RE: [SC-L] How do we improve s/w developer awareness?

2004-12-05 Thread Peter Amey
[snip] > > Remember that little incident in 2000 when the London > millennium bridge was > closed immediately after opening due to excessive wobbling when people > walked across it? I can't guarantee that my recollection is > accurate, but > I'm sure they were trying to put this down to that s

Re: [SC-L] How do we improve s/w developer awareness?

2004-12-03 Thread David A. Wheeler
der Mouse said: >>Changing liability laws on the other hand is a simple solution. > > But at what price? It would kill off open source completely, as far as > I can see, in the jurisdiction(s) in question. (How many open source > projects could afford to defend a liability suit even if they (a)

RE: [SC-L] How do we improve s/w developer awareness?

2004-12-03 Thread owner-sc-l

Re: [SC-L] How do we improve s/w developer awareness? [Virus Checked]

2004-12-02 Thread graham . coles

Re: [SC-L] How do we improve s/w developer awareness?

2004-12-02 Thread der Mouse
> Changing liability laws on the other hand is a simple solution. But at what price? It would kill off open source completely, as far as I can see, in the jurisdiction(s) in question. (How many open source projects could afford to defend a liability suit even if they (a) wanted to and (b) had a

RE: [SC-L] How do we improve s/w developer awareness?

2004-12-02 Thread Shea, Brian A
to one major company as we email each other on issues. Regards, George Greenarrow1 InNetInvestigations-Forensics - Original Message - From: "George Capehart" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, November 28, 2004 5:18 PM Subject: Re: [SC-L]

RE: [SC-L] How do we improve s/w developer awareness?

2004-12-02 Thread Michael S Hines
I've been trying to get IT Auditors and the Audit community in general to apply the same due diligence to operating systems (infrastructure or general controls) that they apply to applications systems testing. I'm not aware of anyone in the IT Audit community doing OS audits - to verify that t

Re: [SC-L] How do we improve s/w developer awareness?

2004-12-02 Thread Brian Utterback
George Capehart wrote: Yes, assuming management cares . . . and that's *my* broken record . . . :) If the tone of my comments was a bit harsh, it is most emphatically not intended to be directed at your thoughts. It is only because of my intense frustration with the situation. When "Management" w

Re: [SC-L] How do we improve s/w developer awareness?

2004-12-01 Thread George Capehart
On Tuesday 30 November 2004 11:58, Evans, Arian allegedly wrote: > I've almost completely ignored this thread because like > George I believe it's the same old broken record I first > heard Marcus Ranum spin up a decade ago. When it comes to > this subject I feel like we [security professionals] ar

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-29 Thread Greenarrow 1
each other on issues. Regards, George Greenarrow1 InNetInvestigations-Forensics - Original Message - From: "George Capehart" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, November 28, 2004 5:18 PM Subject: Re: [SC-L] How do we improve s/w developer awar

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-28 Thread George Capehart
On Thursday 11 November 2004 10:26, Kenneth R. van Wyk allegedly wrote: > Greetings, > > In my business travels, I spend quite a bit of time talking with > Software Developers as well as IT Security folks. One significant > difference that I've found is that the IT Security folks, by and > large, t

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-16 Thread Nick Murison
[ Apologies to moderator for the resend. I've not PGP/MIME signed this one, as I guess that's the reason for the last copy disappearing. ] [Ed. Apologies back at ya, as I'm on the road this week and trying my best to deal with a brain-damaged web emailer. KRvW] On Fri, Nov 12, 2004 at 08:24:59A

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-15 Thread Kenneth R. van Wyk

RE: [SC-L] How do we improve s/w developer awareness?

2004-11-14 Thread Aleksander P. Czarnowski
Hi, > We certainly have a lot to learn from the other communities, but > security is > worse than the other *-ilities, because it is more difficult to see. > Consumers can tell which operating system is easier to use, and > which one is > faster, but there is no way to know which is more secure

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread ljknews
At 3:39 PM + 11/12/04, M Taylor wrote: >RISK Digest (comp.risks) is about the closest, >although not security focused it does discuss system failures beyond >buffer overflows and TCP/IP protocol suite. It does not exclude familiar >risks (and documented failures) of buf

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Dana Epp
I think we have to go one step further. It's nice to know what the attack patterns are. A better thing to do is to know how to identify them during threat modeling, and then apply safeguards to mitigate the risk. i.e.: We need a merge of thoughts from "Exploiting Software" and "Building Secure Softw

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Gunnar Peterson
ge - > From: "Gunnar Peterson" <[EMAIL PROTECTED]> > To: "Yousef Syed" <[EMAIL PROTECTED]> > Cc: "Secure Coding Mailing List" <[EMAIL PROTECTED]> > Sent: Friday, November 12, 2004 6:58 AM > Subject: Re: [SC-L] How do we improve s/w deve

RE: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Wall, Kevin
ssage- From: [EMAIL PROTECTED] on behalf of Gary McGraw Sent: Fri 11/12/2004 8:39 AM To: ljknews; Secure Coding Mailing List Subject: RE: [SC-L] How do we improve s/w developer awareness? One of the reasons that Greg Hoglund and I wrote Exploiting Software was to gain a basic understanding of wha

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread M Taylor
On Thu, Nov 11, 2004 at 04:56:20PM -0500, ljknews wrote: > At 2:48 PM -0500 11/11/04, Paco Hope wrote: > > >On 11/11/04 11:46 AM, "ljknews" <[EMAIL PROTECTED]> wrote: > >> As a software developer, I care about such issues, but the compilations > >> you list are largely not applicable to the opera

RE: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Gary McGraw
On the usability and software security front, you may be interested in the "Principle 6: Keep it Simple" discussion found in Chapter 5 of Building Secure Software (pages 104-107). gem This electronic message transmissi

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Jeff Williams
ssage - From: "Gunnar Peterson" <[EMAIL PROTECTED]> To: "Yousef Syed" <[EMAIL PROTECTED]> Cc: "Secure Coding Mailing List" <[EMAIL PROTECTED]> Sent: Friday, November 12, 2004 6:58 AM Subject: Re: [SC-L] How do we improve s/w developer awareness? >

RE: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Gary McGraw
One of the reasons that Greg Hoglund and I wrote Exploiting Software was to gain a basic understanding of what we call "attack patterns". The idea is to abstract away from platform and language considerations (at least some), and thus elevate the level of attack discussion. We identify and discu

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Gunnar Peterson
> Making software secure should be a requirement of the development > process. I've had the privilege to have worked on some very good > projects where the managers emphasised security in the beginning of > the project's life cycle since it was a requirement of the client. Making software se

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread ljknews
At 2:48 PM -0500 11/11/04, Paco Hope wrote: >On 11/11/04 11:46 AM, "ljknews" <[EMAIL PROTECTED]> wrote: >> As a software developer, I care about such issues, but the compilations >> you list are largely not applicable to the operating system and programming >> languages with which I work. > >Advi

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Yousef Syed
essage - From: Gunnar Peterson <[EMAIL PROTECTED]> To: "Kenneth R. van Wyk" <[EMAIL PROTECTED]> Subject: Re: [SC-L] How do we improve s/w developer awareness? Date: Thu, 11 Nov 2004 10:34:24 -0600 > > I agree. In general "classic" IT Security types

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-11 Thread Gunnar Peterson
I agree. In general "classic" IT Security types are too focused on the problem and not focused enough on the solution side of the equation. Development is in many cases simply blissfully unaware of real security or thinks it's someone else's job. In terms of dealing with developers and getting them

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-11 Thread Paco Hope
On the one hand, we're revisiting a topic that comes up like clockwork every 3 months or so. Someone rants that it's the developers' fault, then someone will inject a recommendation that tools can allow us to use trained monkeys, and then someone will bring out an obscure operating system or langu

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-11 Thread ljknews
At 10:26 AM -0500 11/11/04, Kenneth R. van Wyk wrote: >In my business travels, I spend quite a bit of time talking with Software >Developers as well as IT Security folks. One significant difference that I've >found is that the IT Security folks, by and large, tend to pay a lot of >attention to