Re: [SC-L] informIT: Building versus Breaking
There are also a couple of other relevant academic security conferences:

MetriSec - http://metrisec2011.cs.nku.edu/ (September 21st in Banff, Canada)
SESS - http://homes.dico.unimi.it/~monga/sess11.html (May)

On Thu, Sep 1, 2011 at 12:41 PM, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:

> There are these:
>
> ISC(2) Secure Software Conference Series - https://www.isc2.org/PressReleaseDetails.aspx?id=650
> ESSoS - http://distrinet.cs.kuleuven.be/events/essos/2012/
> SecSE - http://www.sintef.org/secse
> SSIRI - http://paris.utdallas.edu/ssiri11/
>
> But your point is taken. Most of the conferences in this domain appear to be outside the U.S. I'm not sure what THAT says about U.S. attitudes about software assurance (though I have my suspicions).
>
> More important is the question of who actually attends these conferences. I'm in the process of updating some research on how and where software security assurance is being taught by colleges and universities, and what I'm finding is that the topic has been pretty much marginalised into an aspect of information assurance - i.e., it's being taught mostly to postgraduates who are majoring in IA and related disciplines - rather than an aspect of software development. There are exceptions, of course - but by and large that seems to be the trend. And I think the same is true of the conferences. It's the security wonks who care about software assurance much more than the actual software developers.
>
> Take a look at: http://zastita.com/index.php?det=64494
>
> ===
> Karen Mercedes Goertzel, CISSP
> Booz Allen Hamilton
> 703.698.7454
> goertzel_ka...@bah.com
>
> Sorry, you have reached an imaginary number. If you require a real number, please rotate your phone by ninety degrees and try again.
>
> From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Steven M. Christey [co...@linus.mitre.org]
> Sent: 31 August 2011 16:45
> To: Sergio 'shadown' Alvarez
> Cc: Adam Shostack; Secure Code Mailing List
> Subject: Re: [SC-L] informIT: Building versus Breaking
>
>> While I'd like to see Black Hat add some more defensive-minded tracks, I just realized that this desire might be a symptom of a larger problem: there aren't really any large-scale conferences dedicated to defense / software assurance. (The OWASP conferences are heavily web-focused; Dept. of Homeland Security has its software assurance forum and working groups, but those are relatively small.)
>>
>> If somebody built it, would anybody come?
>>
>> - Steve

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] informIT: Building versus Breaking
Hi Ivan (and Sergio),

Maybe I should have clarified my position. I have no problem with security researchers and whitehats that investigate and reverse engineer malware to make the world a better place. I have problems with those that create malware - under the guise of security research - which then gets used by the bad guys.

I'm not saying that one can never stop breaking into things. I just don't like the glorification of creating malware by the so-called good guys. If all of that energy instead was placed into prevention, then we would be better off.

Let's say this... I have a badness-ometer scale. On the left side of the scale is ignorance and darkness. The bad guys are operating on their own wits. There are no security researchers that publish their results. On the right side, we have today's world of infosec, where everybody is crawling all over themselves to make a name for themselves and get recognized - by tooting their horn and to see how cool that they can be hacking into stuff.

It is what it is and I'm not under any illusion; I'm just not gonna accept this glorification of bad guys pretending to be good.

Stephen

P.S. One might argue that a whitehat or security researcher can't change sides and go into prevention, or in other words, be a Builder instead of a Breaker. They can't because they don't have the skills to do it. Which is precisely my point.

On Fri, Sep 2, 2011 at 11:05 AM, iarce ia...@corest.com wrote:

> On 9/1/11 2:29 AM, Stephen Craig Evans wrote:
>
>> Sergio,
>>
>>> Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to protect better themselves.
>>
>> I really take offense to your comment. I am seeing malware out in the field that is based on work by so-called noble security researchers.
>>
>> My litmus test is: If there were no whitehats and security researchers, would we be better off at fighting the bad guys? My answer is emphatically yes.
>
> That is the kind of reply and opinion that very rapidly leads these debates to very divisive arguments. First you are taking offense, then you are pejoratively dismissing other people's work (by generically putting the quality or motivation of their work in question) and finally saying that you'd be better off if a whole community of people did not exist. Replace "security researchers" with any other collective and your statement would read very, very nasty.
>
>> What I hate is that security researchers and the white hats try to present themselves as noble and as the good guys. It's f*cking bullsh*t and a total scam. Ten years later for me and the state of infosec is much worse.
>
> Hmm, I wonder if I should take offense at that statement? You question the motivations and honesty of an entire group of people and imply they're responsible for an alleged degradation in the state of infosec.
>
>> There is also a nasty faction of infosec that will never want to solve problems which will put themselves out of work. Yep, I am throwing down that gauntlet FWIW.
>
> Stephen, it is way past the time - it was 10 years ago too - for people in the infosec community that claim to have an interest in improving the state of infosec to move away from confrontational stances and bigotry and to engage with the offensive security community in a constructive manner, putting prejudices aside and without invoking a moral high ground that they've not been given by divine intervention.
>
> Personally, I would be glad to put you out of work. Unfortunately I can't do it alone.
>
> sincerely,
> -ivan
>
> --
> Ivan Arce
> CTO - Core Security Technologies

--
http://www.linkedin.com/in/stephencraigevans
Re: [SC-L] informIT: Building versus Breaking
On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt chrisisb...@gmail.com wrote:

> On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:
>
>> What we need is to start building software that can fight back. Then we could become part of cyber warfare which is much sexier than software assurance. :)
>
> Simple. Owasp esapi + owasp appsensor + honeypot = win

I'd still consider that defensive. If you want cyber warfare and are willing to go over to the dark side, you can define your own custom AppSensor response actions to act offensively. For instance, you could easily try to download malware to the attacker or mount a DoS attack against them. Personally, I don't recommend such escalation though, even if it is a tit-for-tat strategy. Reacting in that manner is likely to make you a criminal as well.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein
Re: [SC-L] informIT: Building versus Breaking
On 9/3/2011 11:22 AM, Kevin W. Wall wrote:

> On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt chrisisb...@gmail.com wrote:
>
>> On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:
>>
>>> What we need is to start building software that can fight back. Then we could become part of cyber warfare which is much sexier than software assurance. :)
>>
>> Simple. Owasp esapi + owasp appsensor + honeypot = win
>
> I'd still consider that defensive. If you want cyber warfare and are willing to go over to the dark side, you can define your own custom AppSensor response actions to act offensively. For instance, you could easily try to download malware to the attacker or mount a DoS attack against them. Personally, I don't recommend such escalation though, even if it is a tit-for-tat strategy. Reacting in that manner is likely to make you a criminal as well.
>
> -kevin

That may be, but there are ways to fight back without breaking the law. Hence the honeypot: let the attacker exploit the hell out of a system that does absolutely nothing, track all of his movements and gather as much intel about them as possible - then, provided you have good audit logging, you have more information than you can handle about the attack to forward on to the feds for appropriate vanning.

Granted, this is making some pretty hefty assumptions about the state of the app in question, the skill of the attacker, and the vanning abilities of the men in black, but it is far more sexy than purely writing defensive code alone.
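The "ESAPI + AppSensor + honeypot" idea above, as an added example that is not code from OWASP AppSensor, ESAPI, or any poster in this thread: a minimal AppSensor-style sensor in Python. It shows the shape of the purely defensive response both Kevin and Chris end up at: detection points that fire on suspicious request input, a per-user sliding-window threshold, and responses limited to audit logging, a warning, and locking the offending account (nothing aimed back at the attacker). The detection-point IDs, regexes, thresholds and the sample traffic are assumptions constructed for this example; the regexes are crude signals for the sensor, not a substitute for parameterized queries or output encoding.

```python
"""
AppSensor-style detection points with a defensive (non-retaliatory) response.

Added example for this thread, not code from OWASP AppSensor or ESAPI. The
detection-point IDs, patterns, thresholds and response names are assumptions
made for the illustration; the sample traffic is constructed.
"""
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Detection points keyed by a made-up ID (assumption). Each pattern is run over
# every request parameter value; one match per detection point is one event.
DETECTION_POINTS = {
    "IE1_SQLI": re.compile(r"('|--|/\*|\bunion\b|\bor\b\s+\d+\s*=\s*\d+)", re.I),
    "IE2_XSS": re.compile(r"<\s*script|javascript:", re.I),
    "ACE1_TRAVERSAL": re.compile(r"\.\./|\.\.\\"),
}


@dataclass
class Policy:
    window_seconds: float = 60.0  # sliding window for counting events per user
    warn_at: int = 2              # events in window before a warning is logged
    lock_at: int = 4              # events in window before the account is locked


@dataclass
class AppSensor:
    policy: Policy = field(default_factory=Policy)
    events: dict = field(default_factory=lambda: defaultdict(deque))
    locked: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)  # (time, user, kind, detail)

    def _prune(self, user, now):
        """Drop events that have fallen out of the sliding window."""
        q = self.events[user]
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()

    def evaluate(self, user, params, now=None):
        """Score one request. Returns 'deny', 'allow', 'warn' or 'lock'."""
        now = time.time() if now is None else now
        if user in self.locked:
            self.audit_log.append((now, user, "DENY_LOCKED", None))
            return "deny"
        hits = [(dp, name, value) for name, value in params.items()
                for dp, rx in DETECTION_POINTS.items() if rx.search(value)]
        for dp, name, value in hits:
            self.events[user].append(now)
            self.audit_log.append((now, user, dp, f"{name}={value!r}"))
        if not hits:
            return "allow"
        self._prune(user, now)
        count = len(self.events[user])
        if count >= self.policy.lock_at:
            self.locked.add(user)
            self.audit_log.append((now, user, "RESPONSE_LOCK", f"{count} events in window"))
            return "lock"
        if count >= self.policy.warn_at:
            self.audit_log.append((now, user, "RESPONSE_WARN", f"{count} events in window"))
            return "warn"
        return "allow"


# Constructed sample traffic: (seconds since start, authenticated user, request params).
SAMPLE_REQUESTS = [
    (0, "alice", {"q": "shoes"}),
    (1, "mallory", {"id": "1 OR 1=1"}),
    (2, "mallory", {"id": "1' --"}),
    (3, "mallory", {"file": "../../etc/passwd"}),
    (4, "alice", {"q": "boots"}),
    (5, "mallory", {"comment": "<script>alert(1)</script>"}),
    (6, "mallory", {"id": "2"}),
    (120, "bob", {"id": "3' OR 1=1"}),
]


def run(requests, policy=None):
    """Feed requests through a fresh sensor; return it and the per-request outcomes."""
    sensor = AppSensor(policy or Policy())
    outcomes = [(user, sensor.evaluate(user, params, now=t)) for t, user, params in requests]
    return sensor, outcomes


if __name__ == "__main__":
    sensor, outcomes = run(SAMPLE_REQUESTS)
    for user, outcome in outcomes:
        print(f"{user:8s} {outcome}")
    print("locked:", sorted(sensor.locked))
    for entry in sensor.audit_log:
        print(entry)
```

Run as a script it walks the constructed traffic: mallory's first probe is allowed, the second and third produce warnings, the fourth locks the account, and the fifth is denied outright, while alice and bob are never touched. The audit log is the part Chris is after: every firing detection point and every response is recorded with the offending parameter, which is what you would hand to whoever follows up. A real deployment would key the window on session or source address as well as on the authenticated user, and would treat the regexes as one signal among several.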
Re: [SC-L] informIT: Building versus Breaking
Hi Steve,

On Wed, Aug 31, 2011 at 4:45 PM, Steven M. Christey co...@linus.mitre.org wrote:

> While I'd like to see Black Hat add some more defensive-minded tracks, I just realized that this desire might be a symptom of a larger problem: there aren't really any large-scale conferences dedicated to defense / software assurance. (The OWASP conferences are heavily web-focused;

I believe OWASP is moving towards Application Security in general. At the chapter meetings I attend, we were told the acronym is probably going to be changed to Open Web and Application Security Project.

> Dept. of Homeland Security has its software assurance forum and working groups, but those are relatively small.)

Homeland Security also has the HOST program, which partners with industry, http://www.cyber.st.dhs.gov/host/. I'm just mentioning it because it seems to be a bit more than a [low volume] forum.

> If somebody built it, would anybody come?

If the price is right ;)

Jeff
Re: [SC-L] informIT: Building versus Breaking
Ding ding ding... End of first round.

insert ring girl with below sign

Largest application software security focused event in 2011 - don't miss: http://www.appsecusa.org Sept 20-23 2011

###

Ding ding ding... Now let's get it on. Let's keep a professional... debate. Free speech only works with more free speech, add bourbon for a party.

On Sep 1, 2011, at 3:26 AM, Sergio 'shadown' Alvarez shad...@gmail.com wrote:

>>> Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to protect better themselves.
>>
>> I really take offense to your comment.
>
> There's no offense within the truth. btw, I forgot trainings in that paragraph.
>
>> I am seeing malware out in the field that is based on work by so-called noble security researchers.
>
> You are seeing? Wow, how? From this mail it's clear you have no idea, and even less about the reverse engineering that is required to do such analysis. I am a reverse engineer, and I know what I'm talking about, but this is not the list to get into a discussion about malware and reversing.
>
>> My litmus test is: If there were no whitehats and security researchers, would we be better off at fighting the bad guys? My answer is emphatically yes.
>
> Might I ask you a question? Why are you even on this mailing list if you are the kind of guy or developer that just doesn't care about doing your products correctly? Based on your answer a whitehat for you is a nightmare, the one who is giving your boss the red pill and because of that you are 'forced' to rewrite your code and do things as you should have done from the very beginning. People that follow your line of thinking are the ones who need to be replaced by people willing to learn in order to do better and more secure products.
>
>> I agree with Gary and from knowing Gary from all of his posts and podcasts, this is not a new stance from him. I am in complete agreement with him and always have been.
>
> I do agree with Gary in that there is a need of having a new Conference about Defense Technologies and Awareness *for Developers*, that brings top notch security professionals and researchers together. I highlight *for developers* because for people who know what they are doing there are a bunch of conferences, and since you brought up the topic of malware, here you have some specifically for that topic: http://www.virusbtn.com/news/calendar/index Especially the VB Conference (Virus Bulletin) is really good.
>
>> And while I am here, the Builders vs. Breakers term should be attributed to Mark Curphey. You can probably still find his original post.
>
> I'm sort of sick of the whole attribution thingy. I've seen many of that in academia 'research', where they just take research from some unknown researcher and put a label on it and claim attribution afterwards. The Builders vs Breakers meme has been discussed for *years*, I mean since before the 90s, and especially in other disciplines than software development. But since you've mentioned a specific person, a recent discussion which predates the author you've mentioned is here from June 3, 2008: http://marc.info/?l=cryptographym=121260561401776w=2 http://news.cnet.com/2300-1029_3-6240826.html?tag=ne.gall.pg Let me know if you find an article from that Mark Curphey which predates that one and I'll give you another one older just to fit your needs.
>
>> The next question is: Can we ever prevent people from being security researchers or white hats or black hats or bad guys? No.
>
> Can we prevent people from developing shitty code? Can we prevent people from talking BS? Neither.
>
>> But I think we have to start to take the lipstick off of the pigs and recognize what it is. It's called Blackhat, isn't it?
>
> A blackhat is the first one willing to keep things secret, so that nobody knows anything. It is thanks to whitehats and researchers who present their work and bring some light to blind people that products evolve over time. Otherwise we would still have products like Windows 95 or Windows NT 4.0 which were a joke from a security point of view. When Bill Gates sent the famous letter to all the company asking them to stop doing whatever it was they were doing and start auditing and reviewing the security of their developments, a lot of developers and project managers quit because they didn't want to rebuild right what they've built wrong. I believe you think like those developers and PMs, that's not the way to go.
>
>> Very unfortunately, there is more glamour - and probably more reward - in breaking stuff.
>
> That's a media/press problem, they are guilty of that. I personally have great respect for products well engineered.
>
>> What I hate is that security researchers and the white hats try to present
Re: [SC-L] informIT: Building versus Breaking
What we need is to start building software that can fight back. Then we could become part of cyber warfare which is much sexier than software assurance. :)

===
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

Sorry, you have reached an imaginary number. If you require a real number, please rotate your phone by ninety degrees and try again.

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Rafal [ra...@ishackingyou.com]
Sent: 01 September 2011 22:59
To: co...@linus.mitre.org; shad...@gmail.com
Cc: a...@homeport.org; sc-l@securecoding.org
Subject: Re: [SC-L] informIT: Building versus Breaking

> Steve,
>
> I think that the problem we have here is classic - defense isn't sexy. I think you could get DHS to sponsor one maybe? I think between some government funds, and some vendor support you'd be OK on costs, but the larger question of whether people would come... only time would tell.
>
> Rafal Los - Security Intelligence | Voice/Text: (765) 247-2325 | Twitter: @RafalLos
>
> Steven M. Christey co...@linus.mitre.org wrote:
>
>> While I'd like to see Black Hat add some more defensive-minded tracks, I just realized that this desire might be a symptom of a larger problem: there aren't really any large-scale conferences dedicated to defense / software assurance. (The OWASP conferences are heavily web-focused; Dept. of Homeland Security has its software assurance forum and working groups, but those are relatively small.)
>>
>> If somebody built it, would anybody come?
>>
>> - Steve
Re: [SC-L] informIT: Building versus Breaking
While I'd like to see Black Hat add some more defensive-minded tracks, I just realized that this desire might be a symptom of a larger problem: there aren't really any large-scale conferences dedicated to defense / software assurance. (The OWASP conferences are heavily web-focused; Dept. of Homeland Security has its software assurance forum and working groups, but those are relatively small.)

If somebody built it, would anybody come?

- Steve
Re: [SC-L] informIT: Building versus Breaking
I agree on the terminology of whitehat vs. blackhat here Sergio, but in almost every other regard I disagree completely.

> To design and build proper software and hardware there are a lot of conferences out there, as well as trainings and a huge amount of literature. There are very good books when it comes to secure software development.

This is 100% false and misleading. Yes, there are great security tools out there, and yes there are great development conferences - however, the two *rarely* if *ever* intermingle. See my blog "Cross Pollination; It's not just for Bees" (http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html) for my thoughts on this subject in particular.

Additionally, students are taught how to write insecure code from the time they write their first Hello World application. This topic has been discussed a great many times and hasn't changed much. Go to your local bookstore and pick up a Java book, flip to the section on JDBC and tell me that the first thing you learn to do is something other than build a dynamic SQL statement with untrusted user input. Show me an MVC book that covers proper contextual output encoding or building a Data Access Control policy. Pick up a Tomcat book and tell me where it says you should disable the InvokerServlet. Pick up a .Net book and tell me where the chapter on using AntiXSS is. I could go on and on, but I really don't think it is necessary.

> Every year what is presented, in the best security conferences, are new techniques that developers need to be aware of in order to build secure products. Most of the presentations talk about things that were wrongly designed and/or corner-cases which were not considered.

I think we can agree that the majority of flaws that get exploited are due to improper or missing security controls. This is a fundamental flaw in engineering software. I have sat with some of the best software architects and looked at their architecture diagrams and specifications. I have seen the missing controls, I have seen the specifications lacking or using controls improperly. I have seen damn smart developers make really stupid mistakes when trying to make security decisions in code simply because they don't really understand what it means to write secure code.

> There are also a lot of tools and libraries which help development teams to do things right, especially libraries and templates like Microsoft SafeInt as well as the safe APIs, which prevent developers from shooting themselves. They just need to use them. There are also managed languages, APIs to handle SQL securely, etc. It is just that a lot of developers don't use what is available to them.

See above statements.

> Blackhat is great as it is now, there are talks about new defense technologies from time to time too. Having more talks about defense would be used, in my opinion, to sell products more than anything else. I don't believe it would do any good to Blackhat.

Again, I completely disagree. As a general rule, people that break software know enough about engineering to be able to spot flaws in code - they don't really *understand* terms like 'Agile' or 'Inversion of Control', and conversely most developers may have heard of SQL Injection or Cross Site Scripting but have *no* concept of the depth of the problems. Only by bringing the builders and the breakers together and getting them involved in the other side will we begin to see changes. Blackhat is a *perfect* opportunity to do this. Where else are there thousands of security professionals who are great at breaking stuff but not so good at understanding what it really takes to build something - how to architect software and systems - or the nuances of specific languages, libraries, and development methodologies?

Also the argument that this is what the vendor area is for - complete and utter BS. You show me the magic box that takes poorly written code in one side and spits out well architected and secure code on the other and then we can talk. Products don't fix software problems - and we can all agree that the application is the attack surface that everyone should be focusing on right now I think.

> Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to protect better themselves. And even then many good talks overlap unfortunately.

Yes, Blackhat is absolutely about breaking stuff, this is a major part of the problem. Developers generally don't go to Blackhat - they go to JavaOne. How many talks are there at JavaOne on the latest 0-day in Spring or Struts? How many speakers go to ApacheCon to talk about the vulnerabilities in Cocoon or HTTPD? None! We want developers to come to Blackhat and learn about doing this - but there are very few, if any development
Re: [SC-L] informIT: Building versus Breaking
Not many builders go to BlackHat. BlackHat is by Breakers, for Defenders. It is primarily attended by Defenders, with a smaller pool of dedicated Breakers. It is very valuable to our industry to have conferences focused on Breaking. Though they do have Builder and Defender talks. Some of my first BlackHat talks were on a statistical B-A-D WAF a few of us built, though statistical behavioral anomaly detection is boring, so we'd drop a few zero-days on products in the talk to keep folks awake.

If you want to reach Builders: there are already dev-focused conferences and communities for Builders. Jeremiah Grossman and I have made a point of going to developer-focused conferences around the world, and been well received. So, I suspect they'll allow other security folks in too.

Michael Coates has an excellent blog post suggesting an organization for OWASP along the above lines - and appealing to all three groups - it would be interesting to see other security conferences explore this structure: http://michael-coates.blogspot.com/2011/02/vision-for-owasp.html

As for your concerns with over-emphasis on breaking: Breaking is concrete, measurable, and actionable. There are many historical precedents for Breakers driving the innovations of Builders. For example: the auto industry Builders learned substantively about safety from the Breakers. There are many lessons in the evolution of car safety features for us in how Breakers drive defense. From IR (cadaver research) to Black Box (crash testing) to SAST/DAST automation tools and test harnesses (Hybrid III and acceleration sleds) - the evolution of car safety was instrumentally fueled, if not driven, by the innovations of the Breakers. It makes sense that software security will benefit from many of the same analogues. So - it's no surprise there is so much emphasis on breaking!

Finally - Breaking sells. It's really hard for Defenders to sell Building Secure to business owners without concrete measurements from Breakers. Basically, Breakers help Defenders get budget for things like Secure Builder research and programs. And Breakers provide measurement metrics on Builder progress.

Let's face it - Breaking is far sexier than Building. When was the last time you saw an exciting presentation on -GS in Visual Studio? This may be why the SCL list is smaller than the dozens of other Breaker lists out there on the interwebs. Or it could be that the problem is so darn hard.

---
Arian Evans
Builder and Breaker

On Wed, Aug 31, 2011 at 7:16 AM, Gary McGraw g...@cigital.com wrote:

> hi sc-l,
>
> I went to Blackhat for the first time ever this year (even though I am basically allergic to Las Vegas), and it got me started thinking about building things properly versus breaking things in our field. Blackhat was mostly about breaking stuff of course. I am not opposed to breaking stuff (see Exploiting Software from 2004), but I am worried about an overemphasis on breaking stuff.
>
> After a quick and dirty blog entry on the subject http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/, I sat down and wrote a better article about it:
>
> Software [In]security: Balancing All the Breaking with some Building
> http://www.informit.com/articles/article.aspx?p=1750195
>
> I've also had a chat with Adam Shostack (a member of the newly formed Blackhat Advisors) about the possibility of adding some building content to Blackhat. Go Adam!
>
> Do you agree that Blackhat could do with some building content??
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
Re: [SC-L] informIT: Building versus Breaking
Hi Chris,

Thanks for answering my email. There's one thing that I actually believe you people are not following here. Blackhat is a conference to present cutting-edge NEW offensive technologies, methodologies, techniques, etc. It is *not* about talking about things that were already presented and talked about; for that there are other conferences with that specific purpose, maybe you are not aware of those. You should google a little bit. Search for: "security conferences google calendar" and you'll have a good panorama of conferences; check the schedules and you'll see there are conferences that cover pretty much all the topics.

I understand that a lot of developers and project managers are willing to have technically *good* conferences focused on defense at all levels, but from there to propose that Blackhat become such a thing is 100% plain wrong. Probably a new conference should be created to satisfy the niche you are mentioning. Then if people who are technically capable are willing to present the material they usually use to give trainings to their customers, then that's another story.

>> To design and build proper software and hardware there are a lot of conferences out there, as well as trainings and a huge amount of literature. There are very good books when it comes to secure software development.
>
> This is 100% false and misleading.

If you read the following six books you'll probably have more than you might actually need (actually with the first 5):

The Security Development Lifecycle: http://www.amazon.com/Security-Development-Lifecycle-Michael-Howard/dp/0735622140/ref=sr_1_1?s=booksie=UTF8qid=1314826912sr=1-1
Threat Modeling: http://www.amazon.com/Threat-Modeling-Microsoft-Professional-Swiderski/dp/0735619913/ref=sr_1_1?s=booksie=UTF8qid=1314826965sr=1-1
Writing Secure Code, Second Edition: http://www.amazon.com/Writing-Secure-Second-Michael-Howard/dp/0735617228/ref=sr_1_3?s=booksie=UTF8qid=1314826965sr=1-3
Code Complete: A Practical Handbook of Software Construction: http://www.amazon.com/Code-Complete-Practical-Handbook-Construction/dp/0735619670
The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities: http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/032126/ref=sr_1_1?s=booksie=UTF8qid=1314826625sr=1-1
Hunting Security Bugs: http://www.amazon.com/Hunting-Security-Bugs-Tom-Gallagher/dp/073562187X/ref=sr_1_2?s=booksie=UTF8qid=1314826641sr=1-2

> Yes, there are great security tools out there, and yes there are great development conferences - however, the two *rarely* if *ever* intermingle. See my blog Cross Pollination; It's not just for Bees (http://yet-another-dev.blogspot.com/2010/11/cross-pollination-its-not-just-for-bees.html) for my thoughts on this subject in particular.

I've read your blog and I understand your frustration. I know a bunch of people who are great in both areas, and they work actively in the SDL process for big companies. I believe if a conference to present this kind of presentations is created they would be interested in doing some presentations there. Actually I would do a couple as well. But the life time of such a conference is technically short, because once you've presented what has to be done, then the rest is up to the people who develop the software.

New tools, yes there will always be new tools, as well as there will always be people willing to talk. But for professionals, once the message is transmitted there are two options: either the developers understood, or they need to get a training to understand. Also it is the responsibility of the companies to train their people to make better products; big companies do that all the time and even create internal conferences so that their developers get aware of what can go wrong.

> Additionally, students are taught how to write insecure code from the time they write their first Hello World application. This topic has been discussed a great many times and hasn't changed much. Go to your local bookstore and pick up a Java book, flip to the section on JDBC and tell me that the first thing you learn to do is something other than build a dynamic SQL statement with untrusted user input.

That's because there are crappy books all over the place. And professors who shouldn't be 'teaching' anymore unless they actualize their education material to the time they are living in. Are they teaching GWBasic? NO, they are just teaching wrong. That's not my problem. It is an education problem, and we could discuss this for ages, because even all the education models that I know of are fundamentally broken.

> Show me an MVC book that covers proper contextual output encoding or building a Data Access Control policy. Pick up a Tomcat book and tell me where it says you should disable the InvokerServlet. Pick up a .Net book and tell me where the chapter on using AntiXSS is. I could go on and on, but I really don't
Re: [SC-L] informIT: Building versus Breaking
Sergio,

> Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to better protect themselves.

I really take offense to your comment. I am seeing malware out in the field that is based on work by so-called noble security researchers. My litmus test is: if there were no whitehats and security researchers, would we be better off at fighting the bad guys? My answer is emphatically yes.

I agree with Gary, and from knowing Gary from all of his posts and podcasts, this is not a new stance from him. I am in complete agreement with him and always have been. And while I am here, the Builders vs. Breakers term should be attributed to Mark Curphey. You can probably still find his original post.

The next question is: can we ever prevent people from being security researchers or white hats or black hats or bad guys? No. But I think we have to start to take the lipstick off of the pigs and recognize what it is. It's called Blackhat, isn't it? Very unfortunately, there is more glamour - and probably more reward - in breaking stuff. What I hate is that security researchers and the white hats try to present themselves as noble and as the good guys. It's f*cking bullsh*t and a total scam. Ten years later for me and the state of infosec is much worse. There is also a nasty faction of infosec that will never want to solve problems which will put themselves out of work.

Yep, I am throwing down that gauntlet FWIW.

Stephen

On Wed, Aug 31, 2011 at 1:01 PM, Sergio 'shadown' Alvarez shad...@gmail.com wrote:

> Hi gem,
>
> I've read your article to see what direction you were willing to take, before jumping into the conversation. Your post was exactly what I thought you were heading to. I disagree with your thought for many reasons. But first I would like to use proper terms so that we don't misuse some vocabulary:
>
> You said:
>
>> Software security should be a balanced approach of offense and defense (white hat and black hat, if you will)
>
> Whitehat: reports what he/she has found. Network vulnerabilities, software security flaws, flawed crypto, design flaws, or whatever it is that the individual found was broken or wrong.
> Blackhat: doesn't report what he/she found, because she/he wants to keep it that way.
> Of course there are a lot of grays out there too.
> Defense is…well... defense.
>
> To design and build proper software and hardware there are a lot of conferences out there, as well as trainings and a huge amount of literature. There are very good books when it comes to secure software development. Every year what is presented, in the best security conferences, are new techniques that developers need to be aware of in order to build secure products. Most of the presentations talk about things that were wrongly designed and/or corner-cases which were not considered. There are also a lot of tools and libraries which help development teams to do things right, especially libraries and templates like Microsoft SafeInt as well as the safe APIs, which prevent developers from shooting themselves. They just need to use them. There are also managed languages, APIs to handle SQL securely, etc. It is just that a lot of developers don't use what is available to them.
>
> Blackhat is great as it is now; there are talks about new defense technologies from time to time too. Having more talks about defense would be used, in my opinion, to sell products more than anything else. I don't believe it would do any good to Blackhat.
>
>> I am not opposed to breaking stuff (see Exploiting Software from 2004), but I am worried about an overemphasis on breaking stuff.
>
> Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to better protect themselves. And even then many good talks overlap, unfortunately.
>
> Regards,
> Sergio
>
> On Aug 31, 2011, at 4:16 PM, Gary McGraw wrote:
>
>> hi sc-l,
>>
>> I went to Blackhat for the first time ever this year (even though I am basically allergic to Las Vegas), and it got me started thinking about building things properly versus breaking things in our field. Blackhat was mostly about breaking stuff of course. I am not opposed to breaking stuff (see Exploiting Software from 2004), but I am worried about an overemphasis on breaking stuff.
>>
>> After a quick and dirty blog entry on the subject http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/, I sat down and wrote a better article about it:
>>
>> Software [In]security: Balancing All the Breaking with some Building
Re: [SC-L] informIT: Building versus Breaking
There are these:

ISC(2) Secure Software Conference Series - https://www.isc2.org/PressReleaseDetails.aspx?id=650
ESSoS - http://distrinet.cs.kuleuven.be/events/essos/2012/
SecSE - http://www.sintef.org/secse
SSIRI - http://paris.utdallas.edu/ssiri11/

But your point is taken. Most of the conferences in this domain appear to be outside the U.S. I'm not sure what THAT says about U.S. attitudes about software assurance (though I have my suspicions).

More important is the question of who actually attends these conferences. I'm in the process of updating some research on how and where software security assurance is being taught by colleges and universities, and what I'm finding is that the topic has been pretty much marginalised into an aspect of information assurance - i.e., it's being taught mostly to postgraduates who are majoring in IA and related disciplines - rather than an aspect of software development. There are exceptions, of course - but by and large that seems to be the trend. And I think the same is true of the conferences. It's the security wonks who care about software assurance much more than the actual software developers.

Take a look at: http://zastita.com/index.php?det=64494

===
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

Sorry, you have reached an imaginary number. If you require a real number, please rotate your phone by ninety degrees and try again.

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Steven M. Christey [co...@linus.mitre.org]
Sent: 31 August 2011 16:45
To: Sergio 'shadown' Alvarez
Cc: Adam Shostack; Secure Code Mailing List
Subject: Re: [SC-L] informIT: Building versus Breaking

While I'd like to see Black Hat add some more defensive-minded tracks, I just realized that this desire might be a symptom of a larger problem: there aren't really any large-scale conferences dedicated to defense / software assurance. (The OWASP conferences are heavily web-focused; Dept. of Homeland Security has its software assurance forum and working groups, but those are relatively small.)

If somebody built it, would anybody come?

- Steve
Re: [SC-L] informIT: Building versus Breaking
Hi gem,

I've read your article to see what direction you were willing to take, before jumping into the conversation. Your post was exactly what I thought you were heading to. I disagree with your thought for many reasons. But first I would like to use proper terms so that we don't misuse some vocabulary:

You said:

> Software security should be a balanced approach of offense and defense (white hat and black hat, if you will)

Whitehat: reports what he/she has found. Network vulnerabilities, software security flaws, flawed crypto, design flaws, or whatever it is that the individual found was broken or wrong.
Blackhat: doesn't report what he/she found, because she/he wants to keep it that way.
Of course there are a lot of grays out there too.
Defense is…well... defense.

To design and build proper software and hardware there are a lot of conferences out there, as well as trainings and a huge amount of literature. There are very good books when it comes to secure software development. Every year what is presented, in the best security conferences, are new techniques that developers need to be aware of in order to build secure products. Most of the presentations talk about things that were wrongly designed and/or corner-cases which were not considered. There are also a lot of tools and libraries which help development teams to do things right, especially libraries and templates like Microsoft SafeInt as well as the safe APIs, which prevent developers from shooting themselves. They just need to use them. There are also managed languages, APIs to handle SQL securely, etc. It is just that a lot of developers don't use what is available to them.

Blackhat is great as it is now; there are talks about new defense technologies from time to time too. Having more talks about defense would be used, in my opinion, to sell products more than anything else. I don't believe it would do any good to Blackhat.

> I am not opposed to breaking stuff (see Exploiting Software from 2004), but I am worried about an overemphasis on breaking stuff.

Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to better protect themselves. And even then many good talks overlap, unfortunately.

Regards,
Sergio

On Aug 31, 2011, at 4:16 PM, Gary McGraw wrote:

> hi sc-l,
>
> I went to Blackhat for the first time ever this year (even though I am basically allergic to Las Vegas), and it got me started thinking about building things properly versus breaking things in our field. Blackhat was mostly about breaking stuff of course. I am not opposed to breaking stuff (see Exploiting Software from 2004), but I am worried about an overemphasis on breaking stuff.
>
> After a quick and dirty blog entry on the subject http://www.cigital.com/justiceleague/2011/08/09/building-versus-breaking-a-white-hat-goes-to-blackhat/, I sat down and wrote a better article about it:
>
> Software [In]security: Balancing All the Breaking with some Building
> http://www.informit.com/articles/article.aspx?p=1750195
>
> I've also had a chat with Adam Shostack (a member of the newly formed Blackhat Advisors) about the possibility of adding some building content to Blackhat. Go Adam!
>
> Do you agree that Blackhat could do with some building content??
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justoceleague
> book www.swsec.com