[SC-L] Microsoft's message at RSA

2008-05-05 Thread Gary McGraw
hi sc-l,

Here's an article about Mundie's keynote at RSA.  It's worth a read from a 
software security perspective.  Somehow I ended up playing the foil in this 
article...go figure.

http://reddevnews.com/features/article.aspx?editorialsid=2470

So what do you guys think?  Is this end-to-end trusted computing stuff going to 
fly with developers?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Microsoft's message at RSA

2008-05-05 Thread Gunnar Peterson
Hi Gary,

I think they are doing it; Cardspace is the key enabling technology to 
make it happen. Given how many enterprises are federation-enabled (and 
how simply the rest can be), the biggest missing piece right now is that 
we need an Identity Provider for the Internets.

Of course this only helps to solve the access control problem, not the 
defensive programming problem; you can still shoot yourself in the foot 
with SAML and WS-* (Brian Chess and I gave a talk on this at RSA). But 
at least it will be nice to have the banks and brokerage houses stop 
having people type their usernames and passwords into web browsers, and 
then blaming the consumer when things go amiss.

-gp



Re: [SC-L] Microsoft's message at RSA

2008-05-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://media.omediaweb.com/rsa2008/mediaplayerVO.htm?speaker=1_4

And if you want to listen to it, there it is as well.



[SC-L] Invitation - OWASP AppSec Europe May 19-22 2008 - Belgium

2008-05-05 Thread Sebastien Deleersnyder

Hi,

2 weeks left for the conference!

We would like to invite you to the European OWASP Application Security
Conference! After successful OWASP Conferences in the United States (San
Jose), Europe (Milan), Asia (Taiwan) and Australia (Queensland), we are back
in Belgium: 5 tutorials and 2 conference tracks in the historic center of
Ghent on May 19-22 2008!

More details and registration on http://www.owasp.org/index.php/AppSecEU08

The conference is stuffed with top-notch presentations from industry
recognized speakers and technical experts on the latest application security
risks and trends.

Conference (May 21-22)

Keynotes
* The Great Information Security Scrap Yard Challenge (Mark Curphey)
* Software Security: State of the Practice 2008 (Gary McGraw) 

Topics
* The OWASP ESAPI project - Dave Wichers
* Trends in Web Hacking Incidents: What's hot for 2008 - Ofer Shezaf
* Evaluation Criteria for Web Application Firewalls - Ivan Ristic
* HTML5 security - Thomas Roessler
* The OWASP Orizon Project internals - Paolo Perego
* Remo presentation (Input Validation) - Christian Folini
* Best Practices Guide: Web Application Firewalls (OWASP German chapter) - 
  Alexander Meisel
* Google-Hacking and Google-Shielding - Amichai Shulman
* NTLM Relay Attacks - Eric Rachner
* PHPIDS Monitoring attack surface activity - Mario Heiderich
* Security in Agile Development - Dave Wichers
* Security framework is not in the code - Sam Reghenzi
* Exploiting Online Games - Gary McGraw
* SHIELDS: metrics, tools and Internet services to improve security in 
  application developments - Domenico Rotondi
* Graph Analysis for WebApps: From Nodes to Edges - Simon Roses Femerling
* The OWASP Education Project - Martin Knobloch
* Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking -
  Matias Madou
* Threat Modeling for Application Designers & Architects - Shay Zalalichin
* Scanstud: Evaluating static analysis tools - Martin Johns
* Office 2.0: Software as a Service, Security on the Sidelines? - John 
  Heasman
* How Data Privacy affects Applications and Databases - Dirk De Maeyer
* The OWASP Anti-Samy project - Jason Li
* Input validation: the Good, the Bad and the Ugly - Johan Peeters 

Refereed paper track
* Refereed paper track keynote
  * Know Thyself! - Dieter Gollmann
* Refereed paper track selections:
  * SWF and the Malware Tragedy - fukami and Ben Fuhrmannek
  * Building and Stopping Next Generation XSS Worms - Arshan Dabirsiaghi
  * Detecting Security Vulnerabilities in Web Applications Using Dynamic
    Analysis with Penetration Testing - Andrew Petukhov and Dmitry Kozlov
  * The Need for Fourth Generation Static Analysis Tools for Security: From
    Bugs to Flaws - Evgeny Lebanidze
  * Preventing SQL Injections in Online Applications: Study, Recommendations
    and Java Solution Prototype Based on the SQL DOM - Etienne Janot and
    Pavol Zavarsky
  * Watch What You Write: Preventing Cross-Site Scripting by Observing
    Program Output - Matias Madou, Edward Lee, Jacob West and Brian Chess

New for AppSec Europe: there is an expo with technical vendor demos and a
Capture the Flag event!

Tutorials (May 19-20)   
* Building and Testing Secure Web Applications
* Leading the Development of Secure Applications
* Building Secure Rich Internet Applications
* Web Services and XML Security
* Open Source ModSecurity Training

OWASP Dinner (May 21)
At every conference we have an evening social event the first night. They
are always fun and allow participants to have some unstructured time to
mingle with the other attendees. This year's event will be a Flemish buffet
with special Belgian beers at the Monasterium (near the conference
location).

Cocktail Party (May 20)
In what is also becoming a tradition, there will be a cocktail party the
night before the conference begins, sponsored by Breach Security. The event
is free and open to all conference attendees and will be held at the Vintage
Wine Bar (near the conference location) at 6:30pm. We would appreciate it if
you let us know whether you are coming so we can be ready; please mail
[EMAIL PROTECTED] to confirm.

The Open Web Application Security Project (OWASP) is a worldwide free and
open community focused on improving the security of application software.
Our mission is to make application security visible, so that people and
organizations can make informed decisions about application security risks.

More details and registration on http://www.owasp.org/index.php/AppSecEU08 

Hope to see you all in May!

Conference Committee

OWASP Conferences Chair: Dave Wichers - Aspect Security - dave.wichers 'at' owasp.org
2008 EU Planning Committee Chair: Sebastien Deleersnyder - Telindus - seba 'at' owasp.org
Vendor Exhibition Chair: Pravir Chandra - Cigital - chandra 'at' cigital.com
Capture the Flag Chair: Pieter Danhieux - Ernst & Young - pieter.danhieux 'at' be.ey.com
Refereed Papers Chair: Lieven Desmet - KU Leuven - Lieven.Desmet 'at' cs.kuleuven.ac.be