[SC-L] Q: SQL Query Sanitizer Library?

2010-12-23 Thread Jeffrey Walton
Hi All,

Is anyone aware of an open source library for sanitizing SQL queries
from untrusted sources?

Jeff
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] IPSec Stack Compromise

2011-01-01 Thread Jeffrey Walton
Hi All,

I have been following the allegations of the IPsec stack compromise on
a few mailing lists (Full Disclosure and funsec). Outside of the
initial email's claims, I have not seen anything substantive. There
has been some entertaining trolling
(http://www.collegehumor.com/video:1926079).

Is anyone aware of concrete weaknesses, and if so, tests to expose
the weaknesses?

Jeff


Re: [SC-L] informIT: Building versus Breaking

2011-09-02 Thread Jeffrey Walton
Hi Steve,

On Wed, Aug 31, 2011 at 4:45 PM, Steven M. Christey
co...@linus.mitre.org wrote:

 While I'd like to see Black Hat add some more defensive-minded tracks, I
 just realized that this desire might be a symptom of a larger problem: there
 aren't really any large-scale conferences dedicated to defense / software
 assurance.  (The OWASP conferences are heavily web-focused;
I believe OWASP is moving towards Application Security in general. At
the chapter meetings I attend, we were told the acronym is probably
going to be changed to Open Web and Application Security Project.

 Dept. of Homeland Security has its software assurance forum and working
 groups, but those are relatively small.)
Homeland Security also has the HOST program, which partners with
industry, http://www.cyber.st.dhs.gov/host/. I'm just mentioning it
because it seems to be a bit more than a [low volume] forum.

 If somebody built it, would anybody come?
If the price is right ;)

Jeff



Re: [SC-L] A new blog on application security - armoredcode.com

2012-03-22 Thread Jeffrey Walton
On Fri, Mar 16, 2012 at 12:50 PM, Paolo Perego thesp0...@gmail.com wrote:
 Hi list, just 2 lines for promoting my new blog on application security:
 http://armoredcode.com
 The idea is to talk about appsec using the developers language so talking
 about testing frameworks and practices, libraries to enforce security, how
 to read a penetration test report, some hands on with live code examples
 and some interviews with appsec and developer superstars.

 If you would like to add it on your feed, it would be great.
For the love of higher power, please discuss the tool chain's static
analysis capabilities, and suggest a clean compile as a security gate
(gcc: -Wall -Wextra -Wconversion).

From my experience, it's nearly impossible to 'quick audit' a GNU
project. Entering `make CFLAGS=-Wall -Wextra -Wconversion ...` causes
so much output it's difficult to locate/triage issues.

You will be swimming against the tide with some of the l33t k3rn3l
hack3rz: Gcc is crap [1].

Jeff

[1] [PATCH] Don't compare unsigned variable for 0 in sys_prctl(),
http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-11/msg08325.html.
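An added example, not code from the post above or from any GNU project, of the kind of defect the suggested -Wall -Wextra -Wconversion gate surfaces before a pen tester does. The length-prefixed record format (2-byte big-endian length, then payload), the function names and the 8-byte advertised capacity are assumed for illustration. The narrowing assignment in encode_unchecked draws no diagnostic from -Wall -Wextra; -Wconversion reports it as "conversion from 'size_t' to 'uint16_t' may change value", so the build fails under -Werror until the hardened form is used. The unsigned-compared-with-zero mistake in the kernel patch cited as [1] is the sibling case, reported by -Wtype-limits, which -Wextra enables.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not code from the list post or from any GNU project.
 * Build it as the post suggests and the unchecked encoder fails the gate:
 *   gcc -Wall -Wextra -Wconversion -Werror -c lengthprefix.c
 * Record format (assumed for illustration): 2-byte big-endian length, then
 * the payload bytes.
 */

#define HDR_LEN 2

/* Vulnerable encoder. payload_len is silently narrowed to 16 bits, so a
 * 65537-byte payload is recorded as length 1. The capacity check then uses
 * the truncated value while memcpy copies the real one, overrunning out.
 * -Wall -Wextra are silent here; -Wconversion flags the wire_len line. */
int encode_unchecked(uint8_t *out, size_t out_cap,
                     const uint8_t *payload, size_t payload_len)
{
    uint16_t wire_len = payload_len;             /* -Wconversion: may change value */
    if (HDR_LEN + (size_t)wire_len > out_cap)    /* passes with wire_len == 1 */
        return -1;
    out[0] = (uint8_t)(wire_len >> 8);
    out[1] = (uint8_t)(wire_len & 0xffu);
    memcpy(out + HDR_LEN, payload, payload_len); /* copies payload_len, not wire_len */
    return 0;
}

/* Hardened encoder. The length is range-checked before the narrowing, the
 * narrowing is an explicit cast, and the capacity check uses the same
 * quantity memcpy will copy. Compiles clean under the flags above. */
int encode_checked(uint8_t *out, size_t out_cap,
                   const uint8_t *payload, size_t payload_len)
{
    if (payload_len > UINT16_MAX)                /* refuse rather than truncate */
        return -1;
    if (out_cap < HDR_LEN || payload_len > out_cap - HDR_LEN)
        return -1;
    uint16_t wire_len = (uint16_t)payload_len;   /* proven to fit */
    out[0] = (uint8_t)(wire_len >> 8);
    out[1] = (uint8_t)(wire_len & 0xffu);
    memcpy(out + HDR_LEN, payload, payload_len);
    return 0;
}

typedef int (*encoder_fn)(uint8_t *, size_t, const uint8_t *, size_t);

/* Feeds an encoder a 65537-byte payload while advertising only 8 bytes of
 * output capacity. The real allocation is large enough that the demo itself
 * stays in bounds. Returns the 16-bit length field the encoder wrote, or -1
 * if the encoder refused. */
static int run_oversized(encoder_fn enc)
{
    const size_t big = (size_t)UINT16_MAX + 2;   /* 65537 narrows to 1 */
    uint8_t *payload = calloc(big, 1);           /* constructed sample payload */
    uint8_t *out = calloc(big + HDR_LEN, 1);
    int rc = -1;
    if (payload && out && enc(out, 8, payload, big) == 0)
        rc = (out[0] << 8) | out[1];
    free(payload);
    free(out);
    return rc;
}

int demo_unchecked_length(void) { return run_oversized(encode_unchecked); }
int demo_checked_length(void)   { return run_oversized(encode_checked); }

/* Well-formed case: a 3-byte payload encodes with length field 3. */
int demo_small_record(void)
{
    const uint8_t msg[3] = { 'a', 'b', 'c' };    /* constructed sample payload */
    uint8_t out[HDR_LEN + sizeof msg];
    if (encode_checked(out, sizeof out, msg, sizeof msg) != 0)
        return -1;
    return (out[0] << 8) | out[1];
}

int main(void)
{
    printf("unchecked: accepted oversized payload, length field = %d\n",
           demo_unchecked_length());
    printf("checked:   status = %d (refused)\n", demo_checked_length());
    printf("checked:   small record length field = %d\n", demo_small_record());
    return 0;
}
```

The point of the demo function is that the bounds check in encode_unchecked is not wrong on its face; it is wrong only because the value it compares was truncated two lines earlier, which is exactly the class of defect a reviewer skims past and a compiler does not.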


Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Jeffrey Walton
Hi Dr. McGraw,

 Cyber Intelligence Sharing and Protection Act (CISPA) passed by
 the House in April) has very little to say about building security in.
I'm convinced (in the US) that users/consumers need a comprehensive
set of software liability laws. Consider the number of mobile devices
that are vulnerable because OEMs stopped providing (or never provided)
patches for vulnerabilities. The equation [risk analysis] needs to be
unbalanced just a bit to get manufacturers to act (doing nothing is
cost-effective at the moment).

Jeff

On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 This month's [in]security article takes on Cyber Law as its topic.  The US 
 Congress has been debating a cyber security bill this session and is close to 
 passing something.  Sadly, the Cybersecurity and Internet Freedom Act 
 currently being considered in the Senate (as an answer to the problematic  
 Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House 
 in April) has very little to say about building security in.

 Though cyber law has always lagged technical reality by several years, 
 ignoring the notion of building security in is a fundamental flaw.

 http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems

 Please read this month's article and pass it on far and wide.  Send a copy to 
 your representatives in all branches of government.  It is high time for the 
 government to tune in to cyber security properly.




Re: [SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Jeffrey Walton
On Wed, Feb 20, 2013 at 9:34 AM, Gary McGraw g...@cigital.com wrote:
 hi sc-l,

 No doubt all of you have seen the NY Times article about the Mandiant report 
 that pervades the news this week.  I believe it is important to understand 
 the difference between cyber espionage and cyber war.  Because espionage 
 unfolds over months or years in realtime, we can triangulate the origin of an 
 exfiltration attack with some certainty.  During the fog of a real cyber war 
 attack, which is more likely to happen in milliseconds,  the kind of forensic 
 work that Mandiant did would not be possible.  (In fact, we might just well 
 be Gandalfed and pin the attack on the wrong enemy as explained here: 
 http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.)

 Sadly, policymakers seem to think we have completely solved the attribution 
 problem.  We have not.  This article published in Computerworld does an 
 adequate job of stating my position: 
 http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9

 Those of us who work on security engineering and software security can help 
 educate policymakers and others so that we don't end up pursuing the folly of 
 active defense.

I'm somewhat surprised a report of that detail was released for public
consumption. The suspicion in me tells me it's not entirely accurate or
someone has an agenda. There's too much information in there that
would be cloaked under national security given other circumstances.

There also appears to be a fair amount of FUD-fanning going on:
Additionally, there is evidence that Unit 61398 aggressively recruits
new talent from the Science and Engineering departments of
universities such as Harbin Institute of Technology. The US
equivalent would be like saying the NSA actively recruits
Mathematicians and Computer Scientists.

Jeff



Re: [SC-L] OWASP Podcast 95 is live!

2013-07-02 Thread Jeffrey Walton
Hi Jim,

Do you know if there is a slide deck available with the talk? It
sounds like there is, but Dr. Bernstein's Talk page
(http://cr.yp.to/talks.html) does not list an OWASP talk.

Jeff

On Wed, Jun 26, 2013 at 12:08 AM, Jim Manico jim.man...@owasp.org wrote:
 I'm very pleased to announce that OWASP Podcast 95 is live! Special
 thanks to Thomas Herlea who helped edit and produce this show.

 This episode features Dan J. Bernstein, a computer science research
 professor from the University of Illinois. He is speaking on
 Cryptography Worst Practices.

 Dan is a very sharp and controversial character. I hope you enjoy.

 Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
 RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml

 Thanks for listening!

 Aloha,
 Jim Manico
 OWASP Board Member
 @Manicode


Re: [SC-L] Sad state of affairs

2013-09-20 Thread Jeffrey Walton
On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller b.g.mil...@gmail.com wrote:
 I was just listening to a podcast interviewing a security executive from a
 prominent vendor.  The response to vulnerabilities was to raise the
 cost/complexity of exploiting bugs rather than actually employing secure
 coding practices.  What saddened me most was that the approach was
 apparently effective enough.
+1. Software security is in a sad state. What I've observed: let the
developers deliver something, then have it pen tested, and finally fix
what the pen testers find. I call it 'catch me if you can' security.

I think the underlying problem is the risk analysis equations. It's
still cost-effective to do little or nothing. Those risk analysis
equations need to be unbalanced.

And I don't believe this is the solution:
http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems.
Too many carrots and too few sticks means it becomes more profitable
to continue business as usual.

Jeff


Re: [SC-L] Sad state of affairs

2013-09-21 Thread Jeffrey Walton
On Fri, Sep 20, 2013 at 11:34 PM, Rafal Los ra...@ishackingyou.com wrote:

 Wait a minute, this relationship is a bit confused I think. Prasad said it 
 well- often the result of a maturing software security program is that the 
 simple and easy bugs disappear and the ones that are left are difficult to 
 find and complex in exploitation.

 This is known as eliminating the low hanging fruit. While this doesn't 
 eliminate ALL bugs, I ultimately believe that's a fool's errand anyway. 
 Making the software as free of bugs as possible necessarily makes the ones 
 left in the system difficult to find and exploit. Then you work in good 
 anomaly detection mechanisms and have a great case for *reasonably* secure 
 software.

Well, the end goal of software security is to safeguard the data. All
a bad guy wants to do is collect, egress and monetize the data (sans
National Security concerns). If the data is not safe, then the
definition of reasonable has problems.

Consider: I was part of two breaches. The one in the 1990's cost me
about $10,000 to fix (I found out after I was sued). The second was in
New York last summer that cost me $75 to fix (have a card re-issued
and shipped next-day service).

If you ask the companies involved if their processes were reasonable,
they would probably say YES. After all, the companies followed best
practices, minimized their losses and maximized their profits. If you
ask me, I would say NO.

Picking low hanging fruit is not enough. Ironically, we're not even
doing that very well (as BM noted). If you don't agree, take some time
to cruise ftp.gnu.org and look at the state of those projects (and it's
not just free software). But I consider it a failure of security
professionals since it's our job to educate developers and improve
their processes.*

 Of course, this is all predicated on you knowing and being able to define the 
 word reasonable.
:)

 Just my opinion.
And my jaded opinion :)

Jeff

* There's some hand waving here since some (many?) argue it's a waste
of time and money to teach developers; and the money is better spent
on building tools that make it hard/difficult to do things incorrectly
in the first place. I kind of think it's a mixture of both.




Re: [SC-L] The FTC and Software Security

2015-09-17 Thread Jeffrey Walton
On Wed, Sep 16, 2015 at 2:58 PM, Gary McGraw  wrote:
> hi sc-l,
>
> I just posted some thoughts on the FTC and software security.
>
> Have a look: http://bit.ly/gem-FTC

+1, well written.

I've kinda ignored the FTC over the years, and focused on the state
laws covering data breaches and notifications (48 states and the
district have them,
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx).

But breach notification and FTC actions are reactive, and not proactive.

Consumers still need a stick. Too much carrot is making the mules fat
:) Once consumers can take action, then the risks will become real and
companies will start moving towards the defensive security posture
Cigital can help provide.

jeff