Re: [SC-L] [article] When risk management goes bad

2015-02-24 Thread Christian Heinrich
Gary,

On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw  wrote:
> I wrote my latest SearchSecurity article based on conversations I have been
> having with a number of CSOs and security execs.  It's about what happens
> when risk management goes bad.  The biggest failure condition seems to be
> "ignoring the lows" entirely.

"High" technology risks, such as chained exploits, are "low" business
risks in the context of ISO 31000 et al.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] BSIMM-V Article in Application Development Times

2014-01-08 Thread Christian Heinrich
Stephen,

On Sat, Jan 4, 2014 at 8:12 PM, Stephen de Vries
 wrote:
> Leaving the definition of agile aside for the moment, doesn't the fact that
> the BSIMM measures organisation wide activities but not individual dev teams
> mean that we could be drawing inaccurate conclusions from the data?  E.g.  if
> an organisation says it is doing Arch reviews, code reviews and sec testing,
> it doesn't necessarily mean that every team is doing all of those activities,
> so it may give the BSIMM reader a false impression of the use of those
> activities in the real world.
>
> In addition to knowing which activities are practiced organisation wide, it
> would also be valuable to know which activities work well on a per-team or
> per-project basis.

My reading of the "Roles" section of BSIMM-V.pdf is that the people
interviewed for the BSIMM sample are:
1. Executive Leadership (or CISO, VP of Risk, CSO, etc)
2. Everyone else within the Software Security Group (SSG)

What you are asking to be included is what is referred to as the
"Satellite" within BSIMM-V.pdf and I believe this may also require the
inclusion of http://cmmiinstitute.com/cmmi-solutions/cmmi-for-development/
too (why not :) ).

The issue with this is that it would invalidate the statistics from
the prior five BSIMM releases due to the inclusion of new questions,
and in addition these new statistics were not gathered over time
either, hence the improvements measured over time within BSIMM would be
invalid too due to the new dataset.

Furthermore, Gary, Sammy and Brian have limited time to interview all
67 BSIMM participating firms.

However, I would be interested to know the "BSIMM Advisory Board" (i.e.
http://bsimm.com/community/) view on this and if it would be
possible to undertake this additional sampling within their own BSIMM
participating firm to determine if there is additional value that would be
gained for BSIMM?  However, I suspect that an objective measurement
would be too hard to quantify due to internal politics of each BSIMM
participating firm but I could be wrong.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact



[SC-L] OWASP Top Ten - Comparison of 2013, 2010, 2007, 2004 and 2003 Releases

2013-08-12 Thread Christian Heinrich
The comparison of the 2013, 2010, 2007, 2004 and 2003 releases of the
OWASP Top Ten can be downloaded from
https://github.com/cmlh/OWASP-Top-Ten-2013/releases


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact


Re: [SC-L] Security in open source components

2012-10-28 Thread Christian Heinrich
... and I found https://github.com/jeremylong/DependencyCheck#readme today
(i.e. Sunday 28 October 2012) via GitHub.

On Fri, Oct 26, 2012 at 10:34 AM, Christian Heinrich <
christian.heinr...@cmlh.id.au> wrote:

> Grant,
>
> ... and
> http://www.scmagazine.com.au/News/320617,redhat-project-fights-java-vulnerabilities.aspx
> was published yesterday (25 Oct).
>
> On Mon, Oct 1, 2012 at 3:19 PM, Christian Heinrich
>  wrote:
> > Grant,
> >
> > Below are the discussions related to Maven and the paper referenced:
> > 1. http://krvw.com/pipermail/sc-l/2012/002786.html
> > 2. http://krvw.com/pipermail/sc-l/2012/002788.html
> >
> > On Fri, Sep 28, 2012 at 9:10 AM, Grant Murphy 
> wrote:
> >> I don't have the original mail but some time ago a thread on this list
> >> mentioned this article:
> >>
> >>
> http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
>



-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact


Re: [SC-L] Security in open source components

2012-10-26 Thread Christian Heinrich
Grant,

... and 
http://www.scmagazine.com.au/News/320617,redhat-project-fights-java-vulnerabilities.aspx
was published yesterday (25 Oct).

On Mon, Oct 1, 2012 at 3:19 PM, Christian Heinrich
 wrote:
> Grant,
>
> Below are the discussions related to Maven and the paper referenced:
> 1. http://krvw.com/pipermail/sc-l/2012/002786.html
> 2. http://krvw.com/pipermail/sc-l/2012/002788.html
>
> On Fri, Sep 28, 2012 at 9:10 AM, Grant Murphy  wrote:
>> I don't have the original mail but some time ago a thread on this list
>> mentioned this article:
>>
>> http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact


Re: [SC-L] Security in open source components

2012-10-02 Thread Christian Heinrich
Grant,

Below are the discussions related to Maven and the paper referenced:
1. http://krvw.com/pipermail/sc-l/2012/002786.html
2. http://krvw.com/pipermail/sc-l/2012/002788.html

On Fri, Sep 28, 2012 at 9:10 AM, Grant Murphy  wrote:
> I don't have the original mail but some time ago a thread on this list
> mentioned this article:
>
> http://www.sonatype.com/Products/Why-Sonatype/Reduce-Security-Risk/Security-Brief


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact


Re: [SC-L] security in open source components

2012-05-04 Thread Christian Heinrich
Johan,

Since each git commit is a SHA-1 and git is popular with open source
projects, it would be possible to incorporate them as a "submodule"
as part of your larger superproject within git, but it does have some
limitations outlined within
http://stackoverflow.com/questions/996164/is-anyone-really-using-git-super-subprojects

Let me know if this addresses your concern or if I am way off?

On Wed, Apr 25, 2012 at 6:22 AM, Johan Peeters  wrote:
> These points are important. However, I am also concerned about
> component distribution.
> How can I be sure that the binary component my build script retrieves
> from, say, Maven Central is the one released by the relevant open
> source project? I know there are checksums and such, but I remain to
> be convinced that this typically affords adequate protection or that
> it even could do so. If my fears are well-founded, current
> distribution mechanisms of open source components provide the ideal
> opportunity for installing back-doors on the server side.
> I hope I am just being paranoid and the authors neglected to talk
> about distribution because it is obviously secure. I certainly would
> have been happier if distribution had been analysed and found secure,
> or, even, not terribly insecure.
> Does anyone else share these concerns? Or can anyone allay my fears?


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact
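As an added illustration of the distribution concern Johan raises and the pinning Christian suggests (example code written for this page, not from the thread, Maven or git): a checksum fetched from the same repository as the component detects nothing if that repository is compromised, whereas a hash pinned in your own build configuration, obtained out of band (the way a submodule pins a commit SHA-1), does. The artifact bytes and the repository class are constructed stand-ins, not real Maven Central behaviour.

```python
import hashlib
import hmac

# Constructed sample: the bytes the upstream project actually released.
GENUINE_ARTIFACT = b"PK\x03\x04 genuine-lib-1.0.jar (constructed sample bytes)"
# Constructed sample: a tampered copy served by a compromised repository.
TAMPERED_ARTIFACT = b"PK\x03\x04 genuine-lib-1.0.jar + backdoor (constructed)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Repository:
    """Toy artifact repository (hypothetical): serves an artifact and a
    sidecar checksum computed from whatever bytes it currently holds."""

    def __init__(self, artifact: bytes):
        self.artifact = artifact

    def fetch(self) -> bytes:
        return self.artifact

    def fetch_checksum(self) -> str:
        # A compromised repository simply recomputes this for the tampered file.
        return sha256_hex(self.artifact)


def verify_with_sidecar(repo: Repository) -> bool:
    """Checksum and artifact come from the same trust domain: only detects
    download corruption, never a malicious repository."""
    return sha256_hex(repo.fetch()) == repo.fetch_checksum()


def verify_with_pin(repo: Repository, pinned_sha256: str) -> bool:
    """Expected hash recorded in your own build file, obtained out of band
    (e.g. from the project's release announcement or a reviewed commit)."""
    return hmac.compare_digest(sha256_hex(repo.fetch()), pinned_sha256)


# The value you would commit alongside your build script.
PINNED_SHA256 = sha256_hex(GENUINE_ARTIFACT)


def demo() -> dict:
    good = Repository(GENUINE_ARTIFACT)
    bad = Repository(TAMPERED_ARTIFACT)
    return {
        "sidecar_good": verify_with_sidecar(good),
        "sidecar_bad": verify_with_sidecar(bad),  # True: tampering passes unnoticed
        "pin_good": verify_with_pin(good, PINNED_SHA256),
        "pin_bad": verify_with_pin(bad, PINNED_SHA256),  # False: tampering detected
    }
```

The same reasoning applies to signatures: a signature only helps if the verifying key is obtained and pinned independently of the repository serving the component.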