Re: [SC-L] quick question - SXSW

2008-04-10 Thread Stephen Craig Evans
Hi Andrew,

I was reminded of what you said in your post when I read the beginning of
this prezo description from HITB 2007:
"Using a lethal combination of various client side attacks we'll smash the
same origin policy, punch our way through your firewall, and dropkick an
Oracle database on your internal network (and we're NOT talking about SQL
Injection!)."

All good points you make that I'll keep in mind for my next attempt in SE
Asia.

Cheers,
Stephen



> From: Andrew van der Stock <[EMAIL PROTECTED]>
> Date: Thu, Mar 27, 2008 at 6:02 AM
> Subject: Re: [SC-L] quick question - SXSW
> To: "Arian J. Evans" <[EMAIL PROTECTED]>
> Cc: Secure Coding Mailing List 
>
>
> Hi all,
>
>  I have been specifically targeting developer conferences these last
>  twelve months. I've had rejections from the likes of OSCON, and in
>  fact, I was rejected from BlackHat, too. I have worked out the pattern
>  to these conferences.
>
>  You gotta SEX IT UP.
>
>  Instead of submitting talks like "Safe Ajax Coding Techniques" or
>  "Securely using mainframe transactions in your web app", submit talks
>  that are titled:
>
>  "How we pillage your app, identity rape your users, steal all your
>  money, and retire in the Caribbean with the loot"
>
>  Then when you get there, start with a demo or three to end all demos.
>  Totally scare them witless. Followed by a picture of a girly drink
>  with an umbrella in it with a beach in the background, and take the
>  girly drink to the talk, too. Once you've put the fear of god (or at
>  least malicious attackers) into them, then you can:
>
>  * Do the talk you had in mind all along ("Securely using
>  mainframe ..."), and they'll learn what they needed to learn by
>  attending your talk.
>
>  This is not to say you should be a boring presenter, but we shouldn't
>  shy away from saying to developers that they MUST do this stuff, or
>  they'll be pwned.
>
>  Just before the folks fill in their presenter feedback forms, do an
>  ASTONISHING demo. Something they will remember when they're filling in
>  the feedback. When you're at the top of the feedback pile, you'll get
>  invited back.
>
>  The program committees for these trendy conferences - with some very
>  notable exceptions - are for the most part just as hostile /
>  apathetic / know little about security as the attendees. Sometimes
>  worse - many are truly hostile to security as it gets in the way of
>  their "fast and crappy beats correct every time" mindset. So make your
>  submission interesting to the program committee, so much so that they
>  want to come see it, too. Once they start accepting the talks, sooner
>  or later, after 10 years or so, we'll be able to submit the useful
>  talks without any such cover. See the design pattern folks for proof.
>
>  Arian - ARGH! Tell Anurag to check out ESAPI - it already has hard
>  core white list encoding, direct object reference maps, easy user
>  object manipulation (logout that actually does the right thing with
>  one call, etc), safe system(), encrypted property files, integrity
>  protection and encryption for hidden fields and cookies, and so on and
>  on and on.
>
>  Encoder::
>  canonicalize()            Simplifies percent-encoded and entity-encoded
>                            characters to their simplest form so that they
>                            can be properly validated.
>  decodeFromBase64()        Decode data encoded with BASE-64 encoding.
>  decodeFromURL()           Decode from URL.
>  encodeForBase64()         Encode for base64.
>  encodeForDN()             Encode data for use in an LDAP distinguished
>                            name.
>  encodeForHTML()           Encode data for use in HTML content.
>  encodeForHTMLAttribute()  Encode data for use in HTML attributes.
>  encodeForJavascript()     Encode for javascript.
>  encodeForLDAP()           Encode data for use in LDAP queries.
>  encodeForSQL()            This method is not recommended.
>  encodeForURL()            Encode for use in a URL.
>  encodeForVBScript()       Encode data for use in visual basic script.
>  encodeForXML()            Encode data for use in an XML element.
>  encodeForXMLAttribute()   Encode data for use in an XML attribute.
>  encodeForXPath()          This implementation encodes almost everything
>                            and may overencode.
>  normalize()               Normalizes special characters down to ASCII
>                            using the Normalizer built into Java.
>
>  It's already done! However, there's more to do - let's work together
>  on those gaps (client AJAX ESAPI) instead of re-inventing the wheel.
>
>  thanks,
>  Andrew
>
>
>  On Mar 13, 2008, a

Re: [SC-L] quick question - SXSW

2008-03-26 Thread Andrew van der Stock
Hi all,

I have been specifically targeting developer conferences these last  
twelve months. I've had rejections from the likes of OSCON, and in  
fact, I was rejected from BlackHat, too. I have worked out the pattern  
to these conferences.

You gotta SEX IT UP.

Instead of submitting talks like "Safe Ajax Coding Techniques" or  
"Securely using mainframe transactions in your web app", submit talks  
that are titled:

"How we pillage your app, identity rape your users, steal all your  
money, and retire in the Caribbean with the loot"

Then when you get there, start with a demo or three to end all demos.  
Totally scare them witless. Followed by a picture of a girly drink  
with an umbrella in it with a beach in the background, and take the  
girly drink to the talk, too. Once you've put the fear of god (or at  
least malicious attackers) into them, then you can:

* Do the talk you had in mind all along ("Securely using  
mainframe ..."), and they'll learn what they needed to learn by  
attending your talk.

This is not to say you should be a boring presenter, but we shouldn't  
shy away from saying to developers that they MUST do this stuff, or  
they'll be pwned.

Just before the folks fill in their presenter feedback forms, do an  
ASTONISHING demo. Something they will remember when they're filling in  
the feedback. When you're at the top of the feedback pile, you'll get  
invited back.

The program committees for these trendy conferences - with some very  
notable exceptions - are for the most part just as hostile /  
apathetic / know little about security as the attendees. Sometimes  
worse - many are truly hostile to security as it gets in the way of  
their "fast and crappy beats correct every time" mindset. So make your  
submission interesting to the program committee, so much so that they  
want to come see it, too. Once they start accepting the talks, sooner  
or later, after 10 years or so, we'll be able to submit the useful  
talks without any such cover. See the design pattern folks for proof.

Arian - ARGH! Tell Anurag to check out ESAPI - it already has hard
core white list encoding, direct object reference maps, easy user
object manipulation (logout that actually does the right thing with
one call, etc), safe system(), encrypted property files, integrity
protection and encryption for hidden fields and cookies, and so on and
on and on.

Encoder::
canonicalize()            Simplifies percent-encoded and entity-encoded
                          characters to their simplest form so that they
                          can be properly validated.
decodeFromBase64()        Decode data encoded with BASE-64 encoding.
decodeFromURL()           Decode from URL.
encodeForBase64()         Encode for base64.
encodeForDN()             Encode data for use in an LDAP distinguished
                          name.
encodeForHTML()           Encode data for use in HTML content.
encodeForHTMLAttribute()  Encode data for use in HTML attributes.
encodeForJavascript()     Encode for javascript.
encodeForLDAP()           Encode data for use in LDAP queries.
encodeForSQL()            This method is not recommended.
encodeForURL()            Encode for use in a URL.
encodeForVBScript()       Encode data for use in visual basic script.
encodeForXML()            Encode data for use in an XML element.
encodeForXMLAttribute()   Encode data for use in an XML attribute.
encodeForXPath()          This implementation encodes almost everything
                          and may overencode.
normalize()               Normalizes special characters down to ASCII
                          using the Normalizer built into Java.

It's already done! However, there's more to do - let's work together  
on those gaps (client AJAX ESAPI) instead of re-inventing the wheel.

thanks,
Andrew

On Mar 13, 2008, at 4:11 AM, Arian J. Evans wrote:
> and Anurag will be releasing some APIs
> for java developers to actually do things like output encoding,
> where Java/J2EE is about 4 years behind the rest of the world.


thanks,
Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10




___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
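The Encoder contract Andrew lists above, worked through as an added example. This is illustrative Python written for this page, not ESAPI's Java code; the function names, the IntrusionException class and the sample inputs are this example's own. It shows the two halves of the design: canonicalize() decodes percent- and entity-encoding until the input stops changing and refuses double or mixed encoding, and a separate whitelist encoder exists per output context (HTML body, HTML attribute, JavaScript string, URL parameter), so one untrusted value can be placed in four contexts without the encoding for one context being relied on in another.

```python
import html
import re
import urllib.parse

# Illustrative sketch of the ESAPI Encoder contract (canonicalize first, then
# context-specific whitelist encoding at the point of output). Not ESAPI code:
# every name below is this example's own.

_ALNUM = re.compile(r"[A-Za-z0-9]")
_HTML_NAMED = {"&": "&amp;", "<": "&lt;", ">": "&gt;",
               '"': "&quot;", "'": "&#x27;", "/": "&#x2F;"}


class IntrusionException(Exception):
    """Raised when canonicalize() sees input that was encoded more than once."""


def _decode_all(s):
    """Apply percent- and entity-decoding until the string stops changing.

    Returns (decoded, fired): fired records which decoder changed the input
    on each pass, so the caller can tell plain (0), single (1) and double or
    mixed (>1) encoding apart.
    """
    decoders = (("percent", urllib.parse.unquote), ("entity", html.unescape))
    current, fired = s, []
    changed = True
    while changed:
        changed = False
        for name, fn in decoders:
            nxt = fn(current)
            if nxt != current:
                fired.append(name)
                current, changed = nxt, True
    return current, fired


def encoding_layers(s):
    """0 for plain text, 1 for ordinary encoding, 2 or more for double or mixed encoding."""
    return len(_decode_all(s)[1])


def canonicalize(s, strict=True):
    """Reduce s to its simplest form so validation runs on what the server or
    browser would actually see. In strict mode, input that needed more than one
    decode pass (%253C, or %26lt%3B wrapping an entity in percent-encoding) is
    rejected rather than silently decoded."""
    decoded, fired = _decode_all(s)
    if strict and len(fired) > 1:
        kind = "mixed" if len(set(fired)) > 1 else "multiple"
        raise IntrusionException("%s encoding in %r" % (kind, s))
    return decoded


def encode_for_html(s):
    """HTML element content: only alphanumerics pass; everything else becomes an entity."""
    return "".join(ch if _ALNUM.match(ch) else (_HTML_NAMED.get(ch) or "&#x%X;" % ord(ch))
                   for ch in s)


def encode_for_html_attribute(s):
    """HTML attribute value: numeric entities only, space included, so the value
    stays inert even where a template forgot the surrounding quotes."""
    return "".join(ch if _ALNUM.match(ch) else "&#x%X;" % ord(ch) for ch in s)


def encode_for_javascript(s):
    """JavaScript string literal: \\xHH / \\uHHHH escapes, so nothing can close the
    string, the statement or the enclosing <script> element."""
    out = []
    for ch in s:
        cp = ord(ch)
        if _ALNUM.match(ch):
            out.append(ch)
        elif cp < 0x100:
            out.append("\\x%02X" % cp)
        elif cp <= 0xFFFF:
            out.append("\\u%04X" % cp)
        else:  # astral code point: a JavaScript source escape needs a surrogate pair
            cp -= 0x10000
            out.append("\\u%04X\\u%04X" % (0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)))
    return "".join(out)


def encode_for_url(s):
    """URL query parameter value: percent-encode everything except RFC 3986 unreserved characters."""
    return urllib.parse.quote(s, safe="")


def render_profile(untrusted_name):
    """Place one untrusted value in four output contexts.

    Order matters: canonicalize, validate the canonical form, then encode
    separately for each context at the point of output.
    """
    name = canonicalize(untrusted_name)
    if not 1 <= len(name) <= 64:
        raise ValueError("name length out of range")
    return ('<span title="%s">%s</span>' % (encode_for_html_attribute(name), encode_for_html(name))
            + '<a href="/u?name=%s">profile</a>' % encode_for_url(name)
            + "<script>var n='%s';</script>" % encode_for_javascript(name))


if __name__ == "__main__":
    # Constructed sample inputs: a plain name, an injection attempt, a double-encoded one.
    for sample in ("alice", '"><img src=x onerror=alert(1)>', "%253Cscript%253E"):
        try:
            print(render_profile(sample))
        except IntrusionException as e:
            print("rejected:", e)
```

The encoders deliberately share no output: an HTML entity is not a JavaScript escape, so a value encoded for one context and dropped into another is still a bug, which is why render_profile() encodes the same canonical value once per context rather than once up front.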


Re: [SC-L] quick question - SXSW

2008-03-14 Thread Arian J. Evans
I'm not sure if the post made the list, but I outlined
what I believe is a huge difference between government
and beltway contractors, and the private sector.

DoD (and most gov/gov-contractor corps) fall squarely
into the "assurance" camps.

Private sector is heavily into "mitigation" and "response".

I get a completely different feel, due to entirely different
organizational/business realities, from software startups
and silicon valley in general.

That's great that you see this, though. Good news.

-ae


On Fri, Mar 14, 2008 at 7:06 AM, Mike Lyman <[EMAIL PROTECTED]> wrote:
> Arian J. Evans wrote:
>  > Overall security is not a feature or a function that you can monetarize.
>  > It's not even cool or sexy. It's an emergent behavior that is only
>  > observed when it is making your software harder to use.
>  >
>
>  Maybe it is just the US Department of Defense environment where I am
>  currently working but I see developers start to see this as cool and
>  sexy. Most are picking it up quickly and a few are even interested in
>  diving in deep into the security world. They ask great questions and are
>  doing a lot of independent research on it. We are in an environment
>  where they get security awareness training a few times a year and are
>  constantly bombarded with security messages but some of them really are
>  getting into it. It gives them something new to learn and it is driving
>  them to go deeper into some development subjects that they normally
>  would not ever be allowed to look at due to delivery schedules. Security
>  is giving them a good excuse to go learn more.
>  --
>
>  Mike Lyman
>  [EMAIL PROTECTED]
>
>
>
>



-- 
Arian Evans
software security stuff


Re: [SC-L] quick question - SXSW

2008-03-14 Thread Gary McGraw
hi sc-l,

As many of you know, I have been doing this stuff for over a decade now.  In 
terms of developer awareness and uptake, we have made great strides in the last 
three years.  I taught my first training class on software security at Goldman 
in 2001.  Since then, we've trained well over 8000 developers and others on 
software security (at Cigital where I work).  Attitudes have definitely 
shifted, and the market continues to grow.  Demand is up and interest is high.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 3/14/08 10:06 AM, "Mike Lyman" <[EMAIL PROTECTED]> wrote:

Arian J. Evans wrote:
> Overall security is not a feature or a function that you can monetarize.
> It's not even cool or sexy. It's an emergent behavior that is only
> observed when it is making your software harder to use.
>

Maybe it is just the US Department of Defense environment where I am
currently working but I see developers start to see this as cool and
sexy. Most are picking it up quickly and a few are even interested in
diving in deep into the security world. They ask great questions and are
doing a lot of independent research on it. We are in an environment
where they get security awareness training a few times a year and are
constantly bombarded with security messages but some of them really are
getting into it. It gives them something new to learn and it is driving
them to go deeper into some development subjects that they normally
would not ever be allowed to look at due to delivery schedules. Security
is giving them a good excuse to go learn more.
--

Mike Lyman
[EMAIL PROTECTED]





Re: [SC-L] quick question - SXSW

2008-03-14 Thread John Steven
All,

I just got back from SD West where I spoke twice in the security track. My 
third year working this show I was shocked to find larger audiences, avid 
participation, and (what excited me the most) very clueful development types.

Awareness will continue to be a big part of "getting the word out there". But 
what Gunnar attempted to do with his track at QCon was excellent and we should 
learn from it. He 1) organized a set of talks that followed each other clearly, 
building on previous content and 2) focused on more intermediate or advanced 
content.

Too often, the security talks at conferences overlap. Even this year's SD West 
had two threat modeling talks and a secure design talk. I'm also sick of their 
patronizing structure and titles: "Top 10 Web Vulnerabilities". Smart 
developers interested in learning this stuff can avail themselves of strong web 
tutorials from a variety of sources at this point. Overlapping talks comprised 
mostly of top ten lists leave developers with the empty "So what do I do about 
it?" feeling.

At SD West, I positioned my two talks as "advanced". I laughed looking at the 
conference board. I personally accounted for about half of the advanced talks 
for the conference.  My "Static Analysis Tool Customization" talk generated 
great discussion. I was pleased. Almost every audience member worked for an 
organization that was piloting or had already adopted a tool. They had really 
used it, and crashed against a rock. Because experience varied (Coverity, 
KLocwork, Fortify, and Ounce experience all represented) we got to talk about 
more than just one tool. Comparison was very demonstrative. People took copious 
notes, stayed after, discussion continued.

Yes, we still need more awareness but people want more advanced talks. They're 
ready.

At SD Best, I'm working to modernize the curriculum. I'm working with the 
development track leads to make sure that things cohere. Rather than mixing 
old-school buffer overflow information, with web security, with some process 
help, with some tool demos, I'm going to try to organize instruction around 
some of the newer stuff that developers are beginning to play with and be 
excited about. We'll focus on web services and web 2.0. In my mind, teaching 
people to "think destructively" is important, but bringing it back around and 
showing what to do about vulnerabilities is hugely important at a dev. 
conference. Last year I pushed speakers in this track to give constructive 
advice. I'll do the same this year.

Whether we're speaking to security guys or developers, it's time to show people 
patterns and approaches that will help them solve the problems we've been 
talking about for years.

Sum: Modernize advice. Talk to people in the languages and frameworks that 
they're using now. Get practical and constructive. Teach people how to build it 
right. Move beyond awareness to intermediate and advanced topics. It's time to 
raise the bar.


John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven

http://www.cigital.com
Software Confidence. Achieved.


From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Gunnar Peterson [EMAIL PROTECTED]

I agree this is a big issue, there is no cotton picking way that the
security people are solving these problems, it has to come from the
developers. I put together a track for QCon which included Brian Chess
on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on
ESAPI and Web 2.0 security. The presentations were great, the audience
was engaged and enthusiastic but small; it turns out that it is hard to
compete with the likes of Martin Fowler, Joshua Bloch, and Richard
Gabriel. Even when what they are talking about is some nth level
refinement and what we are talking about is all the gaping holes in the
previous a-m refinements and how to close some of them.

http://jaoo.dk/sanfrancisco/tracks/show_track.jsp?trackOID=73



Re: [SC-L] quick question - SXSW

2008-03-14 Thread Mike Lyman
Arian J. Evans wrote:
> Overall security is not a feature or a function that you can monetarize.
> It's not even cool or sexy. It's an emergent behavior that is only
> observed when it is making your software harder to use.
>   

Maybe it is just the US Department of Defense environment where I am 
currently working but I see developers start to see this as cool and 
sexy. Most are picking it up quickly and a few are even interested in 
diving in deep into the security world. They ask great questions and are 
doing a lot of independent research on it. We are in an environment 
where they get security awareness training a few times a year and are 
constantly bombarded with security messages but some of them really are 
getting into it. It gives them something new to learn and it is driving 
them to go deeper into some development subjects that they normally 
would not ever be allowed to look at due to delivery schedules. Security 
is giving them a good excuse to go learn more.
-- 

Mike Lyman
[EMAIL PROTECTED]



Re: [SC-L] quick question - SXSW

2008-03-13 Thread Arian J. Evans
On Wed, Mar 12, 2008 at 3:05 PM, Andy Steingruebl <[EMAIL PROTECTED]> wrote:

>  On a related note a quick perusal of the JavaOne conference tracks
>  doesn't show a lot of content in this area either.  Is this due to a
>  lack of interest, or people in the security world not pitching talks
>  to the development conference organizer?

Both.

Java is a tricky one. There were security sessions early on in
Java conferences, but they were about the stuff no one on the
planet actually does -- e.g. container security, code signing,
and JVM/applet permissions.

I think that turned a lot of devs off of security in Java-land.

In related news we're building J2EE courseware in a "by developers,
for developers" fashion and Anurag will be releasing some APIs
for java developers to actually do things like output encoding,
where Java/J2EE is about 4 years behind the rest of the world.

I imagine later this year or next year you'll see a few of us focusing
on developer (versus security) conferences, though I don't think
this changes the business problem/reality at all.

-- 
Arian Evans
software security stuff


Re: [SC-L] quick question - SXSW

2008-03-12 Thread Benjamin Tomhave
I think you misunderstood my points a little bit. SXSW was just a 
current conference example. As Gary's pointed out, there are many 
conferences. It's possible SXSW wasn't a good example, but it was meant 
more symbolically. More comments inline...

Arian J. Evans wrote:
> 1. This is largely the wrong crowd. Designers of small web2.0 stuffs,
> particularly the domain of widgets and WS interfaces for all the usual
> suspect platforms (flickr, facebook etc.) as well as most startups:
> 
> They just don't care.
> 
> They will never care.
> 
I fundamentally disagree. Everybody is the right crowd, assuming the 
message is tailored appropriately. It's precisely the perspective you 
espouse that concerns me greatly. I don't believe the security industry 
_as_a_whole_ has maintained momentum, and I attribute that directly to 
the SEP* effect. This goes directly to my larger point about ingraining 
security considerations/thoughtfulness/practices into all aspects of the 
business (not just coding, btw).

*See http://en.wikipedia.org/wiki/Somebody_Else%27s_Problem_field

> 2. This "security DNA" notion -- I don't really buy it. I don't think
> there's a big tipping point coming for "all hands in for writing secure
> software" in our near future. Maybe if people start dying because
> of insecure software, this will change, but until then ...
> 
If everyone starts coding more responsibly, then at some point the genre 
of "secure coding" goes away, because it's inherent in everything that's 
written. Today, I'd settle for all externally-facing apps being coded to 
address the OWASP Top 10, and to get developers to think for a change 
before doing silly things like implementing client-side filtering in the 
client code.

> I do see increasing awareness in mid to large size organizations
> (fortune 2000 +). Developers are more aware and more interested
> in security, but mostly in organizations that penalize (fire or
> demote) individuals involved in public security blunders.
> 
Hard-earned gains. How do we institutionalize these practices and get 
beyond playing the role of Law Enforcement for the security department?

> Overall security is not a feature or a function that you can monetarize.
> It's not even cool or sexy. It's an emergent behavior that is only
> observed when it is making your software harder to use.
> 
On the first sentence, I say "yes, exactly!" On the second sentence, I 
couldn't disagree more. Security should not be "making your software 
harder to use." Address XSS, CSRF, SQL injection, and input/output 
filtering/encoding should not diminish the end-user experience. Things 
like 2-factor authentication might have that result, but we're not 
really talking about that right now.

> Not until insurance or substantial penalties are the norm (if they are
> ever the norm) will we have meaningful quantitative data to drive a
> justification for security as a requirement in startup or most open
> source software projects. That's my opinion, anyway.
> 
I would really like for you to be wrong, but I can't really disagree 
with your base conclusion here. Hence my frustration. It provides a good 
case for shelving all security departments until the business starts 
taking major hits and they come begging for help. Honestly, I don't 
understand it. Businesses don't disagree that they need properly secured 
code/sites/etc. Yet, by the same token, they don't do what's necessary 
up front to secure their code/sites/etc. It's a truly bizarre disconnect 
that boggles my mind.

Thanks for the response! :)

-ben

-- 
Benjamin Tomhave, MS, CISSP
[EMAIL PROTECTED]
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
"A man without a goal is like a ship without a rudder."
Thomas Carlyle


Re: [SC-L] quick question - SXSW

2008-03-12 Thread Gary McGraw
Hi again,

I rebooted the security track completely at SD West in 2003 (thanks to tami who 
I cc'ed here).  I'm on the advisory board.

We're slowly inching our way toward SDL/touchpoints/CLASP stuffs at SD West, 
though when I tried to cover the touchpoints and enterprise security in 2006, 
interest was weak.  After 5 years of pounding we're getting there though!

My suggestion?   Get involved organizing these conferences and helping with 
thought leadership.  And just for the record, having your PR dingbats submit 
(stupid) marketing talks does not count.

Others getting the same treatment;
SD Best Practices
STAR West
Better Software
MISTI
CSI
NDSS
Usenix security

Rock on

gem

- Original Message -
From: Andy Steingruebl <[EMAIL PROTECTED]>
To: Gary McGraw
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; SC-L@securecoding.org 

Sent: Wed Mar 12 19:35:35 2008
Subject: Re: [SC-L] quick question - SXSW

On Wed, Mar 12, 2008 at 4:30 PM, Gary McGraw <[EMAIL PROTECTED]> wrote:
> Hey andy,
>
>  You mean AJAX one?   Last time I went there was zero interest and even less 
> clue about security among attendees.  The only shining light was a long 
> conversation I had with bill joy about security critical decisions those guys 
> screwed up with Java (especially with regards to closure).

>
>  A decade of evangelism only goes so far!   Do help!

Fair enough :)  I was looking at the program for the just finished SD
West and the security track actually looks to have been pretty good.
I think one thing we're missing from there is more emphasis on actual
SDL process, rather than focus on individual items within it.
Activities like how to form a steering group within a company, how to
bootstrap some of the practices, etc.

Do folks here have suggestions of conferences we ought to be targeting
with these sorts of presentations, papers, etc?  JavaOne seems like it
might have been a good place to target.  There are some smaller
developer conferences out there, some general security conferences,
and there has been discussion here and within OWASP as well of how we
can start better targeting these forums for our evangelizing...

Thoughts?

--
Andy Steingruebl
[EMAIL PROTECTED]



Re: [SC-L] quick question - SXSW

2008-03-12 Thread Arian J. Evans
So two thoughts Ben, purely my 0.02 USD:

1. This is largely the wrong crowd. Designers of small web2.0 stuffs,
particularly the domain of widgets and WS interfaces for all the usual
suspect platforms (flickr, facebook etc.) as well as most startups:

They just don't care.

They will never care.

SXSW has "* long tail" and "* design pattern" 2007 buzzword
compliant presentations.

You could probably get a snazzy "top 5 web2.0 security mistakes
everyone is making" or "Top 5 Security Design-Patterns" in there,
but I don't think it's the right audience. OSCON might be a better
fit, if you praise Ruby and release some open source "security" project.

2. This "security DNA" notion -- I don't really buy it. I don't think
there's a big tipping point coming for "all hands in for writing secure
software" in our near future. Maybe if people start dying because
of insecure software, this will change, but until then ...

I do see increasing awareness in mid to large size organizations
(fortune 2000 +). Developers are more aware and more interested
in security, but mostly in organizations that penalize (fire or
demote) individuals involved in public security blunders.

Overall security is not a feature or a function that you can monetarize.
It's not even cool or sexy. It's an emergent behavior that is only
observed when it is making your software harder to use.

Not until insurance or substantial penalties are the norm (if they are
ever the norm) will we have meaningful quantitative data to drive a
justification for security as a requirement in startup or most open
source software projects. That's my opinion, anyway.

---
Arian J. Evans
Software Security Stuff


On Wed, Mar 12, 2008 at 2:31 PM, Benjamin Tomhave
<[EMAIL PROTECTED]> wrote:
> First, thanks for that Bill, it exemplifies my point perfectly. A couple
>  thoughts...
>
>  one, targeting designers is just as important as reaching out to the
>  developers themselves... if the designers can ensure that security
>  requirements are incorporated from the outset, then we receive an added
>  benefit...
>
>  two, a re-phrasing around my original thought... somehow we need to get
>  security thinking and considerations encoded into the DNA of everyone in
>  the business, whether they be designers, architects, coders, analysts,
>  PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
>  could (should!) have had implicit and explicit security attributes
>  included... yet we're still at the point where secure coding has to be
>  explicitly requested/demanded (often as an afterthought or bolt-on)...
>
>  How do we as infosec professionals get people to the next phase of
>  including security thoughts in everything they do... with the end-goal
>  being that it is then integrated fully into practices and processes as a
>  bona fide genetic mutation that is passed along to future generations?
>
>  To me, this seems to be where infosec is stuck as an industry. There
>  seems to be a need for a catalyst to spur the mutation so that it can
>  have a life of its own. :)
>
>  fwiw.
>
>
>  -ben
>
>  --
>  Benjamin Tomhave, MS, CISSP
>  [EMAIL PROTECTED]
>  LI: http://www.linkedin.com/in/btomhave
>  Blog: http://www.secureconsulting.net/
>  Photos: http://photos.secureconsulting.net/
>  Web: http://falcon.secureconsulting.net/
>
>  [ Random Quote: ]
>  Augustine's Second Law of Socioscience: "For every scientific (or
>  engineering) action, there is an equal and opposite social reaction."
>  http://globalnerdy.com/2007/07/18/laws-of-software-development/
>
>
>
>  William L. Anderson wrote:
>  > Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I
>  > did not see many discussions that pay attention to security, or any
>  > other software engineering oriented concerns, explicitly.
>  >
>  > There was a discussion of scalability for web services that featured the
>  > developers from digg, Flickr, WordPress, and Media Temple. I got there
>  > about half-way through but the discussion with the audience was about
>  > tools and methods to handle high traffic loads. There was a question
>  > about build and deployment strategies and I asked about unit testing
>  > (mixed answers - some love it, some think it's strong-arm micro-mgt (go
>  > figure)).
>  >
>  > There was a session on OpenID and OAuth (open authorization) standards
>  > and implementation. These discussions kind of assume the use of secure
>  > transports but since I couldn't stay the whole time I don't know if
>  > secure coding was addressed explicitly.
>  >
>  > The main developer attendees at SXSW would call themselves designers and
>  > I would guess many of them are doing web development in PHP, Ruby, etc.
>  > I think the majority of attendees would not classify themselves as
>  > software programmers.
>  >
>  > To me it seems very much like a craft culture. That doesn't mean that a
>  > track on how to develop secure web services wouldn't be popular. In fact
>  > it might be worth

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Gunnar Peterson
I agree this is a big issue, there is no cotton picking way that the 
security people are solving these problems, it has to come from the 
developers. I put together a track for QCon which included Brian Chess 
on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on 
ESAPI and Web 2.0 security. The presentations were great, the audience 
was engaged and enthusiastic but small; it turns out that it is hard to 
compete with the likes of Martin Fowler, Joshua Bloch, and Richard 
Gabriel. Even when what they are talking about is some nth level 
refinement and what we are talking about is all the gaping holes in the 
previous a-m refinements and how to close some of them.

http://jaoo.dk/sanfrancisco/tracks/show_track.jsp?trackOID=73

-gp

Kenneth Van Wyk wrote:
> Ben,
> 
> Your point is a good one -- the software security community needs to be 
> vigilant in reaching out to developers and spreading "the word".
> 
> FWIW, some dev conferences have done this.  I spoke at SD West in 2006, 
> and there was a significant security track there.  Still, it'd be great 
> to see that sort of thing at more dev-specific conferences.
> 
> Cheers,
> 
> Ken van Wyk
> SC-L Moderator
> 
> On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:
> 
>> First, thanks for that Bill, it exemplifies my point perfectly. A couple
>> thoughts...
>>
>> one, targeting designers is just as important as reaching out to the
>> developers themselves... if the designers can ensure that security
>> requirements are incorporated from the outset, then we receive an added
>> benefit...
>>
>> two, a re-phrasing around my original thought... somehow we need to get
>> security thinking and considerations encoded into the DNA of everyone in
>> the business, whether they be designers, architects, coders, analysts,
>> PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
>> could (should!) have had implicit and explicit security attributes
>> included... yet we're still at the point where secure coding has to be
>> explicitly requested/demanded (often as an afterthought or bolt-on)...
>>
>> How do we as infosec professionals get people to the next phase of
>> including security thoughts in everything they do... with the end-goal
>> being that it is then integrated fully into practices and processes as a
>> bona fide genetic mutation that is passed along to future generations?
>>
>> To me, this seems to be where infosec is stuck as an industry. There
>> seems to be a need for a catalyst to spur the mutation so that it can
>> have a life of its own. :)
>>
>> fwiw.
>>
>> -ben
>>
>> -- 
>> Benjamin Tomhave, MS, CISSP
>> [EMAIL PROTECTED]
>> LI: http://www.linkedin.com/in/btomhave
>> Blog: http://www.secureconsulting.net/
>> Photos: http://photos.secureconsulting.net/
>> Web: http://falcon.secureconsulting.net/
>>
>> [ Random Quote: ]
>> Augustine's Second Law of Socioscience: "For every scientific (or
>> engineering) action, there is an equal and opposite social reaction."
>> http://globalnerdy.com/2007/07/18/laws-of-software-development/
>>
>> William L. Anderson wrote:
>>> Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I
>>> did not see many discussions that pay attention to security, or any
>>> other software engineering oriented concerns, explicitly.
>>>
>>> There was a discussion of scalability for web services that featured the
>>> developers from digg, Flickr, WordPress, and Media Temple. I got there
>>> about half-way through but the discussion with the audience was about
>>> tools and methods to handle high traffic loads. There was a question
>>> about build and deployment strategies and I asked about unit testing
>>> (mixed answers - some love it, some think it's strong-arm micro-mgt (go
>>> figure)).
>>>
>>> There was a session on OpenID and OAuth (open authorization) standards
>>> and implementation. These discussions kind of assume the use of secure
>>> transports but since I couldn't stay the whole time I don't know if
>>> secure coding was addressed explicitly.
>>>
>>> The main developer attendees at SXSW would call themselves designers and
>>> I would guess many of them are doing web development in PHP, Ruby, etc.
>>> I think the majority of attendees would not classify themselves as
>>> software programmers.
>>>
>>> To me it seems very much like a craft culture. That doesn't mean that a
>>> track on how to develop secure web services wouldn't be popular. In fact
>>> it might be worth proposing one for next year.
>>>
>>> If you want to talk further, please get in touch.
>>>
>>> -Bill Anderson
>>> praxis101.com
>>>
>>> Benjamin Tomhave wrote:
>>>> I had just a quick query for everyone out there, with an attached
>>>> thought.
>>>>
>>>> How many security and/or secure coding professionals are prevalently
>>>> involved with the SXSW conference this week? I know, I know... it's a big
>>>> party for developers - particularly the Web 2.0 clique - but I'm just
>>>> curious.
>>>>
>>>> Here's why

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Arian J. Evans


On Wed, Mar 12, 2008 at 6:08 PM, Benjamin Tomhave
<[EMAIL PROTECTED]> wrote:
> I think you misunderstood my points a little bit. SXSW was just a
>  current conference example. As Gary's pointed out, there are many
>  conferences. It's possible SXSW wasn't a good example, but it was meant
>  more symbolically. More comments inline...

Oh, I did miss your point. Overall, I agree. I've had mixed experiences
leading me to re-evaluate my stance.

A security-unaware dev friend recently told me about Microsoft coming
to some conference and demonstrating this new "SQL Injection" thing
to them, and he told me how amazing and cool it was. He asked if I
did SQL Injection.

That's the first time in several years he's responded to what I've primarily
worked on for 8+ years, and incidentally for over 10, and told him about
over god-knows how many Guinness. I don't blame the Guinness. (who can?)


>  > They just don't care.
>  >
>  > They will never care.
>  >
>  I fundamentally disagree. Everybody is the right crowd, assuming the
>  message is tailored appropriately. It's precisely the perspective you
>  espouse that concerns me greatly. I don't believe the security industry
>  _as_a_whole_ has maintained momentum, and I attribute that directly to
>  the SEP* effect. This goes directly to my larger point about ingraining
>  security considerations/thoughtfulness/practices into all aspects of the
>  business (not just coding, btw).

I think this approach is doomed to failure, though my thoughts and experiences
are mixed. Whilst I have quit evangelizing secure software, I do meet more
and more devs interested in software security -- who were not merely 3 to
5 years ago. Something is definitely changing, but abstract interest in appsec
!= secure design & implementation.

While this isn't an argument -- just an observation -- I hear this
"build security in"
notion preached most often from the following:

(a) people new to the appsec "industry"
(b) academic-minded & PHD-type folks into taxonomies
(c) government folks/agencies out of touch with the business world
(d) eager kids just-out-of infosec college joining our "industry"
(e) people with livelihood/agendas staked on these notions

Maybe I'm just jaded, but it doesn't seem to work in many, and
possibly most, cases. I think the momentum is lost because
all these "build security in" and "Secure SDLC" things don't work
for a lot of people/organizations. I still have some suspicions
this may be due to implementation, but...

This industry cannot even get its node-hierarchies right. Even
the mitre CWE is fraught with node-confusion betwixt attack
nodes, vulnerability nodes, and design & implementation weakness nodes.

But at the end of the day the business doesn't care.

"Will this model of car sell and will we get sued over defects in it?"

That's the world. If "building secure cars" was the answer Volvo
would have been a wild success many, many years ago.


>  If everyone starts coding more responsibly, then at some point the genre
>  of "secure coding" goes away, because it's inherent in everything that's
>  written. Today, I'd settle for all externally-facing apps being coded to
>  address the OWASP Top 10, and to get developers to think for a change
>  before doing silly things like implementing client-side filtering in the
>  client code.

Client-side filtering isn't silly. It's smart. You probably mean using it
as a security control, but it's that verbiage that arms legions of the
clueless appsec auditors now joining our industry that don't know
sh*t about software design or implementation, or business use-case,
and cause software professionals to scoff at our industry. I can't tell
you how many appsec reports I've seen that say "don't use client
side validation -- it's dangerous" and I start looking for more best
practice nonsense listed as "vulnerabilities".

"Don't allow dangerous characters in input". WTF?
"Insufficient input validation". For whom?

I think I see your perspective though.

I think the answer is: IDEs that make it harder to shoot oneself in the
foot, secure frameworks, and secure environments (for all us text-editor
types) and maybe even newer languages with some real notion of a
data/function boundary -- those are the keys. Leave "secure coding"
out of it.

Combine that with security controls that provide meaningful mis-use
case and fraud detection, instead of attack-vector blocking, and you
can even allow weak password reset questions. Which is what
the business, and my mother, really wants.

I hesitate to say this, this is like fumbling with flame-bait, but over
the last two years I feel more and more like many in this industry,
including OWASP which you mentioned, are going astray down
this fantasy land of secure-coding and assurance.

The government (and contracting agencies by proxy) are into
assurance. The rest of the world is not.

The private sector is into mitigation, insurance, fraud detection
and incident response.

OWASP noti

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Johan Peeters
I agree.

Reaching the development community, that's precisely what we are
trying to do at secappdev. Thanks for helping with that too, Ken.
I have also taken some security-related sessions to conferences such
as XP Days Benelux, XP Days France and SPA. Appearing soon at ACCU.
I would love to hear from anyone else in this niche.

kr,

Yo

On 3/12/08, Kenneth Van Wyk <[EMAIL PROTECTED]> wrote:
> Ben,
>
> Your point is a good one -- the software security community needs to
> be vigilant in reaching out to developers and spreading "the word".
>
> FWIW, some dev conferences have done this.  I spoke at SD West in
> 2006, and there was a significant security track there.  Still, it'd
> be great to see that sort of thing at more dev-specific conferences.
>
> Cheers,
>
> Ken van Wyk
> SC-L Moderator
>
> On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:
>
> > First, thanks for that Bill, it exemplifies my point perfectly. A couple
> > thoughts...
> >
> > one, targeting designers is just as important as reaching out to the
> > developers themselves... if the designers can ensure that security
> > requirements are incorporated from the outset, then we receive an added
> > benefit...
> >
> > two, a re-phrasing around my original thought... somehow we need to get
> > security thinking and considerations encoded into the DNA of everyone in
> > the business, whether they be designers, architects, coders, analysts,
> > PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
> > could (should!) have had implicit and explicit security attributes
> > included... yet we're still at the point where secure coding has to be
> > explicitly requested/demanded (often as an afterthought or bolt-on)...
> >
> > How do we as infosec professionals get people to the next phase of
> > including security thoughts in everything they do... with the end-goal
> > being that it is then integrated fully into practices and processes as a
> > bona fide genetic mutation that is passed along to future generations?
> >
> > To me, this seems to be where infosec is stuck as an industry. There
> > seems to be a need for a catalyst to spur the mutation so that it can
> > have a life of its own. :)
> >
> > fwiw.
> >
> > -ben
> >
> > --
> > Benjamin Tomhave, MS, CISSP
> > [EMAIL PROTECTED]
> > LI: http://www.linkedin.com/in/btomhave
> > Blog: http://www.secureconsulting.net/
> > Photos: http://photos.secureconsulting.net/
> > Web: http://falcon.secureconsulting.net/
> >
> > [ Random Quote: ]
> > Augustine's Second Law of Socioscience: "For every scientific (or
> > engineering) action, there is an equal and opposite social reaction."
> > http://globalnerdy.com/2007/07/18/laws-of-software-development/
> >
> > William L. Anderson wrote:
> >> Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I
> >> did not see many discussions that pay attention to security, or any
> >> other software engineering oriented concerns, explicitly.
> >>
> >> There was a discussion of scalability for web services that featured the
> >> developers from digg, Flickr, WordPress, and Media Temple. I got there
> >> about half-way through but the discussion with the audience was about
> >> tools and methods to handle high traffic loads. There was a question
> >> about build and deployment strategies and I asked about unit testing
> >> (mixed answers - some love it, some think it's strong-arm micro-mgt (go
> >> figure)).
> >>
> >> There was a session on OpenID and OAuth (open authorization) standards
> >> and implementation. These discussions kind of assume the use of secure
> >> transports but since I couldn't stay the whole time I don't know if
> >> secure coding was addressed explicitly.
> >>
> >> The main developer attendees at SXSW would call themselves designers and
> >> I would guess many of them are doing web development in PHP, Ruby, etc.
> >> I think the majority of attendees would not classify themselves as
> >> software programmers.
> >>
> >> To me it seems very much like a craft culture. That doesn't mean that a
> >> track on how to develop secure web services wouldn't be popular. In fact
> >> it might be worth proposing one for next year.
> >>
> >> If you want to talk further, please get in touch.
> >>
> >> -Bill Anderson
> >> praxis101.com
> >>
> >> Benjamin Tomhave wrote:
> >>> I had just a quick query for everyone out there, with an attached
> >>> thought.
> >>>
> >>> How many security and/or secure coding professionals are prevalently
> >>> involved with the SXSW conference this week? I know, I know... it's a big
> >>> party for developers - particularly the Web 2.0 clique - but I'm just
> >>> curious.
> >>>
> >>> Here's why: I'm increasingly frustrated by the disconnect between
> >>> business/dev and security. I don't feel like we're being largely
> >>> successful in getting the business and developers to include security as
> >>> part of their sta

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Gary McGraw
Hey andy,

You mean the AJAX one?   Last time I went there was zero interest and even less 
clue about security among attendees.  The only shining light was a long 
conversation I had with Bill Joy about security critical decisions those guys 
screwed up with Java (especially with regards to closure).

A decade of evangelism only goes so far!   Do help!

gem

www.cigital.com/~gem

- Original Message -
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: Benjamin Tomhave <[EMAIL PROTECTED]>
Cc: SC-L@securecoding.org 
Sent: Wed Mar 12 18:05:53 2008
Subject: Re: [SC-L] quick question - SXSW

On Tue, Mar 11, 2008 at 6:43 AM, Benjamin Tomhave
<[EMAIL PROTECTED]> wrote:
> I had just a quick query for everyone out there, with an attached thought.
>
>  How many security and/or secure coding professionals are prevalently
>  involved with the SXSW conference this week? I know, I know... it's a big
>  party for developers - particularly the Web 2.0 clique - but I'm just
>  curious.
>

On a related note a quick perusal of the JavaOne conference tracks
doesn't show a lot of content in this area either.  Is this due to a
lack of interest, or people in the security world not pitching talks
to the development conference organizer?

--
Andy Steingruebl
[EMAIL PROTECTED]
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___



Re: [SC-L] quick question - SXSW

2008-03-12 Thread Andy Steingruebl
On Wed, Mar 12, 2008 at 4:30 PM, Gary McGraw <[EMAIL PROTECTED]> wrote:
> Hey andy,
>
>  You mean the AJAX one?   Last time I went there was zero interest and even less 
> clue about security among attendees.  The only shining light was a long 
> conversation I had with Bill Joy about security critical decisions those guys 
> screwed up with Java (especially with regards to closure).

>
>  A decade of evangelism only goes so far!   Do help!

Fair enough :)  I was looking at the program for the just finished SD
West and the security track actually looks to have been pretty good.
I think one thing we're missing from there is more emphasis on actual
SDL process, rather than focus on individual items within it.
Activities like how to form a steering group within a company, how to
bootstrap some of the practices, etc.

Do folks here have suggestions of conferences we ought to be targeting
with these sorts of presentations, papers, etc?  JavaOne seems like it
might have been a good place to target.  There are some smaller
developer conferences out there, some general security conferences,
and there has been discussion here and within OWASP as well of how we
can start better targeting these forums for our evangelizing...

Thoughts?

-- 
Andy Steingruebl
[EMAIL PROTECTED]


Re: [SC-L] quick question - SXSW

2008-03-12 Thread Kenneth Van Wyk

Ben,

Your point is a good one -- the software security community needs to  
be vigilant in reaching out to developers and spreading "the word".


FWIW, some dev conferences have done this.  I spoke at SD West in  
2006, and there was a significant security track there.  Still, it'd  
be great to see that sort of thing at more dev-specific conferences.


Cheers,

Ken van Wyk
SC-L Moderator

On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:

> First, thanks for that Bill, it exemplifies my point perfectly. A couple
> thoughts...
>
> one, targeting designers is just as important as reaching out to the
> developers themselves... if the designers can ensure that security
> requirements are incorporated from the outset, then we receive an added
> benefit...
>
> two, a re-phrasing around my original thought... somehow we need to get
> security thinking and considerations encoded into the DNA of everyone in
> the business, whether they be designers, architects, coders, analysts,
> PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
> could (should!) have had implicit and explicit security attributes
> included... yet we're still at the point where secure coding has to be
> explicitly requested/demanded (often as an afterthought or bolt-on)...
>
> How do we as infosec professionals get people to the next phase of
> including security thoughts in everything they do... with the end-goal
> being that it is then integrated fully into practices and processes as a
> bona fide genetic mutation that is passed along to future generations?
>
> To me, this seems to be where infosec is stuck as an industry. There
> seems to be a need for a catalyst to spur the mutation so that it can
> have a life of its own. :)
>
> fwiw.
>
> -ben
>
> --
> Benjamin Tomhave, MS, CISSP
> [EMAIL PROTECTED]
> LI: http://www.linkedin.com/in/btomhave
> Blog: http://www.secureconsulting.net/
> Photos: http://photos.secureconsulting.net/
> Web: http://falcon.secureconsulting.net/
>
> [ Random Quote: ]
> Augustine's Second Law of Socioscience: "For every scientific (or
> engineering) action, there is an equal and opposite social reaction."
> http://globalnerdy.com/2007/07/18/laws-of-software-development/
>
> William L. Anderson wrote:
>> Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I
>> did not see many discussions that pay attention to security, or any
>> other software engineering oriented concerns, explicitly.
>>
>> There was a discussion of scalability for web services that featured the
>> developers from digg, Flickr, WordPress, and Media Temple. I got there
>> about half-way through but the discussion with the audience was about
>> tools and methods to handle high traffic loads. There was a question
>> about build and deployment strategies and I asked about unit testing
>> (mixed answers - some love it, some think it's strong-arm micro-mgt (go
>> figure)).
>>
>> There was a session on OpenID and OAuth (open authorization) standards
>> and implementation. These discussions kind of assume the use of secure
>> transports but since I couldn't stay the whole time I don't know if
>> secure coding was addressed explicitly.
>>
>> The main developer attendees at SXSW would call themselves designers and
>> I would guess many of them are doing web development in PHP, Ruby, etc.
>> I think the majority of attendees would not classify themselves as
>> software programmers.
>>
>> To me it seems very much like a craft culture. That doesn't mean that a
>> track on how to develop secure web services wouldn't be popular. In fact
>> it might be worth proposing one for next year.
>>
>> If you want to talk further, please get in touch.
>>
>> -Bill Anderson
>> praxis101.com
>>
>> Benjamin Tomhave wrote:
>>> I had just a quick query for everyone out there, with an attached
>>> thought.
>>>
>>> How many security and/or secure coding professionals are prevalently
>>> involved with the SXSW conference this week? I know, I know... it's a big
>>> party for developers - particularly the Web 2.0 clique - but I'm just
>>> curious.
>>>
>>> Here's why: I'm increasingly frustrated by the disconnect between
>>> business/dev and security. I don't feel like we're being largely
>>> successful in getting the business and developers to include security as
>>> part of their standard operating procedures. Developers are still
>>> oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection
>>> holes.
>>>
>>> I then look at SXSW from afar and think: a) shouldn't I be there
>>> evangelizing security? and, b) shouldn't a major thread to all these
>>> conferences be about how security is integrating with dev processes and
>>> practices, making it better?
>>>
>>> Maybe I'm just too idealistic. I'm curious what everyone else thinks.
>>>
>>> cheers,
>>>
>>> -ben




Re: [SC-L] quick question - SXSW

2008-03-12 Thread Andy Steingruebl
On Tue, Mar 11, 2008 at 6:43 AM, Benjamin Tomhave
<[EMAIL PROTECTED]> wrote:
> I had just a quick query for everyone out there, with an attached thought.
>
>  How many security and/or secure coding professionals are prevalently
>  involved with the SXSW conference this week? I know, I know... it's a big
>  party for developers - particularly the Web 2.0 clique - but I'm just
>  curious.
>

On a related note a quick perusal of the JavaOne conference tracks
doesn't show a lot of content in this area either.  Is this due to a
lack of interest, or people in the security world not pitching talks
to the development conference organizer?

-- 
Andy Steingruebl
[EMAIL PROTECTED]


Re: [SC-L] quick question - SXSW

2008-03-12 Thread Benjamin Tomhave
First, thanks for that Bill, it exemplifies my point perfectly. A couple 
thoughts...

one, targeting designers is just as important as reaching out to the 
developers themselves... if the designers can ensure that security 
requirements are incorporated from the outset, then we receive an added 
benefit...

two, a re-phrasing around my original thought... somehow we need to get 
security thinking and considerations encoded into the DNA of everyone in 
the business, whether they be designers, architects, coders, analysts, 
PMs, sysadmins, etc, etc, etc. Every one of those topics you mention 
could (should!) have had implicit and explicit security attributes 
included... yet we're still at the point where secure coding has to be 
explicitly requested/demanded (often as an afterthought or bolt-on)...

How do we as infosec professionals get people to the next phase of 
including security thoughts in everything they do... with the end-goal 
being that it is then integrated fully into practices and processes as a 
bona fide genetic mutation that is passed along to future generations?

To me, this seems to be where infosec is stuck as an industry. There 
seems to be a need for a catalyst to spur the mutation so that it can 
have a life of its own. :)

fwiw.

-ben

-- 
Benjamin Tomhave, MS, CISSP
[EMAIL PROTECTED]
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
Augustine's Second Law of Socioscience: "For every scientific (or 
engineering) action, there is an equal and opposite social reaction."
http://globalnerdy.com/2007/07/18/laws-of-software-development/

William L. Anderson wrote:
> Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I 
> did not see many discussions that pay attention to security, or any 
> other software engineering oriented concerns, explicitly.
> 
> There was a discussion of scalability for web services that featured the 
> developers from digg, Flickr, WordPress, and Media Temple. I got there 
> about half-way through but the discussion with the audience was about 
> tools and methods to handle high traffic loads. There was a question 
> about build and deployment strategies and I asked about unit testing 
> (mixed answers - some love it, some think it's strong-arm micro-mgt (go 
> figure)).
> 
> There was a session on OpenID and OAuth (open authorization) standards 
> and implementation. These discussions kind of assume the use of secure 
> transports but since I couldn't stay the whole time I don't know if 
> secure coding was addressed explicitly.
> 
> The main developer attendees at SXSW would call themselves designers and 
> I would guess many of them are doing web development in PHP, Ruby, etc. 
> I think the majority of attendees would not classify themselves as 
> software programmers.
> 
> To me it seems very much like a craft culture. That doesn't mean that a 
> track on how to develop secure web services wouldn't be popular. In fact 
> it might be worth proposing one for next year.
> 
> If you want to talk further, please get in touch.
> 
> -Bill Anderson
> praxis101.com
> 
> Benjamin Tomhave wrote:
>> I had just a quick query for everyone out there, with an attached 
>> thought.
>>
>> How many security and/or secure coding professionals are prevalently
>> involved with the SXSW conference this week? I know, I know... it's a big
>> party for developers - particularly the Web 2.0 clique - but I'm just
>> curious.
>>
>> Here's why: I'm increasingly frustrated by the disconnect between
>> business/dev and security. I don't feel like we're being largely
>> successful in getting the business and developers to include security as
>> part of their standard operating procedures. Developers are still
>> oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection 
>> holes.
>>
>> I then look at SXSW from afar and think: a) shouldn't I be there
>> evangelizing security? and, b) shouldn't a major thread to all these
>> conferences be about how security is integrating with dev processes and
>> practices, making it better?
>>
>> Maybe I'm just too idealistic. I'm curious what everyone else thinks.
>>
>> cheers,
>>
>> -ben
>>
> 
> 



Re: [SC-L] quick question - SXSW

2008-03-12 Thread William L. Anderson
Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not
see many discussions that pay attention to security, or any other software
engineering oriented concerns, explicitly.

There was a discussion of scalability for web services that featured the
developers from digg, Flickr, WordPress, and Media Temple. I got there about
half-way through but the discussion with the audience was about tools and
methods to handle high traffic loads. There was a question about build and
deployment strategies and I asked about unit testing (mixed answers - some love
it, some think it's strong-arm micro-mgt (go figure)).

There was a session on OpenID and OAuth (open authorization) standards and
implementation. These discussions kind of assume the use of secure transports
but since I couldn't stay the whole time I don't know if secure coding was
addressed explicitly.

The main developer attendees at SXSW would call themselves designers and I
would guess many of them are doing web development in PHP, Ruby, etc. I think
the majority of attendees would not classify themselves as software
programmers.

To me it seems very much like a craft culture. That doesn't mean that a track
on how to develop secure web services wouldn't be popular. In fact it might be
worth proposing one for next year.

If you want to talk further, please get in touch.

-Bill Anderson
praxis101.com

Benjamin Tomhave wrote:
> I had just a quick query for everyone out there, with an attached thought.
> 
> How many security and/or secure coding professionals are prevalently
> involved with the SXSW conference this week? I know, I know... it's a big
> party for developers - particularly the Web 2.0 clique - but I'm just
> curious.
> 
> Here's why: I'm increasingly frustrated by the disconnect between
> business/dev and security. I don't feel like we're being largely
> successful in getting the business and developers to include security as
> part of their standard operating procedures. Developers are still
> oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection holes.
> 
> I then look at SXSW from afar and think: a) shouldn't I be there
> evangelizing security? and, b) shouldn't a major thread to all these
> conferences be about how security is integrating with dev processes and
> practices, making it better?
> 
> Maybe I'm just too idealistic. I'm curious what everyone else thinks.
> 
> cheers,
> 
> -ben
> 