Paco,
Does certification belong in the realm of Secure Coding?
What is it we are really trying to achieve with a certification?
-Rob
On Mon, Mar 23, 2009 at 4:22 PM, Paco Hope wrote:
> On 3/21/09 6:43 PM, "Jim Manico" wrote:
>
>> What really bothers me is that the CSSLP looks appsec operation
It may not always be true, but languages with stronger type safety
normally also have a larger execution overhead. This is somewhat
unavoidable since the extra checking to make sure the types match does
take machine cycles. Of course the compiler can enforce a lot of
these rules, so some
Hi sc-l,
I tend to agree with Prasad, though in a fit of fractal possibility, I also
agree with Jeremy. Turns out I wrote something about this very issue in May
2007 for darkreading:
Certifiable http://www.darkreading.com/document.asp?doc_id=123606
gem
(supposedly on vacation in SC)
http://
Brad Andrews wrote:
> [..]
> Perhaps we will get to a world where all the "management overhead"
> doesn't matter, but until then, the extra cost for type safety should
> be weighed against other factors, not just discounted out of hand.
>
Hi Brad,
Could you please explain what you mean by "t
On 3/21/09 6:43 PM, "Jim Manico" wrote:
> What really bothers me is that the CSSLP looks appsec operations focused - not
> developer SDLC focused (or so I've heard). The SANS cert for software
> security seems to drill a lot more into actual activities a developer should
> take in order to write sec
Mase,
I'm excited to see what FS-ISAC comes up with at the conference. In my
experience, the OWASP Secure Contract Annex is a great resource. That
said, sometimes people are looking for an interim "quick and dirty"
way to evaluate vendors for security while they work on building
application securi
Brad Andrews wrote:
> Perhaps we will get to a world where all the "management overhead"
> doesn't matter, but until then, the extra cost for type safety should
> be weighed against other factors, not just discounted out of hand.
I usually just lurk on this list, but in this case I'll bite - w
Sure, but I would challenge that it is a rather meaningless statement.
I can keep my children safer if I keep them inside and eliminate all
the sharp corners, but then they will never get to use the swimming
pool in our back yard. Type safety can be good and appropriate, but
it is not
Thanks Dave. Yeah, we have the OWASP and SANS stuff plus a bunch of others
from DHS and so on. Mostly we're looking for things people have done that
actually worked. IOW, examples of controls are even better than research
or whitepapers.
This initiative is actually unrelated to the procuremen
hi guys,
I think there is a bit of confusion here WRT "root" problems. In C, the main
problem is not simply strings and string representation, but rather that the
"sea of bits" can be recast to represent most anything. The technical term for
the problem is the problem of type safety. C is no
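Added example, not from the post above or from anyone else on the list: a small C program showing the "recast the bits" problem the post describes, next to the check that C leaves to the programmer. The struct layout, the two byte buffers and the function names are made up for illustration; the buffers are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A wire record as a C parser might declare it: one length byte followed by
 * a fixed payload area. Only uint8_t members, so the struct has alignment 1
 * and sizeof == 8; the cast below is therefore not an alignment violation,
 * only a type-safety one (and the aliasing rules frown on it too). */
struct record {
    uint8_t len;        /* claimed payload length, attacker-controlled */
    uint8_t payload[7];
};

/* Constructed sample inputs. Byte 0 is the length field. */
const uint8_t kHostile[8] = { 0xFF, 'A', 'A', 'A', 'A', 'A', 'A', 'A' };
const uint8_t kBenign[8]  = { 0x03, 'a', 'b', 'c', 0, 0, 0, 0 };

/* The "sea of bits" view: C lets any byte pointer be recast as a record.
 * Nothing verifies that the bytes were ever a record or that len makes
 * sense, so 0xFF becomes a "length" of 255 for a 7-byte payload area. */
uint8_t claimed_len(const uint8_t *bytes)
{
    const struct record *r = (const struct record *)bytes;
    return r->len;
}

/* The check the type system does not give you: copy out of the byte sea
 * only after confirming enough bytes exist, then bound the length by the
 * storage it will be used to index. Returns the validated length, or -1. */
int checked_len(const uint8_t *bytes, size_t nbytes)
{
    struct record r;
    if (nbytes < sizeof r)
        return -1;                      /* short input: header incomplete */
    memcpy(&r, bytes, sizeof r);        /* explicit copy, no aliasing cast */
    if (r.len > sizeof r.payload)
        return -1;                      /* len would index past payload[] */
    return (int)r.len;
}

int main(void)
{
    printf("hostile: claimed %d, checked %d\n",
           (int)claimed_len(kHostile), checked_len(kHostile, sizeof kHostile));
    printf("benign : claimed %d, checked %d\n",
           (int)claimed_len(kBenign), checked_len(kBenign, sizeof kBenign));
    printf("benign, truncated to 4 bytes: checked %d\n",
           checked_len(kBenign, 4));
    return 0;
}
```

Build with cc -std=c99 -Wall and run it: the cast happily reports a 255-byte payload for the hostile buffer, while checked_len rejects it, rejects the benign buffer when fewer than 8 bytes are supplied, and returns 3 for the well-formed case. The compiler objected to none of this; every one of those checks had to be written by hand, which is the point being made about C.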
Mason,
I know you and Jim are already aware of the OWASP Legal Project, which
has the Secure Software Development contract annex:
http://www.owasp.org/index.php/Category:OWASP_Legal_Project, which was
developed by Jeff Williams.
For everyone else, this guideline has been available at OWASP for ma
Hi Mason,
The DHS Software Assurance Initiative has an Acquisition Working Group:
https://buildsecurityin.us-cert.gov/swa/acqwg.html
The efforts of the WG just got released on the NDU Press site:
http://www.ndu.edu/inss/press/books/irmc.pdf
The body of the document provides guidance on how to