Re: [SC-L] BSIMM-V Article in Application Development Times
Hi Stephen,

I agree that would be interesting. While we have data at the firm level for all BSIMM participants, and at the BU level for many BSIMM participants, we don't formally capture data on development methodology (as opposed to software security activities) for each development team (which may number well into the double digits for many BSIMM participants).

Also, in nearly all cases, it would be very hard to characterize an entire firm or even an entire business unit in larger firms as Agile or not. Many larger firms use Agile for only a small percentage of projects (e.g., for mobile or cloud things, if they're a traditional waterfall shop and are just evolving into new technology stacks). Even those firms who do Agile often do it in different ways across different development teams, even in the same business unit. The teams with very large applications or critical applications that go through more testing might do 3-4 week sprints while others do 2-week sprints. However, they might be using exactly the same process, so I'm not sure the frequency of deployment would work as the measure of agility.

As for writing "Agile" rather than Agile above, firms and teams who call themselves Agile mean many different things with that word. I've run into some teams who feel very agile in their quarterly development cycles and at least one that scrums its way through various parts of their waterfall process.

Cheers,
--Sammy.

-----Original Message-----
From: SC-L [mailto:sc-l-boun...@securecoding.org] On Behalf Of Stephen de Vries
Sent: Tuesday, December 17, 2013 5:21 AM
To: Gary McGraw
Cc: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM-V Article in Application Development Times

On 13 Dec 2013, at 22:51, Gary McGraw g...@cigital.com wrote:

> From time to time we talk about getting to the dev community here. This article is at least in the right publication! Read it and pass it on: http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx

Hi Gary,

In the current BSIMM-V dataset is it possible to narrow the data down to only organisations practising Agile dev? I think it would be interesting to see which BSIMM activities are popular with agile houses, and which not.

Ideally, it would be nice to not only differentiate between Agile and non-agile, but different degrees of agile based on the length of iterations and/or the frequency of deployments. E.g. less-agile = 3 month iterations and multi-month deploys, more-agile = continuous delivery with multiple deploys per day.

regards,
Stephen de Vries
http://www.continuumsecurity.net
Twitter: @stephendv

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] BSIMM-V Article in Application Development Times
> In the current BSIMM-V dataset is it possible to narrow the data down to only organisations practising Agile dev? I think it would be interesting to see which BSIMM activities are popular with agile houses, and which not.

One of the reasons not to do this is that publishing data that would be split into too many or too small pools would potentially allow someone to reverse-engineer the exact results of some of the participating companies. Aggregate data provides a level of anonymity.

Moreover, I think this sort of split would be largely arbitrary. Especially for large companies, it's often not straightforward to classify them as agile or non-agile. Many companies also have mixed-mode dev shops with waterfall product management bolted on top of an agile dev team, or an agile dev team throwing code over the wall to a traditional ops team, or a mix of agile and non-agile teams working side by side. Now, some observed activities clearly are purely development activities, and some would not make any sense at all as dev team activities. How would you classify the results if the company had agile dev teams but waterfall product management?

> Ideally, it would be nice to not only differentiate between Agile and non-agile, but different degrees of agile based on the length of iterations and/or the frequency of deployments. E.g. less-agile = 3 month iterations and multi-month deploys, more-agile = continuous delivery with multiple deploys per day.

Even in purely agile shops, not everyone has a concept of an iteration (kanban is a continuous flow of tasks - which is often how maintenance of legacy software would be done), and deploying means different things for different industries (think embedded systems that have no update channel). In addition, I don't think you can measure agility through purely measuring cadence. The point of being agile is to be able to respond to change, and not all companies _need_ to be reinventing their product daily like a budding startup with an existential crisis. Although continuous integration would probably help the majority of companies, on the product management (i.e., backlog management) side, it depends on your customers and industry whether more is indeed better.

- Antti
[SC-L] US DoD RFI on software assurance
All,

This may be of interest - an RFI is a way to both provide information and influence future procurements by pointing out areas that need to be emphasized.

https://www.fbo.gov/index?s=opportunity&mode=form&id=3c867a45671f0cde56fca2bf81bdaf44&tab=documents&tabmode=list

--Jeremy
[SC-L] BSIMM-V Article in Application Development Times
hi sc-l,

From time to time we talk about getting to the dev community here. This article is at least in the right publication! Read it and pass it on: http://adtmag.com/blogs/watersworks/2013/12/bsimm-v-released.aspx

Salubrious solstice! One week and one day to go.

gem
[SC-L] CFP: WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS
WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP
CALL FOR PAPERS

IMPORTANT DATES
Paper submission deadline: February 26, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014
Workshop paper submission web site: https://www.easychair.org/conferences/?conf=w2sp2014

W2SP brings together researchers, practitioners, web programmers, policy makers, and others interested in the latest understanding and advances in the security and privacy of the web, browsers, cloud, mobile and their eco-system. We have had seven years of successful W2SP workshops. This year, we will additionally invite selected papers to a special issue of the journal.

W2SP is held in conjunction with the IEEE Symposium on Security and Privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel in San Jose, California. W2SP will continue to be open-access: all papers will be made available on the workshop website, and authors will not need to forfeit their copyright.

We are seeking both short position papers (2–4 pages) and longer papers (a maximum of 10 pages). Papers must be formatted for US letter (not A4) size paper with margins of at least 3/4 inch on all sides. The text must be formatted in a two-column layout, with columns no more than 9 in. high and 3.375 in. wide. The text must be in Times font, 10-point or larger, with 12-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates.

The scope of W2SP 2014 includes, but is not limited to:
- Analysis of Web, Cloud and Mobile Vulnerabilities
- Forensic Analysis of Web, Cloud and Mobile Systems
- Security Analysis of Web, Cloud and Mobile Systems
- Advances in Penetration Testing
- Advances in (SQL/code) Injection Attacks
- Trustworthy Cloud-based, Web and Mobile services
- Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile Systems
- Security and Privacy as a Service
- Usable Security and Privacy
- Security and Privacy Solutions for the Web, Cloud and Mobile
- Identity Management, Pseudonymity and Anonymity
- Security/Privacy Web Services/Feeds/Mashups
- Provenance and Governance
- Security and Privacy Policy Management for the Web, Cloud and Mobile
- Next-Generation Web/Mobile Browser Technology
- Security/Privacy Extensions and Plug-ins
- Online Privacy and Security frameworks
- Advertisement and Affiliate fraud
- Studies on Understanding Web/Cloud/Mobile Security and Privacy
- Technical Solutions for Security and Privacy legislation
- Solutions for connecting the Business, Legal, Technical and Social aspects on Web/Cloud/Mobile Security and Privacy
- Technologies merging Economics with Security/Privacy
- Innovative Security/Privacy Solutions for Industry Verticals

Any questions should be directed to the program chair: tgrandi...@proficiencylabs.com.

WORKSHOP CO-CHAIRS
Larry Koved (IBM Research)
Matt Fredrikson (University of Wisconsin - Madison)

PROGRAM CHAIR
Tyrone Grandison (Proficiency Labs)

PROGRAM COMMITTEE
Aaron Massey (Georgia Institute of Technology)
Adrienne Porter Felt (Google)
Aleecia M. McDonald (Center for Internet Society)
Alex Smolen (Twitter)
Alexander Polyakov (ERPScan)
Amine Cherrai (Amine Cherrai Consulting)
Anand Prakash (E-Billing Solutions Pvt. Ltd)
Bhavani Thuraisingham (University of Texas - Dallas)
Brad Malin (Vanderbilt University)
Carrie Gates (CA Technologies)
Christy Philip Matthew (Offcon Info Security)
Dieter Gollmann (Hamburg University of Technology)
Elena Ferrari (University of Insubria)
Gerome Miklau (University of Massachusetts - Amherst)
Hakan Hacigumus (NEC Labs)
Ilya Mironov (Microsoft Research)
James Kettle (Context Information Security)
Kimberley Hall (Security Advisory Management Services Ltd)
Michael Franz (University of California - Irvine)
Michael Waidner (Technische Universitat Darmstadt)
Monica Chew (Mozilla)
Pierangela Samarati (University of Milan)
Rafae Bhatti (Price Waterhouse Coopers)
Reginaldo Silva (Ubercomp)
Rose Gamble (University of Tulsa)
Sabrina De Capitani di Vimercati (University of Milan)
Sean Thorpe (University of Technology - Jamaica)
Sid Stamm (Mozilla)
Simson Garfinkel (Naval Postgraduate School)
Szymon Gruszecki
Varun Bhagwan (Yahoo)
Vinnie Moscaritolo (Silent Circle)
[SC-L] Silver Bullet 92: Jon Callas
hi sc-l,

Just in time for turkey-induced coma listening time, Silver Bullet episode 92 features Jon Callas. Jon is an old school geek (on the net since 1979) who has occupied a front row seat during all of the crypto wars. His company Silent Circle is actively trying to build a real secure email solution that even the NSA can't break. We had a very interesting chat. We even talked directly about Snowden.

I hope you like it: http://www.cigital.com/silver-bullet/show-092/

As always, your feedback on the podcast is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] Silver Bullet 91: Caroline Wong
hi sc-l,

Episode 91 of Silver Bullet features a conversation with Cigital's Caroline Wong. We talk a lot about BSIMM (behind the scenes) as part of the BSIMM-V launch. BSIMM-V will be officially released at 9am EST 10.30.13!

As an experienced practitioner (Symantec, eBay, Zynga), Caroline brings a management perspective to the BSIMM project, directly focused on metrics and measurement. (Nothing like real data.) We also discuss bug bounty programs, Software Security Initiative (SSI) in a box (leveraging measurement of course), and issues facing women in computer science.

Have a listen: http://www.cigital.com/silver-bullet/show-091/

And stay tuned for more about BSIMM-V!

gem
[SC-L] BSIMM-V is alive
hi sc-l,

I am proud to announce that the BSIMM-V document is complete and the website has been entirely revised/updated. Please download a copy of BSIMM-V today: http://bsimm.com

BSIMM-V describes the software security initiatives at sixty-seven firms, including: Adobe, Aetna, Bank of America, Box, Capital One, Comerica Bank, EMC, Epsilon, F-Secure, Fannie Mae, Fidelity, Goldman Sachs, HSBC, Intel, Intuit, JPMorgan Chase & Co., Lender Processing Services Inc., Marks and Spencer, Mashery, McAfee, McKesson, Microsoft, NetSuite, Neustar, Nokia, Nokia Siemens Networks, PayPal, Pearson Learning Technologies, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, TomTom, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

All told, the BSIMM describes the work of 975 SSG members working with a satellite of 1,953 people to secure the software developed by 272,358 developers.

Software security measurement.

gem

"If you are thinking about developing a software security program, or enhancing your existing one, the BSIMM will provide you a tried and true measurement and planning tool developed by some of the top security practitioners in the world. BSIMM-V is the continued evolution of this data driven set of real world software security practices, making it more relevant than ever. If you don't think that a software security program or BSIMM is right for you, well… it's only a matter of time!"
Gary Warzala
CISO, Visa

"Improving any engineering process requires a solid set of empirical metrics from which we can compare and contrast our own processes. Software security is no exception, and for far too long the community has been relying too heavily on anecdotal 'evidence.' Those excuses are no longer valid. Nowhere else will you find a more solid set of real world observations than in the BSIMM study. I'm happy to see with the release of BSIMM-V that the model has continued to grow and improve since its inception."
Kenneth R. van Wyk
KRvW Associates, LLC
[SC-L] Silver Bullet 90: Matthew Green
hi sc-l,

On one of the best Silver Bullet security podcasts in many a moon, I interview Matthew Green, research professor at Johns Hopkins University. Remember that university professor whose NSA-related posting was given a takedown notice? That was Matthew. Find out what he thought of all that: http://www.cigital.com/silver-bullet/show-090/

We also discuss the difference between theoretical crypto and applied crypto, why software security is so dang hard, ARA, and breakfast cereal.

Have a listen and pass it on. As always, your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] Atlanta event OCT 1st
hi sc-l,

As part of gearing up our Atlanta office, Cigital is co-sponsoring an event with TAG (Technology Association of Georgia) on Tuesday October 1st. The event will feature a fireside chat with Marcus Ranum and me about software and software security. "Why is software still so bad, and what are we doing about it?" is the official abstract. The event is open to TAG members and others in the Atlanta area.

If you're interested or if you know people in Atlanta who might like to come, please pass along this URL: http://bit.ly/1b5qhp4

Hope to see some sc-l readers in Atlanta.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] [External] Re: Sad state of affairs
I agree that ONE end goal of software security is to safeguard data - but it is not the only goal...and may not even be the primary goal, depending on the type of system the software is part of. In a safety-critical system, "safeguard the data" takes on a very different meaning from what one thinks of in a typical information system. Yes, I may in fact be trying to safeguard input sent from logical or physical sensors so that the data can't be tampered with in a way that can threaten the safe operation of the system. But safeguarding the data in that case is only a means to an end - the main goal is to prevent someone from intentionally exploiting a flaw in the software in order to instigate a physical failure that could threaten health, lives, the environment, etc.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"If you're not failing every now and again, it's a sign you're not doing anything very innovative." - Woody Allen

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Jeffrey Walton [noloa...@gmail.com]
Sent: 21 September 2013 00:24
To: Rafal Los
Cc: Secure Coding List; Bobby G. Miller
Subject: [External] Re: [SC-L] Sad state of affairs

On Fri, Sep 20, 2013 at 11:34 PM, Rafal Los ra...@ishackingyou.com wrote:
> Wait a minute, this relationship is a bit confused I think. Prasad said it well - often the result of a maturing software security program is that the simple and easy bugs disappear and the ones that are left are difficult to find and complex in exploitation. This is known as eliminating the low hanging fruit. While this doesn't eliminate ALL bugs, I ultimately believe that's a fool's errand anyway. Making the software as free of bugs as possible necessarily makes the ones left in the system difficult to find and exploit. Then you work in good anomaly detection mechanisms and have a great case for *reasonably* secure software.

Well, the end goal of software security is to safeguard the data. All a bad guy wants to do is collect, egress and monetize the data (sans National Security concerns). If the data is not safe, then the definition of "reasonable" has problems.

Consider: I was part of two breaches. The one in the 1990's cost me about $10,000 to fix (I found out after I was sued). The second was in New York last summer that cost me $75 to fix (have a card re-issued and shipped next-day service). If you ask the companies involved if their processes were reasonable, they would probably say YES. After all, the companies followed best practices, minimized their losses and maximized their profits. If you ask me, I would say NO.

Picking low hanging fruit is not enough. Ironically, we're not even doing that very well (as BM noted). If you don't agree, take some time to cruise ftp.gnu.org and look at the state of those projects (and it's not just free software). But I consider it a failure of security professionals since it's our job to educate developers and improve their processes.*

Of course, this is all predicated on you knowing and being able to define the word "reasonable". :)

Just my opinion. And my jaded opinion :)

Jeff

* There's some hand waving here since some (many?) argue it's a waste of time and money to teach developers; and the money is better spent on building tools that make it hard/difficult to do things incorrectly in the first place. I kind of think it's a mixture of both.

> - Reply message -
> From: Jeffrey Walton noloa...@gmail.com
> To: Bobby G. Miller b.g.mil...@gmail.com
> Cc: Secure Coding List sc-l@securecoding.org
> Subject: [SC-L] Sad state of affairs
> Date: Fri, Sep 20, 2013 10:01 PM
>
> On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller b.g.mil...@gmail.com wrote:
> > I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.
>
> +1. Software security is in a sad state. What I've observed: let the developers deliver something, then have it pen tested, and finally fix what the pen testers find. I call it "catch me if you can" security.
>
> I think the underlying problem is the risk analysis equations. It's still cost effective to do little or nothing. Those risk analysis equations need to be unbalanced. And I don't believe this is the solution: http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems. Too many carrots and too few sticks means it becomes more profitable to continue business as usual.
Re: [SC-L] [External] Sad state of affairs
On the other hand, isn't it somewhat analogous to hiring 24/7 armed security guards and installing a state of the art physical security system in a museum, and passing and enforcing strict laws against grand larceny? The secure coding alternative would be for museums to stop displaying priceless art works.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"If you're not failing every now and again, it's a sign you're not doing anything very innovative." - Woody Allen

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Bobby G. Miller [b.g.mil...@gmail.com]
Sent: 20 September 2013 19:47
To: sc-l@securecoding.org
Subject: [External] [SC-L] Sad state of affairs

I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.
Re: [SC-L] [External] Re: Sad state of affairs
So all it takes to call code secure is to apply sufficient quantities of bandaids, bubblegum and barbed wire? Job security yes, secure coding NO. Just my opinion, but I think we need to hold to a much higher standard.

On Mon, Sep 23, 2013 at 6:08 AM, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:
> I agree that ONE end goal of software security is to safeguard data - but it is not the only goal...and may not even be the primary goal, depending on the type of system the software is part of. In a safety-critical system, "safeguard the data" takes on a very different meaning from what one thinks of in a typical information system. Yes, I may in fact be trying to safeguard input sent from logical or physical sensors so that the data can't be tampered with in a way that can threaten the safe operation of the system. But safeguarding the data in that case is only a means to an end - the main goal is to prevent someone from intentionally exploiting a flaw in the software in order to instigate a physical failure that could threaten health, lives, the environment, etc.
Re: [SC-L] Sad state of affairs
Wait a minute, this relationship is a bit confused I think. Prasad said it well - often the result of a maturing software security program is that the simple and easy bugs disappear and the ones that are left are difficult to find and complex in exploitation. This is known as eliminating the low hanging fruit. While this doesn't eliminate ALL bugs, I ultimately believe that's a fool's errand anyway. Making the software as free of bugs as possible necessarily makes the ones left in the system difficult to find and exploit. Then you work in good anomaly detection mechanisms and have a great case for *reasonably* secure software.

Of course, this is all predicated on you knowing and being able to define the word "reasonable".

Just my opinion.

/// Rafal Los

- Reply message -
From: Jeffrey Walton noloa...@gmail.com
To: Bobby G. Miller b.g.mil...@gmail.com
Cc: Secure Coding List sc-l@securecoding.org
Subject: [SC-L] Sad state of affairs
Date: Fri, Sep 20, 2013 10:01 PM

On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller b.g.mil...@gmail.com wrote:
> I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.

+1. Software security is in a sad state. What I've observed: let the developers deliver something, then have it pen tested, and finally fix what the pen testers find. I call it "catch me if you can" security.

I think the underlying problem is the risk analysis equations. It's still cost effective to do little or nothing. Those risk analysis equations need to be unbalanced. And I don't believe this is the solution: http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems. Too many carrots and too few sticks means it becomes more profitable to continue business as usual.

Jeff
Re: [SC-L] Sad state of affairs
On Fri, Sep 20, 2013 at 11:34 PM, Rafal Los ra...@ishackingyou.com wrote:
> Wait a minute, this relationship is a bit confused I think. Prasad said it well: often the result of a maturing software security program is that the simple and easy bugs disappear and the ones that are left are difficult to find and complex in exploitation. This is known as eliminating the low-hanging fruit. While this doesn't eliminate ALL bugs, I ultimately believe that's a fool's errand anyway. Making the software as free of bugs as possible necessarily makes the ones left in the system difficult to find and exploit. Then you work in good anomaly detection mechanisms and have a great case for *reasonably* secure software.

Well, the end goal of software security is to safeguard the data. All a bad guy wants to do is collect, egress and monetize the data (sans National Security concerns). If the data is not safe, then the definition of "reasonable" has problems.

Consider: I was part of two breaches. The one in the 1990's cost me about $10,000 to fix (I found out after I was sued). The second was in New York last summer and cost me $75 to fix (have a card re-issued and shipped next-day service). If you ask the companies involved if their processes were reasonable, they would probably say YES. After all, the companies followed best practices, minimized their losses and maximized their profits. If you ask me, I would say NO.

Picking low-hanging fruit is not enough. Ironically, we're not even doing that very well (as BM noted). If you don't agree, take some time to cruise ftp.gnu.org and look at the state of those projects (and it's not just free software). But I consider it a failure of security professionals since it's our job to educate developers and improve their processes.*

> Of course, this is all predicated on you knowing and being able to define the word reasonable.

:)

> Just my opinion.

And my jaded opinion :)

Jeff

* There's some hand waving here since some (many?) argue it's a waste of time and money to teach developers, and the money is better spent on building tools that make it hard/difficult to do things incorrectly in the first place. I kind of think it's a mixture of both.

> - Reply message -
> From: Jeffrey Walton noloa...@gmail.com
> To: Bobby G. Miller b.g.mil...@gmail.com
> Cc: Secure Coding List sc-l@securecoding.org
> Subject: [SC-L] Sad state of affairs
> Date: Fri, Sep 20, 2013 10:01 PM
>
>> On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller b.g.mil...@gmail.com wrote:
>>> I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.
>>
>> +1. Software security is in a sad state. What I've observed: let the developers deliver something, then have it pen tested, and finally fix what the pen testers find. I call it "catch me if you can" security.
>>
>> I think the underlying problem is the risk analysis equations. It's still cost-effective to do little or nothing. Those risk analysis equations need to be unbalanced. And I don't believe this is the solution: http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems. Too many carrots and too few sticks means it becomes more profitable to continue business as usual.
Re: [SC-L] Sad state of affairs
Well, one of the objectives of employing secure coding practices is just that - to raise the cost and complexity of exploiting bugs.

Cheers,
Prasad

On Sep 20, 2013, at 7:47 PM, Bobby G. Miller b.g.mil...@gmail.com wrote:
> I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.
Re: [SC-L] Sad state of affairs
On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller b.g.mil...@gmail.com wrote:
> I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.

+1. Software security is in a sad state. What I've observed: let the developers deliver something, then have it pen tested, and finally fix what the pen testers find. I call it "catch me if you can" security.

I think the underlying problem is the risk analysis equations. It's still cost-effective to do little or nothing. Those risk analysis equations need to be unbalanced. And I don't believe this is the solution: http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems. Too many carrots and too few sticks means it becomes more profitable to continue business as usual.

Jeff
[SC-L] HP Protect keynote
hi sc-l,

HP just put up a video of the keynote I delivered yesterday at HP Protect. Here it is!

http://www.cigital.com/justice-league-blog/2013/09/17/zombies-just-what-dr-mcgraw-ordered/

gem

p.s. Who knows Dinis in a can??
Re: [SC-L] SearchSecurity: Architecture Risk Analysis
hi marinus,

Sorry for the (spam filter related) delay!

Two of the steps that we define in the ARA article address your idea directly. Step 1, known-attack analysis, certainly leverages knowledge about components, packages, and design patterns (associated with known attacks) and stuff you inherit. And step 3, dependency analysis, is almost entirely focused on what you suggest.

Have a read: http://bit.ly/1b2f5Zk

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: Marinus van Aswegen mvanaswe...@gmail.com
Date: Monday, September 16, 2013 3:15 PM
To: Secure Code Mailing List SC-L@securecoding.org
Subject: [SC-L] SearchSecurity: Architecture Risk Analysis

> Garry,
>
> We have a step where we figure out how the various architectures intersect and synthesize together. After all, you inherit more than you define and deliver.
>
> Marinus
>
> -
>
>> hi sc-l,
>>
>> Software security in general spends a lot of time talking about bugs---too much time, I believe. We all know that software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design). So, how do you find and FIX flaws? That's what this month's SearchSecurity column is about. This article is about finding security flaws in software with Architecture Risk Analysis. It is co-authored by Jim DelGrosso who is a Principal Consultant at Cigital and runs the Architecture practice. We know this approach works, because we actually use it every day (and have done so for over a decade): http://bit.ly/1b2f5Zk
>>
>> No, it's not easy, and yes it takes experience. Oh well.
>>
>> gem
[SC-L] SearchSecurity: Architecture Risk Analysis
Garry,

We have a step where we figure out how the various architectures intersect and synthesize together. After all, you inherit more than you define and deliver.

Marinus

-

> hi sc-l,
>
> Software security in general spends a lot of time talking about bugs---too much time, I believe. We all know that software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design). So, how do you find and FIX flaws? That's what this month's SearchSecurity column is about. This article is about finding security flaws in software with Architecture Risk Analysis. It is co-authored by Jim DelGrosso who is a Principal Consultant at Cigital and runs the Architecture practice. We know this approach works, because we actually use it every day (and have done so for over a decade): http://bit.ly/1b2f5Zk
>
> No, it's not easy, and yes it takes experience. Oh well.
>
> gem
[SC-L] SearchSecurity: Architecture Risk Analysis
hi sc-l,

Software security in general spends a lot of time talking about bugs---too much time, I believe. We all know that software defects come in two major subclasses: bugs (in the implementation) and flaws (in the design). So, how do you find and FIX flaws? That's what this month's SearchSecurity column is about. This article is about finding security flaws in software with Architecture Risk Analysis. It is co-authored by Jim DelGrosso who is a Principal Consultant at Cigital and runs the Architecture practice. We know this approach works, because we actually use it every day (and have done so for over a decade): http://bit.ly/1b2f5Zk

No, it's not easy, and yes it takes experience. Oh well.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

p.s. Long link for Mr Wall: http://searchsecurity.techtarget.com/opinion/Opinion-Software-insecurity-software-flaws-in-application-architecture
[SC-L] HP Protect Keynote (next week 9.17.13)
hi sc-l,

This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/

The Discover Performance magazine featured an article about software security as one part of the run up to the HP Protect Conference. You can read that here: http://bit.ly/153CFDB (http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html)

It's great news for the field that we're being asked to talk about software security at a major conference as the keynote. I hope to see some of you there.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

p.s. Long URL for Kevin http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html
Re: [SC-L] HP Protect Keynote (next week 9.17.13)
I'll be there and am looking forward to seeing it.

Can you cover the need to: a) 'talk' to developers using UnitTests, b) stop giving developers PDFs/badometers, c) create security Labels for APIs/Apps and d) use open source tools like the O2 Platform (and ThreadFix) to integrate+glue the application security knowledge created by tools and humans :)

For the record I'm gutted that HP can't organise a 'Conference Band' like the 'Owasp band' so that we can do our yearly rendition of the 'SQL Injection Blues' :)

Dinis

On 15 Sep 2013 09:39, Gary McGraw g...@cigital.com wrote:
> hi sc-l,
>
> This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/
>
> The Discover Performance magazine featured an article about software security as one part of the run up to the HP Protect Conference. You can read that here: http://bit.ly/153CFDB (http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html)
>
> It's great news for the field that we're being asked to talk about software security at a major conference as the keynote. I hope to see some of you there.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
> twitter @cigitalgem
>
> p.s. Long URL for Kevin http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html
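Dinis's point (a) above, 'talking' to developers with unit tests instead of a PDF report, as an added illustration that is not part of his message or of any tool he names. It assumes a constructed scenario: a review found a user-lookup query built by string concatenation, and the finding is handed over as a test that fails on the old code and passes once the query is parameterised. The table, the probe string and both lookup functions are constructed for the example; sqlite3 and unittest are the standard library.

```python
"""Constructed example: a security finding expressed as a unit test.

Scenario (assumed, not from the thread): a reviewer found that a
user-lookup query was assembled by string concatenation. Rather than
describing this in a PDF, the reviewer hands the developers a test
that encodes the property "user input cannot change the query's
structure". The test fails on the original code and passes on the fix.
"""
import sqlite3
import unittest


def _connect():
    """Constructed in-memory fixture: two users, no real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "a-secret"), ("bob", "b-secret")],
    )
    return conn


def lookup_concat(conn, name):
    """The 'before' form from the constructed finding: the caller's input
    is spliced into the SQL text, so a quote character in the input
    becomes part of the query rather than part of the value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """The fixed form: the driver binds the value to the placeholder, so
    the SQL text is constant whatever the input contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Constructed probe: a quote character followed by an always-true clause.
# No user is named this, so a correct lookup must return no rows.
PROBE = "x' OR '1'='1"


def finding_holds(lookup):
    """True when `lookup` satisfies the finding: the probe matches nobody
    and an ordinary lookup still works. This is what the test asserts."""
    conn = _connect()
    try:
        return lookup(conn, PROBE) == [] and lookup(conn, "alice") == ["alice"]
    finally:
        conn.close()


class TestUserLookupFinding(unittest.TestCase):
    """The finding as developers would receive it: one failing test whose
    name and docstring say what must be true, plus a second test that
    documents why the original form was reported."""

    def test_probe_matches_no_user(self):
        # This is the acceptance criterion for closing the finding.
        self.assertTrue(finding_holds(lookup_param))

    def test_concatenated_form_is_the_reported_defect(self):
        # Kept so the test file itself explains the 'before' state.
        self.assertFalse(finding_holds(lookup_concat))


if __name__ == "__main__":
    unittest.main()
```

The value of this shape is that the developer's feedback loop is the test runner they already use: the finding is reproducible, the fix is verified by the same artefact that reported it, and the test stays in the suite so the regression cannot quietly return.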
Re: [SC-L] HP Protect Keynote (next week 9.17.13)
hi dinis,

I will be covering the basics for sure. I agree with all of your points below. The trickiest one you bring up is security labels which, though it may be a good idea, is a political swamp.

I am up for an HP Protect band, but I am pretty sure such an idea has never crossed the corporate HP mind!

See you in DC.

gem

From: Dinis Cruz dinis.c...@owasp.org
Date: Sunday, September 15, 2013 5:54 AM
To: gem g...@cigital.com
Cc: Casey Callaway ccalla...@cigital.com, Secure Code Mailing List SC-L@securecoding.org
Subject: Re: [SC-L] HP Protect Keynote (next week 9.17.13)

> I'll be there and am looking forward to seeing it.
>
> Can you cover the need to: a) 'talk' to developers using UnitTests, b) stop giving developers PDFs/badometers, c) create security Labels for APIs/Apps and d) use open source tools like the O2 Platform (and ThreadFix) to integrate+glue the application security knowledge created by tools and humans :)
>
> For the record I'm gutted that HP can't organise a 'Conference Band' like the 'Owasp band' so that we can do our yearly rendition of the 'SQL Injection Blues' :)
>
> Dinis
>
> On 15 Sep 2013 09:39, Gary McGraw g...@cigital.com wrote:
>> hi sc-l,
>>
>> This year's keynote talk at HP Protect will be all about software security. How do I know? Well, I'm giving the talk. You can register here if you want to attend HP Protect in Washington, DC. http://h30627.www3.hp.com/
>>
>> The Discover Performance magazine featured an article about software security as one part of the run up to the HP Protect Conference. You can read that here: http://bit.ly/153CFDB (http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html)
>>
>> It's great news for the field that we're being asked to talk about software security at a major conference as the keynote. I hope to see some of you there.
>>
>> gem
>>
>> company www.cigital.com
>> podcast www.cigital.com/silverbullet
>> blog www.cigital.com/justiceleague
>> book www.swsec.com
>> twitter @cigitalgem
>>
>> p.s. Long URL for Kevin http://h30458.www3.hp.com/us/us/discover-performance/security-leaders/2013/sep/in-software-security-maturity-is-hard-won_1322645.html
[SC-L] OWASP Top Ten - Comparison of 2013, 2010, 2007, 2004 and 2003 Releases
The comparison of the 2013, 2010, 2007, 2004 and 2003 releases of the OWASP Top Ten can be downloaded from https://github.com/cmlh/OWASP-Top-Ten-2013/releases

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact
[SC-L] SearchSecurity: 5 Tech Trends and Software Security
hi sc-l,

SearchSecurity just posted my August article about the intersection of software security and 5 major tech trends. It is enhanced with BSIMM data to spice it up. Have a read http://bit.ly/137efaX (and pass it on!).

Here is a (big ass) URL for Kevin: http://searchsecurity.techtarget.com/opinion/Five-major-technology-trends-affecting-software-security-assurance

As always, your feedback is welcome. I'm pleased that our field is getting such good exposure on Tech Target.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleage
book www.swsec.com
twitter @noplasticshower
[SC-L] Silver Bullet 88: Christian Collberg
hi sc-l,

Christian Collberg has been among the best academicians in software protection for over a decade. His book Surreptitious Software, which is really about obfuscation, watermarking and digital content protection, is part of my Software Security Series http://buildingsecurityin.com. Christian is also an artist and a world traveller with a very interesting global perspective.

Have a listen to the 88th consecutive Silver Bullet Security Podcast featuring Christian Collberg: http://www.cigital.com/silver-bullet/show-088/

As always, your feedback is welcome (including suggestions for new Silver Bullet victims).

gem

company www.cigital.com
blog ww.cigital.com/justiceleague
book www.swsec.com
twitter @noplasticshower
[SC-L] Ruxcon 2013 Final Call For Papers
Ruxcon 2013 Final Call For Papers
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/

The Ruxcon team is pleased to announce the final call for papers for Ruxcon. This year the conference will take place over the weekend of the 26th and 27th of October at the CQ Function Centre, Melbourne, Australia. The deadline for submissions is the 31st of August.

.[x]. About Ruxcon .[x].

Ruxcon is a premier technical computer security conference in Australia. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations. The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security.

For more information, please visit http://www.ruxcon.org.au

.[x]. Important Dates .[x].

August 31 - Call For Presentations Close
October 26-27 - Ruxcon Conference

.[x]. Topic Scope .[x].

Topics of interest include, but are not limited to:
o Mobile Device Security
o Virtualization, Hypervisor, and Cloud Security
o Malware Analysis
o Reverse Engineering
o Exploitation Techniques
o Rootkit Development
o Code Analysis
o Forensics and Anti-Forensics
o Embedded Device Security
o Web Application Security
o Network Traffic Analysis
o Wireless Network Security
o Cryptography and Cryptanalysis
o Social Engineering
o Law Enforcement Activities
o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)

.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:
1. Presentation title
2. Detailed summary of your presentation material
3. Name/Nickname
4. Mobile phone number
5. Brief personal biography
6. Description of any demonstrations involved in the presentation
7. Information on where the presentation material has or will be presented before Ruxcon

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, including question time.

If you have any enquiries about submissions, or would like to make a submission, please send an email to presentati...@ruxcon.org.au

The deadline for submissions is the 31st of August.

.[x]. Contact .[x].

o Email: presentati...@ruxcon.org.au
o Twitter: @ruxcon
Re: [SC-L] OWASP Podcast 95 is live!
On 07/02/2013 02:55 AM, Jeffrey Walton wrote:
> Hi Jim,
>
> Do you know if there is a slide deck available with the talk? It sounds like there is, but Dr. Bernstein's Talk page (http://cr.yp.to/talks.html) does not list an OWASP talk.
>
> Jeff

I found what seemed to be the right deck on djb's talks page: http://cr.yp.to/talks/2012.03.08-1/slides.pdf

> On Wed, Jun 26, 2013 at 12:08 AM, Jim Manico jim.man...@owasp.org wrote:
>> I'm very pleased to announce that OWASP Podcast 95 is live! Special thanks to Thomas Herlea who helped edit and produce this show.
>>
>> This episode features Dan J. Bernstein, a computer science research professor from the University of Illinois. He is speaking on Cryptography Worst Practices. Dan is a very sharp and controversial character. I hope you enjoy.
>>
>> Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
>> RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml
>>
>> Thanks for listening!
>>
>> Aloha,
>> Jim Manico
>> OWASP Board Member
>> @Manicode
Re: [SC-L] OWASP Podcast 95 is live!
There's also a Flash thingie that shows the slides in sync with the audio at SecAppDev's site: http://secappdev.org/lectures/144

Haven't found a video with a human in it, yet. Wonder if it exists somewhere...

Andri [http://themoll.com]

On Jul 2, 2013, at 9:55 AM, Jeffrey Walton noloa...@gmail.com wrote:
> Hi Jim,
>
> Do you know if there is a slide deck available with the talk? It sounds like there is, but Dr. Bernstein's Talk page (http://cr.yp.to/talks.html) does not list an OWASP talk.
>
> Jeff
>
> On Wed, Jun 26, 2013 at 12:08 AM, Jim Manico jim.man...@owasp.org wrote:
>> I'm very pleased to announce that OWASP Podcast 95 is live! Special thanks to Thomas Herlea who helped edit and produce this show.
>>
>> This episode features Dan J. Bernstein, a computer science research professor from the University of Illinois. He is speaking on Cryptography Worst Practices. Dan is a very sharp and controversial character. I hope you enjoy.
>>
>> Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
>> RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml
>>
>> Thanks for listening!
>>
>> Aloha,
>> Jim Manico
>> OWASP Board Member
>> @Manicode
Re: [SC-L] OWASP Podcast 95 is live!
http://www.secappdev.org/handouts/2012/Dan%20J.%20Bernstein/worst%20practices.pdf

--
Jim Manico
@Manicode
(808) 652-3805

On Jul 1, 2013, at 8:55 PM, Jeffrey Walton noloa...@gmail.com wrote:
> Hi Jim,
>
> Do you know if there is a slide deck available with the talk? It sounds like there is, but Dr. Bernstein's Talk page (http://cr.yp.to/talks.html) does not list an OWASP talk.
>
> Jeff
>
> On Wed, Jun 26, 2013 at 12:08 AM, Jim Manico jim.man...@owasp.org wrote:
>> I'm very pleased to announce that OWASP Podcast 95 is live! Special thanks to Thomas Herlea who helped edit and produce this show.
>>
>> This episode features Dan J. Bernstein, a computer science research professor from the University of Illinois. He is speaking on Cryptography Worst Practices. Dan is a very sharp and controversial character. I hope you enjoy.
>>
>> Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
>> RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml
>>
>> Thanks for listening!
>>
>> Aloha,
>> Jim Manico
>> OWASP Board Member
>> @Manicode
Re: [SC-L] OWASP Podcast 95 is live!
Hi Jim,

Do you know if there is a slide deck available with the talk? It sounds like there is, but Dr. Bernstein's Talk page (http://cr.yp.to/talks.html) does not list an OWASP talk.

Jeff

On Wed, Jun 26, 2013 at 12:08 AM, Jim Manico jim.man...@owasp.org wrote:
> I'm very pleased to announce that OWASP Podcast 95 is live! Special thanks to Thomas Herlea who helped edit and produce this show.
>
> This episode features Dan J. Bernstein, a computer science research professor from the University of Illinois. He is speaking on Cryptography Worst Practices. Dan is a very sharp and controversial character. I hope you enjoy.
>
> Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
> RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml
>
> Thanks for listening!
>
> Aloha,
> Jim Manico
> OWASP Board Member
> @Manicode
[SC-L] OWASP Podcast 95 is live!
I'm very pleased to announce that OWASP Podcast 95 is live! Special thanks to Thomas Herlea who helped edit and produce this show.

This episode features Dan J. Bernstein, a computer science research professor from the university of Illinois. He is speaking on Cryptography Worst Practices. Dan is a very sharp and controversial character. I hope you enjoy.

Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml

Thanks for listening!

Aloha,
Jim Manico
OWASP Board Member
@Manicode
[SC-L] Top 5 Reasons to Implement Threat Modeling
Hi Secure Coders,

As always, the Verizon Data Breach report highlighted some interesting stats on attacks and breaches over the last year. And, no surprise that hacking accounts for a high chunk of those attack vectors, with SQL Injection still prominent.

In order to build software securely, we cannot stress enough the importance of proactively threat modeling applications and we've identified 5 of the top reasons to do so. Avoiding a single breach is a good enough reason alone to implement threat modeling but hey, for you skeptics out there, we've compiled a handful of other key considerations as well.

Here's the blog post: http://myappsecurity.com/5-reasons-threat-modeling/

Please take a look - any and all feedback is welcome!

Thanks,
Reef Dsouza
Product Manager
MyAppSecurity http://www.myappsecurity.com/
LinkedIn http://www.linkedin.com/in/reefdsouza
[SC-L] Silver Bullet 87: James Walden
hi sc-l,

Last month, Cigital consultant Joe Harless suggested that I interview his NKU professor James Walden. It was a good idea. Thanks Joe.

I have known James for years. He uses Software Security in some of his classes and he thinks about software security all day. Trained as a particle physicist, James is one of the leaders in academic software security. We talk about all sorts of things, top ten lists, breaking versus fixing, bugs and flaws. James teaches a Secure Software Engineering course that is right up our alley here at sc-l.

Have a listen: http://www.cigital.com/silver-bullet/show-087/

And if you have a suggestion for a Silver Bullet episode, let me know!

gem

company www.cigital.com
justiceleague www.cigital.com/justiceleague
book www.swsec.com
[SC-L] TechTarget: Proactive Security in Financial Services
hi sc-l,

The Financial Services sector is an important advocate for real software security. At FS-ISAC this Spring in Florida, I moderated a panel about that (including JP Morgan Chase, Capital One and Fidelity). The panel resulted in a writeup posted today (and published in Information Security Magazine).

http://bit.ly/163miTX

(kevin longlink http://searchsecurity.techtarget.com/opinion/McGraw-Financial-services-develop-a-proactive-posture?utm_medium=EMasrc=EM_ERU_22003825utm_campaign=20130610_ERU%20Transmission%20for%2006/10/2013%20(UserUniverse:%20608797)_myka-repo...@techtarget.comutm_source=ERUsrc=5135013)

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleage
book www.swsec.com
Re: [SC-L] Need a help for an article
Hi Punit,

Good on you for selecting information security as a topic of interest. We need more grads in our field!

The state of the art for buffer overflows, heap overflows, and other memory corruption bugs is so advanced that it may take you a little while to get on top of it before being able to write about it simply enough for the average Joe to understand it. They seem simple enough, but there's so much nuance and almost an obsessive amount of detail to get right to get a reliable exploit. Almost anyone can cause a program to crash, but it's the freaks who can turn an unexploitable null dereference bug into a workable exploit. To me, the freaks are more interesting than the exploits.

I am not trying to dissuade you from writing about IT security, as many programmers think that buffer overflows are solved due to ASLR and DEP, or as soon as they use the /GS switch. This is not the case - it just makes it much harder. So it's not an old topic, it's now an extremely arcane topic.

How much time do you want to invest in writing your article? I would suggest going down a different route - find the usual suspects on SlideShare, Twitter or Google+ who REALLY know their stuff and ask them for an interview to get the human angle on modern day memory exploitation trickery. This way, you don't need to necessarily master the issue, and you can report on the state of the art with a human angle. I would suggest searching for anyone who does reverse engineering for fun or a living who has 200-500 followers as being a good starting point. The big names in our industry are generally interesting folks in their own right. In the old days, we'd call them eccentric, and to me, this is the angle that I would take time to read if done right.

thanks,
Andrew

On Tue, Jun 4, 2013 at 1:22 AM, Punit Mehta punit9...@gmail.com wrote:

> Hi all,
>
> I am a second year computer science undergraduate student at a university. I want to publish an article based on computer security. I had thought of some like Buffer Overflow, Heap Overflow, Format String attack etc. But they sound too old. My aim is to publish some fresh and interesting stuff based on computer security. I have searched a lot, but maybe because of my limited knowledge, I am not able to find out appropriate topics to work on. So, I would be grateful if someone could suggest me some nice, recent topics (which can include secure coding in different languages or even beyond that). I just want to get the topic and a pointer to some resources from which I can learn it. Any kind of help is heartily welcomed! :)
>
> Thanks in advance!
>
> Regards,
> Punit Mehta
[SC-L] Silver Bullet 86: Wenyuan Xu
hi sc-l,

Ever wonder what it is like to be a Chinese scholar living and teaching in the US or a woman teaching computer science and engineering? We talk about that in the 86th episode of the Silver Bullet Security Podcast featuring University of South Carolina professor Wenyuan Xu: bit.ly/14e8h29 http://t.co/A1aymA09tw

We also discuss embedded device security (cars, electricity billing systems, medical devices), software security, and the distinctly American phenomenon of tailgating.

Have a listen. As always your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleage
book www.swsec.com
twitter @noplasticshower
[SC-L] SecAppDev hits the road
Greetings SC-L subscribers,

I suspect many of you have heard of SecAppDev (http://secappdev.org) over the years. It's a non-profit training event that has hitherto been held in Leuven, Belgium for 1 week each Feb/Mar. Well, we're excited to say that this year we've added a second event: SecAppDev Dublin! Yes, SecAppDev will be hitting the road for its first foray outside of Belgium. For one week in July (15th-19th), we'll be making Dublin, Ireland our home. Just like the events in Belgium, we've lined up a great curriculum and faculty, to give each delegate a look at myriad aspects of developing secure applications. It's a pretty intense week-long immersion into the topics, for sure.

Registration is now open.

The course is organized by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. The course is a joint initiative with Dublin City University, Trinity College Dublin, KU Leuven and Solvay Brussels School of Economics and Management.

SecAppDev Dublin is the first edition of our widely acclaimed courses to be run in Ireland. Our previous 9 courses took place in Belgium and were attended by an international audience from a broad range of industries including financial services, telecom, consumer electronics and media.

We pride ourselves on our world-class faculty, which, for SecAppDev Dublin, includes

+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned Leuven crypto lab.
+ Ken van Wyk, co-founder of the US CERT Coordination Center and widely acclaimed author and lecturer.
+ Prof. dr. Dan Wallach, head of Rice University's computer security lab.
+ Prof. dr. Mike Scott, previously the head of DCU's School of Computing, now Chief Cryptographer at Certivox.

When we ran our first annual course in 2005, emphasis was on awareness and security basics, but as the field matured and a thriving security training market developed, we felt it was not appropriate to compete as a non-profit organization. Our focus has hence shifted to providing a platform for leading-edge and experimental material from thought leaders in academia and industry. We look toward academics to provide research results that are ready to break into the mainstream and attract people with an industrial background to try out new content and formats.

The course takes place from July 15th to 19th at the Science Gallery, Trinity College, Dublin. For more information visit the web site: http://secappdev.org.

Seating is limited, so do not delay registering to avoid disappointment. Registration is on a first-come, first-served basis. A 25% discount is available for Early Bird registration until June 15th. Alumni, public servants, and independents receive a 50% discount.

I hope that we will be able to welcome you or your colleagues to our course.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: @KRvW or @KRvW_Associates
[SC-L] 2013 OWASP Mobile Top 10 Call For Data
Hello All,

We are pleased to announce the 2013 call for data to help refresh the Mobile Top 10 Risks for 2013 and publish a more formal publication. We are encouraging everyone to get involved. The current Mobile Top Ten Risks are located here: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab.3DTop_Ten_Mobile_Risks

- What do we need? -

Right now we are looking for data that represents the current state of mobile application security. We are soliciting not just vulnerability data, but also incident and attack data that reflects the real-world prevalence and significance of these issues. The goal in requiring both is to rank risks accordingly based on data as opposed to making assumptions. We will use this data to flesh out and re-evaluate the currently incomplete Mobile Top Ten Project.

- How can you contribute? -

Contributing data is easy. All we require is anonymized statistics on the vulnerabilities you've seen in 2012-Present. If you have data on real-world incidents and attacks to share, these will be of great value as well as they will allow real-world impact to be better assessed. This can be just aggregate percentages, no need to tell us how many apps you're doing if you're not comfortable with that. Something like the below:

Issue: Something related to geolocation
Percentage Affected: X%
Number Affected: Y (only if you are comfortable with this)
Brief Description: This is a problem because xyz and also, bad things.

The data you submit does not necessarily have to reflect the current Top 10, it has to reflect what you are observing in the applications you analyze. At the same time, we would certainly love feedback on what you believe is correct or incorrect about the current list.

- What happens next? -

After a 60 day period we will review all submissions and re-draft the Mobile Top Ten based on the prevalence and impact of data provided by participants. After the submission period ends, there will be follow-on discussions and work to analyze the data. Participation in this initiative may require up to 10 hours of efforts per week, so please take this into consideration before signing up.

- Spread the word. Make a difference! -

Also, any help spreading the word on the Mobile Security Project is immensely helpful. A Tweet/Facebook/Linkedin post, blog entry, etc. This initiative will fail if people don't know about it. Anyone that you can promote this initiative to will help the cause. We thank all of you in advance for your participation and hard work in making this initiative a success. Your participation will be noted and recorded when compiling the list of contributors for the final release of the Mobile Top 10 Risks documentation.

- Get in touch and get involved. -

Please direct any questions or concerns to the Top 10 Refresh leaders, Jason Haddix (jason.had...@owasp.org), Jack Mannino (jack.mann...@owasp.org), and Mike Zusman (mike.zus...@owasp.org).

We will be using a Google Group to collaborate on the Top 10 refresh: https://groups.google.com/a/owasp.org/forum/?hl=enfromgroups#!forum/owasp-mobile-top-10-risks

The OWASP Mobile Security project's mailing list is also another way to get in touch with other contributors (owasp-mobile-security-proj...@lists.owasp.org).

Thank you!

Regards,
Jim Manico
OWASP Board Member and Volunteer
@Manicode
[SC-L] MoST 2013 - Mobile Security and Technology workshop - final call for participation
Call for participation: One week until the workshop!

The workshop and program chairs invite you to participate in the 2nd MoST workshop. Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems.

The list of this year's accepted papers / presentations can be found on the workshop home page: http://mostconf.org/2013/

Mobile Security Technologies (MoST) 2013 is co-located with The 34th IEEE Symposium on Security and Privacy (IEEE SP 2013), http://www.ieee-security.org/TC/SP2013/ and is an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2013) chaired by L. Jean Camp, http://ieee-security.org/TC/SPW2013

Registration details for the SPW 2013 workshops, including MoST 2013, can be found on the Symposium's registration page: http://www.regonline.com/Register/Checkin.aspx?EventID=1181099

Scroll down to the workshops registration information. In particular, you will see that if you register for MoST 2013, you can attend any, or all, of the Thursday workshops.

Thanks.

(my apologies if you receive multiple copies of this announcement)
[SC-L] W2SP 2013 - Web 2.0 Security and Privacy workshop - Final call for participation
Call for participation: Only three weeks until the workshop!

The workshop and program chairs invite you to participate in the 7th W2SP workshop. The goal of this one-day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web security and privacy issues, and to establish new collaborations in these areas.

The list of this year's accepted papers / presentations can be found on the workshop home page: http://w2spconf.com/2013/

W2SP 2013 is co-located with The 34th IEEE Symposium on Security and Privacy (IEEE SP 2013), http://www.ieee-security.org/TC/SP2013/ and is an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2013) chaired by L. Jean Camp, http://ieee-security.org/TC/SPW2013

Registration details for the SPW 2013 workshops, including MoST 2013, can be found on the Symposium's registration page: http://www.regonline.com/Register/Checkin.aspx?EventID=1181099

Scroll down to the workshops registration information. In particular, you will see that if you register for W2SP 2013, you can attend any, or all, of the Friday workshops.

Thanks.

(my apologies if you receive duplicate announcements)
[SC-L] Correction: W2SP 2013 - Web 2.0 Security and Privacy workshop - Final call for participation
*** My apologies for another email. Only ONE week until the workshop! ***

Call for participation: Only ONE week until the workshop!

The workshop and program chairs invite you to participate in the 7th W2SP workshop. The goal of this one-day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web security and privacy issues, and to establish new collaborations in these areas.

The list of this year's accepted papers / presentations can be found on the workshop home page: http://w2spconf.com/2013/

W2SP 2013 is co-located with The 34th IEEE Symposium on Security and Privacy (IEEE SP 2013), http://www.ieee-security.org/TC/SP2013/ and is an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2013) chaired by L. Jean Camp, http://ieee-security.org/TC/SPW2013

Registration details for the SPW 2013 workshops, including MoST 2013, can be found on the Symposium's registration page: http://www.regonline.com/Register/Checkin.aspx?EventID=1181099

Scroll down to the workshops registration information. In particular, you will see that if you register for W2SP 2013, you can attend any, or all, of the Friday workshops.

Thanks.

(my apologies for the duplicate announcement)
[SC-L] CFP: Workshop on Risk Perception in IT Security and Privacy at SOUPS
Short position statements due next Thursday, May 30

Workshop on Risk Perception in IT Security and Privacy
A workshop of the Symposium On Usable Privacy and Security (SOUPS)
http://cups.cs.cmu.edu/soups/2013/

For full details, please see: http://cups.cs.cmu.edu/soups/2013/risk.html

This workshop is an opportunity to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy.

Important Dates:
Submission Deadline: May 30, 2013, 5pm PDT
Notification Deadline: June 10, 2013 5pm PDT
Anonymization: Papers are NOT to be anonymized
Length: 1-2 page position statements

SCOPE AND FOCUS

Willingness to perform actions for security purposes is strongly determined by the costs and perceived benefit to the individual. When end-users' perceptions of risk are not aligned with organization or system, there is a mismatch in perceived benefit, leading to poor user acceptance of the technology. For example, organizations face complex decisions when pushing valuable information across the network to mobile devices, web clients, automobiles and other embedded systems. This may impose burdensome security decisions on employees and clients due to the risks of devices being lost or stolen, shoulder surfing, eavesdropping, etc. Effective risk communication can provide a shared understanding of the need for, and benefits of secure approaches and practices.

While risk perception has been studied in non-IT contexts, how well people perceive and react to IT risk is less well understood. How systems measure IT risk, how it is best communicated to users, and how to best align these often misaligned perspectives is poorly understood. Risk taking decisions (policies) are increasingly being pushed out to users who are frequently ill prepared to make complex technical security decisions based on limited information about the consequences of their actions. In other risk domains we know that non-experts think and respond to risk very differently than experts. Non-experts often rely on affect, and may be unduly influenced by the perceived degree of damage that will be caused. Experts, and risk evaluation systems, use statistical reasoning to assess risk.

The purpose of this workshop is to bring together researchers and practitioners to share experiences, concerns and ideas about how to address the gap between user perception of IT risks and security / organizational requirements for security and privacy.

Topics of interest include:

- Human decision and different attack types: Malware, eavesdropping, inadvertent loss / disclosure of information, phishing, browser attacks, etc.
- Research methods and metrics for assessing perception of risk
- Assessing value of assets and resources at risk
- Communicating and portrayal of risk - security indicators, status indicators, etc.
- Organizational versus personal risk
- The psychology of risk perception
- Behavioral aspects of risk perception
- Real versus perceived risk
- Other topics related to measuring IT risk and/or user perception of IT risk

The goal of this workshop is to explore these and related topics across the broad range of IT security contexts, including enterprise system, personal systems, and especially mobile and embedded systems. This workshop provides an informal and interdisciplinary setting that includes the intersection of security, psychological, and behavioral science.

Everyone who attends the workshop participates. Panel discussions will be organized around topics of interest where the workshop participants will be given an opportunity to give brief presentations, which may include current or prior work in this area, as well as pose challenges in IT security and privacy risk perception.

SUBMISSIONS

We are soliciting 1-2 page position statements that express the nature of your interest in the workshop, the aspects of risk perception of interest to you including the topic(s) that you would like to discuss during the workshop, including the panel discussions.

Email inquiries may be sent to: riskperception2...@gmail.com.

IMPORTANT DATES

Paper submission deadline - May 30, 2013, 5pm PDT
Notification of paper acceptance - June 10, 2013 5pm PDT

ORGANIZERS

Larry Koved, IBM T. J. Watson Research Center
L Jean Camp, Indiana University
[SC-L] Ruxcon 2013 Call For Papers
Ruxcon 2013 Call For Presentations
Melbourne, Australia, October 26th-27th
CQ Function Centre
http://www.ruxcon.org.au/call-for-papers/

The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 2013. This year the conference will take place over the weekend of the 26th and 27th of October at the CQ Function Centre, Melbourne, Australia.

.[x]. About Ruxcon .[x].

Ruxcon is a premier technical computer security conference in Australia. The conference aims to bring together the individual talents of the best and brightest security folk in the region, through live presentations, activities and demonstrations. The conference is held over two days in a relaxed atmosphere, allowing attendees to enjoy themselves whilst networking within the community and expanding their knowledge of security. Live presentations and activities will cover a full range of defensive and offensive security topics, varying from previously unpublished research to required reading for the security community.

For more information, please visit http://www.ruxcon.org.au

.[x]. Important Dates .[x].

May 7th - Call For Presentations Open
September 7th - Call For Presentations Close
October 22-23 - Ruxcon/Breakpoint Training
October 24-25 - Breakpoint Conference
October 26-27 - Ruxcon Conference

.[x]. Topic Scope .[x].

Topics of interest include, but are not limited to:

o Mobile Device Security
o Virtualization, Hypervisor, and Cloud Security
o Malware Analysis
o Reverse Engineering
o Exploitation Techniques
o Rootkit Development
o Code Analysis
o Forensics and Anti-Forensics
o Embedded Device Security
o Web Application Security
o Network Traffic Analysis
o Wireless Network Security
o Cryptography and Cryptanalysis
o Social Engineering
o Law Enforcement Activities
o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)

.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

1. Presentation title
2. Detailed summary of your presentation material
3. Name/Nickname
4. Mobile phone number
5. Brief personal biography
6. Description of any demonstrations involved in the presentation
7. Information on where the presentation material has or will be presented before Ruxcon

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, including question time.

If you have any enquiries about submissions, or would like to make a submission, please send an email to presentati...@ruxcon.org.au

.[x]. Contact .[x].

o Email: presentati...@ruxcon.org.au
o Twitter: @ruxcon
[SC-L] W2SP 2013 - Web 2.0 Security and Privacy workshop - call for participation
Only three weeks until the workshop. Call for participation!

The workshop and program chairs invite you to participate in the 7th W2SP workshop. The goal of this one-day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web security and privacy issues, and to establish new collaborations in these areas.

The list of this year's accepted papers / presentations can be found on the workshop home page: http://w2spconf.com/2013/

W2SP 2013 is co-located with The 34th IEEE Symposium on Security and Privacy (IEEE SP 2013), http://www.ieee-security.org/TC/SP2013/ and is an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2013) chaired by L. Jean Camp, http://ieee-security.org/TC/SPW2013

Registration details for the SPW 2013 workshops, including MoST 2013, can be found on the Symposium's registration page: http://www.regonline.com/Register/Checkin.aspx?EventID=1181099

Scroll down to the workshops registration information. In particular, you will see that if you register for W2SP 2013, you can attend any, or all, of the Friday workshops.

Thanks.
[SC-L] Silver Bullet 85:Mobile Security with Jim Routh and Scott Matsumoto
hi sc-l,

Is mobile security a brand new day or the same old same old? The answer depends on how you look at the problem. If you are a practitioner in the trenches, there are many new and interesting shiny bits to mobile security. If you are a security veteran, things look very familiar.

In this episode of Silver Bullet, Jim Routh, Scott Matsumoto and I take on the Necker Cube of mobile security. Jim Routh is the ultimate security practitioner (until recently the global head of software security at JPMC and now a major CSO). Scott Matsumoto, Cigital Principal and head of mobile security, is a software veteran with years of experience. I do what I can to guide the conversation with an eye on both the distant past and the quickly approaching future.

Have a listen and pass it on: http://www.cigital.com/silver-bullet/show-085/

As always, your feedback is both welcome and encouraged. What do YOU think? Same old same old or brand new day?

gem

company www.cigital.com
blog www.cigital.com/justiceleague (see especially https://www.cigital.com/justice-league-blog/2013/04/30/mobile-different-or-same-sht-different-day/)
book www.swsec.com
Re: [SC-L] BSIMM Diagrams
Thanks Ivan! Unfortunately I wasn't able to look at this straight away, and when I go to the link now I get "ME-ERR-002 Sorry, we couldn't find the page you were looking for." Would you be able to put it up again?

Cheers! - Craig.

On 18 April 2013 20:13, Iván Arce ivan.w.a...@gmail.com wrote:

Here's a treemap visualization of the same BSIMM measurement from Craig Heath's blogpost. http://www-958.ibm.com/v/297862 The ordering I've found most useful is Domain - Maturity Level - Practice, with the area of the rectangular boxes based on the total count of activities in each (practice, level) combination and coloring based on the count of observed activities. Level - Domain - Practice seems useful too. The data file I used is available on the same site. The visualization tool allows reordering the categories and changing the area/color coding ranges interactively. Unfortunately this requires the Java plugin enabled in the browser. If there's interest I'll try to find a non-Java, non-Windows-only fat-client (i.e. Tableau Public) way of publishing it. Please send comments or any other feedback to the SC-L list.

thanks, -ivan

On 4/10/13 10:29 AM, Craig Heath wrote:

Hi all! List members might be interested in a blog post I've just made here: http://bit.ly/ZEWluE I attended the BSIMM Europe Open Forum last month, and one of the topics that came up was how to show BSIMM assessment results usefully on a diagram. The spider chart as used in the BSIMM document is great for a high-level visual comparison of a software security initiative with an industry benchmark, but lacks detail of which specific activities are undertaken. At the forum, Sammy Migues shared something he uses called an equalizer diagram, which is great for showing gaps in coverage of software security activities, but lacks comparison with a benchmark. I wondered whether it would be possible to produce a diagram which combines the advantages of both, and the post linked above describes an attempt at that. I'll be happy to discuss further either here or in the comments on the blog.

Thanks! - Craig Heath.
Re: [SC-L] BSIMM Diagrams
Thanks for sharing, Ivan. However, Java in the browser is not acceptable, so could you please find another way to share the visualization tool? This may not be an easy request to fulfill, since I would not launch any executable code (Java or otherwise) without a minimal level of assurance...

Best regards,
Daniel Halber
daniel.hal...@gmail.com

From: Iván Arce ivan.w.arce () gmail com
Date: Thu, 18 Apr 2013 16:13:52 -0300

Here's a treemap visualization of the same BSIMM measurement from Craig Heath's blogpost. http://www-958.ibm.com/v/297862 The ordering I've found most useful is Domain - Maturity Level - Practice, with the area of the rectangular boxes based on the total count of activities in each (practice, level) combination and coloring based on the count of observed activities. Level - Domain - Practice seems useful too. The data file I used is available on the same site. The visualization tool allows reordering the categories and changing the area/color coding ranges interactively. Unfortunately this requires the Java plugin enabled in the browser. If there's interest I'll try to find a non-Java, non-Windows-only fat-client (i.e. Tableau Public) way of publishing it. Please send comments or any other feedback to the SC-L list.

thanks, -ivan

On 4/10/13 10:29 AM, Craig Heath wrote:

Hi all! List members might be interested in a blog post I've just made here: http://bit.ly/ZEWluE I attended the BSIMM Europe Open Forum last month, and one of the topics that came up was how to show BSIMM assessment results usefully on a diagram. The spider chart as used in the BSIMM document is great for a high-level visual comparison of a software security initiative with an industry benchmark, but lacks detail of which specific activities are undertaken. At the forum, Sammy Migues shared something he uses called an equalizer diagram, which is great for showing gaps in coverage of software security activities, but lacks comparison with a benchmark. I wondered whether it would be possible to produce a diagram which combines the advantages of both, and the post linked above describes an attempt at that. I'll be happy to discuss further either here or in the comments on the blog.

Thanks! - Craig Heath.
[SC-L] c0c0n 2013 - Call For Papers and Call For Workshops
### c0c0n 2013 - Call For Papers and Call For Workshops ###
August 22-24, 2013 - Cochin, India

Buenos días from the God's Own Country!

We are extremely delighted to announce the Call for Papers and Call for Workshops for c0c0n 2013 http://www.is-ra.org/c0c0n/, a 3-day Security and Hacking Conference (1 day pre-conference workshop and 2 day conference), full of interesting presentations, talks and of course filled with fun!

The conference topics are divided into four domains as follows:
Info Sec - Technical
Info Sec - Management
Digital Forensics and Investigations
Cyber Laws and Governance

We are expecting conference and workshop submissions on the following topics, but are not limited to:
New Vulnerabilities and Exploits/0-days
Open Source Security and Hacking Tools
Antivirus/Firewall/UTM Evasion Techniques
Software Testing/Fuzzing
Network and Router Hacking
Malware analysis
Reverse Engineering
Mobile Application Security - Threats and Exploits
Advanced Penetration testing techniques
Web Application Security and Hacking
Browser Security
Hacking virtualized environments
WLAN and Bluetooth Security
Lockpicking and physical security
Honeypots/Honeynets
Exploiting Layer 8 / Social Engineering
Cloud Security
Critical Infrastructure and SCADA networks Security
National Security and Cyber Warfare
Cyber Forensics, Cyber Crime and Law Enforcement
IT Auditing/Risk management and ISO 27001

Presentations/topics that haven't been presented before will be preferred.
# CFP Review Committee: #
0x01 - Fyodor Bom #fygrave
0x02 - Vivek Ramachandran
For more details about the Review Committee, visit - http://is-ra.org/c0c0n/cfp.html

# Submission Guidelines: #
Email your submission to: cfp [at] is-ra [dot] org
Email subject should be: CFP c0c0n 2013 - Paper Title

Email Body:

Personal Information:
Speaker Name:
Job Role/Handle:
Company/Organization:
Country:
Email ID:
Contact Number:
Speaker Profile: (max 1000 words)
If there is an additional speaker, please mention it here following the above format.

Presentation Details:
Name/Title of the presentation:
Paper Abstract: (max 3000 words)
Presentation Time Required (20, 30, 50 Minutes)
Is there any demonstration? Yes or No
Are you releasing any new tool? Yes or No
Are you releasing any new exploit? Yes or No
Have you presented the paper before at any other security / technology conference(s)? Yes or No

Other Needs / Requirements:
Do you need any special equipment? We will be providing 1 LCD projector feed, 2 screens, microphones, wired and/or wireless Internet. If you have any other requirement, please mention it here and the reason.

# Remember these Dates! #
CFP Opens: 03 Apr 2013
CFP Closing Date: 26 May 2013
Speakers list (First Set) online: 02 Jun 2013
Workshop Dates: 22 Aug 2013
Conference Dates: 23 - 24 Aug 2013

*NOTE:* We should not promote vendor/product-oriented submissions, hence they will be rejected.

## Speaker Benefits: ##
Complimentary Conference registration.
Complimentary Accommodation for 2 nights.
Complimentary conference passes.
Invitation to Day 1 Networking Dinner / Party.
Travel Reimbursement - The selected speaker will receive travel reimbursement, to the extent available with existing ISRA / conference funds.
Only one speaker will be eligible for the benefits in case there are two or more speakers for a talk.
Thanks and Regards, -c0c0n Team-
[SC-L] ANNOUNCING: #MobAppSecTri Scholarship Program
Hey SC-Lers,

Gunnar Peterson (@OneRaindrop) and I (@KRvW) are once again giving away to a few deserving Mobile App Developers a small number of FREE tickets to our next Mobile App Sec Triathlon. If you know any deserving students / interns (especially in the greater New York City region), point them in our direction for a chance to get a free seat.

See http://mobappsectriathlon.blogspot.com/2013/03/announcing-mobappsectri-scholarship.html for details.

Cheers,
Ken
- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: @KRvW or @KRvW_Associates
[SC-L] CFP: International Workshop on Secure Software Engineering (SecSE-13@AReS)
Hi SC-L,

Just a short mail to remind you that we are organizing SecSE for the seventh time - this year on September 3rd in historic Regensburg, Germany. As an added bonus, Gary McGraw has agreed to give an invited talk on BSIMM4, in addition to the tutorial on software security he will give at the main conference (http://ares-conference.eu).

We welcome all kinds of papers on techniques, experiences and lessons learned for engineering secure and dependable software - see the workshop webpage at http://sintef.org/secse (which forwards to our new fancy page hosted by KU Leuven) for more information. Submit your papers by March 30th at https://confdriver.ifs.tuwien.ac.at/ares2013.

Cheers,
Martin Gilje Jaatun
SecSE organizing chair
[SC-L] BSIMM talk at RSA
hi sc-l,

Please come hear my talk "Bug Parades, Zombies and the BSIMM: A Decade of Software Security" today at the RSA Conference. The talk is at 10:40am in room 132. I'll be making some of the BSIMM Update data from the RSA BSIMM Mixer public. 63 firms and counting.

gem
[SC-L] Fwd: [Owasp-igoat-project] OWASP iGoat version 2.0 RELEASED!!!
Greetings SC-L,

For all of you who are interested in mobile app sec (or interested in learning more about it), we released OWASP iGoat version 2.0 today. See the details in our announcement below.

Cheers,
Ken van Wyk

Begin forwarded message:

From: Kenneth R. van Wyk k...@krvw.com
Subject: [Owasp-igoat-project] OWASP iGoat version 2.0 RELEASED!!!
Date: February 26, 2013 2:48:48 PM EST
To: owasp-igoat-proj...@lists.owasp.org

OWASP iGoat Project:

Thanks to iGoat lead developer, Sean Eidemiller, it gives me great pleasure to announce the immediate release of OWASP iGoat version 2.0! See the project web site at: https://www.owasp.org/index.php/OWASP_iGoat_Project for more information, or go directly to the source repository to download at: http://code.google.com/p/owasp-igoat/

The OWASP iGoat tool is a stand-alone iOS app (distributed solely in source code) designed to introduce iOS developers to many of the security pitfalls that plague poorly-written apps. Like its namesake, OWASP's WebGoat tool, iGoat is intended to teach software developers about these issues by stepping them through a series of exercises, each of which focuses on a single aspect of iOS security. OWASP iGoat is an ideal tool to use in a classroom setting to teach iOS developers (and technically minded IT Security staff with at least some exposure to object oriented programming).

Exercises include many typical problem issues (and their solutions) including:
- Securing sensitive data in transit
- Securing sensitive data at rest
- Securely connecting to back-end authentication services
- Side channel data leakage (e.g., system screen shots, cut-and-paste, and keystroke logging via the autocorrection feature)
- Making use of the system keychain to store small amounts of consumer-grade sensitive data

New to version 2.0:
- iGoat is now a true Universal app, so it builds and runs on iPhones, iPod Touches, as well as iPads. Full screen views are supported on all of these devices. (It also runs on the iPhone simulator included with XCode, of course -- which is ideal for a classroom environment.)
- A few behind the scenes improvements were made to the iGoat platform itself, making it easier to work with and develop new exercises. These include:
  o Storyboards for main screen navigation.
  o ARC support for object memory management.
- General code clean-ups.

Requirements: To build and run iGoat, you'll need a Mac running OS X (real or virtual machine), with XCode installed. iGoat was built for Mountain Lion, but should run fine on any OS X newer than Snow Leopard. We recommend the latest XCode and built iGoat using XCode version 4.6. Similarly, iGoat was built on iOS 6.1, but should be backwards compatible with at least version 5.x.

We invite the OWASP community to download and try iGoat, and we welcome your suggestions for improvements. We're always looking for willing participants to contribute to the project as well!

Cheers,
Ken van Wyk
OWASP iGoat Project Leader

___ Owasp-igoat-project mailing list owasp-igoat-proj...@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-igoat-project
[SC-L] Software Security on MSNBC Sunday morning TV (9:20am)
hi sc-l,

I am slated to be a guest on MSNBC's Up With Chris Hayes tomorrow morning (Sunday 2.24) 9:20-10:00am. They wanted to fly me to NY for the show, but the plan now is to do this from the DC studios. We'll be talking about Cyber War.

About the show: http://www.nytimes.com/2012/06/24/fashion/chris-hayes-has-arrived-with-up.html?_r=0

You can bet I will harp on software security!

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] Software Security on MSNBC Sunday morning TV (9:20am)
hi sc-l,

It's still early on Sunday, but here is a pointer to the episode: http://nbcnews.to/YqeokE

gem

From: gem g...@cigital.com
Date: Saturday, February 23, 2013 4:21 PM
To: Secure Code Mailing List SC-L@securecoding.org
Subject: Software Security on MSNBC Sunday morning TV (9:20am)

hi sc-l, I am slated to be a guest on MSNBC's Up With Chris Hayes tomorrow morning (Sunday 2.24) 9:20-10:00am. They wanted to fly me to NY for the show, but the plan now is to do this from the DC studios. We'll be talking about Cyber War. About the show: http://www.nytimes.com/2012/06/24/fashion/chris-hayes-has-arrived-with-up.html?_r=0 You can bet I will harp on software security!

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] See you next week at RSA 2013
hi sc-l,

I know many sc-l readers will be headed out to San Francisco next week for the usual week of chaos surrounding RSA. Should be a blast as always. This year I am involved in two public appearances at the RSA conference, both of which will discuss software security explicitly.

The first is a CSO Panel featuring Gary Warzala (Visa), Jason Witty (US Bank), Eric Grosse (Google), and Howard Schmidt (retired US Gov). One of the six key questions we will address during the panel is what a CSO can and should do about software security, security engineering and building things properly. That panel is Wednesday 2.27 at 1pm.

The second appearance is even more relevant to software security. I will give my "Bug Parades, Zombies, and the BSIMM" talk Thursday 2.28 at 10:40am. I plan to discuss the ancient history of software security and accelerate to now. I hope you will come see what we've got cooking!

If you do come to the talks, make sure to come say hello.

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] Chinese Hacking, Mandiant and Cyber War
There have been reports about military and industrial secrets and what ought to be secrets being sent to China for decades now. It has been clear (at least in these reports) that US companies were required to have their technology built within China in order to have access to Chinese markets, and the US Government has approved such technology transfers time and again, regardless of concerns for what it does in the long term. I seem to recall this at least as far back as Clinton's time, maybe further. So we are seeing a continuation of a pattern which has been accepted for many years of transfer of knowhow and of aggressive Chinese state support of that transfer. While arguably the time to lock the barn door started decades ago, and continues now, this report should surprise nobody.

The economic espionage (and other espionage possibly) is old news and might be better handled by measures to perhaps make some of their take be designed to be dangerous to use. (If for example you steal my avionics, might I not be justified in seeing that what you steal is jiggered so the planes crash now and then? Or happen to hit some unpleasant resonances once in a while?) Such things would make it dangerous to steal... Also is there no counter-espionage going on?

At any rate, treating this as a surprise and a reason to prepare for war seems useful only to those who want to create emergencies, perhaps to further diminish our civil liberties. When I was young there was lots of fear about impending nuclear war, but nobody treated spy scandals on either side as reasons for conflict. They did try to reduce exposure. That can be done here too.

One thing that might be looked at is whether the air gap that was supposed to protect many SCADA systems could not be made to exist in reality, as an alternative to replacing all the old gear in use. New mandates are not needed so much as something like pointing out that the uninsured liability risk of not having such gaps can be rather large, and some public monitoring to find vulnerable sites. As for the worries even DoD has about hidden functions in ICs sourced from abroad, the more such sourcing is domestic only, and enforced so, the more such seems real.

Securing infrastructure from spying or outside influence is a huge job, made harder by decades of use of systems not designed to resist attacks (so that only the civilian losses due to untrustworthy actions seem to drive fixes) and failure to use software designed for stronger protection. There are measures that can be taken, but many are not general practice, but are lab work. (Ever consider how much mischief occurs because we don't design our interpreters (hardware or software) to reliably tell data apart from code? This permeates whole classes of attacks. While language purists will point out that type enforcement should imply this, the basic code/data confusion problem alone causes most of the flaws I read about. That ought to suggest generic approaches to anyone who considers it awhile.)

On the other hand, if the point of all the sabre rattling is to give excuses for increasing government pervasiveness, and perhaps ventures into wishful thinking that fighting another war like, say, the Korean War, will allow the problems to be solved, it won't do anything useful and is likely to cause great damage, domestically and otherwise. The political folks here really need to be dealing with experts outside their set of Usual Suspects to devise honest fixes, and let those fixes be visible. Talk about how the government in its wisdom will fix things, given how thoroughly it has NOT fixed things over decades now, sounds like subscribing to a 19th century snake-oil salesman to treat a modern epidemic. Maybe some of the above might suggest some other ways...

Glenn Everhart

On 02/20/2013 09:34 AM, Gary McGraw wrote:

hi sc-l, No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be Gandalfed and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.) Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9 Those of us who work on security engineering and software security can help educate policymakers and
[SC-L] CFP: MoST 2013 - Mobile Security and Technology workshop -- DEADLINE EXTENSION
To avoid conflict with a major conference deadline this week and to accommodate popular requests, we have extended the submission deadline of MoST 2013 to March 1 and the notification deadline to March 29.

Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems. Please consult the workshop website (http://www.mostconf.com) for additional details.
[SC-L] Apple Employees Hacked By Visiting iPhoneDevSDK - Mac Rumors
Here is an interesting twist to the recent Apple hack. I hope no SC-Lers are using iphonedevsdk!

http://www.macrumors.com/2013/02/19/apple-employees-hacked-by-visiting-iphonedevsk/

Cheers,
Ken van Wyk
KRvW Associates, LLC
[SC-L] Chinese Hacking, Mandiant and Cyber War
hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be Gandalfed and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] [External] Chinese Hacking, Mandiant and Cyber War
I agree - and grow increasingly frustrated with those who insist on confusing cyber war with cyber espionage (and vice versa). But I've found it's quite easy to get them to understand the difference by simply asking them to drop the prefix "cyber" from each. Cyber war is simply war fought on an electronic battlefield with digital weapons. The general objectives are the same as physical warfare: disable/destroy the adversary's capabilities. In cyber espionage, by contrast, the objective is to obtain information that is held secret by the adversary.

This said, espionage is never an end in itself - information must be used for something to have any value. Thus the (possible) source of confusion (other than that pesky "cyber" tag): one may undertake cyber espionage in aid of cyber war - just as one sends out spies to learn secrets to give one's side a strategic advantage in warfare (or soldiers to do reconnaissance before battle - which is a form of tactical espionage). The problem is that the origin of the cyber attacks involved may be the same, and the timing of the cyber attacks may be (near) simultaneous, so that in the heat of the moment, one might be forgiven for misconstruing as cyber war what is in fact cyber espionage in aid of cyber war. But as the objectives of the two are quite different, the attack patterns are also very likely to be different. So there is no excuse for anyone with more than the most superficial level of understanding of things cyber to confuse one with the other.

Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"If you're not failing every now and again, it's a sign you're not doing anything very innovative." - Woody Allen

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Gary McGraw [g...@cigital.com]
Sent: 20 February 2013 09:34
To: Secure Code Mailing List
Cc: Bruce Schneier; Ross Anderson
Subject: [External] [SC-L] Chinese Hacking, Mandiant and Cyber War

hi sc-l, No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be Gandalfed and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.) Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9 Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] Chinese Hacking, Mandiant and Cyber War
On Wed, Feb 20, 2013 at 9:34 AM, Gary McGraw g...@cigital.com wrote:

hi sc-l,

No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just as well be Gandalfed and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

I'm somewhat surprised a report of that detail was released for public consumption. The suspicion in me tells me it's not entirely accurate or someone has an agenda. There's too much information in there that would be cloaked under national security given other circumstances. There also appears to be a fair amount of FUD-fanning going on:

"Additionally, there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology."

The US equivalent would be like saying the NSA actively recruits Mathematicians and Computer Scientists.

Jeff
[SC-L] Won't it be great if they can finally make survivable software-intensive systems a reality?
http://www.newscientist.com/article/mg21729045.400-the-computer-that-never-crashes.html

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"If you're not failing every now and again, it's a sign you're not doing anything very innovative." - Woody Allen
[SC-L] Active Defense is Irresponsible
hi sc-l,

This morning, NPR did a story http://www.npr.org/2013/02/13/171843046/victims-of-cyberattacks-now-going-on-offense-against-intruders about the idea of "Active Defense" which basically boils down to attacking the people who (may have) attacked you. (Key question: who is it that REALLY attacked you and how do you know that?) At Cigital, we believe this is a recipe for disaster. The last thing we need in computer security is a bunch of vigilante yoo-hoos and lynch mobs. Rule of law anyone?

I talked all about this in my SearchSecurity column in November:

Proactive defense prudent alternative to cyberwarfare
http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare (November 1, 2012)

In fact, I have been a vocal opponent to the Cyber War drum beating that seems to pervade Washington. Here's what I had to say to Threatpost about the issue (warning: poor sound quality): http://threatpost.com/en_us/blogs/gary-mcgraw-cyberwar-and-folly-hoarding-cyber-rocks-111312

I have also been voicing these thoughts at think tanks like CNAS and in academic venues. Here are three pointers to recent talks:

http://www.ists.dartmouth.edu/events/abstract-mcgraw.html
http://www.kcl.ac.uk/sspp/departments/warstudies/newsevents/eventsrecords/mcgraw.aspx
http://www.eecs.umich.edu/eecs/etc/events/showevent.cgi?2626

FWIW, I am going to be on a panel about this at a private event during RSA with the founders of CrowdStrike on the opposing side. Should be interesting. Given their dunderheaded philosophy, maybe I should bring a security detail along.

If you feel as strongly as we do about this issue, please send this to your Representatives. They need to read it:

Separating the Threat from the Hype: What Washington Needs to Know About Cyber Security
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf
in AMERICA'S CYBER FUTURE: SECURITY AND PROSPERITY IN THE INFORMATION AGE VOLUMES I AND II
http://www.cnas.rsvp1.com/node/6405?mgh=http%3A%2F%2Fwww.cnas.orgmgf=1, Center for a New American Security (June 2011).

What's the alternative to throwing rocks? Making sure our houses are not glass by building security in.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] Call for Presentations: OWASP AppSec Research EU 2013
[Apologies for multiple copies of this announcement]

= Call for Presentations: OWASP AppSec Research EU 2013 =

The German Chapter of the Open Web Application Security Project (OWASP) is proud to organize this year's OWASP AppSec Research EU conference. OWASP AppSec conferences are the premier gathering for Software Security leaders and researchers. It brings together the application security community to share cutting-edge ideas, initiatives and technological advancements.

=== Important information ===

Date: August 20-23, 2013
Location: Emporio Hamburg http://www.emporio-hamburg.de/en/
WebSite: http://appseceu.org/

=== Topics ===

OWASP AppSec conferences are true security conferences, with expected talks and presentations all around (web) application security. Non-technical talks (see below) are welcome too. Please refrain from submitting marketing talks or having sales pitches in your talk.

We are interested in all topics related to Web Application Security and OWASP, in particular:

* Secure development: frameworks, best practices, secure coding, methods, processes, SDLC
* Vulnerability analysis: code review, pentest, static analysis
* Threat modelling
* Mobile security
* Cloud security
* Browser security
* HTML5 security
* OWASP tools or projects in practice
* New technologies, paradigms, tools
* Privacy in web apps, Web services (REST, XML) and data storage
* Operations and software security
* Management topics in Application Security: Business Risks, Outsourcing/Offshoring, Awareness Programs, Project Management, Managing SDLC

=== Program Committee ===

- Dinis Cruz, OWASP O2 Platform
- Sebastien Deleersnyder, OWASP BeNeLux
- Jeremiah Grossman, WhiteHat Security
- Dr. Boris Hemkemeier, OWASP Germany
- Achim Hoffmann, OWASP Germany
- Dr. Giles Hogben, Cloud Security Alliance
- Dr. Martin Johns, SAP Research
- Holger Junker, Federal Office for Information Security (BSI)
- Alex "kuza55" Kouzemtchenko, Coverity
- Jim Manico, OWASP USA
- Dr. Konstantinos Papapanagiotou, OWASP Greece
- Prof. Dr. Sachar Paulus, University of Applied Science in Brandenburg
- Thomas Roessler, World Wide Web Consortium (W3C), ICANN Board Member
- David Ross, Microsoft
- Dr. Sebastian Schinzel, University Erlangen-Nuremberg
- Dr. Dirk Wetter, OWASP Germany (head industry PC)
- John Wilander, OWASP Sweden, Linköping University
- Michal Zalewski, Google Inc

=== Deadlines ===

* Submission of proposals by: April 14, 2013 (11:59pm GMT)
* Notification of acceptance: April 30, 2013
* Publication of program: May 10, 2013
* Conference Date: August 22-23, 2012

=== Submission ===

To submit a proposal, please submit online (see link very below) an abstract of your intended presentation (500 to 4000 characters) and a brief biography (150 to 800 characters). Your planned presentation time is 40 minutes (excl. ~5 minutes for discussion and change of speaker). Feel free to attach a preliminary version of your presentation if available.

Any proposal submitted is subject to a democratic vote by the program committee (PC). Keep in mind: the better your description, the better our picture (do not count on "fail open"). Please watch out for any mistakes, as after approval by the PC we take your abstract and publish it 1:1 in our program.

All proposals for this industry part have to be submitted through EasyChair: https://www.easychair.org/conferences/?conf=appseceu2013.

=== Terms ===

By your submission you agree to the OWASP Speaker Agreement [1]. It requires that you use an OWASP presentation template [2]. You are welcome to include your company logo on the first and last slide. All presentation slides will be published on the conference website. Please make sure that any pictures and other materials in your slides don't violate any copyrights. You are solely liable for copyright violations. You may choose any CC licence [3] for your slides, including CC0. OWASP does suggest open licenses [4].

Participants and speakers are all warmly invited to attend the conference dinner on Thursday. Subject to the budget situation there's an extra evening program for all accepted speakers. Unfortunately we can't cover travel expenses or costs for accommodations.

=== Related Cf{P^2,T} ===

Please note that there are two related CfPs for this conference:

* Call for research papers: https://www.owasp.org/index.php/AppSecEU2013/CfPapers
* Call for trainings: https://www.owasp.org/index.php/AppSecEU2013/CfTrainings

=== References ===

[1] https://www.owasp.org/index.php/Speaker_Agreement
[2] https://www.owasp.org/images/7/76/OWASP_Presentation_Template.zip
[3] http://creativecommons.org/licenses
[4] https://www.owasp.org/index.php/OWASP_Licenses

--
Martin Johns
http://www.martinjohns.com
[SC-L] CFP: MoST 2013 - Mobile Security and Technology workshop (2nd call)
On behalf of the workshop co-chairs and program chair, we would like to invite you to participate in the second Mobile Security Technologies (MoST) Workshop.

http://mostconf.org/2013/

Mobile Security Technologies (MoST) 2013 is co-located with The 34th IEEE Symposium on Security and Privacy (IEEE SP 2013) http://www.ieee-security.org/TC/SP2013/ and is an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2013) chaired by L. Jean Camp http://ieee-security.org/TC/SPW2013

Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems.

Topics

We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages). The scope of MoST 2013 includes, but is not limited to, security and privacy specifically for mobile devices and services related to:

- Device hardware
- Operating systems
- Middleware
- Mobile web
- Secure and efficient communication
- Secure application development tools and practices
- Privacy
- Vulnerabilities and remediation techniques
- Usable security
- Identity and access control
- Risks in putting trust in the device vs. in the network/cloud
- Special applications, such as medical monitoring and records
- Mobile advertisement
- Secure applications and application markets
- Economic impact of security and privacy technologies

Important Dates

- Paper submission deadline: February 22, 2013 (11:59pm US-PST).
- Acceptance notification: March 18, 2013.
- Camera-Ready & Early Registration Deadline: April 1, 2013

Organizing Committee

- Hao Chen, University of California, Davis
- Larry Koved, IBM Research

Program Committee

- Hao Chen, University of California, Davis
- Yan Chen, Northwestern University
- Adrienne Porter Felt, Google Inc.
- Markus Jakobsson, PayPal, Inc.
- Xuxian Jiang, North Carolina State University
- Wenjing Lou, Virginia Polytechnic Institute and State University
- Adrian Ludwig, Google Inc.
- Ahmad-Reza Sadeghi, Ruhr University Bochum
- Kapil Singh, IBM Research
- Larry Koved, IBM Research
- David Wagner, University of California, Berkeley

Please consult the workshop website (http://www.mostconf.com) for additional details.
[SC-L] CFP: W2SP 2013 - Web 2.0 Security and Privacy workshop (2nd call)
On behalf of the workshop co-chairs and program chair, we would like to invite you to participate in the seventh Web 2.0 Security and Privacy workshop.

http://w2spconf.com/2013/cfp.html

Web 2.0 Security and Privacy workshop is co-located with The 34th IEEE Symposium on Security and Privacy (IEEE SP 2013) http://www.ieee-security.org/TC/SP2013/ and is an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2013) chaired by L. Jean Camp http://ieee-security.org/TC/SPW2013

W2SP brings together researchers, practitioners, web programmers, policy makers, and others interested in the latest understanding and advances in the security and privacy of the web, browsers and their eco-system. We have had six years of successful W2SP workshops. W2SP is held in conjunction with the IEEE Symposium on Security and Privacy, which will take place from May 19-22, 2013, at the Westin St. Francis Hotel in San Francisco. W2SP will continue to be open-access: all papers will be made available on the workshop website, and authors will not need to forfeit their copyright.

We are seeking both short position papers (2–4 pages) and longer papers (a maximum of 10 pages). Papers must be formatted for US letter (not A4) size paper with margins of at least 3/4 inch on all sides. The text must be formatted in a two-column layout, with columns no more than 9 in. high and 3.375 in. wide. The text must be in Times font, 10-point or larger, with 12-point or larger line spacing. Authors are encouraged to use the IEEE conference proceedings templates.

The scope of W2SP 2013 includes, but is not limited to:

- Trustworthy cloud-based services
- Privacy and reputation in social networks
- Security and privacy as a service
- Usable security and privacy
- Security for the mobile web
- Identity management and pseudonymity
- Web services/feeds/mashups
- Provenance and governance
- Security and privacy policies for composable content
- Next-generation browser technology
- Secure extensions and plug-ins
- Advertisement and affiliate fraud
- Measurement study for understanding web security and privacy

Any questions should be directed to the program chair: ka...@us.ibm.com.

IMPORTANT DATES

Paper submission deadline: March 1, 2013 (11:59pm US-PST)
Workshop acceptance notification date: March 30, 2013
Workshop date: Friday, May 24, 2013

WORKSHOP CO-CHAIRS

Larry Koved (IBM Research)
Matt Fredrikson (University of Wisconsin - Madison)

PROGRAM CHAIR

Kapil Singh (IBM Research)

PROGRAM COMMITTEE

Adam Barth (Google)
Suresh Chari (IBM Research)
Hao Chen (University of California, Davis)
Mihai Christodorescu (IBM Research)
David Evans (University of Virginia)
Matt Fredrikson (University of Wisconsin - Madison)
Vinod Ganapathy (Rutgers University)
Collin Jackson (Carnegie Mellon University)
Rob Johnson (Stony Brook)
Ben Livshits (Microsoft Research)
Alexander Moshchuk (Microsoft Research)
Charlie Reis (Google)
V.N. Venkatakrishnan (University of Illinois at Chicago)

Please consult the workshop website (http://w2spconf.com/2013/cfp.html) for additional details.
Re: [SC-L] SearchSecurity: 13 Design Principles for 2013
Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of security. On the software side, esp in the case of Twitter, Facebook et al, the equivalent is David Gelernter. I did a mashup of these titans and I must say I think there is a fair (and increasing) amount of impedance mismatch. Meaning many of S&S's fundamental assumptions do not apply in Gelernter's universe. For example, how do I completely mediate in a federation? Answer: you don't, you have partial control at best.

http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html

Gunnar

Sent from my mobile

Original message
From: Gary McGraw g...@cigital.com
Date:
To: Secure Code Mailing List SC-L@securecoding.org
Cc: Parizo, Eric epar...@techtarget.com
Subject: [SC-L] SearchSecurity: 13 Design Principles for 2013

hi sc-l,

Merry new year to you all.

About the hardest part of software security is design. Everything about it is hard: secure design, threat modeling, architectural risk analysis, etc. Even convincing slow pokes that there is a difference between bugs and flaws is hard (you should see the reviews my talk got from the expert RSA program committee this year…hah!). For many years I have struggled with how to teach people ARA and security design. The only technique that really works is apprenticeship. Short of that, a deep understanding of security design principles can help.

In 1975 Saltzer and Schroeder wrote one of the most important papers in computer security. In it, they introduced the concept of security principles. I riffed on that this month in my SearchSecurity column. Please read it and pass it on. Give a copy to all of the software architects you know.

http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] SearchSecurity: 13 Design Principles for 2013
Excellent idea Gunnar! This is the kind of conceptual comparison that we don't do enough of.

gem

From: Gunnar Peterson gun...@arctecgroup.net
Reply-To: Gunnar Peterson gun...@arctecgroup.net
Date: Thursday, January 17, 2013 6:39 PM
To: gem g...@cigital.com, Secure Code Mailing List SC-L@securecoding.org
Cc: epar...@techtarget.com
Subject: RE: [SC-L] SearchSecurity: 13 Design Principles for 2013

Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of security. On the software side, esp in the case of Twitter, Facebook et al, the equivalent is David Gelernter. I did a mashup of these titans and I must say I think there is a fair (and increasing) amount of impedance mismatch. Meaning many of S&S's fundamental assumptions do not apply in Gelernter's universe. For example, how do I completely mediate in a federation? Answer: you don't, you have partial control at best.

http://1raindrop.typepad.com/1_raindrop/2008/06/mashup-of-the-titans.html

Gunnar

Sent from my mobile

Original message
From: Gary McGraw g...@cigital.com
Date:
To: Secure Code Mailing List SC-L@securecoding.org
Cc: Parizo, Eric epar...@techtarget.com
Subject: [SC-L] SearchSecurity: 13 Design Principles for 2013

hi sc-l,

Merry new year to you all.

About the hardest part of software security is design. Everything about it is hard: secure design, threat modeling, architectural risk analysis, etc. Even convincing slow pokes that there is a difference between bugs and flaws is hard (you should see the reviews my talk got from the expert RSA program committee this year…hah!). For many years I have struggled with how to teach people ARA and security design. The only technique that really works is apprenticeship. Short of that, a deep understanding of security design principles can help.

In 1975 Saltzer and Schroeder wrote one of the most important papers in computer security. In it, they introduced the concept of security principles. I riffed on that this month in my SearchSecurity column. Please read it and pass it on. Give a copy to all of the software architects you know.

http://searchsecurity.techtarget.com/opinion/Thirteen-principles-to-ensure-enterprise-system-security

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] CFP: MoST 2013 - Mobile Security and Technology workshop
On behalf of the workshop co-chairs and program chair, we would like to invite you to participate in the second Mobile Security Technologies (MoST) Workshop.

Mobile Security Technologies (MoST) 2013 is co-located with The 34th IEEE Symposium on Security and Privacy (IEEE SP 2013) http://www.ieee-security.org/TC/SP2013/ and is an event of The IEEE Computer Society's Security and Privacy Workshops (SPW 2013) http://ieee-security.org/TC/SPW2013

Mobile Security Technologies (MoST) brings together researchers, practitioners, policy makers, and hardware and software developers of mobile systems to explore the latest understanding and advances in the security and privacy for mobile devices, applications, and systems.

Topics

We are seeking both short position papers (2-4 pages) and longer papers (a maximum of 10 pages). The scope of MoST 2013 includes, but is not limited to, security and privacy specifically for mobile devices and services related to:

- Device hardware
- Operating systems
- Middleware
- Mobile web
- Secure and efficient communication
- Secure application development tools and practices
- Privacy
- Vulnerabilities and remediation techniques
- Usable security
- Identity and access control
- Risks in putting trust in the device vs. in the network/cloud
- Special applications, such as medical monitoring and records
- Mobile advertisement
- Secure applications and application markets
- Economic impact of security and privacy technologies

Important Dates

- Paper submission deadline: February 22, 2013 (11:59pm US-PST).
- Acceptance notification: March 18, 2013.
- Camera-Ready & Early Registration Deadline: April 1, 2013

Organizing Committee

- Hao Chen, University of California, Davis
- Larry Koved, IBM Research

Program Committee

- Hao Chen, University of California, Davis
- Yan Chen, Northwestern University
- Adrienne Porter Felt, Google Inc.
- Markus Jakobsson, PayPal, Inc.
- Xuxian Jiang, North Carolina State University
- Wenjing Lou, Virginia Polytechnic Institute and State University
- Adrian Ludwig, Google Inc.
- Ahmad-Reza Sadeghi, Ruhr University Bochum
- Kapil Singh, IBM Research
- Larry Koved, IBM Research
- David Wagner, University of California, Berkeley

Please consult the workshop website (http://www.mostconf.com) for additional details.
[SC-L] SearchSecurity: Twelve Most Common BSIMM Activities
hi sc-l,

Greetings from NOLA where I am sailing this weekend.

Ever wonder what the twelve most common software security activities are? Because of the BSIMM data, we actually know. Have a look for yourself:

http://searchsecurity.techtarget.com/news/2240174114/Twelve-common-software-security-activities-to-lift-your-program

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.cigital.com
Re: [SC-L] Silver Bullet: Thomas Rid
Well done gentlemen! I think the interview (debate at times) was extremely well done - there was some synergy in views, some fleshing out of semantics, details, .. Well. Done.

-Ali

On Fri, Nov 30, 2012 at 11:25 PM, Gary McGraw g...@cigital.com wrote:

hi sc-l,

Earlier this month, I had the pleasure of visiting Thomas Rid and giving a talk on cyber war at King's College London. Thomas and I had a great discussion after the talk, and I asked him to do a silver bullet episode.

http://www.cigital.com/silver-bullet/show-080/

Episode 80 is a bit off the beaten track for silver bullet, but really interesting. Lots of discussion about policy makers, war studies, and the way foreign policy and deterrence works. I think you'll like it. If you found my SearchSecurity piece on cyber war interesting this month, you will for sure.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] Security in open source components
Grant,

... and http://www.scmagazine.com.au/News/320617,redhat-project-fights-java-vulnerabilities.aspx was published yesterday (25 Oct).

On Mon, Oct 1, 2012 at 3:19 PM, Christian Heinrich christian.heinr...@cmlh.id.au wrote:

Grant,

Below are the discussions related to Maven and the paper referenced:

1. http://krvw.com/pipermail/sc-l/2012/002786.html
2. http://krvw.com/pipermail/sc-l/2012/002788.html

On Fri, Sep 28, 2012 at 9:10 AM, Grant Murphy gmur...@redhat.com wrote:

I don't have the original mail but some time ago a thread on this list mentioned this article: http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact
[SC-L] OWASP Podcast 93
SC-L,

I'm very pleased to announce that OWASP Podcast 93, an interview with Frank Piessens from SecAppDev.org, is now live!

http://secappdev.org/pages/31

In this show, Frank discusses why secure development is so difficult and presents various potential solutions to the problem being researched by the academic community.

Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_93.mp3
iTunes subscription: http://itunes.apple.com/podcast/owasp-security-podcast/id300769012?mt=2
RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml

Special thanks to Thomas Herlea for curating this and future SecAppDev.org presentations.

Thanks for listening.

- Jim Manico
OWASP Volunteer
j...@owasp.org
@manicode
Re: [SC-L] Security in open source components
Grant,

Below are the discussions related to Maven and the paper referenced:
1. http://krvw.com/pipermail/sc-l/2012/002786.html
2. http://krvw.com/pipermail/sc-l/2012/002788.html

On Fri, Sep 28, 2012 at 9:10 AM, Grant Murphy gmur...@redhat.com wrote:
> I don't have the original mail but some time ago a thread on this list mentioned this article: http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief

--
Regards,
Christian Heinrich
http://cmlh.id.au/contact
Re: [SC-L] BSIMM4 Released Today
hi sc-l,

Once every blue moon, software security makes it into the major press. BSIMM4 did it today.

http://blogs.wsj.com/cio/2012/09/26/bank-cyberattacks-underscore-need-for-security-processes/

I think it's great when the major players get past the train wreck mentality that seems to pervade security coverage.

gem

p.s. This Dennis Fisher podcast is worth a listen too: https://threatpost.com/en_us/blogs/gary-mcgraw-bsimm4-and-how-avoid-being-slowest-zebra-092612

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

From: gem g...@cigital.com
Date: Tuesday, September 18, 2012 9:56 AM
To: Secure Code Mailing List SC-L@securecoding.org
Cc: Sammy Migues smig...@cigital.com, Jacob West j...@hp.com
Subject: BSIMM4 Released Today

> hi sc-l,
>
> Today we released BSIMM4, the fourth edition of the BSIMM model built directly from data observed in 51 firms. If you ever wonder what software assurance looks like in commercial practice (and how to measure it), the BSIMM sheds plenty of light on current practice. Download a copy today (for free under the Creative Commons) at http://bsimm.com/
>
> BSIMM4 provides insight into fifty-one of the most successful software security initiatives in the world and describes how these initiatives evolve, change, and improve over time. The multi-year study is based on in-depth measurement of leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.
>
> Some numerical highlights of BSIMM4:
> • BSIMM4 includes 51 firms from 12 industry verticals
> • BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 2009 edition
> • The BSIMM4 data set has 95 distinct measurements (some firms measured multiple times, some firms with multiple divisions measured separately and rolled into one firm score)
> • BSIMM4 continues to show that leading firms on average employ two full time software security specialists for every 100 developers
> • BSIMM4 describes the work of 974 software security professionals working with a development-based satellite of 2039 people to secure the software developed by 218,286 developers
>
> Of particular interest to readers of sc-l, for the first time in the BSIMM project, new activities were observed in addition to the original 109, resulting in the addition of two new activities to the model going forward. The activities are: Simulate software crisis and Automate malicious code detection.
>
> As always, your feedback is welcome.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
[SC-L] BSIMM4 Released Today
hi sc-l,

Today we released BSIMM4, the fourth edition of the BSIMM model built directly from data observed in 51 firms. If you ever wonder what software assurance looks like in commercial practice (and how to measure it), the BSIMM sheds plenty of light on current practice. Download a copy today (for free under the Creative Commons) at http://bsimm.com/

BSIMM4 provides insight into fifty-one of the most successful software security initiatives in the world and describes how these initiatives evolve, change, and improve over time. The multi-year study is based on in-depth measurement of leading enterprises including Adobe, Aon, Bank of America, Box, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, F-Secure, Fannie Mae, Fidelity, Google, Intel, Intuit, JPMorgan Chase & Co., Mashery, McKesson, Microsoft, Nokia, Nokia Siemens Networks, QUALCOMM, Rackspace, Salesforce, Sallie Mae, SAP, Scripps Networks, Sony Mobile, Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, Vanguard, Visa, VMware, Wells Fargo, and Zynga.

Some numerical highlights of BSIMM4:
• BSIMM4 includes 51 firms from 12 industry verticals
• BSIMM4 has grown 20% since BSIMM3 and is ten times bigger than the original 2009 edition
• The BSIMM4 data set has 95 distinct measurements (some firms measured multiple times, some firms with multiple divisions measured separately and rolled into one firm score)
• BSIMM4 continues to show that leading firms on average employ two full time software security specialists for every 100 developers
• BSIMM4 describes the work of 974 software security professionals working with a development-based satellite of 2039 people to secure the software developed by 218,286 developers

Of particular interest to readers of sc-l, for the first time in the BSIMM project, new activities were observed in addition to the original 109, resulting in the addition of two new activities to the model going forward. The activities are: Simulate software crisis and Automate malicious code detection.

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] ANNOUNCING: MobAppSecTri Scholarship Program
Hey SC-Lers,

We're giving away to a few deserving Mobile App Developers a small number of FREE tickets to our Mobile App Sec Triathlon. If you know any deserving students / interns, point them in our direction for a chance to get a free seat.

See http://mobappsectriathlon.blogspot.com/2012/09/announcing-mobappsectri-scholarship.html for details.

Cheers,

Ken van Wyk
[SC-L] AppSec Security CBT - Top 10
FREE *NO-SIGN-UP* on demand, online software security for you and anyone you want to share it with -- just tech fun

https://www.trustwave.com/sae_sample/owasp-top-10/Start.htm

Time to make the popcorn and/or pour a glass of scotch ;)

If you have any questions you're welcome to ring me at 973-202-0122

Tom Brennan
Trustwave SpiderLabs
[SC-L] OWASP Cheat Sheet for iOS Developers
Hi SC-L,

Hey, it dawned on me that I never posted a pointer to the OWASP iOS Developer Cheat Sheet that was published a couple months ago.

https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet

As the initial author of the cheat sheet, I'd sure love to get feedback and -- better yet -- participation on it. Like all OWASP docs, it's open source, so find things you want to add/improve and join in. Either way, I hope you find it useful.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: @KRvW or @KRvW_Associates
[SC-L] Mobile app security blog, FYI
Greetings SC-L,

FYI, Gunnar Peterson (@OneRaindrop) and I (@KRvW) launched a blog last month on the topic of mobile app security. The blog can be found at http://mobappsectriathlon.blogspot.com

Full disclosure: On the blog, you will see advertisements for the MobAppSecTriathlon event that Gunnar and I are running in November, but the blog is free and we hope you'll find the topics we post on to be interesting and thought provoking. Even if you have no interest in joining us for the Triathlon event, we hope you'll stop by and check out the blog. Registered and authenticated Google+ users may submit comments as well, which we welcome.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: @KRvW_Associates
[SC-L] Silver Bullet 77: Gary Warzala of Visa
hi sc-l,

Greetings from Buenos Aires where I am pushing the software security agenda in South America this week in a series of four talks.

Silver Bullet's 77th episode features Gary Warzala, CISO of Visa. Our discussion mirrors some of what we talked about during our fireside chat in Bloomington, Indiana when we opened the new Cigital office there in May. Ever wonder what a CISO does all day or what they think about? Tune in and find out.

http://www.cigital.com/silver-bullet/show-077/

For the purposes of this list, Visa is serious about software security, which we discuss during the podcast.

As always, your feedback is welcome. Thanks as always to Ryan MacMichael for his behind the scenes work on Silver Bullet.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] SearchSecurity: Cyber Security and the Law
Gary,

Could you elaborate a bit more? Specifically, what kind of incentives you have in mind? How would they work?

The debate about what to do to improve software security at a national or larger scale is mostly populated with abstractions and generic ideas but the enumeration and description of concrete, specific measures to deploy is notably scant.

-ivan

On 8/3/12 9:32 AM, Gary McGraw wrote:
> hi greg,
>
> Good question. I'm biased of course, but I think a BSIMM type measurement is the best way to approach this. (See http://bsimm.com.) However, regardless of measurement I strongly believe that incentives are way better than regulations and penalties.
Re: [SC-L] SearchSecurity: Cyber Security and the Law
All,

OWASP has a document which was targeted at the Brazilian government at first and then translated into English. It contains several proposals of government actions to improve the application security (and information security) landscape.

The English version is available here: https://www.owasp.org/index.php/OWASP_Brasil_Manifesto/en
The original version is here: https://www.owasp.org/index.php/OWASP_Brasil_Manifesto

Hope this fits as concrete proposals. ;-)

Regards,
Lucas

On Thu, Aug 9, 2012 at 10:45 AM, Iván Arce ivan.w.a...@gmail.com wrote:
> Gary,
>
> Could you elaborate a bit more? Specifically, what kind of incentives you have in mind? How would they work?
>
> The debate about what to do to improve software security at a national or larger scale is mostly populated with abstractions and generic ideas but the enumeration and description of concrete, specific measures to deploy is notably scant.
>
> -ivan
>
> On 8/3/12 9:32 AM, Gary McGraw wrote:
> > hi greg,
> >
> > Good question. I'm biased of course, but I think a BSIMM type measurement is the best way to approach this. (See http://bsimm.com.) However, regardless of measurement I strongly believe that incentives are way better than regulations and penalties.

--
Homo sapiens non urinat in ventum.
Re: [SC-L] SearchSecurity: Cyber Security and the Law
hi greg,

Good question. I'm biased of course, but I think a BSIMM type measurement is the best way to approach this. (See http://bsimm.com.) However, regardless of measurement I strongly believe that incentives are way better than regulations and penalties.

Because the Senate bill was blocked yesterday by a Republican filibuster http://www.nytimes.com/2012/08/03/us/politics/cybersecurity-bill-blocked-by-gop-filibuster.html we may have a chance to revisit some of these ideas next session!

On the BSIMM front, we now have 51 firms measured and will be compiling BSIMM4 next week for release in the Fall.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

On 8/2/12 3:13 PM, Greg Beeley greg.bee...@lightsys.org wrote:
> How would we recognize good engineering? It seems to me like the very same problem faced by the idea of software liability law - that it is hard to define good engineering for software security - would be faced by an incentive program. If good engineering is fuzzy enough to give a big corporate legal dept the upper hand against an individual, wouldn't it be similarly fuzzy enough to counter the fairness of a tax incentive?
>
> Tax breaks are a big deal - I doubt the government is going to want to issue tax breaks to a company because the company claims they have achieved level X in a CMM -- think about the economic cost in demonstrating something like that to the point where it is fair and worth something. I also doubt that a metric based on vulnerability counts will work -- that will just encourage companies to hide vulnerabilities, fixing them silently and/or with great delay, instead of disclosing them.
>
> Not that I think that incentives inherently wouldn't work -- rather I'd be interested in seeing some discussion here on some of the above issues.
>
> One alternative that has worked well in many other areas of manufacturing -- encourage some kind of limited warranty, at least in certain industries. For consumer mobile devices, it might be something as simple as, if your device's security is ever compromised due to a flaw in the bundled device software, we'll repair it free of charge. The big challenges are 1) getting customers to care about their device's security, and 2) making a vendor's commitment to security recognizable by the customer. By no means ideal, but at least a talking point.
>
> - Greg
>
> Gary McGraw wrote, On 08/02/2012 08:40 AM:
> > Hi Jeff,
> >
> > I'm afraid I disagree. The hyperbolic way to state this is, imagine YOUR lawyer faced down by Microsoft's army of lawyers. You lose.
> >
> > Software liability is not the way to go in my opinion. Instead, I would like to see the government develop incentives for good engineering.
> >
> > gem
> >
> > On 8/2/12 10:26 AM, Jeffrey Walton noloa...@gmail.com wrote:
> > > Hi Dr. McGraw,
> > >
> > > > Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in.
> > >
> > > I'm convinced (in the US) that users/consumers need a comprehensive set of software liability laws. Consider the number of mobile devices that are vulnerable because OEMs stopped providing (or never provided) patches for vulnerabilities. The equation [risk analysis] needs to be unbalanced just a bit to get manufacturers to act (do nothing is cost effective at the moment).
> > >
> > > Jeff
> > >
> > > On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
> > > > hi sc-l,
> > > >
> > > > This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the problematic Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in. Though cyber law has always lagged technical reality by several years, ignoring the notion of building security in is a fundamental flaw.
> > > >
> > > > http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
> > > >
> > > > Please read this month's article and pass it on far and wide. Send a copy to your representatives in all branches of government. It is high time for the government to tune in to cyber security properly.
[SC-L] SearchSecurity: Cyber Security and the Law
hi sc-l,

This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the problematic Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in. Though cyber law has always lagged technical reality by several years, ignoring the notion of building security in is a fundamental flaw.

http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

Please read this month's article and pass it on far and wide. Send a copy to your representatives in all branches of government. It is high time for the government to tune in to cyber security properly.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] SearchSecurity: Cyber Security and the Law
Hi Dr. McGraw,

> Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in.

I'm convinced (in the US) that users/consumers need a comprehensive set of software liability laws. Consider the number of mobile devices that are vulnerable because OEMs stopped providing (or never provided) patches for vulnerabilities. The equation [risk analysis] needs to be unbalanced just a bit to get manufacturers to act (do nothing is cost effective at the moment).

Jeff

On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
> hi sc-l,
>
> This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the problematic Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in. Though cyber law has always lagged technical reality by several years, ignoring the notion of building security in is a fundamental flaw.
>
> http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
>
> Please read this month's article and pass it on far and wide. Send a copy to your representatives in all branches of government. It is high time for the government to tune in to cyber security properly.
Re: [SC-L] SearchSecurity: Cyber Security and the Law
Hi Jeff,

I'm afraid I disagree. The hyperbolic way to state this is, imagine YOUR lawyer faced down by Microsoft's army of lawyers. You lose.

Software liability is not the way to go in my opinion. Instead, I would like to see the government develop incentives for good engineering.

gem

On 8/2/12 10:26 AM, Jeffrey Walton noloa...@gmail.com wrote:
> Hi Dr. McGraw,
>
> > Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in.
>
> I'm convinced (in the US) that users/consumers need a comprehensive set of software liability laws. Consider the number of mobile devices that are vulnerable because OEMs stopped providing (or never provided) patches for vulnerabilities. The equation [risk analysis] needs to be unbalanced just a bit to get manufacturers to act (do nothing is cost effective at the moment).
>
> Jeff
>
> On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
> > hi sc-l,
> >
> > This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the problematic Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in. Though cyber law has always lagged technical reality by several years, ignoring the notion of building security in is a fundamental flaw.
> >
> > http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
> >
> > Please read this month's article and pass it on far and wide. Send a copy to your representatives in all branches of government. It is high time for the government to tune in to cyber security properly.
Re: [SC-L] SearchSecurity: Cyber Security and the Law
How would we recognize good engineering? It seems to me like the very same problem faced by the idea of software liability law - that it is hard to define good engineering for software security - would be faced by an incentive program. If good engineering is fuzzy enough to give a big corporate legal dept the upper hand against an individual, wouldn't it be similarly fuzzy enough to counter the fairness of a tax incentive?

Tax breaks are a big deal - I doubt the government is going to want to issue tax breaks to a company because the company claims they have achieved level X in a CMM -- think about the economic cost in demonstrating something like that to the point where it is fair and worth something. I also doubt that a metric based on vulnerability counts will work -- that will just encourage companies to hide vulnerabilities, fixing them silently and/or with great delay, instead of disclosing them.

Not that I think that incentives inherently wouldn't work -- rather I'd be interested in seeing some discussion here on some of the above issues.

One alternative that has worked well in many other areas of manufacturing -- encourage some kind of limited warranty, at least in certain industries. For consumer mobile devices, it might be something as simple as, if your device's security is ever compromised due to a flaw in the bundled device software, we'll repair it free of charge. The big challenges are 1) getting customers to care about their device's security, and 2) making a vendor's commitment to security recognizable by the customer. By no means ideal, but at least a talking point.

- Greg

Gary McGraw wrote, On 08/02/2012 08:40 AM:
> Hi Jeff,
>
> I'm afraid I disagree. The hyperbolic way to state this is, imagine YOUR lawyer faced down by Microsoft's army of lawyers. You lose.
>
> Software liability is not the way to go in my opinion. Instead, I would like to see the government develop incentives for good engineering.
>
> gem
>
> On 8/2/12 10:26 AM, Jeffrey Walton noloa...@gmail.com wrote:
> > Hi Dr. McGraw,
> >
> > > Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in.
> >
> > I'm convinced (in the US) that users/consumers need a comprehensive set of software liability laws. Consider the number of mobile devices that are vulnerable because OEMs stopped providing (or never provided) patches for vulnerabilities. The equation [risk analysis] needs to be unbalanced just a bit to get manufacturers to act (do nothing is cost effective at the moment).
> >
> > Jeff
> >
> > On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
> > > hi sc-l,
> > >
> > > This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the problematic Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in. Though cyber law has always lagged technical reality by several years, ignoring the notion of building security in is a fundamental flaw.
> > >
> > > http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
> > >
> > > Please read this month's article and pass it on far and wide. Send a copy to your representatives in all branches of government. It is high time for the government to tune in to cyber security properly.
[SC-L] Silver Bullet 76: David Evans
hi sc-l,

The 76th episode of Silver Bullet features a chat with Dave Evans, a professor at UVa and a well-respected security researcher. David and I discuss (among other things) the founding of the Interdisciplinary Major in Computer Science (BA) at UVa and why a broad approach to Computer Science and Computer Security is a good idea, why data privacy gets short shrift in the United States, why people think (for no apparent reason) that their mobile devices are secure, groceries, David's research on Secure Computation, and the Udacity project. We close out the discussion with a story about David's trip to the World Cup in Korea and a choice between GEB and scheme.

As always your feedback on the podcast is welcome. I'm also actively seeking female interviewees for the podcast, so if you have any suggestions for future interviews, do tell!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
Re: [SC-L] Silver Bullet 76: David Evans
Oops! Forgot to include the URL. Here it is: http://www.cigital.com/silver-bullet/show-076/

gem

From: gem g...@cigital.com
Date: Friday, July 27, 2012 2:27 PM
To: Secure Code Mailing List SC-L@securecoding.org
Cc: David Evans ev...@cs.virginia.edu
Subject: Silver Bullet 76: David Evans

hi sc-l,

The 76th episode of Silver Bullet features a chat with Dave Evans, a professor at UVa and a well-respected security researcher. David and I discuss (among other things) the founding of the Interdisciplinary Major in Computer Science (BA) at UVa and why a broad approach to Computer Science and Computer Security is a good idea, why data privacy gets short shrift in the United States, why people think (for no apparent reason) that their mobile devices are secure, groceries, David's research on Secure Computation, and the Udacity project. We close out the discussion with a story about David's trip to the World Cup in Korea and a choice between GEB and Scheme.

As always, your feedback on the podcast is welcome. I'm also actively seeking female interviewees for the podcast, so if you have any suggestions for future interviews, do tell!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] OWASP Cheat Sheet for iOS App Developers
Title: OWASP Cheat Sheet -- iOS App Developers
Author: Kenneth R. van Wyk
Source: OWASP - the Open Web Application Security Project
Date Published: 2012-07-17

Excerpt: This document is written for iOS app developers and is intended to provide a set of basic pointers to vital aspects of developing secure apps for Apple's iOS operating system. It follows the OWASP Mobile Top 10 Risks list.

Full article at: https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Join us for our 2012 Mobile App Sec Triathlon: www.mobileappsectriathlon.com
Re: [SC-L] SearchSecurity: Mobile Security = Software Security
Hi Gary,

I agree with everything you write in the article (although I was a bit peeved at having to register to read it...). It ties in nicely with a related topic that is being discussed a lot recently: the danger of QR codes, where people argue that you shouldn't scan QR codes with your smartphone, since you don't know where they take you, and you might get infected with something (as allegedly carried out by Th3 J35t3r a few months back). Again, this is discussing the wrong problem - why are we accepting smartphone browsers that fall over at the merest whiff of an attack?

-Martin

On 07/06/2012 02:29 PM, Gary McGraw wrote:

hi sc-l,

In April, my monthly [in]security column moved over to SearchSecurity (TechTarget). This month's installment appears in Information Security magazine as well as on the usual websites. Because of all of the great work Cigital has done in mobile security, there was plenty of fodder to draw from for a pithy article on mobile security. Take home message? Build security in! Every software security Touchpoint is relevant and useful when it comes to mobile security.

Have a read, and pass it on. Pile on the hits: http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobile-security-Its-all-about-mobile-software-security

Your feedback is always welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiaceleague
book www.swsec.com
Re: [SC-L] SearchSecurity: Mobile Security = Software Security
hi martin,

Great to see you in Athens this week. Sorry about the registration thing. As an author, I get very little say in the matter. I hope you registered as Mickey Mouse or Bill Gates.

gem

On 7/15/12 2:50 PM, Martin Gilje Jaatun secse-ch...@sislab.no wrote:

Hi Gary,

I agree with everything you write in the article (although I was a bit peeved at having to register to read it...). It ties in nicely with a related topic that is being discussed a lot recently: the danger of QR codes, where people argue that you shouldn't scan QR codes with your smartphone, since you don't know where they take you, and you might get infected with something (as allegedly carried out by Th3 J35t3r a few months back). Again, this is discussing the wrong problem - why are we accepting smartphone browsers that fall over at the merest whiff of an attack?

-Martin

On 07/06/2012 02:29 PM, Gary McGraw wrote:

hi sc-l,

In April, my monthly [in]security column moved over to SearchSecurity (TechTarget). This month's installment appears in Information Security magazine as well as on the usual websites. Because of all of the great work Cigital has done in mobile security, there was plenty of fodder to draw from for a pithy article on mobile security. Take home message? Build security in! Every software security Touchpoint is relevant and useful when it comes to mobile security.

Have a read, and pass it on. Pile on the hits: http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobile-security-Its-all-about-mobile-software-security

Your feedback is always welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiaceleague
book www.swsec.com
[SC-L] SearchSecurity: Mobile Security = Software Security
hi sc-l,

In April, my monthly [in]security column moved over to SearchSecurity (TechTarget). This month's installment appears in Information Security magazine as well as on the usual websites. Because of all of the great work Cigital has done in mobile security, there was plenty of fodder to draw from for a pithy article on mobile security. Take home message? Build security in! Every software security Touchpoint is relevant and useful when it comes to mobile security.

Have a read, and pass it on. Pile on the hits: http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobile-security-Its-all-about-mobile-software-security

Your feedback is always welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiaceleague
book www.swsec.com
[SC-L] Application Security Quiz
After speaking with a lot of developers we realized they are looking for a fun, quick way to enhance their knowledge about the secure coding aspects of development. We have put together a series of interactive quizzes which test security professionals' and software developers' secure development awareness while teaching them how to build more secure software. Please find links to the first two below. The first quiz is based on the OWASP Top Ten Project and the second quiz is based on best practices of secure coding.

The OWASP Top 10 is a list detailing the most critical software security risks facing organizations with the goal of raising awareness about application security. Based on this knowledge an organization can measure the strength of its application security controls in place and determine what counter-measures to open threats need to be put in place. OWASP (https://www.owasp.org/index.php/Top_10_2010-Main).

Try out your knowledge of these Top 10 threats by taking our quiz: http://www.myappsecurity.com/threat-modeling/owasp-top-ten-quiz/

Secure Coding: The most efficient solution to managing one's application security risk is to take security into consideration right from the very beginning of the software development process and ensure that security is built in at every phase of the adopted software development lifecycle. This can be made possible by developers well educated on the available security resources needed to write secure code.

Test your secure development awareness by taking our quiz: http://www.myappsecurity.com/threat-modeling/secure-coding-quiz/

We invite you to share these links and we welcome your comments and suggestions.

Thanks,
Anurag Archie Agarwal
MyAppSecurity
Cell - 919-244-0803
Email - anu...@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity
Twitter: https://twitter.com/#!/myappsecurity

ThreatModeler - A free threat modeling tool. Download your copy today from www.myappsecurity.com
[SC-L] nullcon Delhi 2012 Final call for Paper/Events (extended to 10th July) and First round of speakers
Hi All,

nullcon team is pleased to announce:
- First round of speakers
- Prototype Talks
- Exhibition/Demo Zone
- Job Fair
- Final Call for Events and Call for Papers for Delhi 2012

First round of speakers:
1. Mr. Raghu Raman (CEO NATGRID) - Keynote 1
2. Richard Thieme (World renowned speaker/author) - Keynote 2 - Staring into the Abyss: The Dark Side of Security and Professional Intelligence
3. Oxblood Ruffin (Founding member, Cult of the Dead Cow) - War 3.0: Information Warfare and The Computer Underground
4. Rahul Sasi - DTMF Fuzzing: Highly Harmful Audio Waves - Will be highlighting vulnerabilities in implementations of DTMF detection algorithms.
5. Ravishankar Borgaonkar - Dirty use of USSD Codes in Cellular Network - The talk will cover how to play with USSD codes using femtocell architecture and exploit different services based on it.
6. Aditya Gupta - Attacking Angry Birds: Mobile Malwares on the Rise - Will be releasing AFE (Android Framework for Exploitation).
7. Joerg Simon - (Prototype Talk) - Fedora Security Lab and OSSTMM
8. Sai Lakshmi - TBA

Looking forward to more interesting submissions for nullcon Delhi 2012.

Prototype Talks:
--
We are introducing a new sub-event - Prototype Talks - at nullcon Delhi 2012. The event provides opportunities for innovative companies to showcase their latest and new technology/products to the nullcon audience. The main aim behind Prototype is to enable and boost companies driving innovation in the security domain and provide them a perfect platform to boast about their new technology and at the same time grab the attention of potential investors and business partners at minimal cost. For more details about the event, its costing and how your organization can participate kindly contact: info_at_nullcon.net

Exhibition/Demo Zone
--
nullcon delegates experience the creative genius with cutting-edge talks and engaging, interactive technology exhibits. They see the world in unexpected new ways through our profoundly moving techno-commercial and value-added experience. nullcon Delhi 2012 will bring more than 30 exhibitors.

Job Fair
---
nullcon is excited to host a special job fair organized for security professionals and organizations. nullcon job fair gives you open access to meet the heads of various security organizations, understand their requirements and offer them your competencies in return. It is an excellent opportunity for organizations to hire the best talent in the information security industry and for security professionals to find better job prospects. nullcon job fair is a platform where prospective employer and employee can meet and interact with each other in an open environment.

Call For Paper/Events Details
++

Categories:
———
The talk time duration includes time for questions and answers (5-10 minutes).
1. Research Category (40 mins - 1 hr) is a deep-knowledge technical track that includes new research, tools, vulnerabilities, zero days or exploits.
2. Technical Category (30 mins - 1 hr) comprises known security issues, case studies, a twist to an existing research, tool, vulnerability, exploit or research-in-progress. Although this track is fairly technical, it covers known techniques and analysis and is specially created for security professionals who are not too much into new research, are auditors, management professionals and newbies.
3. Desi Jugaad (1 hr) is our signature research category talk and includes any local Indian/Asian hacks.

Submission Topics:
———
1. One of the topics of interest to us is Desi Jugaad (Local Indian/Asian Hack) and has a separate track of its own. Submissions can be any kind of local hacks that you have worked on (hints: electronic/mechanical meters, automobile hacking, hardware, mobile phones, lock-picking, bypassing procedures and processes, etc. Be creative!)
2. The topics pertaining to security and hacking in the following domains (but not limited to):
- Hardware Hacking (ex: RFID, Magnetic Strips, Card Readers, Mobile Devices, Electronic Devices)
- Tools/exploits/Zero-days (noncommercial)
- Programming/Software Development security and weaknesses
- Network vulnerabilities
- Information Warfare, cyber espionage, cyber crime, cyber laws
- Malware, Botnets
- Web attacks and application hacking
- New attack vectors
- Mobile malware, vulnerabilities, exploits, VOIP and Telecom
- Virtualization security, hacking VMs, breaking out of VMs etc
- Cloud security, threats and exploitation
- Critical Infrastructure
- Satellite hacking
- Wireless hacking
- Forensics

Submission Format:
———
Email the Paper to: cfp_at_nullcon.net
Subject should be: CFP Delhi 2012 Paper Title
Email Body:
1. Name
2. Handle
3. Track (Time required in case of General/Business track)
4. Paper Title
5. Country (and City) of residence
6. Organization and Designation
7. Contact no.
8.
[SC-L] Flame provides an opportunity
hi sc-l,

Whenever a computer security disaster story breaks (pretty much the only kind of coverage cyber security can expect in the major press) we have an opportunity (while people are paying attention) to talk about how to avoid future disasters. If we're lucky, we can leverage the NASCAR effect http://www.darkreading.com/security/application-security/208803559/if-you-build-it-they-ll-crash-it.html to discuss software security.

In my view, the only way we can get in front of modern malware is by building security in. I wrote about that for SearchSecurity in May: Eliminating badware addresses malware problem http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem (May 2012).

Some of the Flame dustup in the press this week riffed on that idea and even mentioned the BSIMM (in the WSJ CIO Journal): http://blogs.wsj.com/cio/2012/05/29/cios-should-see-flame-as-a-call-to-arms/?KEYWORDS=hickins

Also check out a related radio segment from Marketplace (aired on NPR): http://www.marketplace.org/topics/tech/flame-malware-burns-through-cyberspace

It actually works to use the NASCAR effect to get our message out!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] Silver Bullet 74: Bruce Schneier
hi sc-l,

There are exactly two security gurus we have covered twice in Silver Bullet: Ross Anderson (who holds the all-time record for hits) and Bruce Schneier. Both are very interesting thinkers and thought leaders in computer security.

Episode 74 is the second Silver Bullet conversation with Bruce. We talked mostly about his new book Liars and Outliers, but the conversation ranged widely from economics to mixology. I think you'll enjoy it: http://www.cigital.com/silver-bullet/show-074/

As always, your feedback is welcome and encouraged. Please pass this episode on to your friends and colleagues.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com