 
http://www.linkedin.com/in/stephencraigevans


Re: [SC-L] informIT: Building versus Breaking

2011-09-03 Thread Kevin W. Wall
On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt chrisisb...@gmail.com wrote:
 On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA] goertzel_ka...@bah.com 
 wrote:

 What we need is to start building software that can fight back. Then we
 could become part of cyber warfare which is much sexier than software
 assurance. :)

 Simple. Owasp esapi + owasp appsensor + honeypot = win

I'd still consider that defensive. If you want cyber warfare and are willing
to go over to the dark side, you can define your own custom AppSensor response
actions to act offensively. For instance, you could easily try to download malware
to the attacker or mount a DoS attack against them.

Personally, I don't recommend such escalation though, even if it is a tit-for-tat
strategy. Reacting in that manner is likely to make you a criminal as well.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/
The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We *cause* accidents.        -- Nathaniel Borenstein



Re: [SC-L] informIT: Building versus Breaking

2011-09-03 Thread Chris Schmidt
On 9/3/2011 11:22 AM, Kevin W. Wall wrote:
 On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt chrisisb...@gmail.com wrote:
 On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA] 
 goertzel_ka...@bah.com wrote:
 What we need is to start building software that can fight back. Then we
 could become part of cyber warfare which is much sexier than software
 assurance. :)
 Simple. Owasp esapi + owasp appsensor + honeypot = win
 I'd still consider that defensive. If you want cyber warfare and are willing
 to go over to the dark side, you can define your own custom AppSensor response
 actions to act offensively. For instance, you could easily try to download malware
 to the attacker or mount a DoS attack against them.

 Personally, I don't recommend such escalation though, even if it is a tit-for-tat
 strategy. Reacting in that manner is likely to make you a criminal as well.

 -kevin
That may be, but there are ways to fight back without breaking the law.
Hence the honeypot: let the attacker exploit the hell out of a system
that does absolutely nothing, track all of his movements and gather as
much intel about them as possible - then, provided you have good audit
logging, you have more information than you can handle about the attack
to forward on to the feds for appropriate vanning. Granted, this is
making some pretty hefty assumptions about the state of the app in
question, the skill of the attacker, and the vanning abilities of the
men in black, but it is far more sexy than purely writing defensive code
alone.
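Added example by the editor, not code from any poster on this thread nor from the OWASP AppSensor or ESAPI projects: a small AppSensor-style sensor in Python that implements the defensive half of what Kevin and Chris describe above. Requests are mapped to detection points, each point is counted per user in a sliding window, and crossing the policy threshold produces an audited response that stays on the right side of the law (write an audit record, revoke the session, lock the account) rather than anything aimed back at the attacker. The detection-point labels, thresholds, windows and the request trace are all constructed for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Assumed policy table (constructed for this example): for each detection point,
# how many events within `window` seconds trigger which response. The labels
# imitate AppSensor's naming style (RE = request, IE = input, AE = authentication).
POLICY = {
    "RE3": {"window": 60, "threshold": 3, "response": "log"},     # forced browsing of admin paths
    "IE1": {"window": 60, "threshold": 2, "response": "logout"},  # SQL metacharacters in a field
    "AE2": {"window": 300, "threshold": 5, "response": "lock"},   # repeated failed logins
}


def detect(is_admin, path, params):
    """Map one request to the detection points it trips. Illustrative rules only:
    a real deployment reuses the application's own validation and authorization
    decisions instead of grepping for quote characters (which also hit O'Brien)."""
    points = []
    if path.startswith("/admin") and not is_admin:
        points.append("RE3")
    if any(any(m in str(v) for m in ("'", "--", ";")) for v in params.values()):
        points.append("IE1")
    return points


@dataclass
class AppSensor:
    events: dict = field(default_factory=lambda: defaultdict(deque))  # (user, point) -> times
    audit_log: list = field(default_factory=list)
    locked_users: set = field(default_factory=set)
    revoked_sessions: set = field(default_factory=set)

    def report(self, user, session, point, now):
        """Record one detection event and apply the policy response once the
        threshold is crossed inside the sliding window. Returns the response taken."""
        rule = POLICY[point]
        window = self.events[(user, point)]
        window.append(now)
        while window and now - window[0] > rule["window"]:
            window.popleft()
        self.audit_log.append(f"t={now} user={user} session={session} point={point} count={len(window)}")
        if len(window) < rule["threshold"]:
            return None
        response = rule["response"]
        if response == "logout":
            self.revoked_sessions.add(session)
        elif response == "lock":
            self.locked_users.add(user)
        self.audit_log.append(f"t={now} user={user} RESPONSE={response} point={point}")
        return response

    def failed_login(self, user, now):
        """Authentication failures are reported by the login code, not derived from a path."""
        return self.report(user, "-", "AE2", now)

    def handle_request(self, user, session, is_admin, path, params, now):
        """Gate a request: locked users and revoked sessions are refused outright;
        otherwise every tripped detection point is reported and the first response
        taken (if any) is returned in place of the normal "ok"."""
        if user in self.locked_users or session in self.revoked_sessions:
            return "denied"
        responses = [self.report(user, session, p, now) for p in detect(is_admin, path, params)]
        return next((r for r in responses if r), "ok")


# Constructed request trace: (time, user, session, is_admin, path, params).
SAMPLE_TRACE = [
    (0, "alice", "s1", False, "/account", {"id": "42"}),
    (5, "mallory", "s2", False, "/admin", {}),
    (6, "mallory", "s2", False, "/admin/users", {}),
    (7, "mallory", "s2", False, "/admin/export", {}),           # third RE3 in 60 s -> log
    (8, "mallory", "s2", False, "/search", {"q": "' OR '1'='1"}),
    (9, "mallory", "s2", False, "/search", {"q": "x'; --"}),    # second IE1 in 60 s -> logout
    (10, "mallory", "s2", False, "/account", {"id": "1"}),      # revoked session -> denied
]


def replay(trace=SAMPLE_TRACE):
    """Run the trace through a fresh sensor; returns per-request outcomes and the sensor."""
    sensor = AppSensor()
    outcomes = [sensor.handle_request(u, s, a, p, q, t) for (t, u, s, a, p, q) in trace]
    return outcomes, sensor


if __name__ == "__main__":
    outcomes, sensor = replay()
    print(outcomes)
    print("\n".join(sensor.audit_log))
```

The audit log records the running count next to every event, not just the responses, because the log, not the automatic response, is what gets handed to investigators; the responses themselves are limited to what the application is entitled to do to its own sessions and accounts.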


Re: [SC-L] informIT: Building versus Breaking

2011-09-02 Thread Jeffrey Walton
Hi Steve,

On Wed, Aug 31, 2011 at 4:45 PM, Steven M. Christey
co...@linus.mitre.org wrote:

 While I'd like to see Black Hat add some more defensive-minded tracks, I
 just realized that this desire might be a symptom of a larger problem: there
 aren't really any large-scale conferences dedicated to defense / software
 assurance.  (The OWASP conferences are heavily web-focused;
I believe OWASP is moving towards Application Security in general. At
the chapter meetings I attend, we were told the acronym is probably
going to be changed to Open Web and Application Security Project.

 Dept. of Homeland Security has its software assurance forum and working
 groups, but those are relatively small.)
Homeland Security also has the HOST program, which partners with
industry, http://www.cyber.st.dhs.gov/host/. I'm just mentioning it
because it seems to be a bit more than a [low volume] forum.

 If somebody built it, would anybody come?
If the price is right ;)

Jeff



Re: [SC-L] informIT: Building versus Breaking

2011-09-02 Thread Tom Brennan
Ding ding ding... End of first round.

insert ring girl with below sign 

Largest application software security focused event in 2011 - don't miss: 

http://www.appsecusa.org

Sept 20-23 2011

###

Ding ding ding... Now let's get it on

Let's keep a professional debate. Free speech only works with more free speech;
add bourbon for a party.

On Sep 1, 2011, at 3:26 AM, Sergio 'shadown' Alvarez shad...@gmail.com 
wrote:

 
 Blackhat IS about breaking stuff, the vendors area offers defense
 products and services to improve your security. For building stuff (as
 in development) there are other conferences out there. People go to
 Blackhat to be aware of what things might go wrong in order to protect
 themselves better.
 
 I really take offense to your comment.
 
 There's no offense within the truth. 
 btw, I forgot trainings in that paragraph.
 
 I am seeing malware out in the field that is based on work by
 so-called noble security researchers.
 
 You are seeing?, woow, how?
 From this mail it's clear you have no idea, and even less about the reverse 
 engineering that is required to do such analysis. I am a reverse engineer, 
 and I know what I'm talking about, but this is not the list to get into 
 discussion about malware and reversing.
 
 My litmus test is: If there were no whitehats and security
 researchers, would we be better off at fighting the bad guys?
 
 My answer is emphatically yes.
 
 Might I ask you a question? Why are you even in this mailinglist if you are 
 the kind of guy or developer that just doesn't care about doing your products 
 correctly?
 Based on your answer a whitehat for you is a nightmare, the one who is giving 
 your boss the red pill and because of that you are 'forced' to rewrite your 
 code and do things as you should have done from the very beginning.
 
 People that follow your line of thinking are the ones who need to be replaced 
 by people willing to learn in order to do better and more secure products.
 
 I agree with Gary and from knowing Gary from all of his posts and
 podcasts, this is not a new stance from him. I am in complete
 agreement with him and always have been.
 
 I do agree with Gary in that there is a need for a new Conference about 
 Defense Technologies and Awareness *for Developers*, that brings top notch 
 security professionals and researchers together.
 
 I highlight *for developers* because for people who know what they are doing 
 there are a bunch of conferences, and since you brought the topic malware, 
 here you have some specifically for that topic:
 
 http://www.virusbtn.com/news/calendar/index
 
 Especially the VB Conference is really good. (Virus Bulletin)
 
 And while I am here, the Builders vs. Breakers term should be
 attributed to Mark Curphey. You can probably still find his original
 post.
 
 I'm sort of sick of the whole attribution thingy. I've seen a lot of that in 
 academia 'research', where they just take research from some unknown 
 researcher and put a label to it and claim attribution afterwards.
 The Builders vs Breakers meme has been discussed for *years*, I mean since 
 before the 90s, and especially in other disciplines than software development. 
 But since you've mentioned a specific person, a recent discussion which 
 predates the author you've mentioned is here from June 3, 2008:
 http://marc.info/?l=cryptography&m=121260561401776&w=2
 http://news.cnet.com/2300-1029_3-6240826.html?tag=ne.gall.pg
 Let me know if you find an article from that Mark Curphey which predates 
 that one and I'll give you another one older just to fit your needs.
 
 The next question is: Can we ever prevent people from being security
 researchers or white hats or black hats or bad guys? No.
 
 Can we prevent people from developing shitty code?
 Can we prevent people from talking BS?
 
 Neither.
 
 But I think we have to start to take the lipstick off of the pigs and
 recognize what it is. It's called Blackhat, isn't it?
 
 A blackhat is the first one willing to keep things secret, so that nobody 
 knows anything. 
 Thanks to whitehats and researchers who present their work and bring some 
 light to blind people is that products evolve during the time.
 Otherwise we would still have products like Windows 95 or Windows NT 4.0 
 which were a joke from a security point of view. When Bill Gates sent the 
 famous letter to all the company asking them to stop doing whatever it was they were 
 doing and start auditing and reviewing the security of their developments, a 
 lot of developers and project managers quit because they didn't want to 
 rebuild right what they've built wrong. I believe you think like those 
 developers and PMs, that's not the way to go.
 
 Very unfortunately, there is more glamour - and probably more reward -
 in breaking stuff.
 
 That's a media/press problem, they are guilty for that.
 I personally have great respect for products well engineered.
 
 What I hate is that security researchers and the white hats try to
 present 

Re: [SC-L] informIT: Building versus Breaking

2011-09-02 Thread Goertzel, Karen [USA]
What we need is to start building software that can fight back. Then we could 
become part of cyber warfare which is much sexier than software assurance. 
:)

===
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

Sorry, you have reached an imaginary number.
If you require a real number, please rotate
your phone by ninety degrees and try again.

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf 
of Rafal [ra...@ishackingyou.com]
Sent: 01 September 2011 22:59
To: co...@linus.mitre.org; shad...@gmail.com
Cc: a...@homeport.org; sc-l@securecoding.org
Subject: Re: [SC-L] informIT: Building versus Breaking

Steve,
  I think that the problem we have here is classic - defense isn't sexy. I 
think you could get DHS to sponsor one maybe? I think between some government 
funds, and some vendor support you'd be OK on costs, but the larger question of 
whether people would come... only time would tell.

Rafal Los - Security & Intelligence | Voice/Text: (765) 247-2325 | Twitter: 
@RafalLos

Steven M. Christey co...@linus.mitre.org wrote:

While I'd like to see Black Hat add some more defensive-minded tracks, I
just realized that this desire might be a symptom of a larger problem: there
aren't really any large-scale conferences dedicated to defense / software
assurance.  (The OWASP conferences are heavily web-focused; Dept. of
Homeland Security has its software assurance forum and working groups, but
those are relatively small.)

If somebody built it, would anybody come?

- Steve


Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Steven M. Christey


While I'd like to see Black Hat add some more defensive-minded tracks, I 
just realized that this desire might be a symptom of a larger problem: there 
aren't really any large-scale conferences dedicated to defense / software 
assurance.  (The OWASP conferences are heavily web-focused; Dept. of 
Homeland Security has its software assurance forum and working groups, but 
those are relatively small.)


If somebody built it, would anybody come?

- Steve


Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Chris Schmidt
I agree on the terminology of whitehat vs. blackhat here Sergio, but in
almost every other regard I disagree completely.

 To design and build proper software and hardware there are a lot of
 conferences out there, as well as trainings and a huge amount of literature.
 There are very good books when it comes to secure software development.

This is 100% false and misleading. Yes, there are great security tools out
there, and yes there are great development conferences - however, the two
*rarely* if *ever* intermingle. See my blog Cross Pollination; It's not
just for Bees
(http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html)
for my thoughts on this subject in particular.

Additionally, students are taught how to write insecure code from the time
they write their first Hello World application. This topic has been
discussed a great many times and hasn't changed much. Go to your local
bookstore and pick up a java book, flip to the section on JDBC and tell me
that the first thing you learn to do is something other than build a dynamic
SQL statement with untrusted user input. Show me an MVC book that covers
proper contextual output encoding or building a Data Access Control policy.
Pick up a Tomcat Book and tell me where it says you should disable the
InvokerServlet. Pick up a .Net book and tell me where the chapter on using
AntiXSS is. I could go on and on, but I really don't think it is necessary.

 Every year what is presented, in the best security conferences, are new
 techniques that developers need to be aware of in order to build secure
 products. Most of the presentations talk about things that were wrongly
 designed and/or corner-cases which were not considered.

I think we can agree that the majority of flaws that get exploited are due
to improper or missing security controls. This is a fundamental flaw in
engineering software. I have sat with some of the best software architects
and looked at their architecture diagrams and specifications. I have seen
the missing controls, I have seen the specifications lacking or using
controls improperly. I have seen damn smart developers make really stupid
mistakes when trying to make security decisions in code simply because they
don't really understand what it means to write secure code.

 There are also a lot of tools and libraries which help development teams to do
 things right, especially libraries and templates like Microsoft Safeint as well
 as the safe APIs, which prevent developers from shooting themselves.
 They just need to use them. There are also managed languages, APIs to handle
 SQL securely, etc. It is just that a lot of developers don't use what is
 available to them.

See above statements.

 Blackhat is great as it is now, there are talks about new defense technologies
 from time to time too. Having more talks about defense would be used, in my
 opinion, more to sell products than anything else. I don't believe it would do any
 good to Blackhat.

Again, I completely disagree. As a general rule, people that break software
know enough about engineering to be able to spot flaws in code - they don't
really *understand* terms like 'Agile' or 'Inversion of Control' and
conversely most developers may have heard of SQL Injection or Cross Site
Scripting but have *no* concept of the depth of the problems. Only by
bringing the builders and the breakers together and getting them involved in
the other side will we begin to see changes. Blackhat is a *perfect*
opportunity to do this. Where else are there thousands of security
professionals who are great at breaking stuff but not so good on
understanding what it really takes to build something - how to architect
software and systems - or the nuances of specific languages, libraries, and
development methodologies. Also the argument that this is what the vendor
area is for - complete and utter BS. You show me the magic box that takes
poorly written code in one side and spits out well architected and secure
code on the other and then we can talk. Products don't fix software problems
- and we can all agree that the application is the attack surface that
everyone should be focusing on right now I think.

 Blackhat IS about breaking stuff, the vendors area offers defense products and
 services to improve your security. For building stuff (as in development)
 there are other conferences out there. People go to Blackhat to be aware of
 what things might go wrong in order to protect themselves better. And even
 then many good talks overlap unfortunately.

Yes, Blackhat is absolutely about breaking stuff, this is a major part of
the problem. Developers generally don't go to Blackhat - they go to JavaOne.
How many talks are there at JavaOne on the latest 0-day in Spring or Struts?
How many speakers go to ApacheCon to talk about the vulnerabilities in
Cocoon or HTTPD? None! We want developers to come to blackhat and learn
about doing this - but there are very few, if any development 
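
As an added example (the editor's, not code from Chris or any other poster): the dynamic-SQL pattern Chris describes in the JDBC textbooks next to its parameterized replacement, plus context-specific output encoding for an HTML cell and for a link whose value passes through both the URL and the HTML-attribute context. Python's sqlite3 stands in for JDBC since the distinction is the same (string concatenation versus a bound parameter); the users table, its rows and the probe strings are constructed for the example.

```python
import html
import sqlite3
from urllib.parse import quote


def make_db():
    """Constructed in-memory 'users' table standing in for the textbook example's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test"), ("o'brien", "obrien@example.test")],
    )
    conn.commit()
    return conn


def find_user_dynamic(conn, name):
    """The textbook pattern: untrusted input spliced into the statement text. The
    input can change the query's structure, and a legitimate apostrophe breaks it."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, name):
    """The hardened form: the statement is fixed; the value travels as a bound parameter."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_html_cell(value):
    """HTML body context: escape <, >, & and both quote characters."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def render_search_link(query):
    """Two contexts in one element: URL-encode the value for the query string, then
    HTML-attribute-encode the resulting href, and HTML-body-encode the visible label."""
    href = "/search?q=" + quote(query, safe="")
    return '<a href="' + html.escape(href, quote=True) + '">' + html.escape(query) + "</a>"


def demonstrate(conn):
    """Compare the two query styles on a structure-changing probe and on a real name."""
    probe = "x' OR '1'='1"  # constructed probe: turns the WHERE clause into a tautology
    result = {
        "dynamic_rows_for_probe": len(find_user_dynamic(conn, probe)),
        "parameterized_rows_for_probe": len(find_user_parameterized(conn, probe)),
        "parameterized_rows_for_obrien": len(find_user_parameterized(conn, "o'brien")),
    }
    try:
        find_user_dynamic(conn, "o'brien")
        result["dynamic_for_obrien"] = "ok"
    except sqlite3.OperationalError:
        result["dynamic_for_obrien"] = "syntax error"  # the apostrophe broke the statement
    return result


if __name__ == "__main__":
    print(demonstrate(make_db()))
    print(render_html_cell('<b onmouseover="x">'))
    print(render_search_link("a b&c"))
```

The O'Brien row is the part worth showing a developer: the parameterized query finds it and the concatenated one throws, so the hardened form is also the one that works on ordinary data. Which encoder to apply is decided by where the value lands in the output, not by where it came from, which is what "contextual" means in the paragraph above.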

Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Arian J. Evans
Not many builders go to BlackHat. BlackHat is by Breakers, for
Defenders. It is primarily attended by Defenders, with a smaller pool
of dedicated Breakers.

It is very valuable to our industry to have conferences focused on
Breaking. Though they do have Builder and Defender talks. Some of my
first BlackHat talks were on a statistical B-A-D WAF a few of us
built, though statistical behavioral anomaly detection is boring, so
we'd drop a few zero-days on products in the talk to keep folks awake.

If you want to reach Builders: there are already dev-focused
conferences and communities for Builders. Jeremiah Grossman and I have
made a point at going to developer-focused conferences around the
world, and been well received. So, I suspect they'll allow other
security folks in too.

Michael Coates has an excellent blog post suggesting an organization
for OWASP along the above lines - and appealing to all three groups -
it would be interesting to see other security conferences explore this
structure:

http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html

As for your concerns with over-emphasis on breaking

Breaking is concrete, measurable, and actionable. There are many
historical precedents for Breakers driving the innovations of
Builders.

For Example: The auto industry Builders learned substantively about
safety from the Breakers. There are many lessons in the evolution of
car safety features for us in how Breakers drive defense. From IR
(cadaver research) to Black Box (crash testing) to SAST/DAST
automation tools and test harnesses (Hybrid III and acceleration
sleds) - the evolution of car safety was instrumentally fueled, if not
driven, by the innovations of the Breakers.

It makes sense that software security will benefit from many of the
same analogues. So - it's no surprise there is so much emphasis on
breaking!

Finally - Breaking sells. It's really hard for Defenders to sell
Building Secure to business owners without concrete measurements from
Breakers. Basically, Breakers help Defenders get budget for things
like Secure Builder research and programs. And Breakers provide
measurement metrics on Builder progress.

Let's face it - Breaking is far sexier than Building. When was the
last time you saw an exciting presentation on -GS in Visual Studio?
This may be why the SCL list is smaller than the dozens of other
Breaker lists out there on the interwebs. Or it could be that the
problem is so darn hard

---
Arian Evans
Builder and Breaker


On Wed, Aug 31, 2011 at 7:16 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 I went to Blackhat for the first time ever this year (even though I am 
 basically allergic to Las Vegas), and it got me started thinking about 
 building things properly versus breaking things in our field.  Blackhat was 
 mostly about breaking stuff of course.  I am not opposed to breaking stuff 
 (see Exploiting Software from 2004), but I am worried about an overemphasis 
 on breaking stuff.

 After a quick and dirty blog entry on the subject 
 http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/,
  I sat down and wrote a better article about it:

 Software [In]security: Balancing All the Breaking with some Building
 http://www.informit.com/articles/article.aspx?p=1750195

 I've also had a chat with Adam Shostack (a member of the newly formed 
 Blackhat Advisors) about the possibility of adding some building content to 
 Blackhat.  Go Adam!

 Do you agree that Blackhat could do with some building content??

 gem

 company www.cigital.com
 podcast www.cigital.com/silverbullet
 blog www.cigital.com/justoceleague
 book www.swsec.com



Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Sergio 'shadown' Alvarez
Hi Chris,

Thanks for answering my email.
There's one thing that I actually believe you people are not following here. 
Blackhat is a conference to present cutting-edge NEW offensive technologies, 
methodologies, techniques, etc. It is *not* about talking about things that were 
already presented and talked about; for that there are other conferences with 
that specific purpose, maybe you are not aware of those. You should google a 
little bit. Search for: security conferences google calendar and you'll have 
a good panorama of conferences; check the schedules and you'll see there are 
conferences that cover pretty much all the topics.

I understand that a lot of developers and project managers are willing to have 
technically *good* conferences focused on defense at all levels, but from there 
to proposing that Blackhat become such a thing is 100% plain wrong. Probably a new 
conference should be created to satisfy the niche you are mentioning. Then if 
people who are technically capable are willing to present the material they 
usually use to give trainings to their customers, then that's another story.

 To design and build proper software and hardware there are a lot of
 conferences out there, as well as trainings and a huge amount of literature.
 There are very good books when it comes to secure software development.
 
 This is 100% false and misleading.

If you read the following six books you'll probably have more than you might 
actually need (actually with the first 5):

The Security Development Lifecycle:
http://www.amazon.com/Security-Development-Lifecycle-Michael-Howard/dp/0735622140/ref=sr_1_1?s=booksie=UTF8qid=1314826912sr=1-1

Threat Modeling:
http://www.amazon.com/Threat-Modeling-Microsoft-Professional-Swiderski/dp/0735619913/ref=sr_1_1?s=booksie=UTF8qid=1314826965sr=1-1

Writing Secure Code, Second Edition:
http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228/ref=sr_1_3?s=booksie=UTF8qid=1314826965sr=1-3

Code Complete: A Practical Handbook of Software Construction:
http://www.amazon.com/Code-Complete-Practical-Handbook-Construction/dp/0735619670

The Art of Software Security Assessment: Identifying and Preventing Software 
Vulnerabilities:
http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/032126/ref=sr_1_1?s=booksie=UTF8qid=1314826625sr=1-1

Hunting Security Bugs:
http://www.amazon.com/Hunting-Security-Bugs-Tom-Gallagher/dp/073562187X/ref=sr_1_2?s=booksie=UTF8qid=1314826641sr=1-2

 Yes, there are great security tools out
 there, and yes there are great development conferences - however, the two
 *rarely* if *ever* intermingle. See my blog Cross Pollination; It's not
 just for Bees ( 
 http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-f
 or-bees.html) for my thoughts on this subject in particular.

I've read your blog and I understand your frustration.
I know a bunch of people who are great in both areas, and they work actively in 
the SDL process for big companies.
I believe if a conference to present this kind of presentations is created they 
would be interested in doing some presentations there. Actually I would do a 
couple as well. But the lifetime of such a conference is technically short, 
because once you've presented what has to be done, then the rest is up 
to the people who develop the software.
New tools, yes there will always be new tools, as well as there will always be 
people willing to talk. But for professionals, once the message is transmitted 
there are two options: either the developers understood or they need to get 
training to understand.
Also it is the responsibility of the companies to train their people to 
make better products; big companies do that all the time and also even create 
internal conferences so that their developers become aware of what can go wrong.

 Additionally, students are taught how to write insecure code from the time
 they write their first Hello World application. This topic has been
 discussed a great many times and hasn't changed much. Go to your local
 bookstore and pick up a java book, flip to the section on JDBC and tell me
 that the first thing you learn to do is something other than build a dynamic
 SQL statement with untrusted user input.

That's because there are crappy books all over the place. And professors who 
shouldn't be 'teaching' anymore unless they update their education material 
to the time they are living in. Are they teaching GW-BASIC? NO, they are just 
teaching wrong.
That's not my problem. It is an education problem, and we could discuss this for 
ages, because even all the education models that I know of are 
fundamentally broken.

 Show me an MVC book that covers
 proper contextual output encoding or building a Data Access Control policy.
 Pick up a Tomcat Book and tell me where it says you should disable the
 InvokerServlet. Pick up a .Net book and tell me where the chapter on using
 AntiXSS is. I could go on and on, but I really don't 

Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Stephen Craig Evans
Sergio,

Blackhat IS about breaking stuff, the vendors' area offers defense
products and services to improve your security. For building stuff (as
in development) there are other conferences out there. People go to
Blackhat to be aware of what things might go wrong in order to better
protect themselves.

I really take offense to your comment.

I am seeing malware out in the field that is based on work by
so-called noble security researchers.

My litmus test is: If there were no whitehats and security
researchers, would we be better off at fighting the bad guys?

My answer is emphatically yes.

I agree with Gary and from knowing Gary from all of his posts and
podcasts, this is not a new stance from him. I am in complete
agreement with him and always have been.

And while I am here, the Builders vs. Breakers term should be
attributed to Mark Curphey. You can probably still find his original
post.

The next question is: Can we ever prevent people from being security
researchers or white hats or black hats or bad guys? No. But I
think we have to start to take the lipstick off of the pigs and
recognize what it is. It's called Blackhat, isn't it?

Very unfortunately, there is more glamour - and probably more reward -
in breaking stuff.

What I hate is that security researchers and the white hats try to
present themselves as noble and as the good guys. It's f*cking
bullsh*t and a total scam. Ten years later for me and the state of
infosec is much worse.

There is also a nasty faction of infosec that will never want to solve
problems which will put themselves out of work. Yep, I am throwing
down that gauntlet FWIW.

Stephen


Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Goertzel, Karen [USA]
There are these:

ISC(2) Secure Software Conference Series - 
https://www.isc2.org/PressReleaseDetails.aspx?id=650

ESSoS - http://distrinet.cs.kuleuven.be/events/essos/2012/

SecSE - http://www.sintef.org/secse

SSIRI - http://paris.utdallas.edu/ssiri11/


But your point is taken. Most of the conferences in this domain appear to be 
outside the U.S. I'm not sure what THAT says about U.S. attitudes about 
software assurance (though I have my suspicions). 

More important is the question of who actually attends these conferences. I'm 
in the process of updating some research on how and where software security 
assurance is being taught by colleges and universities, and what I'm finding is 
that the topic has been pretty much marginalised into an aspect of information 
assurance - i.e., it's being taught mostly to postgraduates who are majoring in 
IA and related disciplines - rather than an aspect of software development. 
There are exceptions, of course - but by and large that seems to be the trend. 
And I think the same is true of the conferences. It's the security wonks who 
care about software assurance much more than the actual software developers. 
Take a look at: http://zastita.com/index.php?det=64494

===
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

Sorry, you have reached an imaginary number.
If you require a real number, please rotate
your phone by ninety degrees and try again.

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf 
of Steven M. Christey [co...@linus.mitre.org]
Sent: 31 August 2011 16:45
To: Sergio 'shadown' Alvarez
Cc: Adam Shostack; Secure Code Mailing List
Subject: Re: [SC-L] informIT: Building versus Breaking

While I'd like to see Black Hat add some more defensive-minded tracks, I
just realized that this desire might be a symptom of a larger problem: there
aren't really any large-scale conferences dedicated to defense / software
assurance.  (The OWASP conferences are heavily web-focused; Dept. of
Homeland Security has its software assurance forum and working groups, but
those are relatively small.)

If somebody built it, would anybody come?

- Steve


Re: [SC-L] informIT: Building versus Breaking

2011-08-31 Thread Sergio 'shadown' Alvarez
Hi gem,

I've read your article to see what direction you were willing to take, before 
jumping into the conversation. Your post was exactly what I thought you were 
heading to.

I disagree with your thought for many reasons.

But first I would like to use proper terms so that we don't misuse some 
vocabulary:

You said: Software security should be a balanced approach of offense and 
defense (white hat and black hat, if you will)

Whitehat: reports what he/she has found. Network vulnerabilities, software 
security flaws, flawed crypto, design flaws, or whatever it is that the 
individual found was broken or wrong.

Blackhat: doesn't report what he/she found, because she/he wants to keep it that 
way.

Of course there are a lot of grays out there too.

Defense is…well... defense.

To design and build proper software and hardware there are a lot of conferences 
out there, as well as trainings and a huge amount of literature. There are very 
good books when it comes to secure software development.

Every year what is presented, in the best security conferences, are new 
techniques that developers need to be aware of in order to build secure 
products. Most of the presentations talk about things that were wrongly 
designed and/or corner-cases which were not considered.

There are also a lot of tools and libraries which help development teams to do 
things right, especially libraries and templates like Microsoft Safeint as well 
as the safe APIs, which prevent developers from shooting themselves.
They just need to use them. There are also managed languages, APIs to handle 
SQL securely, etc. It is just that a lot of developers don't use what is 
available to them.

Blackhat is great as it is now, there are talks about new defense technologies 
from time to time too. Having more talks about defense would be used, in my 
opinion, to sell products more than anything else. I don't believe it would do any 
good to Blackhat.

I am not opposed to breaking stuff (see Exploiting Software from 2004), 
but I am worried about an overemphasis on breaking stuff.

Blackhat IS about breaking stuff, the vendors' area offers defense products and 
services to improve your security. For building stuff (as in development) there 
are other conferences out there. People go to Blackhat to be aware of what 
things might go wrong in order to better protect themselves. And even then many 
good talks overlap unfortunately.

Regards,
  Sergio
