As the saying goes, a Unix server goes down and you have a bad weekend. A
Mainframe goes down and the earth stops rotating on its axis. To the latter
point, MQ Series and other messaging systems that communicate with Mainframes
and heritage(*) systems get next to no attention from the security c
In case anyone needs a summer project, I wonder what percentage of issues
discussed in the 111 shows are still issues today?
-gunnar
> On Jul 7, 2015, at 11:45 AM, Kevin W. Wall wrote:
>
> Ah, I see...so the dirty trick is that you are finally doing reruns.
> Syndication can't be far behind
Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of
security. On the software side, esp in the case of Twitter, Facebook et al, the
equivalent is David Gelernter.
I did a mashup of these titans and I must say I think there is a fair(and
increasing) amount of impedance
> but actually we should be making decisions at higher
> levels where the permission correspond to things the user understands
> (e.g. "my account at Google" or "my Flickr photos" or "this album in
> Picasa").
Salesforce.com oauth client for Android is a good example of this
http://wiki.develope
Advanced = goes through firewall
Persistent = tried more than once
Threat = people trying to get into valuable stuff
Nothing new to sc-l readers, but a reasonably good marketing term esp by
infosec standards (yay we get to scare business people with something other
than an auditor's clipboard!);
from interview with iRobot CEO and founder Colin Angle:
Are you planning on developing apps for robots like Roomba and Scooba?
The robot operating system architecture will divide in half. The mobile
industry is moving far faster and is far larger than the robot industry. You’ve
got a couple of w
Hi Ken,
You raise some important points. Most infosec is approached as a set of
controls, but access control only takes you so far in the face of malice.
I like this quote from G.K. Chesterton
"The real trouble with this world of ours is not that it is an unreasonable
world, nor even that it i
Flip side of "Lifestyle Hacking" aptly described by Messrs McGraw and
Routh is when your organization cannot deliver the functionality/data/
usability that the consumers need.
http://1raindrop.typepad.com/1_raindrop/2010/03/bring-your-cloud-to-work-in-iraq.html
-gunnar
___
It's been a while since there was a bugs vs flaws debate, so here is a
snippet from Jaron Lanier
Q: What's wrong with the way we create software today?
A: I think the whole way we write and think about software is wrong.
If you look at how things work right now, it's strange -- nobody --
a
design flaws. So we have only removed 50% of the problem.
for my part there have been many, many days when I would settle for
solving 50% of a problem
-gunnar
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscript
I am sure some things could be put into a basic class, but the ideas
are a bit deeper. Security at the "Hello World!" or Mortgage
Calculator program level seems quite difficult.
I am not so sure. Granted an entry level programmer is going to be an
expert, but they can be pretty effective
I think we need to start indoctrinating kids in the womb. Start
selling Baby Schneier CDs alongside Baby Mozart. :)
I can recommend this book, it was given to me by a client.
Enigma: A Magical Mystery
"Grade 3–6—Someone has stolen the props belonging to the residents of
a retirement home
+1
great interview
-gunnar
On Jul 17, 2009, at 11:25 AM, Gary McGraw wrote:
> hi sc-l,
>
> One of our sc-l listeners (gunnar) suggested Bob Blakley as an
> interview target. Bob is a particularly interesting guy because he
> both a well-respected scientist very active in the security resea
Billions stolen in online robbery
Space trading game Eve Online has suffered a virtual version of the
credit crunch.
One of the game's biggest financial institutions lost a significant
chunk of its deposits as a huge theft started a run on the bank.
One of the bank's controllers stole about
hi gary
one other interesting note on twitter security that i am retweeting
from @cykyc & @focalintent:
you put your SSN in number-dash format, twitter automatically
obfuscates it to XXX-XX-!
Now we just need fortune 500 to run twitter instead of ERP, CRM, etc.
-gunnar
On May 15, 2009
ates & California Sciences Institute
Lloyd Ellam, Iceberg Networks
Dan Geer, In-Q-Tel
Andrew Jaquith, Forrester Research
Wayne Jansen, National Institute of Standards and Technology (NIST)
Gene Kim, Tripwire
Gunnar Peterson, Arctec Group
Chris Walsh, SurePayroll
___
>
> Two areas that don't seem to immediately lend themselves to design/
> spec
> level solutions are (1) transitive trust and (2) interaction errors
> between multiple components that are all working correctly. I'd
> love to
> hear from people who've had to solve these problems in the real worl
e war intended, but a healthy discussion should be in order.
>
> So please don't talk about "developers" as targets. They/we are the
> lowest on the totem pole. Direct your arrows at the people that you
> deal with. Plain and simple.
>
> Cheers,
> Stephen
>
&
wasting my time. Even if they do care,
>> they have no effect overall.
>>
>> Your target and blame is wrong; that's all that I am saying.
>>
>> Stephen
>>
>> On Wed, Nov 26, 2008 at 12:48 AM, Gunnar Peterson
>> <[EMAIL PROTECTED]> wrot
"developers". It
> offends me because you are putting the onus of knowing about software
> security on the wrong people.
>
> Cheers,
> Stephen
>
> On Tue, Nov 25, 2008 at 10:18 PM, Gunnar Peterson
> <[EMAIL PROTECTED]> wrote:
>> maybe the problem with least pri
maybe the problem with least privilege is that it requires that
developers:
1. define the entire universe of subjects and objects
2. define all possible access rights
3. define all possible relationships
4. apply all settings
5. figure out how to keep 1-4 in synch all the time
do all of this be
>
> http://validator.w3.org shows that page has 25 HTML errors.
>
fwiw, mac.com has 28 errors and 1 warning
-gunnar
p.s. my domain has 42 otoh i wrote the whole "design" from scratch in vi
I strongly agree with James' ask. It's nice to hear from gurus, but we need to
hear about real world tradeoffs too. Sausage making ain't pretty (ask Hank and
Ben), but it's the real world and I for one am always fascinated with what
choices organizations make and why.
I am also very excited to hea
Ken van Wyk and I are teaching Building Secure Web Applications in Java/J2EE in
Minneapolis, September 30 - October 2. The summary is below, if you would like
more info please let me know. More details to follow.
Building Secure Web Applications in Java/J2EE
Course Description
This course teach
for the vast majority of the profession - slamming the magic pizza box in a
rack
is more preferable than talking to developers. in many cases the biggest
barrier
to getting better security in companies is the so-called information security
group. it has very little to do with technology, it's a
> But the difference is who is in final control. In the end, the users of
> computers should be in final control, not their makers, or we have given
> up essential liberty. We can develop systems which provide suites of
> more specialized privileges to particular functions, without giving up
Hi Andy,
Great post. I especially like the part about making choices. Having
users type passwords into websites that "protect" all their assets
pretty clearly isn't working. Cardspace is pretty clearly a massive
improvement. That said, I don't think the choice is between perfect
liberty and pe
Hi Gary,
I think they are doing it, Cardspace is the key enabling technology to
making it happen. Given how many enterprises are federation-enabled (and
how simply the rest can be), the biggest missing piece right now is that
we need an Identity Provider for the Internets.
Of course this only
es & California Sciences Institute
Dan Conway, Indiana University
Lloyd Ellam, Iceberg Networks
Andrew Jaquith, The Yankee Group
Elizabeth Nichols, PlexLogic
Gunnar Peterson, Arctec Group
Bryan Ware, Digital Sandbox
Christine Whalley, Pfizer
1 http://securitymetrics.org/content/Wiki
I agree this is a big issue, there is no cotton picking way that the
security people are solving these problems, it has to come from the
developers. I put together a track for QCon which included Brian Chess
on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on
ESAPI and Web
Another approach is decentralized specialized teams, centers of excellence
in current management-speak, with a specific agenda and expertise on an area
deemed strategic. This approach is probably best paired with 2,3, or 4 from
your list. For example, a roving specialized threat modeling team that w
Local boy makes good
http://online.wsj.com/article/0,,SB112128453130584810,00-search.html
-gp
On 11/15/07 10:25 AM, "McGovern, James F (HTSC, IT)"
<[EMAIL PROTECTED]> wrote:
> I have observed an interesting behavior in that the vast majority of IT
> executives still haven't heard about the pri
> That said, we should keep trying! I believe one answer is to take advantage
> of relative metrics over time.
>
I agree that this can be a practical starting point for organizations. I had
a client starting down the path with static analysis, they have thousands of
developers and many applicati
erated by Becky Bace: Three practitioners from thought
leading companies describe how they use metrics to make better decisions.
If you know others that would be interested this collaborative workshop,
please forward them this email and let them know about this opportunity.
Please co
> and that's the problem. the accountability for insecure coding should
> reside with the developers. it's their fault [mostly].
I find it fascinating that an industry like security, that has delivered a
grand total of TWO working mechanisms[1] over several decades of effort, is
so willing to thro
>
>>
>> -gp
>>
>> On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:
>>
>>> Plus, check out Andrew Jaquith's excellent book:
>>>
>>> -Original Message-
>>> From: Gunnar Peterson [mailto:[E
we know it will get by without fud.
-gp
On 4/24/07 7:32 PM, "Gary McGraw" <[EMAIL PROTECTED]> wrote:
> Plus, check out Andrew Jaquith's excellent book:
>
> -----Original Message-
> From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
> Sent: Tue Apr 24 20:
d Cohen, Fred Cohen & Associates
Jeremy Epstein, webMethods
Dan Geer, Geer Risk Services
Andrew Jaquith, Yankee Group
Elizabeth Nichols, ClearPoint Metrics, Co-Chair
Gunnar Peterson, Arctec Group, Co-Chair
Russell Cameron Thomas, Meritology
> Just because people can look at a project in detail, doesn't mean they
> will. More to the point, just because people can, doesn't mean code
> auditing gurus will look at it.
>
And sometimes, when they do look they get booted out of the project
http://www.heise-security.co.uk/news/82500
-gp
JD Meier had a good post recently on influencing without authority, which is the
position security finds itself in:
1. assume all potential allies
2. clarify goals and priorities
3. diagnose the allies world
4. identify relevant currencies
5. deal with relationships
6. influence through give and t
-----Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
> Sent: Thursday, March 08, 2007 9:13 AM
> To: [EMAIL PROTECTED]
> Cc: SC-L@securecoding.org
> Subject: Re: [SC-L] What defines an InfoSec Professional?
>
> actually
actually just the former. Robert Garigue characterized firewalls, nids, et al
as good network hygiene. The equivalent of a dentist telling you to brush your
teeth. An infosec pro needs much more depth than that. The model is charlemagne
http://1raindrop.typepad.com/1_raindrop/2007/02/thinking_ab
Along these same lines, I submit "the Four Coders of the Apocalypse" by Dave
Thomas and Andy Hunt. One of the major areas we need to work is adoption.
Programmers are not all created equal, this presentation shows four types of
programmers, and describes what drives them and ideas on dealing with t
> 1. I haven't gotten a sense that a bakeoff matters. For example, if I wanted
> to write a simple JSP application, it really doesn't matter if I use Tomcat,
> Jetty, Resin or BEA from a functionality perspective while they may each have
> stuff that others don't, at the end of the day they are all
Sure it should be built into the language, and I assume it will be
eventually. Heck it only took 30 or 40 years for people to force developers
to use Try...Catch blocks.
-gp
On 12/21/06 9:30 AM, "McGovern, James F (HTSC, IT)"
<[EMAIL PROTECTED]> wrote:
> I have been noodling the problem space o
Found on the web -- local boy makes good:
Review by Ross Anderson
to appear in Jan/Feb 2007 IEEE S&P Magazine
Gary McGraw, "Software Security - Building Security In"
Addison-Wesley, 2006
`We must first agree that software security is not security software',
writes Gary McGraw in the first chapter
> Seeking perfect correctness as an approach to security is a fool's
> errand. Security is designing systems that can tolerate imperfect software.
>
Exactly. On "Curb Your Enthusiasm" this happened recently. Larry David was
frantically looking for a DVD case, but could not find it.
LD: "I don't
DTDs
http://www.google.com/codesearch?hl=en&lr=&q=file%3Adtd&btnG=Search
-gp
On 10/6/06 2:14 AM, "Robert C. Seacord" <[EMAIL PROTECTED]> wrote:
> Gadi,
>
> Here are some searches from Derek Jones:
>
> The new Google source code search page has opened up
> some interesting research possibiliti
I can't say enough good things about this interview:
Conversation with Bruce Lindsay
Design For Failure
http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=233
BL: There are two classes of detection. One is that I looked at my own guts and
they didn't look right, and so I say this i
1) you don't have to run web services over port 80
2) you can run lots of interesting things over port 80 not just web services
3) web services are an incremental improvement over dcom, mq series, and
rmi-iiop. I do not see that the IDS and Systems monitoring situation is any
worse, since they ar
There may be a conflict here depending on the implementation in practice,
but not necessarily. SOA and Web Services often aggregate lots of endpoints
(enterprise service buses do this for example) into a smaller set of service
interfaces.
A couple of weeks ago at MetriCon, Pratyusa Manadhata gave
Secure software you're (not) soaking in it.
On 7/16/06 8:32 AM, "mikeiscool" <[EMAIL PROTECTED]> wrote:
> On 7/16/06, ljknews <[EMAIL PROTECTED]> wrote:
>> At 3:27 PM -0400 7/15/06, Goertzel Karen wrote:
>>> Content-class: urn:content-classes:message
>>> Content-Type: multipart/alternative;
>>>
Also, Andrew van der Stock did a presentation at OWASP Europe on Ajax security
http://www.greebo.net/?p=344
-gp
Quoting Kenneth Van Wyk <[EMAIL PROTECTED]>:
> FYI, I just found an article on Ajax security out on Security focus.
> The article is here:
>
> http://www.securityfocus.com/infocus/186
Title: Re: [SC-L] RE: Comparing Scanning Tools
Right, because their customers (are starting to) demand more secure code from their technology. In the enterprise space the financial, insurance, healthcare companies who routinely lose their customer’s data and provide their customers with vulnerab
raints. The quantification to date
> has only been the cliche: it is cheaper to fix X earlier in the lifecycle
> rather than later in which X could be pretty much any system quality.
>
>
>
> -Original Message-
> From: Gunnar Peterson [mailto:[EMAIL PROTECTED]
Hi James,
I think you are right to look at it as economic issue, but the other factor
to add into your model is not just the short term impact to developer
productivity (which is non-trivial), but also the long term effects of
making decisions *not* to deal with finding bugs.
"Cleaning up data br
"There is a well understood best practice in software development that
developers should not attempt to write their own cryptographic algorithms
because of the complexity, lack of peer review, and value of that which the
cryptographic functions are protecting. Developers, in contrast, routinely
wri
One of my colleagues referred to the current hiring situation for app sec
folks as being analogous to looking for Apache webmasters in 1994.
In his movie "He Got Game", Spike Lee cast NBA player Ray Allen in the lead
role because he said that it was easier to teach basketball players to act
than t
This comes back to that great concept called 'Faith-based' Security (see Gunnar Peterson's post http://1raindrop.typepad.com/1_raindrop/2005/11/net_and_java_fa.html ), which is when people are told so many times that something is secure, that that they believe that it MUST be secure. Some examples:
a lot of this gets back to a "framework versus roll your own debate"
http://1raindrop.typepad.com/1_raindrop/2005/05/wsmex_v_httpget.html
&
http://www.identityblog.com/2005/04/30.html#a210
also, for some good context security in ajax, rest, et al. as well
as examples of how amazon and google
Good stuff, you (and your co-authors) are right: SOA and Web Services are
properly viewed as opportunities for security improvements, not security
nightmares.
Also, I have a paper here (http://www.arctecgroup.net/ISB1009GP.pdf) on Service
Oriented Security (SOS) Architecture
-gp
Quoting Gary McG
Perhaps a useful distinction that we could use to assign responsibility is to
separate concerns in algorithms from the concerns of the system as a whole.
Butler Lampson describes how designing a computer system is different from
designing an algorithm:
"The external interface (that is, the requirement
So from a countermeasure standpoint, a bug can and should be fixed locally,
while a flaw may require that the countermeasure exists at a different level of
abstraction. For example, I assume no one thinks (in OO at least) that input
validation is resident in every method, but rather called external
Hi John,
Which of the following more aptly characterizes the problem?:
IMPL. BUG: Insufficient security-constraint existed on the admin
Servlet in
the app's deployment descriptor.
ARCH. FLAW: No façade component gated privileged functionality
-alternatively-
ARCH. FLAW: Privileged functio
That page is a link to the doc types
html:
http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.html
txt
http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.txt
pdf
http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.pdf
-gp
Q
The DHS/SEI portal Build Security In is now live, there is a ton of
resources and artifacts for developers to use to write more secure code:
https://buildsecurityin.us-cert.gov/portal/
The ones i worked on are here
Identity in Assembly and Integration
https://buildsecurityin.us-cert.gov/portal
CIO Asia has a column on "A Few Good Metrics"
http://cio-asia.com/ShowPage.aspx?
pagetype=2&articleid=2560&pubid=5&issueid=63
The article talks about using metrics to quantify risks and control
effectiveness.
"There's no denying that proven economic principles can—and should—be
applied to
roposed to also extend user stories to abuser stories (http://
www.johanpeeters.com/papers/abuser stories.pdf).
kr,
Yo
Gunnar Peterson wrote:
I have published a new paper on integrating security into Use
Case Modeling:
http://www.arctecgroup.net/secusecase.htm
-gp
--
Johan Pe
I have published a new paper on integrating security into Use Case
Modeling:
http://www.arctecgroup.net/secusecase.htm
-gp
Keith Brown has a good discussion of at least one of the design choices, namely
delegation vs. impersonation:
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsDelegation.html
&
http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsImpersonation.html
-gp
Quoting Gizmo <[EMA
It appears that the "user-obvious malware" would need to reach the anterior
insula to make a difference in computer security.
From Business Week -- "Why does logic often take a backseat in making
decisions?":
"The National Hockey League and its players wrangle over a salary cap. The
impasse caus
Quoting "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>:
> You seem to be leaving out one of the largest open efforts at security.
> ISECOM at http://www.isecom.org covers security testing, secure coding,
> incident response and other security related topics.
>
> -Origin
I was thinking about something that Dave Winer said on the Gillmor Gang
about how the software industry moves forward when small groups (like 1
or 2) of developers get motivated to solve a problem. I was wondering
how this applies to software security, since it seems like a perfect
description for
I have blogged at a high level about some work I am doing on security aspects in
SOA and Web Services. Service Oriented Security (SOS) architecture defines a set
of architectural views, their key constituents, constraints, and relationships.
As the SOA space continues to evolve our software security
Agree. Also, the author's conclusion that:
"Efficiency and performance optimization will get more, not less,
important"
Security is already viewed as an obstacle to the above factors. Couple
that with the inherent complexity in concurrent programming models, and
you get three of security's arch
If you do the math on what comes next after the processor
manufacturers' free lunch is over, the implications to concurrency,
security, and privacy are huge:
http://www.gotw.ca/publications/concurrency-ddj.htm
How do traditional security mechanisms function in a massively
concurrent world? How
Gee, no my OS is better than yours? What are mailing lists for then?
[Ed. Nope, sorry. While our volume is low, I like to think that our
signal:noise
ratio is high. Let's keep it that way. Besides, Debian rocks! :-) KRvW]
If people on this list have not read it yet, the conversation with B
so the question then is how do we security professionals catch up to where the
Anasazi were 700 years ago:
http://riskman.typepad.com/perilocity/2004/08/cliff_forts_vs_.html
-gp
Quoting Greenarrow 1 <[EMAIL PROTECTED]>:
> As quoted in a recent email from the article, A Patch is a Patch
rmation to
> consumers about the security in software. Information like how many lines
> of code, what languages, what libraries, process used, security testing
> done, mechanisms included, and other information can and should be
> disclosed.
>
> --Jeff
>
> - Original Messa
> Making software secure should be a requirement of the development
> process. I've had the privilege to have worked on some very good
> projects where the managers emphasised security in the beginning of
> the projects life cycle since it was a requirement of the client.
Making software se
I agree. In general "classic" IT Security types are too focused on the problem
and not focused enough on the solution side of the equation. Development is in
many cases simply blissfully unaware of real security or thinks it's someone
else's job. In terms of dealing with developers and getting them
Interesting paper on usability issues as they pertain to security mechanisms and
their impact on the user experience, trust, and control
http://www.usable-security.net/articles.html
-Gunnar
Hello, Here is a link to Part 1 of my 3 part series on collaboration between
security and development in the enterprise software development lifecycle:
http://www.arctecgroup.net/ISB0905GP.pdf
The focus is on proactive participation by security in the analysis and design
phases through to build