[SC-L] SecAppDev hits the road
Greetings SC-L subscribers,

I suspect many of you have heard of SecAppDev (http://secappdev.org) over the years. It's a non-profit training event that has hitherto been held in Leuven, Belgium for 1 week each Feb/Mar. Well, we're excited to say that this year we've added a second event: SecAppDev Dublin! Yes, SecAppDev will be hitting the road for its first foray outside of Belgium. For one week in July (15th-19th), we'll be making Dublin, Ireland our home. Just like the events in Belgium, we've lined up a great curriculum and faculty, to give each delegate a look at myriad aspects of developing secure applications. It's a pretty intense week-long immersion into the topics, for sure.

Registration is now open.

The course is organized by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. The course is a joint initiative with Dublin City University, Trinity College Dublin, KU Leuven and Solvay Brussels School of Economics and Management.

SecAppDev Dublin is the first edition of our widely acclaimed courses to be run in Ireland. Our previous 9 courses took place in Belgium and were attended by an international audience from a broad range of industries including financial services, telecom, consumer electronics and media.

We pride ourselves on our world-class faculty, which, for SecAppDev Dublin, includes

+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned Leuven crypto lab.
+ Ken van Wyk, co-founder of the US CERT Coordination Center and widely acclaimed author and lecturer.
+ Prof. dr. Dan Wallach, head of Rice University's computer security lab.
+ Prof. dr. Mike Scott, previously the head of DCU's School of Computing, now Chief Cryptographer at Certivox.

When we ran our first annual course in 2005, emphasis was on awareness and security basics, but as the field matured and a thriving security training market developed, we felt it was not appropriate to compete as a non-profit organization. Our focus has hence shifted to providing a platform for leading-edge and experimental material from thought leaders in academia and industry. We look toward academics to provide research results that are ready to break into the mainstream and attract people with an industrial background to try out new content and formats.

The course takes place from July 15th to 19th at the Science Gallery, Trinity College, Dublin. For more information visit the web site: http://secappdev.org.

Seating is limited, so do not delay registering to avoid disappointment. Registration is on a first-come, first-served basis. A 25% discount is available for Early Bird registration until June 15th. Alumni, public servants, and independents receive a 50% discount.

I hope that we will be able to welcome you or your colleagues to our course.

Cheers,
Ken

- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: @KRvW or @KRvW_Associates

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
[SC-L] ANNOUNCING: #MobAppSecTri Scholarship Program
Hey SC-Lers,

Gunnar Peterson (@OneRaindrop) and I (@KRvW) are once again giving away to a few deserving Mobile App Developers a small number of FREE tickets to our next Mobile App Sec Triathlon. If you know any deserving students / interns (especially in the greater New York City region), point them in our direction for a chance to get a free seat.

See http://mobappsectriathlon.blogspot.com/2013/03/announcing-mobappsectri-scholarship.html for details.

Cheers,
Ken

- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: @KRvW or @KRvW_Associates
[SC-L] Fwd: [Owasp-igoat-project] OWASP iGoat version 2.0 RELEASED!!!
Greetings SC-L,

For all of you who are interested in mobile app sec (or interested in learning more about it), we released OWASP iGoat version 2.0 today. See the details in our announcement below.

Cheers,
Ken van Wyk

Begin forwarded message:

From: Kenneth R. van Wyk k...@krvw.com
Subject: [Owasp-igoat-project] OWASP iGoat version 2.0 RELEASED!!!
Date: February 26, 2013 2:48:48 PM EST
To: owasp-igoat-proj...@lists.owasp.org owasp-igoat-proj...@lists.owasp.org

OWASP iGoat Project:

Thanks to iGoat lead developer, Sean Eidemiller, it gives me great pleasure to announce the immediate release of OWASP iGoat version 2.0! See the project web site at: https://www.owasp.org/index.php/OWASP_iGoat_Project for more information, or go directly to the source repository to download at: http://code.google.com/p/owasp-igoat/

The OWASP iGoat tool is a stand-alone iOS app (distributed solely in source code) designed to introduce iOS developers to many of the security pitfalls that plague poorly-written apps. Like its namesake, OWASP's WebGoat tool, iGoat is intended to teach software developers about these issues by stepping them through a series of exercises, each of which focuses on a single aspect of iOS security. OWASP iGoat is an ideal tool to use in a classroom setting to teach iOS developers (and technically minded IT Security staff with at least some exposure to object oriented programming).

Exercises include many typical problem issues (and their solutions) including:

- Securing sensitive data in transit
- Securing sensitive data at rest
- Securely connecting to back-end authentication services
- Side channel data leakage (e.g., system screen shots, cut-and-paste, and keystroke logging via the autocorrection feature)
- Making use of the system keychain to store small amounts of consumer-grade sensitive data

New to version 2.0:

- iGoat is now a true Universal app, so it builds and runs on iPhones, iPod Touches, as well as iPads. Full screen views are supported on all of these devices. (It also runs on the iPhone simulator included with XCode, of course -- which is ideal for a classroom environment.)
- A few behind the scenes improvements were made to the iGoat platform itself, making it easier to work with and develop new exercises. These include:
  o Storyboards for main screen navigation.
  o ARC support for object memory management.
- General code clean-ups.

Requirements:

To build and run iGoat, you'll need a Mac running OS X (real or virtual machine), with XCode installed. iGoat was built for Mountain Lion, but should run fine on any OS X newer than Snow Leopard. We recommend the latest XCode and built iGoat using XCode version 4.6. Similarly, iGoat was built on iOS 6.1, but should be backwards compatible with at least version 5.x.

We invite the OWASP community to download and try iGoat, and we welcome your suggestions for improvements. We're always looking for willing participants to contribute to the project as well!

Cheers,
Ken van Wyk
OWASP iGoat Project Leader

___
Owasp-igoat-project mailing list
owasp-igoat-proj...@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-igoat-project
[SC-L] Apple Employees Hacked By Visiting iPhoneDevSDK - Mac Rumors
Here is an interesting twist to the recent Apple hack. I hope no SC-Lers are using iphonedevsdk!

http://www.macrumors.com/2013/02/19/apple-employees-hacked-by-visiting-iphonedevsk/

Cheers,
Ken van Wyk
KRvW Associates, LLC
[SC-L] ANNOUNCING: MobAppSecTri Scholarship Program
Hey SC-Lers,

We're giving away to a few deserving Mobile App Developers a small number of FREE tickets to our Mobile App Sec Triathlon. If you know any deserving students / interns, point them in our direction for a chance to get a free seat.

See http://mobappsectriathlon.blogspot.com/2012/09/announcing-mobappsectri-scholarship.html for details.

Cheers,
Ken van Wyk
[SC-L] OWASP Cheat Sheet for iOS Developers
Hi SC-L,

Hey, it dawned on me that I never posted a pointer to the OWASP iOS Developer Cheat Sheet that was published a couple months ago.

https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet

As the initial author of the cheat sheet, I'd sure love to get feedback and -- better yet -- participation on it. Like all OWASP docs, it's open source, so find things you want to add/improve and join in. Either way, I hope you find it useful.

Cheers,
Ken

- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: @KRvW or @KRvW_Associates
[SC-L] Mobile app security blog, FYI
Greetings SC-L,

FYI, Gunnar Peterson (@OneRaindrop) and I (@KRvW) launched a blog last month on the topic of mobile app security. The blog can be found at http://mobappsectriathlon.blogspot.com

Full disclosure: On the blog, you will see advertisements for the MobAppSecTriathlon event that Gunnar and I are running in November, but the blog is free and we hope you'll find the topics we post on to be interesting and thought provoking. Even if you have no interest in joining us for the Triathlon event, we hope you'll stop by and check out the blog. Registered and authenticated Google+ users may submit comments as well, which we welcome.

Cheers,
Ken

- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: @KRvW_Associates
[SC-L] OWASP Cheat Sheet for iOS App Developers
Title: OWASP Cheat Sheet -- iOS App Developers
Author: Kenneth R. van Wyk
Source: OWASP - the Open Web Application Security Project
Date Published: 2012-07-17

Excerpt: This document is written for iOS app developers and is intended to provide a set of basic pointers to vital aspects of developing secure apps for Apple's iOS operating system. It follows the OWASP Mobile Top 10 Risks list.

Full article at: https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet

Cheers,
Ken

- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Join us for our 2012 Mobile App Sec Triathlon: www.mobileappsectriathlon.com
[SC-L] Test
Foo

Cheers,
Ken
[SC-L] HNS - Biggest X Window security hole since 2000
Stories about this (below) X bug and the DHS-sponsored project that found it have been floating around the net all week. This story caught my eye, though:

http://www.net-security.org/secworld.php?id=3994

The author claims, "This flaw, caused by something as seemingly harmless as a missing closing parenthesis, allowed local users to execute code with root privileges, giving them the ability to overwrite system files or initiate denial of service attacks."

So, it sounds like a single byte change in the entire X src tree could fix a bug that could give an attacker complete control of a system. Lovely...

Cheers,
Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] HNS - Biggest X Window security hole since 2000
On Thursday 04 May 2006 12:40, Gadi Evron wrote:
> Hmm, I think this was fixed in earlier X versions.

Not impossible, but the article clearly indicated that it's in 6.9.0 and 7.0.0, which are the most current in general circulation, I believe. But, some bugs are so important that they deserved to be fixed more than once. It sure wouldn't be the first time that a bug found its way back into a src tree.

Cheers,
Ken
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] AJAX: Is your application secure enough?
Another interesting paper passing through slashdot today is AJAX: Is your application secure enough? You can find it at http://www.darknet.org.uk/2006/04/ajax-is-your-application-secure-enough/

Looks to me like an interesting read, fwiw. Much as I like the interactiveness that AJAX brings to the game, I can't help but think that there's tons of room for major security mistakes to be made, if only due to the complexity of knowing what's going on at each tier of the app all the time.

Cheers,
Ken
--
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Software security efforts at DTCC
FYI, some more mainstream coverage of software security issues. This article -- http://www.securitypipeline.com/183702555;jsessionid=SF0AM1XSETTOEQSNDBECKICCJUMEKJVN -- describes some software security process improvements under way at the Depository Trust and Clearing Company (DTCC).

What I find encouraging is hearing about companies that are bringing their security and software development efforts together. YMMV...

Cheers,
Ken
--
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] CFP -- HICSS 2007
Greetings SC-L subscribers:

FYI, a Call for Participation for the Hawaii International Conference on System Sciences (HICSS) Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack is out. The conference takes place 3-6 January 2007 in Waikoloa on the Big Island of Hawaii. The CFP can be found below.

Cheers,
Ken van Wyk
--
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

==

HICSS-40: Call for Papers
Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack
Hawaii International Conference on System Sciences
Waikoloa, Big Island, Hawaii, January 3-6, 2007

Call For Participation

The Secure Software Architecture, Design, Implementation and Assurance minitrack focuses on the research and automation required to develop secure software systems that do not compromise other system properties such as performance or reliability. Current security engineering methods are demonstrably inadequate, as software vulnerabilities are currently being discovered at the rate of over 4,000 per year. These vulnerabilities are caused by software designs and implementations that do not adequately protect systems and by development practices that do not focus sufficiently on eliminating implementation defects that result in security flaws. An opportunity exists for systematic improvement that can lead to secure software architectures, designs, and implementations.

The following topics are appropriate topics for research papers:

- Static analysis tools and techniques for detecting security flaws and software vulnerabilities in source or binary code
- Dynamic analysis tools for detecting security flaws and software vulnerabilities in source or binary code
- Model checking tools for detecting security flaws and software vulnerabilities in software systems
- Software architectures and designs for securing against denial-of-service attacks and other software exploits
- Coding practices for improved security and secure library implementations
- Computational security engineering
- Other tools and techniques for reducing or eliminating vulnerabilities during development and maintenance

Co-Chairs

Sven Dietrich, CERT
Daniel Plakosh, CERT/CC
Robert C. Seacord, CERT/CC

Address email to the minitrack chairs to [EMAIL PROTECTED]

Program Committee

Julia Allen, SEI/CMU
Hal Burch, CERT/CC
Brian Chess, Fortify Software
Bob Fleck, Secure Software
Michael Howard, Microsoft
Derek M. Jones, Knowledge Software Ltd
Alan Krassowski, Symantec
Fred Long, University of Wales, Aberystwyth
Tom Longstaff, CERT
Robert Martin, MITRE
Leon Moonen, Delft University of Technology
James W. Moore, MITRE
Samuel Redwine, James Madison University
David Riley, University of Wisconsin - La Crosse
John Steven, Cigital
Carol Woody, CERT
Kenneth R. van Wyk, KRvW Associates, LLC

Paper Review And Proceedings Publication

HICSS conferences are devoted to the most relevant advances in the information, computer, and system sciences, and encompass developments in both theory and practice. Accepted papers may be theoretical, conceptual, tutorial, or descriptive in nature. Submissions must not have been previously published. Submissions undergo a double-blind peer referee process. Those selected for presentation at the conference will be published in the HICSS-40 conference proceedings.

Instructions For Paper Submission

HICSS papers must contain original material not previously published nor currently submitted elsewhere. It is recommended that authors contact the Minitrack Chair(s) by email for guidance regarding appropriate content. HICSS will conduct double-blind reviews of each submitted paper. Submit full paper according to detailed author instructions to be found on the HICSS web site (http://www.hicss.hawaii.edu/hicss_40/apahome40.htm ) by May 1. The preferred format for papers submission is PDF.

Important 2006 Dates

June 15, 2006 - Authors may contact Minitrack Chairs for guidance and indication of appropriate content at any time before June 15.

August 15, 2006 - Deadline to submit full papers. All papers will be submitted in double column publication format and limited to 10 pages including diagrams and references. Papers undergo a double-blind review.

September 15, 2006 - Authors receive notification regarding paper acceptances through the review system, not from the Minitrack Chairs. Acceptance may be conditional; revisions may be requested before final acceptance of paper. Attendance by at least one author and presentation of the paper at the conference is a requirement of acceptance.

September 16, 2006 - Authors submit final version of papers following author instructions posted on this site. At least one author of each paper must register by this date with specific plans to attend the conference to present the paper. Early registration fee applies until this date.

September 17, 2006 - General registration
[SC-L] ZDNET: LAMP lights the way in open-source security
Interesting article out on ZDNet today:

http://www.zdnetasia.com/news/security/0,39044215,39315781,00.htm

The article refers to the US government sponsored study being done by Stanford University, Symantec, and Coverity. It says, "The so-called LAMP stack of open-source software has a lower bug density--the number of bugs per thousand lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a maker of code analysis tools, announced Monday."

This surprised me quite a bit, especially given LAMP's popular reliance on scripting languages PHP, Perl, and/or Python. Still, the article doesn't discuss any of the root causes of the claimed security strengths in LAMP-based code. Perhaps it's because the scripting languages tend to make things less complex for the coders (as opposed to more complex higher level languages like Java and C#/.NET)?

Opinions?

Cheers,
Ken
--
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] AJAX security paper
FYI, here's a pointer to a just-published paper on AJAX security. Hope you find it useful, particularly in light of AJAX's quick rise in popularity.

http://www.it-observer.com/articles/1062/ajax_security/

Cheers,
Ken
--
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Book review: Essential PHP Security
I know that a lot of the folks on this list would consider the words PHP Security to be an oxymoron. That said, there's a book out on the subject, and it's been reviewed on /. The review can be found at:

http://books.slashdot.org/books/06/02/13/1426220.shtml

Cheers,
Ken van Wyk

P.S. It was nice to see a few SC-L folks at S3 in San Diego last week.
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Administrative: whitelisting on SC-L
Hi SC-L folks:

I don't mean to intrude in the bug and flaw debate, but I do want to make sure that you're all aware of the whitelisting that I'm doing on the list these days, since I switched the list management from Majordomo to Mailman.

Specifically, in order to cut down on spam, I have Mailman set to drop any posting sent from _any_ address that is not explicitly subscribed to the list. That means, for example, if you subscribe via an email exploder or alias at your site, that your submissions get automatically /dev/nulled.

The solution, for anyone that wants to post and is subscribed similarly to the above scenario, is to subscribe your personal address and set it to NOT receive SC-L postings. That way, your mail alias/exploder will continue to function as you set it up, AND you'll be able to post.

Since I get ZERO notification when messages (mostly spam) are dropped by the whitelist, I have no way of knowing who is in this situation. So, if you want the ability to post, drop me a note and I'll be happy to set you up with a no-mail subscription. (Don't worry, you won't/shouldn't get duplicates.)

Cheers,
Ken van Wyk
SC-L Moderator
Re: [SC-L] Managing the insider threat through code obfuscation
On Thursday 15 December 2005 09:26, Jose Nazario wrote:
> if the person can develop exploits against the holes in the code, what makes you think they can't fire up a runtime debugger and trace the code execution and discover the same things?

Nothing makes me think that at all; in fact, I was quite skeptical of the various product claims, which is why I wanted to hear about others' experience with them.

Cheers,
Ken
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Missing URL -- ZDNet: Attackers switching to applications, media players
Sorry, I neglected to include the URL for the story that I cited. It can be found at:

http://news.zdnet.com/2100-1009_22-593.html?tag=zdfd.newsfeed

Cheers,
Ken
[SC-L] Administrative: SC-L changes
Greetings all,

FYI, I have moved the securecoding.org site and SC-L mailing list over to a different host. The new host should be quite a bit faster, as it's used by a much (!) smaller number of domains than the old one.

More importantly, at least for SC-L, is that I've changed the mailing list manager from Majordomo to Mailman. That means that the user interface for subscribing, unsubscribing, digest vs. normal, etc., is now completely different. Additionally, Mailman automatically handles archiving of the list, so the list traffic (from now on) will be nicely archived for easy viewing and such.

For any and all subscription changes, just point your browsers to http://www.securecoding.org/list/ and you'll see a link to the Mailman page.

For those so inclined, it should now be easier for you to change between digest and non-digest format for the list. Mailman makes that quite easy for users. Please try to follow the instructions on the Mailman page. If that doesn't work, contact me and I'll be happy to make the change for you.

Lastly, I did a bit of testing of Mailman before doing the cutover, but I'm by no means a Mailman expert (yet). I _hope_ that all goes smoothly, but I ask you all to be patient if there are any unexpected burps and such.

Thanks for your patience.

Cheers,
Ken van Wyk
---
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Fwd from CIO Update: Why is application security so elusive?
FYI, there's a column in CIO Update by Ed Adams exploring some of the reasons why secure software is so hard to find. Unlikely to be anything new to SC-L readers, but it could be worth a quick read in any case. In particular, his recommendations (to his presumably mostly CIO audience) are quite different than what you might expect to find, say, here on SC-L.

In any case, you can find the article at: http://www.cioupdate.com/trends/article.php/3548306

(Full disclosure: CIO Update is run by Jupiter Media, who also owns the site (eSecurityPlanet.com) where I'm a monthly columnist.)

Cheers,
Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] SC-L changes
Greetings SC-L folks,

Although it's been particularly quiet here recently, I've also been moving the list over to a new system, which has caused some additional outages. (Read: tree fell in the forest and no one heard it.)

In any case, the new system should be fully functional in the next day or two, so on the off chance that anyone does post anything, please bear with me while I get things up and running. I'll probably send out one or two tests to ensure that things are flowing.

Sorry for any inconvenience...

Cheers,
Ken van Wyk
SC-L moderator
[SC-L] Wall Street Journal article on Software Security and upcoming events
Hi all,

FYI, a couple of interesting things going on in the software security space that those here on SC-L might appreciate:

- Good article/interview in yesterday's Wall Street Journal on the topic of Software Security. The interview is with Gary McGraw, and I'm sure that no one here will be too surprised by the content. It's just great to see that kind of visibility and attention being given to Software Security. Check it out (registration/subscription required) at http://online.wsj.com/article/0,,SB112128453130584810,00-search.html?KEYWORDS=cigitalCOLLECTION=wsjie/archive (Or just find a paper copy -- you know, the kind that our grandparents used to read. ;-)

- A couple of upcoming, fairly mainstream IT Security conferences both have numerous Software Security sessions on their agendas (including, for full disclosure, my own sessions at each). I'm referring to CSI's upcoming 32nd annual conference (14-16 November in Washington, DC) and SANS's Silicon Valley event (24-30 September in San Jose, CA). Here too, it's encouraging to me to see software security sessions prominently on the programs of these traditionally IT Security focused events.

Cheers,
Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] ANNOUNCING: 2nd US OWASP AppSec Conference - Oct 11-12 - Near DC
[Ed. Crossposted, as I thought that it was relevant here as well. KRvW]

Originally From: Dave Wichers [EMAIL PROTECTED]

Dear Colleague,

OWASP is proud to announce its second annual U.S. Application Security Conference. This year's conference will be held October 11-12 at the NIST campus in Gaithersburg, Maryland near Washington, DC. This location was chosen in order to encourage government, industry, and academia to get together and talk about the pressing problems we all face in application security today. Our first conference last year in NY had almost 150 attendees. We are expecting to have almost double that at this year's conference. NIST's auditorium can hold 700 people so we have plenty of room this year. Let's fill it up!

A few firsts for our 2nd US conference:
- Sponsorship: This conference is being sponsored by the National Institute of Standards and Technology (NIST)
- Significant Government Participation: Representatives of various government agencies, including NIST and the Department of Homeland Security (DHS), will be speakers at the conference
- Training: A 1-day training course on the Fundamentals of Web Application Security is being offered the day prior to the conference
- It's not being held on a weekend :-)

Full details on the conference are available on the OWASP website at http://www.owasp.org/conferences/appsec2005dc.html

This year's speakers include:
- Joe Jarzombek - Director of Software Assurance at the Department of Homeland Security
- Ron Ross - FISMA Project Lead - NIST
- Jeff Williams - OWASP Chair and CEO Aspect Security
- Jack Danahy - CEO Ounce Labs
- Paul Black - SAMATE Project Lead and OWASP Conference Sponsor - NIST
- Diniz Cruz - OWASP .NET Project Lead
- Arian Evans - OWASP Tools Project Lead - FishNet Security
- Jeremy Poteet - Author of Canning SPAM - CSO appDefense

OWASP's AppSec conferences are dedicated to real-world application security issues and solutions. You'll learn all aspects of application security, including people, process, and technology perspectives. You'll hear presentations on topics like:
- DHS plans for Software Assurance
- Status of the Federal Information Security Management Act (FISMA) Project
- A Business Case for Software Assurance
- Attacking Web Services
- .NET Security
- Software Assurance Metrics
- A Survey of Application Security Tools
- Details on the new OWASP Guide v2
- Details on the OWASP .NET Project
- Defending a High Profile Political Web Site
- How to Select an Application Security Assessment Vendor

The exact agenda is still being developed and will be posted to the site as soon as possible.

REGISTRATION DETAILS: As a non-profit charitable organization, and with NIST's sponsorship, OWASP has been able to keep the cost to $300 per seat if you are able to register prior to Sept. 10, 2005. The cost to government employees is only $250 prior to Sept. 10th. Registration information is available at: http://www.owasp.org/docroot/owasp/Registration/index.jsp PLEASE NOTE THAT ALL TICKETS ARE NON-REFUNDABLE TO REDUCE ADMINISTRATION COSTS.

FOUNDATIONS OF APPLICATION SECURITY COURSE - Oct 10: OWASP has arranged to have a one-day hands-on Web Application Security training course the day prior to the conference. This one-day class will be held at the nearby Holiday Inn and is only $600 for conference attendees. Registration for this course can be done via the conference registration page. More details on this training course are available at: http://www.owasp.org/conferences/appsec2005dc/training.html

EVENING SOCIAL EVENT - Oct 11: An optional dinner event is being held at the Holiday Inn Gaithersburg, which is the same location where the training is to be held on the 10th, and where discounted rooms are being made available to all conference attendees (see Accommodations below). This event involves a dinner at the hotel from 7-9 PM, followed by drinks at O'Malley's Irish Pub right in the hotel or out by the hotel's indoor pool adjacent to the pub. We hope to see all of you there as this is a great chance to mingle and meet many members of the OWASP community.

ACCOMMODATIONS: Information about local accommodations, including reduced-rate rooms at the nearby Holiday Inn, is available at: http://www.owasp.org/conferences/appsec2005dc/accommodations.html

If you know others that would be interested in attending the 2nd annual US OWASP conference, please forward them this email and let them know about this opportunity. Please contact me with any questions.

Looking forward to seeing you all there!

Thanks, Dave

Dave Wichers, OWASP Conferences Chair
The OWASP Foundation
http://www.owasp.org
[SC-L] Secure programming with the OpenSSL API, Part 2: Secure handshake
FYI, there's a new(ish) article by Kenneth Ballard out on IBM's developerWorks site, on the topic of secure use of OpenSSL. It's actually part 2 in a series, but there's a pointer there to part 1 also. The abstract follows, along with the URL to the full article:

"Securing the handshake during a Secure Sockets Layer session (SSL) is vital, since almost all of the security involving the connection is set up inside the handshake. Learn how to secure the SSL handshake against a man in the middle (MITM) attack -- in which the intruding party masquerades as another, trusted source. This article also introduces the concept of digital certificates and how the OpenSSL API handles them."

http://www-128.ibm.com/developerworks/linux/library/l-openssl2.html?ca=dgr-lnxw02SecureHandshake

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Tech News on ZDNet -- OS makers: Security is job No. 1
FYI, somewhat interesting story today on ZDNet (see http://news.zdnet.com/2100-1009_22-5697133.html?tag=st.prev) about operating system makers paying more attention to security. Note the differing (public) statements by Microsoft and Apple... Being fundamentally a glass half full sort of person, I think that it's refreshing to hear that OS vendors are making their products' security a higher priority than it's typically been in the past. There's also an implicit message here regarding a proactive software security posture vs. firewall and IDS it after the product is released. Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
[SC-L] Mobile phone OS security changing?
Greetings,

I noticed an interesting article about a mobile phone virus affecting Symbian-based phones out on Slashdot today. It's an interesting read: http://it.slashdot.org/it/05/04/06/0049209.shtml?tid=220tid=100tid=193tid=137

What particularly caught my attention was the sentence, "Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"

Apart from the author implying that this is an "or" situation, it's something that many of us have been saying for a very long time. (See my/Mark Graff's related op-ed from over a year ago at: http://www.securecoding.org/authors/oped/feb132004.php)

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Application Insecurity --- Who is at Fault?
Greetings++, Another interesting article this morning, this time from eSecurityPlanet. (Full disclosure: I'm one of their columnists.) The article, by Melissa Bleasdale and available at http://www.esecurityplanet.com/trends/article.php/3495431, is on the general state of application security in today's market. Not a whole lot of new material there for SC-L readers, but it's still nice to see the software security message getting out to more and more people. Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Mobile phone OS security changing?
On Wednesday 06 April 2005 09:26, Michael Silk wrote:
> The last thing I want is my mobile phone updating itself. I imagine that sort of operation would take up battery power, and possibly cause other interruptions ... (can you be on a call and have it update itself?)

I vividly remember a lot of similar arguments a few years ago when desktop PCs started doing automatic updates of OS and app software. Now, though, my laptop gets its updates when it's connected and when I'm not busy doing other things.

My main point, though, is that the status quo is unacceptable in my opinion. If a nasty vulnerability is found in most of today's mobile phone software, the repair process -- take the phone to the provider/vendor and have them burn new firmware -- just won't cut it. For that matter, a lot of PDAs are in the same boat. Sure, we'd all prefer better software in those devices to begin with, but as long as there are bugs and flaws, the users of these devices need a better way of getting the problems fixed.

> Personally, I would prefer a phone that doesn't connect to the internet at all rather than a so called 'secure' phone.

For the most part, those days are over.

> From reading the article it seems like the application asks to be installed, (is that correct?) so it doesn't seem like that big of a problem [unless phones start to get into the 'trusted'/'non-trusted' application area..]

Fortunately, no one would ever think of removing that query from the worm or circumventing the mechanism in the OS, so that it copies itself without notice in the future. ;-\

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] eSecurityPlanet article on Fortify source code scanner
FYI, interesting article on eSecurityPlanet regarding Fortify's commercial source code scanning tool -- see the full text at http://www.esecurityplanet.com/patches/article.php/3439021

Among other things, the article says, "In addition to new language support for C# -- the software already supports C, C++, PL/SQL, Java Server Pages (JSP) and Java -- Fortify has added four new analyzers, a rules manager and an audit manager to prioritize the level of software flaws."

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] How do we improve s/w developer awareness?
Greetings,

In my business travels, I spend quite a bit of time talking with Software Developers as well as IT Security folks. One significant difference that I've found is that the IT Security folks, by and large, tend to pay a lot of attention to software vulnerability and attack information while most of the Dev folks that I talk to are blissfully unaware of the likes of Full-Disclosure, Bugtraq, PHRACK, etc. I haven't collected any real stats, but it seems to me to be at least a 90/10% and 10/90% difference. (Yes, I know that this is a gross generalization and there are no doubt significant exceptions, but...)

I believe that this presents a significant hurdle to getting Dev folks to care about Software Security issues. Books like Gary McGraw's Exploiting Software do a great job at explaining how software can be broken, which is a great first step, but it's only a first step.

Am I alone in this opinion or have others noticed the same sort of thing? It's going to be a long, slow battle, in my opinion.

Cheers,

Ken
--
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Open Source failure analysis tool released for Linux
ljknews wrote:
> At 8:23 AM -0400 10/15/04, Kenneth R. van Wyk wrote:
> > I believe that we don't do enough to analyze and learn from software failures.
>
> I believe the industry as a whole does plenty to analyze software failures, particularly considering how little is done to avoid those errors. Added analysis in the face of near-zero remediation would be useless. How many times do we see buffer overflow as the cause, yet even on this mailing list people still defend the use of languages that not only permit but actually promote such errors.

Well, I did say "...analyze AND learn" :-)

Seriously, though, there's plenty of data on the symptoms of failures -- advisories, securitytracker.com, etc., but not enough on the causes in my opinion. And, to exacerbate the problems, in every software security tutorial that I do, I ask the students how many of them read information from places like bugtraq, full-disclosure, phrack, and such. Among the software developers, _maybe_ 5% of them say that they do. Admittedly, the percentage is better among the IT Security folks that I talk to, but they're not generally the ones that are writing the software. Of course, that's not a scientific survey or anything, but I sure get the feeling that very few software dev folks spend any/much time analyzing failures.

Cheers,

Ken
[SC-L] eWeek: App Developers Need to Redouble Security Efforts
FYI, there's an interesting article in eWeek today -- see http://www.eweek.com/article2/0,1759,1663716,00.asp -- regarding a recent Gartner study on software security. Among other things, it says, "Gartner predicts that if 50 percent of software vulnerabilities were removed prior to production use for purchased and internally developed software, enterprise configuration management costs and incident response costs each would be reduced by 75 percent."

Enjoy...

Cheers,

Ken
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] ComputerWorld interview with Theo de Raadt on Software Security
FYI, ComputerWorld is running an interesting interview with Theo de Raadt, on the state of software security, and OpenBSD in particular. See http://www.computerworld.com.au/index.php/id;1498222899;fp;16;fpid;0 for the complete text. Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
[SC-L] eSecurityPlanet column on Software Security
Greetings all, Wow, it sure has been quiet here for a couple weeks. Perhaps it's just those late summer (or winter, for you southern hemispherians) vacations... In any event, just an FYI here. My September eSecurityPlanet column hit the streets today (see http://www.esecurityplanet.com/views/article.php/3404191) if you're interested. It's on the topic of Software Security. I should point out that it's primarily written for an IT Security audience. It's slow progress convincing them that Software Security is more than running a pen test against an application a week before it goes live in the data center... Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
[SC-L] Grass roots secure coding efforts
Greetings all,

One of the things that I hear most from software developers when I deliver secure coding tutorials and such is that they're likely to be unable to do things like detailed threat modeling, risk analyses, etc. The reason most often cited is that they're under tight deadlines and there's not enough time in the schedule for such activities. Of course, to really expect any sort of culture shift, there would need to be top-level support for adopting secure coding practices.

That said, I often spend some time brainstorming lists of things that the students can consider trying by themselves as soon as they are back in their offices. I'm talking about grass roots sorts of activities that won't break the bank (or schedule) here. Some of the things that the students have suggested include the following:
- Informal peer review of code modules
- Incorporation of (usually free) static code review tools in the code reviews
- Setting up an information sharing site/portal/drive internally for developers to load useful links, tools, experiences, etc.
- and so on

Most often, the students agree that these sorts of things are the types of simple first steps that they could reasonably expect to take. Anyone here have other suggestions on other first steps that developers might consider, even in the absence of top-level embracing of a more secure development methodology? (No, I'm not suggesting that a simple list like this be any sort of substitute for a more in-depth program, but it's a starting point for developers to experiment with in trying to improve the security of their software dev practices.)

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Programming languages -- the third rail of secure coding
Greetings, It appears as though we may well have discovered software security's third rail over the last couple of weeks in the discussions regarding programming language choices. I don't mean to fan those flames by any means, trust me. However, I noticed several announcements for PHP version 5 (see http://www.zend.com/ for the official announcement and press release) over the weekend. PHP has long been the whipping boy of secure programming, and version 5 appears to add a great deal of new functionality to this popular language. Secure or not, there's a lot of PHP users and coders out there, and this added complexity certainly enhances its trinity of trouble profile (with respect to Gary McGraw's Exploiting Software). Along those lines, there's a good article at http://otn.oracle.com/pub/articles/hull_asp.html that compares PHP5 against ASP.NET, including the security features of each. Happy reading... Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Protecting users from their own actions
Wall, Kevin wrote:
> Isn't this something that users probably shouldn't be given a choice on? Normally I would think that corporate security policy dictates keeping the AV software / signatures up-to-date as well as dictating the (personal) firewall configurations. Some centrally administered software should do these things...

I agree that central administration works best in today's corporate environments, but I was referring also to the more general desktop environments as well, right down to the home and SOHO users that have to install and/or update their own.

Aside from that issue, though, the primary point that I wanted to get across is that there are substantial limitations to what we can accomplish through user education. I believe that our software -- from enterprise app servers through desktop emailers and browsers -- needs to do better at protecting users, even when they make decisions that we would think to be unwise.

Cheers,

Ken van Wyk
[SC-L] Protecting users from their own actions
Hi All, FYI... This topic has come up here a few times, so I thought that I'd send a pointer to my July eSecurityPlanet column (http://www.esecurityplanet.com/views/article.php/3377201 - free, no registration required). In the column, I take the seemingly unpopular view --at least in this group -- that we can't count on things like user awareness training to prevent users from doing things like clicking on unsafe email attachments. I also make a plug for better software security across the industry. Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] ACM Queue article and security education
James Walden wrote:
> I'd like to open a discussion based on this quote from Marcus Ranum's ACM Queue article entitled "Security: The root of the problem":

Thanks. I also read Marcus's article with interest. Caveat: clearly, I have a biased outlook, since software security training is one of the things that I do for a living.

Overall, I like and agree with much of what Marcus said in the article. I don't, however, believe that we can count on completely putting security below the radar for developers. Having strong languages, compilers, and run-time environments that actively look out for and prevent common problems like buffer overruns are worthy goals, to be sure, but counting solely on them presumes that there are no security problems at the design, integration, or operations stages of the lifecycle. Even if the run-time environment that Marcus advocates is _perfect_ in its protection, these other issues are still problematic and require the developers and operations staff to understand the problems.

> From my perspective, security education is only beginning to climb an initial upward curve. While classes in security topics are becoming more common in undergraduate computer science course catalogs, their presence is far from universal. I don't know of any university that requires such a class for an undergraduate CS degree; if any such programs exist, they're not common.

I agree with you on this, certainly. My nephew is a senior in an undergrad CS curriculum and his university has yet to discuss security in any of his course work, to my knowledge.

> While there are non-university classes and workshops that teach software security, I doubt that a majority of developers have attended even one such class. Software security has to be integrated into the CS curriculum before we can expect a majority of developers to have the appropriate skills, and then there will still be the issue of applying them under deadline pressure.

Yup, but in the belt and suspenders approach that I like to advocate, I'd like to see software security in our undergrad curricula as well as professional training that helps developers understand the security touch points throughout the development process -- not just during the implementation phase.

Cheers,

Ken van Wyk
http://www.KRvW.com
[SC-L] SPI, Ounce Labs Target Poorly Written Code
FYI, a couple of announcements from SPI Dynamics and Ounce Labs hit eWeek.com today -- see http://www.eweek.com/article2/0,1759,1617901,00.asp for the full text. According to the article, SPI Dynamics has released its SecureObjects product, which is a series of (presumably) securely written objects that developers can make use of for performing various security-related tasks (e.g., input validation) in their code. The article quotes SPI Dynamics' CTO as saying, It doesn't require developers to learn about security, which strikes me as being a rather bold statement. Meanwhile, Ounce Labs has put out a new version of its Prexis source code scanner. It currently scans C and C++, but the article says that a Java version will be available in July. Reports of user experiences with these tools would be appreciated here. Cheers, Ken P.S. Anyone interested in seeing a bit of Budapest can check out some of the shots I took while I was there at http://www.vanwyk.org/ken/galleries.php -- KRvW Associates, LLC http://www.KRvW.com
[SC-L] LinuxWorld | Secure coding attracts interest, investment
Greetings all, FYI, it looks like we're at the beginning of a new wave of software security tools. There's a few commercial products beginning to hit the market that take static src code scanning to a new level. See the link below for a LinuxWorld article that briefly (!) describes @stake's new SmartRisk Analyzer tool in addition to Fortify's Source Code Analysis suite. These appear to pick up where current static analysis tools (e.g., ITS4, Flawfinder) leave off. Anyone here willing/able to share some _user_ level experiences with any of these tools? It'll be interesting to hear how they hold up in real software development environments. http://www.linuxworld.com.au/nindex.php/id;1780700095;fp;2;fpid;1 Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
[SC-L] Microsoft threat modeling tool available for free
Greetings, Almost missed this one while I was out of the office for a couple days... Microsoft have announced the free availability of a threat modeling tool by Frank Swiderski, who is also writing a soon-to-be released book on threat modeling. Details on the tool (warning: requires .NET framework to be installed) as well as the book are available at: http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1displaylang=en Has anyone here tested the tool yet? Opinions? I'm a firm believer that not enough effort is paid to the threat analysis process during the design phase, so any tool that makes that easier should be a good thing -- even if it doesn't run on my Debian/Sarge desktop system. :-) Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
[SC-L] Interesting article on minimizing privileges
Anyone looking for a great introduction to putting the principle of least privilege into action, check out David Wheeler's article at: http://www-106.ibm.com/developerworks/linux/library/l-sppriv.html?ca=dgr-lnxw04Privileges

It cites one of my favorite examples of least privilege, Wietse Venema's Postfix program. Great stuff, check it out.

Cheers,

Ken
--
KRvW Associates, LLC
http://www.KRvW.com
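As an added illustration of what "putting least privilege into action" looks like in code (this is example code written for this archive, not from the list post, from David Wheeler's article or from Postfix), the routine below permanently drops a process from root to an unprivileged uid/gid on a POSIX system. The ordering matters: supplementary groups go first, then the gid, then the uid, because once the uid is dropped the earlier calls would fail; and the result is verified, including a check that root cannot be regained. The function name `drop_privileges` and the demo `main` are this example's own; it assumes Linux/glibc or another POSIX libc.

```c
/* Added example: permanently drop privileges in the safe order and verify it.
 * Not code from the post or from the article it points to. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to target_uid/target_gid for the rest of the process lifetime.
 * Returns 0 on success or a negative errno value on failure. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    /* Only root may change the supplementary group list; an already
     * unprivileged process has nothing to clear here, so do not fail. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -errno;

    /* Group first: after setuid() to a non-root uid, setgid() would fail. */
    if (setgid(target_gid) != 0)
        return -errno;

    /* setuid() as root sets real, effective and saved uids together, so the
     * drop is permanent. (seteuid() alone would leave root recoverable.) */
    if (setuid(target_uid) != 0)
        return -errno;

    /* Never trust the syscalls blindly: confirm every id actually changed. */
    if (getuid() != target_uid || geteuid() != target_uid ||
        getgid() != target_gid || getegid() != target_gid)
        return -EPERM;

    /* If we dropped to an unprivileged uid, regaining root must now fail.
     * If it succeeds, a saved set-user-id was left behind and the drop is
     * not real; treat that as an error rather than continue. */
    if (target_uid != 0 && setuid(0) == 0)
        return -EPERM;

    return 0;
}

int main(void)
{
    /* Demo: as an unprivileged user, "drop" to the ids we already hold.
     * A daemon started as root would pass the uid/gid of its service account
     * (looked up with getpwnam()) after binding its privileged port. */
    int rc = drop_privileges(getuid(), getgid());
    if (rc != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("running as uid %u gid %u, root not regainable: ok\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

A real daemon does its privileged work (binding ports below 1024, opening a log file or a chroot directory) before calling this, then runs everything that parses untrusted input afterwards; that is exactly the split Postfix uses between its small privileged master and its unprivileged worker processes.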
[SC-L] Andy Tanenbaum on Linux's origins and security
Andy Tanenbaum, the author of the MINIX operating system, recently posted an opinion piece on the origins of Linux. It's a fascinating albeit somewhat lengthy read -- see http://www.cs.vu.nl/~ast/brown/ for the full text.

At the very end of the document, he talks about the security of a microkernel system like (his own) MINIX vs. that of a monolithic kernel like Linux. He writes, "With all the security problems Windows has now, it is increasingly obvious to everyone that tiny microkernels, like that of MINIX, are a better base for operating systems than huge monolithic systems. Linux has been the victim of fewer attacks than Windows because (1) it actually is more secure, but also (2) most attackers think hitting Windows offers a bigger bang for the buck so Windows simply gets attacked more. As I did 20 years ago, I still fervently believe that the only way to make software secure, reliable, and fast is to make it small. Fight Features."

Cheers,

Ken
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] MIT study on software development processes
Hi all, I just saw a Slashdot story (http://developers.slashdot.org/article.pl?sid=04/04/30/1421223mode=threadtid=126tid=156tid=185) announcing an MIT study on software development processes used around the world. The report itself can be found at http://ebusiness.mit.edu/research/papers/178_Cusumano_Intl_Comp.pdf I haven't read through the whole thing, but the slashdot entry indicates that the study found some interesting things, in particular the low use of specification documents in the design cycle. Although it doesn't seem to address security per se, I thought that SC-L readers might find it an interesting read nonetheless. Cheers, Ken -- KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Yoran on the state of software security
Greetings all,

I was asked to clarify what I posted yesterday re Amit Yoran's recent public statements on the topic of software security.

On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
> Ken, could you clarify a little please?

Happy to, see below.

> I detect a slightly snide tone that suggests that you disagree with the assertion that it is inexplicable to produce software that suffers from buffer overruns. Is that really your position? If so, why?

Heavens no! Sorry for the ambiguity. Indeed, the issue of buffer overruns is probably the principal one that convinced me to co-author Secure Coding with Mark Graff. I'd like to see them become the polio of the tech world.

What I was trying to make light about in my note is whether Yoran got that notion from my statement in my TechTV interview -- that we have to focus more of our attention at improving software security. That was where the "me neither..." came from, because I have no delusions that he would have caught my segment on the show -- or that it would have influenced him in any way even if he had.

> Of course there are lots of other security issues (not least social engineering ones) but in what way is security /harmed/ by disciplined programming in appropriate languages supported by appropriate tools? Our experience is that such rigorous software engineering approaches result in more robust and secure product and a significant cost saving over less rigorous approaches.

Yes, I fully concur. I found it encouraging that Yoran is raising software security as a major issue also. I do wish that he'd used other examples than only buffer overruns, but it's a good step in the right direction. I'm particularly big on improving the design phase, long before any line of code (overrun or not) has been written.

Does that help clarify my point?

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Anyone looked at security features of D programming language?
Hi all,

I just saw an interesting article about a programming language that's under development called D. (See full article at http://www.osnews.com/story.php?news_id=6761) The description of the language is, "D is a (relatively) new addition to the C family of programming languages, intended as a successor to C++ but also incorporating ideas and improvements from other C-like languages such as Java and C#. It is an object-oriented, garbage-collected, systems programming language that is compiled to executable rather than bytecode. The specification and reference compiler are currently at version 0.82, and are expected to reach 1.0 within the year. The reference compiler runs on both Windows and Linux x86, and the frontend is Open-Sourced. A port of the frontend to GCC is underway and already functional on Linux x86 and Mac OS X."

Has anyone here looked into the security strengths/weaknesses of D? Care to discuss or summarize for the rest of us? Does it inherit the problems of C while trying to improve on C++ et al?

Cheers,

Ken van Wyk
--
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Computerworld op/ed on vulnerability patch cycle
Alexander Antonov wrote:
> I believe the issue of automatic updates was already discussed on other security-related lists.

Yes, I agree, but that's not what I was commenting on specifically. Certainly, we've seen automatic patches for a few years now. (And for many systems, e.g., desktop users, I believe that they're a good thing, in general.)

The column, however, advocates _slowing down_ the patch and distribution process so that all (subscribed) users of the product get the patch and install it more-or-less simultaneously. In my view, that doesn't do much, if anything, to make matters better. If anything, it punishes those that promptly install (after appropriate testing, no doubt) patches because it forces them to wait for the stragglers to catch up.

That said, I certainly agree with the column's notion that the current patching process that most product vendors use is not meeting our needs.

Cheers,

Ken van Wyk
http://www.KRvW.com
[SC-L] Administrivia Request: Aloha, the moderator is back
Aloha all, Just got back from a couple of weeks of sun and golf in Hawaii with my wife and, although I was checking email daily (thanks to T-Mobile unlimited GPRS data), it's been pretty quiet here on SC-L. In any case, though, I'm back now and open for business, FYI. And here's a bit of food for thought... I've been invited to be on an upcoming TechTV segment on the topic of computer viruses. I'm not sure how much leeway I'll have in steering the discussions, but if appropriate, I'd sure like to slip in a good word for software security as a vital topic that isn't being adequately addressed presently. I'd love to hear suggestions from this group as to what _the_ key message is that you think I should try to get across to the viewers. Responses on or offline would be most appreciated. Mahalo, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com
[SC-L] Humor: Secure coding in the comics (Foxtrot)
Those of us that are lucky (?) enough to get the FoxTrot comic strip (http://www.foxtrot.com) may have noticed that yesterday's and today's strips were discussing a software security topic. The author, Bill Amend, addresses the issue of the recent leak of some Microsoft source code. Check it out at: http://www.ucomics.com/foxtrot/2004/03/03/ and http://www.ucomics.com/foxtrot/2004/03/04/ ...well *I* thought it was funny. YMMV ;-) Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com