[SC-L] Secure Development Related PhD Work
I am considering many things for my own future at this point in time and one possibility is to return and earn the PhD I interrupted many years ago. If anyone knows a professor working in the area of secure development, including training developers on the topic (my M.S. was in C.S. from Illinois and focused on CBT-related themes), please let me know. I am open to many options now and would also consider employment work in that area if anyone knows of an ideal job for someone with 20+ development and 4+ years of infosec experience, including a lot of compliance work. I am located in the Dallas area now, but open to moving for the right opportunity. Please contact me off the list with any information. :) I can summarize the PhD findings if anyone is interested. Brad Andrews andr...@rbacomm.com CISM, CSSLP, GSEC, GCIH, GCIA, GCFW, GPCI___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates ___
[SC-L] Inherently Secure Code?
I am not sure I agree that this is any more achievable than claiming a bank building should allow all valid customers in, but keep out all thieves. While we can and should make great strides, we will always have some exposure because we have to let some things through. The only way we can have perfectly secure code is to not allow someone to use it. The same is true of bug free code, but that is another argument. :) Isn't this kind of like wanting the evil bit to be set in all malicious packets? Great idea, but not achievable. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Benjamin Tomhave list-s...@secureconsulting.net: we are now trapped in a box of our own making that has us squabbling over academic minutiae like how to teach secure coding when we should not have to consider this topic at all - the code itself should be inherently secure. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
I was thinking of a beginner-level programming class. I have and it can be a challenge, especially if they don't have the programming mindset. Even if they do, you don't have the time for the things you spoke about. You are focusing on basic coding constructs first. :) -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Stephan Neuhaus stephan.neuh...@disi.unitn.it: On Aug 21, 2009, at 17:51, Brad Andrews wrote: Has anyone who holds to this taught a beginning level programming class? I have. I taught a security class to undergrads. It was easier than I thought, at least the basics were. I got them excited by a let's try to break things attitude. They wrote buffer overflow exploits (using freely available shellcode), they cracked linear congruential PRNGs, they subverted insecure protocols. As far as I can tell, they had a good time, since I had the highest retention rate for optional courses in that year: 40 signed up for the course and 39 took the final exam. Once they understood that the right mind-set is not oh come on, what can possibly go wrong? but okay, let's see what *can* go wrong, they were on their way. Stephan ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Functional Correctness
Now that you mention it I was listening to the CERT podcast where you and a couple of others discussed the BSIMM (probably a while back since I am well behind on those). You made a statement along these lines and I immediately thought that I disagreed! :) I don't think software security is as simple as that. I do agree that companies can (and should) do far more than they do and that many things could be eliminated with very mechanical fixes, but I don't think that gives a good long-term perspective. I also think that it will set management's expectation at a level that will ultimately be harmful. After all, we can just implement this maturity model and eliminate all our security problems, at least in the application, right? That is likely to end up resulting in even more resistance in the future when management questions why they need to keep spending more for software security, a secure architecture, etc. Don't people learn what they need to know at some point? I don't think we will ever be static. As soon as we remove the low hanging fruit, the fruit higher up the tree will be the problem. This isn't to say a maturity model is useless, but I remain skeptical that it will live up to the hype (low key now, but there) it is being presented with. I am sure this is not as smoothly presented as it needs to be, but I am fairly certain of the general thrust of my conviction. I suppose 20+ in software development helps. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Gary McGraw g...@cigital.com: Software security is an intensely practical problem that will require a practical approach. By studying organizations that are doing a decent job, perhaps we can draw some practical lessons. That's precisely what we're up to with the BSIMM http://bsi-mm.com. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] What is the size of this list?
Great points Karen! We can't prove a program is secure in the same vein. The danger I am spouting off about is the idea that we would solve the software security problem if we just take a more scientific or mature (or whatever) approach. I think those can definitely reduce the risk, but I don't think it will reach the goal. I am all for getting 50% of the way there. That is a lot better than being 0% or even 25% of the way there! I am just VERY concerned that if we try to sell management the idea that we are now taking a scientific approach (or whatever the term), we will end up with implied promises that will lead them to expect perfection, which won't come. They will likely ignore all our disclaimers that we are only seeking a partial solution to what we can solve, at least in the current state of thinking. Getting them to even take any action is a challenge in many companies, so some could argue my concerns are foolish. I think they are important because you want to make sure any buy-in you eventually get expects the right things. If you don't do this, you will end up in an even worse position down the road. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Goertzel, Karen [USA] goertzel_ka...@bah.com: Actually, we can't prove programs are bug free if by bug we also mean all possible anomalous behaviours. My colleagues keep pointing this out to me when I suggest that we should start leveraging the computational power of computing grids to analyze complex software the same way other researchers are using grids to develop models of the natural world, the human genome, etc. They keep quoting that bloke Kurt Gödel with his pesky little incompletness theorem as proof that 100% complete analysis of software cannot be done. Frankly, I'm beginning to think this is their excuse for not even trying to get me to the 50%. But the point is, even if you can do everything right in terms of building software to be vulnerability-free and behaviourally-benign, you apparently cannot achieve 100% verification that you've done so. Ergo, assurance can never be 100%. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Has anyone who holds to this taught a beginning level programming class? Getting students to understand what a loop is can be hard enough, given limited time. Diving into exploits and buffer overflows can be much more difficult. I am sure some things could be put into a basic class, but the ideas are a bit deeper. Security at the Hello World! or Mortgage Calculator program level seems quite difficult. This bears some thinking through, but the security risks seem to be: - Make sure the input amount is in dollars. - Make sure the term is numeric and within reasonable ranges. - Make sure that interest rate is in the form of XX.XX. Other things checked for would be - Proper output. - Pausing at the right point so the output can be viewed correctly. I am sure I am missing things, but this should serve as a base. Where do you inject security there? Sure, you can note the importance of checking the data, but just because someone checks the input here doesn't mean they will have a clue on checking the input on a web form for an SQL injection attempt. I get students who can't loop to start over, they are certainly not going to catch that they need to do deeper input inspection, especially in a completely unrelated topic. I am probably blowing some smoke here and I may disagree with myself later, but I think this discussion is worth having. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Mike Lyman mlyman-ci...@comcast.net: Neil Matatall wrote: So where does secure coding belong in the curriculum? Higher Ed? High School? Undergrad? Grad? Extension? Secure coding needs to be taught anytime programing is taught. From my experience in my son's boy scout troop, I'm not sure I'd call it out as security and confuse middle school/junior high school students but I'd teach them basics like input validation and bounds checking as basic good programing. The security aspects can wait until later when they can better handle several concepts at once. After that is just needs to be part of the course and called out for what it is. There is room for stand alone security focused training and courses but it needs to be drilled in all along the way. I recall my own computer science instructors telling us *not* to spend time on bells and whistles and concentrate on the concept the lesson was covering. If the lesson was on pointers, adding things like error checking and user friendly features didn't count for anything. I can understand why that was said but it sends the wrong message and begins the development of bad habits. That was 20 to 30 years ago and most computer users' idea of security was locking their car doors but it did set us up for bad habits. Basics need to be drilled in early and always count for something even if the lesson is while loops. -- Mike Lyman mly...@west-point.org ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
[SC-L] Functional Correctness
I completely agree, though how are we really going to reach this point? We have been talking about this at least since I got into development in the early 1980s. We are not anywhere closer, though we have lots of neat tools that do lots of neat stuff. Unfortunately, our programs are also a lot more complicated, making the correct proof much more difficult. Can we really believe it is just around the corner to prove this? -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Cassidy, Colin (GE Infra, Energy) colin.cass...@ge.com: Martin Gilje Jaatun wrote: Karen, Matt all, Goertzel, Karen [USA] wrote: I'm more devious. I think what needs to happen is that we need to redefine what we mean by functionally correct or quality code. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
[SC-L] Customer Demand
While no customer is likely to say they don't care about software working now that we are past Y2K, they don't think about it at all and are unlikely to allow any schedule slippage to allow for making sure that is true. Customers only really care about the things they will pay for. Many companies claim they can't stand poor software or services, but they still pay for them, so they will keep getting them. Until we convince them that good security really is important and that they must demand and pay for it, we won't make the progress we want to make. How many companies wouldn't even be doing the PCI level of effort if they weren't forced to do so? How many strictly limit it to their PCI environment rather than looking at the risk to the whole enterprise? Even major breaches don't help since the it can't happen here attitude is common all over, in spite of the fact it is a risky stance. While part of this is just a cynical rant, I think the base point is that we have a whole lot more selling to do on the need for software security before we can properly place it throughout the curriculum. That sales job is hard. The fact a few people have gotten it doesn't mean most have or that we are completely ready for the next step. I realize many here may not be saying that, but that is the message I get stepping back. And I am a dreamer/visionary. I like to think well ahead of things, but focusing too much there makes us likely to continue to be a niche area, leaving lots of vulnerabilities. Wouldn't a better focus be on the customer demand end? Stirring that up will do more to advance secure development than any number of maturity models. Unfortunately, it is a much more difficult task. I would bet it is also not as conceptually interesting to many. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Martin Gilje Jaatun secse-ch...@sislab.no: His stance on this is that if security were important to the customer, the customer would provide and prioritize security requirements. To me, this is a bit like saying If the customer doesn't explicitly state that the software should be Y2k-proof, he/she is not really bothered about it. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Integrated Dynamic and Static Scanning
While I completely agree with this statement, it is a much tougher sell to management that is seeking to keep the company making money (or perhaps even alive). I believe that having (and using) an imperfect tool is better than nothing, so I would at least push for that. Getting things that play well together is even better. I think a complete overhaul and digging security flaws out is even better, but is a much harder sell in many places in my experience. Perhaps I am too jaded, but you have to work with what you can get approved and paid for. The cost of the indispensable experience is much higher than most companies will stomach. :) Some companies do value it, but most haven't seen the light yet in my experience. While that is limited compared to many on this list, I think my perspective is something that is easy to lose track of when you are fixing security issues every day. Everyone doesn't share the vision, unfortunately. And some of those that see the problem don't have the budget and executive support to fix the problem -- Brad Andrews RBA Communications CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Andre Gironda and...@gmail.com: On 7/28/09, Brad Andrews andr...@rbacomm.com wrote: Experts can't be replaced by tools. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Integrated Dynamic and Static Scanning
That is certainly true. I was just commenting on the issue of systems that work together tightly. None do now (as far as I know), but this should potentially allow that to happen. I did here a few moans when this news came out, since IBM is not known for inexpensiveness from what I hear :) -- Brad Andrews RBA Communications CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting McGovern, James F (HTSC, IT) james.mcgov...@thehartford.com: Sometimes integration is a good and bad thing. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Insecure Java Code Snippets
Thanks Karen, that site may have enough of what I can use. Still a bit of work to do, but worth pursuing. The other sources were a bit too short on the snippets side, which is my fault for not making the question better. I don't know how many of you used to read the C-Lint ads that said find the bug in this C code. They were very difficult in all the cases I worked at. :) The whole point of their ad was that their product would find things you couldn't find easily in a manual review. I want something like that. Just playing tell me the security flaw in these 3 lines of code will not do quite the same thing. I will find a copy of Core Java to look through again, but I don't recall seeing things in this format when I looked before. The challenge with this is that I need something that fits well in a single PowerPoint slide (so it can be viewed while the participants eat). It also has to be fairly difficult. I am not sure that just not filtering user input is sufficiently strong. I want something that would take some thinking. I expect that I will have to design and format these myself, but I would love to have something sooner by using something that already did this. Thanks for the other replies. I am going to check out the NIST site some more. I will read over the other sites, but using them will take more effort than I was hoping for. Brad Quoting Goertzel, Karen [USA] goertzel_ka...@bah.com: The NIST SAMATE Reference Dataset has mainly C code in it, but there is also Java, C++, and PHP. There's a search function that allows you to search by programming language to find what you want. http://samate.nist.gov/SRD/ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
[SC-L] Insecure Java Code Snippets
Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a find the bug like the old C-Lint ads. Does anyone know of a source of something like this. Brad ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] RSA panel
Are any of these going to be recorded? That would help those of us with no travel budget or time. :) Brad Quoting Gary McGraw g...@cigital.com: hi sc-l, Presumably some of you will be at RSA this year. I'm doing three panels and a talk (with Brian Chess) on the BSIMM. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___
Re: [SC-L] Online Secure Development Training?
Thanks for all the replies. I did want to emphasize that I am specifically looking for CBT versions of courses, not the instructor-led variety. Someone asked me about what was available and I said I would ask around. I have only seen the instructor-led ones myself. Thanks for all the replies! :) Brad ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___