[SC-L] Q: SQL Query Sanitizer Library?
Hi All,

Is anyone aware of an open source library for sanitizing SQL queries from untrusted sources?

Jeff

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
[SC-L] IPSec Stack Compromise
Hi All,

I have been following the allegations of the IPsec stack compromise on a few mailing lists (full-disclosure and funsec). Outside of the initial email's claims, I have not seen anything substantive. There has been some entertaining trolling (http://www.collegehumor.com/video:1926079).

Is anyone aware of concrete weaknesses, and if so, tests to expose the weaknesses?

Jeff
Re: [SC-L] informIT: Building versus Breaking
Hi Steve,

On Wed, Aug 31, 2011 at 4:45 PM, Steven M. Christey co...@linus.mitre.org wrote:
> While I'd like to see Black Hat add some more defensive-minded tracks, I just realized that this desire might be a symptom of a larger problem: there aren't really any large-scale conferences dedicated to defense / software assurance. (The OWASP conferences are heavily web-focused;

I believe OWASP is moving towards Application Security in general. At the chapter meetings I attend, we were told the acronym is probably going to be changed to Open Web and Application Security Project.

> Dept. of Homeland Security has its software assurance forum and working groups, but those are relatively small.)

Homeland Security also has the HOST program, which partners with industry, http://www.cyber.st.dhs.gov/host/. I'm just mentioning it because it seems to be a bit more than a [low volume] forum.

> If somebody built it, would anybody come?

If the price is right ;)

Jeff
Re: [SC-L] A new blog on application security - armoredcode.com
On Fri, Mar 16, 2012 at 12:50 PM, Paolo Perego thesp0...@gmail.com wrote:
> Hi list, just 2 lines for promoting my new blog on application security: http://armoredcode.com
> The idea is to talk about appsec using the developers' language, so talking about testing frameworks and practices, libraries to enforce security, how to read a penetration test report, some hands-on with live code examples and some interviews with appsec and developer superstars.
> If you would like to add it on your feed, it would be great.

For the love of a higher power, please discuss the tool chain's static analysis capabilities, and suggest a clean compile as a security gate (gcc: -Wall -Wextra -Wconversion). From my experience, it's nearly impossible to 'quick audit' a GNU project. Entering `make CFLAGS=-Wall -Wextra -Wconversion ...` causes so much output it's difficult to locate/triage issues.

You will be swimming against the tide with some of the l33t k3rn3l hack3rz: Gcc is crap [1].

Jeff

[1] [PATCH] Don't compare unsigned variable for 0 in sys_prctl(), http://linux.derkeiler.com/Mailing-Lists/Kernel/2006-11/msg08325.html.
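An added illustration, not from this thread or from the kernel patch it cites, of the bug class the patch title names and that a warning-clean build gate surfaces: a range check on an unsigned value that can never fire (gcc -Wextra reports it via -Wtype-limits as "comparison of unsigned expression < 0 is always false"), beside the form that keeps the value signed until it has been validated against the real buffer. BUF_LEN and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF_LEN 16      /* hypothetical destination buffer size */

/* Before: the caller's count arrives as size_t, so a negative value has
 * already wrapped to a huge positive one. 'len < 0' can never be true,
 * which is exactly what -Wextra flags: the intended rejection of negative
 * counts is dead code and (size_t)-1 is accepted. */
bool len_ok_unsigned(size_t len)
{
    if (len < 0)        /* always false: never taken */
        return false;
    return true;
}

/* After: keep the user-supplied value in its signed type until it has been
 * range-checked against the buffer, then convert. -Wconversion stays quiet
 * because the narrowing happens only on the validated path. */
bool len_ok_signed(long len)
{
    if (len < 0 || len > (long)BUF_LEN)
        return false;
    return true;
}

/* Constructed helper: copy at most 'len' bytes of src into a BUF_LEN-sized
 * dst and return the count copied, or 0 when the length fails validation.
 * The unsigned conversion is only reached after len_ok_signed() passed. */
size_t copy_checked(char *dst, const char *src, long len)
{
    if (!len_ok_signed(len))
        return 0;
    size_t n = (size_t)len;     /* safe: 0 <= len <= BUF_LEN */
    memcpy(dst, src, n);
    return n;
}
```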
Re: [SC-L] SearchSecurity: Cyber Security and the Law
Hi Dr. McGraw,

> Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in.

I'm convinced (in the US) that users/consumers need a comprehensive set of software liability laws. Consider the number of mobile devices that are vulnerable because OEMs stopped providing (or never provided) patches for vulnerabilities. The equation [risk analysis] needs to be unbalanced just a bit to get manufacturers to act (doing nothing is cost effective at the moment).

Jeff

On Wed, Aug 1, 2012 at 10:28 AM, Gary McGraw g...@cigital.com wrote:
> hi sc-l,
> This month's [in]security article takes on Cyber Law as its topic. The US Congress has been debating a cyber security bill this session and is close to passing something. Sadly, the Cybersecurity and Internet Freedom Act currently being considered in the Senate (as an answer to the problematic Cyber Intelligence Sharing and Protection Act (CISPA) passed by the House in April) has very little to say about building security in. Though cyber law has always lagged technical reality by several years, ignoring the notion of building security in is a fundamental flaw.
> http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems
> Please read this month's article and pass it on far and wide. Send a copy to your representatives in all branches of government. It is high time for the government to tune in to cyber security properly.
Re: [SC-L] Chinese Hacking, Mandiant and Cyber War
On Wed, Feb 20, 2013 at 9:34 AM, Gary McGraw g...@cigital.com wrote:
> hi sc-l,
> No doubt all of you have seen the NY Times article about the Mandiant report that pervades the news this week. I believe it is important to understand the difference between cyber espionage and cyber war. Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be Gandalfed and pin the attack on the wrong enemy as explained here: http://searchsecurity.techtarget.com/news/2240169976/Gary-McGraw-Proactive-defense-prudent-alternative-to-cyberwarfare.) Sadly, policymakers seem to think we have completely solved the attribution problem. We have not.
> This article published in Computerworld does an adequate job of stating my position: http://news.idg.no/cw/art.cfm?id=94AB4F98-9BBD-1370-154D49FAA7706BE9
> Those of us who work on security engineering and software security can help educate policymakers and others so that we don't end up pursuing the folly of active defense.

I'm somewhat surprised a report of that detail was released for public consumption. The suspicion in me tells me it's not entirely accurate or someone has an agenda. There's too much information in there that would be cloaked under national security given other circumstances.

There also appears to be a fair bit of FUD-fanning going on:

> Additionally, there is evidence that Unit 61398 aggressively recruits new talent from the Science and Engineering departments of universities such as Harbin Institute of Technology.

The US equivalent would be like saying the NSA actively recruits Mathematicians and Computer Scientists.

Jeff
Re: [SC-L] OWASP Podcast 95 is live!
Hi Jim,

Do you know if there is a slide deck available with the talk? It sounds like there is, but Dr. Bernstein's Talk page (http://cr.yp.to/talks.html) does not list an OWASP talk.

Jeff

On Wed, Jun 26, 2013 at 12:08 AM, Jim Manico jim.man...@owasp.org wrote:
> I'm very pleased to announce that OWASP Podcast 95 is live! Special thanks to Thomas Herlea who helped edit and produce this show.
> This episode features Dan J. Bernstein, a computer science research professor from the University of Illinois. He is speaking on Cryptography Worst Practices. Dan is a very sharp and controversial character. I hope you enjoy.
> Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
> RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml
> Thanks for listening!
> Aloha,
> Jim Manico
> OWASP Board Member
> @Manicode
Re: [SC-L] Sad state of affairs
On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller b.g.mil...@gmail.com wrote:
> I was just listening to a podcast interviewing a security executive from a prominent vendor. The response to vulnerabilities was to raise the cost/complexity of exploiting bugs rather than actually employing secure coding practices. What saddened me most was that the approach was apparently effective enough.

+1. Software security is in a sad state. What I've observed: let the developers deliver something, then have it pen tested, and finally fix what the pen testers find. I call it "catch me if you can" security.

I think the underlying problem is the risk analysis equations. It's still cost effective to do little or nothing. Those risk analysis equations need to be unbalanced. And I don't believe this is the solution: http://searchsecurity.techtarget.com/opinion/Congress-should-encourage-bug-fixes-reward-secure-systems. Too many carrots and too few sticks means it becomes more profitable to continue business as usual.

Jeff
Re: [SC-L] Sad state of affairs
On Fri, Sep 20, 2013 at 11:34 PM, Rafal Los ra...@ishackingyou.com wrote:
> Wait a minute, this relationship is a bit confused I think. Prasad said it well - often the result of a maturing software security program is that the simple and easy bugs disappear and the ones that are left are difficult to find and complex in exploitation. This is known as eliminating the low hanging fruit. While this doesn't eliminate ALL bugs, I ultimately believe that's a fool's errand anyway. Making the software as free of bugs as possible necessarily makes the ones left in the system difficult to find and exploit. Then you work in good anomaly detection mechanisms and have a great case for *reasonably* secure software.

Well, the end goal of software security is to safeguard the data. All a bad guy wants to do is collect, egress and monetize the data (sans National Security concerns). If the data is not safe, then the definition of reasonable has problems.

Consider: I was part of two breaches. The one in the 1990's cost me about $10,000 to fix (I found out after I was sued). The second, in New York last summer, cost me $75 to fix (have a card re-issued and shipped next-day service). If you ask the companies involved if their processes were reasonable, they would probably say YES. After all, the companies followed best practices, minimized their losses and maximized their profits. If you ask me, I would say NO.

Picking low hanging fruit is not enough. Ironically, we're not even doing that very well (as BM noted). If you don't agree, take some time to cruise ftp.gnu.org and look at the state of those projects (and it's not just free software). But I consider it a failure of security professionals since it's our job to educate developers and improve their processes.*

Of course, this is all predicated on you knowing and being able to define the word reasonable. :)

Just my opinion. And my jaded opinion :)

Jeff

* There's some hand waving here since some (many?) argue it's a waste of time and money to teach developers; and the money is better spent on building tools that make it hard/difficult to do things incorrectly in the first place. I kind of think it's a mixture of both.
Re: [SC-L] The FTC and Software Security
On Wed, Sep 16, 2015 at 2:58 PM, Gary McGraw wrote:
> hi sc-l,
>
> I just posted some thoughts on the FTC and software security.
>
> Have a look: http://bit.ly/gem-FTC

+1, well written.

I've kinda ignored the FTC over the years, and focused on the state laws covering data breaches and notifications (48 states and the District have them, http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx). But breach notification and FTC actions are reactive, not proactive. Consumers still need a stick. Too much carrot is making the mules fat :)

Once consumers can take action, then the risks will become real and companies will start moving towards the defensive security posture Cigital can help provide.

jeff