Re: [SC-L] Building conferences (was: informIT: Building versus Breaking)
hi sc-l,

This minor flame war reminds me of the '80s! Hurray.

I have worked hard to inject software security (the building kind) into two conferences:

The first was the SD West/SD East set of shows where I started a software security track, did a keynote, invited Schneier to speak, etc. The track was a great success as were the big talks, but the shows were killed when IDC went down (or was absorbed by UBC). Software Development magazine disappeared or was absorbed into Dr Dobbs at the same time and we had a software security column going there too. Alas.

The second involves working on making the RSA Conference application security track as strong as possible (and about building versus breaking). I am on the PC of RSA for the second year running. This will be a multi-year project, I'm sure.

This doesn't really count, but we have a BSIMM Conference every year as well where the 42 companies participating in the BSIMM project get together to talk software security initiative shop talk. There are no plans to make that into a public conference.

gem

From: Martin Gilje Jaatun <secse-ch...@sislab.no>
Date: Fri, 2 Sep 2011 04:59:59 -0400
To: Secure Code Mailing List <SC-L@securecoding.org>
Subject: [SC-L] Building conferences (was: informIT: Building versus Breaking)

Karen Goertzel wrote:
> There are these:
> ISC(2) Secure Software Conference Series - https://www.isc2.org/PressReleaseDetails.aspx?id=650
> ESSoS - http://distrinet.cs.kuleuven.be/events/essos/2012/
> SecSE - http://www.sintef.org/secse
> SSIRI - http://paris.utdallas.edu/ssiri11/

All conferences are not created equal - ESSOS, SecSE and SSIRI are all academic, peer-reviewed conferences/workshops, and probably do not have the same sex appeal as BlackHat. Even in academic communities it seems that there are few that appreciate the difference between security features and secure features (judging by some submissions we get to SecSE).

> [...] conferences.
> I'm in the process of updating some research on how and where software security assurance is being taught by colleges and universities, and what I'm finding is that the topic has been pretty much marginalised into an aspect of information assurance - i.e., it's being taught mostly to postgraduates who are majoring in IA and

I think you're right - to take our local university, NTNU: they have a course on software security, but it's an elective offered to postgraduates in the final year before they start their MSc thesis, which probably means that only those students who already have a special interest in security will choose it.

-Martin

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] informIT: Building versus Breaking
On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt <chrisisb...@gmail.com> wrote:
> On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA] <goertzel_ka...@bah.com> wrote:
>> What we need is to start building software that can fight back. Then we could become part of cyber warfare which is much sexier than software assurance. :)
>
> Simple. Owasp esapi + owasp appsensor + honeypot = win

I'd still consider that defensive. If you want cyber warfare and are willing to go over to the dark side, you can define your own custom AppSensor response actions to act offensively. For instance, you could easily try to download malware to the attacker or mount a DoS attack against them. Personally, I don't recommend such escalation though, even if it is a tit-for-tat strategy. Reacting in that manner is likely to make you a criminal as well.

-kevin
--
Blog: http://off-the-wall-security.blogspot.com/
"The most likely way for the world to be destroyed, most experts agree, is by accident. That's where we come in; we're computer professionals. We *cause* accidents." -- Nathaniel Borenstein
Re: [SC-L] informIT: Building versus Breaking
On 9/3/2011 11:22 AM, Kevin W. Wall wrote:
> On Fri, Sep 2, 2011 at 6:19 PM, Chris Schmidt <chrisisb...@gmail.com> wrote:
>> On Sep 2, 2011, at 10:44 AM, Goertzel, Karen [USA] <goertzel_ka...@bah.com> wrote:
>>> What we need is to start building software that can fight back. Then we could become part of cyber warfare which is much sexier than software assurance. :)
>>
>> Simple. Owasp esapi + owasp appsensor + honeypot = win
>
> I'd still consider that defensive. If you want cyber warfare and are willing to go over to the dark side, you can define your own custom AppSensor response actions to act offensively. For instance, you could easily try to download malware to the attacker or mount a DoS attack against them. Personally, I don't recommend such escalation though, even if it is a tit-for-tat strategy. Reacting in that manner is likely to make you a criminal as well.
>
> -kevin

That may be, but there are ways to fight back without breaking the law. Hence the honeypot: let the attacker exploit the hell out of a system that does absolutely nothing, track all of his movements and gather as much intel about them as possible - then, provided you have good audit logging, you have more information than you can handle about the attack to forward on to the feds for appropriate vanning. Granted, this is making some pretty hefty assumptions about the state of the app in question, the skill of the attacker, and the vanning abilities of the men in black, but it is far more sexy than purely writing defensive code alone.