hi sc-l,
The transcript for episode 37 (an interview with Virgil Gligor) was just
published in IEEE Security Privacy magazine. Here is a link to a pdf file:
http://www.cigital.com/silverbullet/shows/silverbullet-037-vgligor.pdf
The original episode can be found here:
hi sc-l,
One of our sc-l listeners (gunnar) suggested Bob Blakley as an interview
target. Bob is a particularly interesting guy because he is both a well-respected
scientist very active in the security research community and a real
practitioner who among other things designed the CORBA security
+1
great interview
-gunnar
On Jul 17, 2009, at 11:25 AM, Gary McGraw wrote:
hi sc-l,
One of our sc-l listeners (gunnar) suggested Bob Blakley as an
interview target. Bob is a particularly interesting guy because he is
both a well-respected scientist very active in the security research
hi sc-l,
While I was on vacation last month, Gartner held its Information Security
Summit in Washington. John Pescatore, one of Gartner's senior analysts and an
important proponent of software security asked me to participate in a panel
(together with Howard Schmidt) on the Obama
Hello SC-L,
We've been rather busy at the OWASP Podcast Series lately!
Since June 1st the OWASP Podcast Team has released 9 Podcasts!
Please take a look at our show list at
http://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows
Recent featured Podcasts include
1. An interview with
Dear colleagues,
The AppSec Brasil 2009 Conference had a few issues receiving emails sent
from Gmail in the last couple of weeks. So, if you or anyone you know sent
us a proposal, please verify that a confirmation email was received. If not,
please send us the proposal again.
Sorry for the
hi sc-l,
I'm just back from vacation and still rinsing the sand off. I am a bit behind
announcing the debut of Reality Check #7. This episode features Jerry Archer,
CSO of Intuit. Intuit has an extensive software security initiative underway
which Jerry and I discuss in this podcast:
I apologize for the shameless self promotion, but I wanted to let you
know that the interview I did with Ross Anderson at AppSec EU 2009 [1]
is now available as an OWASP Podcast here:
http://www.owasp.org/index.php/Podcast_28
and on iTunes [2]. It covers some very interesting topics and expands
All,
I wanted to let you know that the Software Assurance Forum for Excellence in
Code (SAFECode) will be accepting comments on its paper, Fundamental
Practices for Secure Software Development: A Guide to the Most Effective
Secure Development Practices in Use Today, through the end of July.
As
**OWASP APPSEC BRASIL 2009**
**2nd CALL FOR PRESENTATIONS**
Colleagues,
OWASP is currently soliciting presentations for the OWASP AppSec
Brasil 2009 Conference that will take place at Câmara dos Deputados in
Brasília, DF on October 27th through 30th of 2009. There will be
training courses on
**OWASP APPSEC BRASIL 2009**
**2nd CALL FOR TRAINING SESSIONS**
Colleagues,
OWASP is currently soliciting training proposals for the OWASP AppSec
Brasil 2009 Conference which will take place at Câmara dos Deputados
(Deputy Chamber) in Brasília, DF, on October 27th through October 30th
2009.
Dear secure coding friends,
In exactly one year -- June 21-24, 2010 -- let's all meet in beautiful
Stockholm, Sweden. OWASP Sweden, Norway, and Denmark hereby invite you to
OWASP AppSec Research 2010.
AppSec Research = AppSec Europe
This conference was formerly known as OWASP AppSec Europe. We
Very nice work.
Since this is written under the Creative Commons 3 license, I put a copy
(with attribution to Lenny) on OWASP.org at
http://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet in case
anyone wishes to collaborate on this guide.
- Jim
- Original Message -
From:
Good idea :-)
On Fri, Jun 19, 2009 at 11:15 PM, Jim Manicoj...@manico.net wrote:
Very nice work.
Since this is written under the Creative Commons 3 license, I put a copy
(with attribution to Lenny) on OWASP.org at
http://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet in case
The market for doing freelance writing has all but disappeared. You
could consider writing a book but you would probably earn more money
working at McDonald's bagging fries than writing. In terms of
presentations, most conferences/events also do not pay. If you managed
to however put together
hi sc-l,
We all know that justifying our activities from a business perspective is
essential to a healthy and successful software security initiative. Real data
helps. In the Boardroom, numbers are king.
Jim Routh (CSO of KPMG and ex CSO of DTCC) and I wrote this month's informIT
article
hi sc-l,
When it rains it pours...especially in Virginia these days.
Silver Bullet number 39 is an interview with Matt Blaze, security and privacy
luminary. Matt and I spent lots of time digging into Matt's public policy
work. Matt is an important voice of sanity whose opinions I greatly
**OWASP APPSEC BRASIL 2009**
**CALL FOR TRAINING SESSIONS**
Colleagues,
OWASP is currently soliciting training proposals for the OWASP AppSec
Brasil 2009 Conference which will take place at Câmara dos Deputados
(Deputy Chamber) in Brasília, DF, on October 27th through October 30th
2009. There
FYI, a short but interesting read on usability vs. security in software.
http://www.usabilitynews.com/news/article5692.asp
Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
(This email is digitally signed with a free x.509 certificate from
CAcert. If you're
hi sc-l,
Episode 6 of the Reality Check security podcast features our own Andy
Steingruebl chatting with me about Paypal's software security initiative. This
was a fun episode for me, because though I have known Andy for a while I had
little insight into his software security initiative.
Hello SC-L,
OWASP Podcast #23, an interview with Dr. Boaz Gelbord, is now live.
http://www.owasp.org/download/jmanico/owasp_podcast_23.mp3
Boaz co-authored the 2009 OWASP Security Spending Benchmarks Project with
Jeremiah Grossman. Boaz is also the new OWASP Developers Guide project lead.
hi sc-l,
You may recall the CFP that Ming Chow and I put out back in the Fall for a
special issue on Securing Online Games. After some great submissions and lots
of hard work, I am pleased to announce that IEEE Security Privacy magazine's
May/June 2009 edition was just released. The issue
OWASP PCI Project :: Introduction and Call for Participation!
We are formally introducing the OWASP PCI Project to the Web
Application Security community! The industry needs a workspace for PCI
QSAs* and Application Security experts to work constructively together
- the OWASP PCI Project will
Hello SC-L,
OWASP Podcast #22, an interview with Dan Cornell, CTO of the Denim Group - is
now live! http://www.owasp.org/index.php/Podcast_22
Dan is a smart cookie who puts in incredible amount of time volunteering for
OWASP. He's a great guy with a very pragmatic perspective on Application
hi all,
In my view, the European market now looks very similar to the US market of 2-3
years ago (not a decade ago). I predict a rash of pen testing, followed by
adoption of SDLC integration. This will, of course, evolve in a very European
way and there will be important regional
hi sc-l,
Silver Bullet 38 just went live. This episode features an up-and-coming
professor Kay Connelly from Indiana University. Kay focuses on privacy and
security. Much of her work takes into account the essential human nature of
technology. Her work with seniors, security, and usability
hi sc-l,
Cigital has acquired the European operations of Security Innovation. A press
release went out this morning.
http://www.cigital.com/news/index.php?pg=artartid=158
We believe that the European software security market is 2-3 years behind the
US market, but poised for rapid growth that
Thought I'd throw this out there in case you hadn't heard already:
http://www.fcw.com/Articles/2009/04/10/Web-Facebook-GSA.aspx .
It's starting to affect me real-world already. Those of us in the DC area, ramp
up your incident response rates now, cause you know it's coming and you know
it's
Well, this is hardly a matter of who has a more ancient history, there can be
no argument about that. It all ultimately comes down to a business decision.
Software security has been picking up in the States because consumers are
beginning to demand it explicitly in addition to expecting it
Hello sc-l,
OWASP Podcast #19 and #20 were both released this week!
OWASP Podcast #19 is a 55 minute news commentary program
http://www.owasp.org/download/jmanico/owasp_podcast_19.mp3
OWASP Podcast #20 is a 13 minute interview with Mike Baily; the researcher who
disclosed multiple CSRF
Reminder: One week until the workshop.
Web 2.0 Security Privacy 2009
Claremont Resort in Oakland, California
May 21, 2009
http://w2spconf.com/2009/
The goal of this one day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
Brad,
You can also look at The CERT Sun Microsystems Secure Coding Standard for Java
at:
https://www.securecoding.cert.org/confluence/display/java/The+CERT+Sun+Microsystems+Secure+Coding+Standard+for+Java
Which has many examples of secure/insecure Java source code.
rCs
-Original
ljknews ljkn...@mac.com wrote:
At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
Quoting ljknews ljkn...@mac.com:
At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
They can be really hard to figure out,
And yet people keep choosing those
At 9:15 AM -0400 5/8/09, SC-L Reader Dave Aronson wrote:
ljknews ljkn...@mac.com wrote:
At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
Quoting ljknews ljkn...@mac.com:
At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
They can be really
Thanks Karen, that site may have enough of what I can use. Still a
bit of work to do, but worth pursuing. The other sources were a bit
too short on the snippets side, which is my fault for not making the
question better.
I don't know how many of you used to read the C-Lint ads that said
See here:
http://suif.stanford.edu/~livshits/work/securibench-micro/
-Ben
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On
Behalf Of Goertzel, Karen [USA]
Sent: Wednesday, May 06, 2009 12:40 PM
To: Brad Andrews; sc-l@securecoding.org
Subject: Re: [SC-L] Insecure
Brad, I recommend you approach this problem in reverse. Think of the
bug you want people to hunt for and then put together an appropriate
regular expressions in Google Code Search
(http://www.google.com/codesearch)
For instance lang:java request getParameter .*price might be a good
starting
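To make the search idea above concrete, here is an added "find the bug" snippet of the kind Brad asked for; it is not from any of the posts or from any real product. The request is modelled as a plain Map (hypothetical, so the file runs without a servlet container) and the catalogue is a constructed in-memory table standing in for a database lookup. The insecure method is what a `request getParameter .*price` search would turn up: the server trusts a client-supplied price. The hardened method lets the client choose only what and how many, and looks the price up server-side.

```java
import java.math.BigDecimal;
import java.util.HashMap;
import java.util.Map;

public class CheckoutDemo {

    // Constructed server-side catalogue; a real application would query a database.
    private static final Map<String, BigDecimal> CATALOGUE = new HashMap<>();
    static {
        CATALOGUE.put("sku-1001", new BigDecimal("49.99"));
        CATALOGUE.put("sku-1002", new BigDecimal("9.50"));
    }

    // The bug to find: price and quantity both come straight from the client.
    // A hidden form field or a tampered POST body sets the price to anything.
    static BigDecimal insecureTotal(Map<String, String> params) {
        BigDecimal price = new BigDecimal(params.get("price"));
        int qty = Integer.parseInt(params.get("quantity"));
        return price.multiply(BigDecimal.valueOf(qty));
    }

    // Hardened version: the client supplies a SKU and a quantity; the price is
    // authoritative server-side data and the quantity is validated before use.
    static BigDecimal secureTotal(Map<String, String> params) {
        BigDecimal price = CATALOGUE.get(params.get("sku"));
        if (price == null) {
            throw new IllegalArgumentException("unknown sku");
        }
        int qty;
        try {
            qty = Integer.parseInt(params.get("quantity"));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("quantity is not an integer");
        }
        if (qty < 1 || qty > 100) {
            throw new IllegalArgumentException("quantity out of range");
        }
        return price.multiply(BigDecimal.valueOf(qty));
    }

    public static void main(String[] args) {
        // Constructed request in which the attacker edited the price field.
        Map<String, String> tampered = new HashMap<>();
        tampered.put("sku", "sku-1001");
        tampered.put("price", "0.01");
        tampered.put("quantity", "3");

        System.out.println("insecure total: " + insecureTotal(tampered));
        System.out.println("secure total:   " + secureTotal(tampered));
    }
}
```

Compile and run with `javac CheckoutDemo.java && java CheckoutDemo`; the first line shows the client-chosen price being honoured, the second the catalogue price. The point for a review meeting is that the defect is not an injection or an overflow, so no grep for dangerous APIs will flag it; it is a trust-boundary error that only shows up when you ask where each value in a calculation originated.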
At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
Quoting ljknews ljkn...@mac.com:
At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
They can be really hard to figure out,
And yet people keep choosing those programming languages.
Greetings,
I'm experimenting (on paper initially) with a technique for improving
resiliency of web applications, and to do so am looking for examples
of server side scripts (PHP, Perl, whatever) that have security
vulnerabilities, to see if the technique would work. If you have
scripts you'd be
: There are several applications designed specifically for this:
:
: Mutillidae
:
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
:
: Foundstone's Hacme Bank and Hacme Travel
: http://www.foundstone.com/us/resources-free-tools.asp
:
: WebGoat
:
Does anyone know of a source of insecure Java snippets? I would like
to get some for a monthly meeting of leading technical people. My
idea was to have a find the bug like the old C-Lint ads.
Does anyone know of a source of something like this.
Brad
Hi Jeremy,
: I'm experimenting (on paper initially) with a technique for improving
: resiliency of web applications, and to do so am looking for examples
: of server side scripts (PHP, Perl, whatever) that have security
: vulnerabilities, to see if the technique would work. If you have
: If
Jeremy,
CVE is littered with these kinds of issues, for PHP especially. The
scripts are often open source, fully-functional packages that just happen
to have lots of security issues. Sometimes the root cause is buried
fairly deep in the code, but the people who find these bugs often care
only
We keep a big catalog here:
http://www.fortify.com/vulncat
On 5/6/09 10:41 AM, Brad Andrews andr...@rbacomm.com wrote:
Does anyone know of a source of insecure Java snippets? I would like
to get some for a monthly meeting of leading technical people. My
idea was to have a find
The Real Software blog by Jim Bird has a good post about how his
software security assurance program has evolved over time, and now,
SAMM is helping out.
http://swreflections.blogspot.com/2009/04/opensamm-shows-way.html
p.
--
~ ~ ~ ~~~ ~~ ~
Pravir
FYI, some eWeek coverage of application security and how it is being
taken more seriously in the enterprise these days. No big surprises
for long-time SC-L folks, but still an interesting read from a fairly
mainstream IT Security outlet.
Web 2.0 Security Privacy 2009
Claremont Resort in Oakland, California
May 21, 2009
http://w2spconf.com/2009/
The goal of this one day workshop is to bring together
researchers and practitioners from academia and industry
to focus on understanding Web 2.0 security and privacy
issues, and
Hi list,
Security Compass is pleased to announce the launch of SecCom Labs at
http://labs.securitycompass.com - our site dedicated to free security
resources for software developers.
The first major contribution is a security analysis of the Core J2EE
Patterns. We reviewed every pattern and
Hello sc-l,
OWASP Podcast 17 - an Interview with Robert RSnake Hansen - is now live.
Show Notes: https://www.owasp.org/index.php/Podcast_17
Direct Download: http://www.owasp.org/download/jmanico/owasp_podcast_17.mp3
RSS: http://www.owasp.org/download/jmanico/podcast.xml
iTunes:
hi sc-l,
Greetings from San Fran. The timing on this article is great...just before RSA.
http://news.cnet.com/8301-1009_3-10222698-83.html?tag=newsEditorsPicksArea.0
gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
RSA records all the sessions and makes the recordings available for
purchase at some exorbitant fee.
On 4/15/09, Brad Andrews andr...@rbacomm.com wrote:
Are any of these going to be recorded? That would help those of us
with no travel budget or time. :)
Brad
Quoting Gary McGraw
hi sc-l,
I'm pleased to report that even in the face of global recession, the software
security space continues to grow. The space as a whole, tracked through the
annual revenue of tools and services vendors, is approaching $500M.
As many of you know, I publish an annual state of the practice
hi sc-l,
Presumably some of you will be at RSA this year. I'm doing three panels and a
talk (with Brian Chess) on the BSIMM. One of the panels (the one on
surveillance) has already generated some press interest:
I'm also doing a panel on security in voting systems. Podcast at
https://365.rsaconference.com/blogs/podcast_series_rsa_conference_2009/2009/04/15/jeremy-epstein-rr-107-technology-lessons-learned-from-election-2008
Hope to see many of you at the panel - Tue @ 410pm.
--Jeremy
On Wed, Apr 15,
Are any of these going to be recorded? That would help those of us
with no travel budget or time. :)
Brad
Quoting Gary McGraw g...@cigital.com:
hi sc-l,
Presumably some of you will be at RSA this year. I'm doing three
panels and a talk (with Brian Chess) on the BSIMM.
Hi Jim,
I check the web site daily before you even announce the podcasts.
Tremendous stuff as you don't lob softball questions plus you get
quickly to the point.
Thanks for your effort; I've learned a lot from them already.
Keep up the great work,
Stephen
On Fri, Apr 10, 2009 at 1:16 AM, Jim
Hi sc-l,
Today Brian, Sammy and I briefed an industry group in the financial services
vertical called the FSTC (Financial Services Technology Forum) about the BSIMM.
We've often discussed outreach on this list and the importance of not becoming
too insular in the software security community.
I had the pleasure of interviewing Dr. Brian Chess from Fortify Software for OWASP
Podcast 15. Brian talked about BSIMM and more - demonstrated a lot of class as
always. Have a listen!
Direct Link: http://www.owasp.org/download/jmanico/owasp_podcast_15.mp3
To stay connected to the OWASP Podcast
The cat's out of the bag. LAMN is being acquired by ASSCERT we
decided that some certifications *are* valid.
On Wed, Apr 1, 2009 at 11:25 AM, SC-L Reader Dave Aronson
securecoding2d...@davearonson.com wrote:
Y'all-
I think I've finally found the right certification for me! Check out
the
hi sc-l,
In the 4th episode of Reality Check, I interview Brad Arkin who runs the
Software Security Group at Adobe. Brad worked for Cigital a million years ago
and helped me found Cigital's SSG in 1997 (along with John Viega). He also
worked for @stake and Symantec focusing on all aspects
no prob.
On 4/1/09 12:33 PM, Bill Brenner bbren...@cxo.com wrote:
Folks: This will be going up tomorrow instead of today, because some work
is being done to the podcast-uploading system we use. I'll give you a
shout the second it launches on CSO.
Thanks,
Bill Brenner
Senior Editor, CSO
Yes, yes. We know. It's April 1st and all's right with the world.
--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com
-Original Message-
From: sc-l-boun...@securecoding.org on behalf of SC-L Reader Dave Aronson
Sent: Wed 01-Apr-09 11:25
To: Secure
--
Call for Papers
MetriSec 2009
5th International Workshop on SECURITY MEASUREMENTS AND METRICS
(Formerly the Workshop on Quality of Protection - QoP)
The core problem is that the language/format mixes code and data with no
way to differentiate between them.
I'm with you on this one.
Good news today from the Software Assurance Maturity Model (SAMM) group.
http://www.opensamm.org/2009/03/samm-10-released/
Their release says:
The Beta release has been out for quite a while now (since August
2008) and lots of organizations and individuals have provided
excellent feedback
Hey Ken.
Thanks for sending this out. I've mentioned it before, but today I'm
proud to announce that the Software Assurance Maturity Model (SAMM)
version 1.0 has been released and is freely available for download
from http://www.opensamm.org
For those unfamiliar, SAMM is an open framework to
My company, Aspect Security, is producing a full line of secure coding
CBTs based on our large curriculum of live application security training
courses that we have.
I am not aware of any other initiatives like this, but there might be
others.
-Dave
-Original Message-
From:
Brad, take a peek at http://denimgroup.com/service_sec_training.html
On Wed, Mar 25, 2009 at 11:21 AM, Brad Andrews andr...@rbacomm.com wrote:
Does anyone know of any good CBT training on secure development,
especially covering higher level issues and secure code review?
Brad
Ok, so your point then is that a desire for type-safety influenced the
hardware architecture of these machines. Fair enough, though I don't know
enough of the history of these machines to know how accurate it is. But how
can I doubt you Gary? :)
I was mainly reflecting in my comments though
Hi Andy,
The code/data mix is certainly a problem. Also a problem is the way stacks
grow on many particular machines, especially with common C/C++ compilers. You
noted a Burroughs where things were done better. There are many others. C is
usually just a sloppy mess by default.
Language
Thanks for all the replies. I did want to emphasize that I am
specifically looking for CBT versions of courses, not the
instructor-led variety. Someone asked me about what was available and
I said I would ask around. I have only seen the instructor-led ones
myself.
Thanks for all the
On Wed, Mar 25, 2009 at 10:18 AM, ljknews ljkn...@mac.com wrote:
Worry about enforcement by the hardware architecture after
you have squeezed out all errors that can be addressed by
software techniques.
Larry,
Given the focus we've seen from Microsoft and protecting developers from
At 1:00 PM -0700 3/25/09, Andy Steingruebl wrote:
On Wed, Mar 25, 2009 at 10:18 AM, ljknews
mailto:ljkn...@mac.comljkn...@mac.com wrote:
Worry about enforcement by the hardware architecture after
you have squeezed out all errors that can be addressed by
software techniques.
Larry,
This is kind of a funny discussion, to those of us over a certain
age. When I was a young-un :-), the argument was that you couldn't
write real software in a high level language like C because it was
too inefficient compared to assembly language, and you lost
flexibility since you didn't have
On Mon, Mar 23, 2009 at 7:22 AM, Gary McGraw g...@cigital.com wrote:
hi guys,
I think there is a bit of confusion here WRT root problems. In C, the
main problem is not simply strings and string representation, but rather
that the sea of bits can be recast to represent most anything. The
Mason,
I know you and Jim are already aware of the OWASP Legal Project, which
has the Secure Software Development contract annex:
http://www.owasp.org/index.php/Category:OWASP_Legal_Project, which was
developed by Jeff Williams.
For everyone else, this guideline has been available at OWASP for
Thanks Dave. Yeah, we have the OWASP and SANS stuff plus a bunch of other
from DHS and so on. Mostly we're looking for things people have done that
actually worked. IOW, examples of controls are even better than research
or whitepapers.
This initiative is actually unrelated to the
Brad Andrews wrote:
Perhaps we will get to a world where all the management overhead
doesn't matter, but until then, the extra cost for type safety should
be weighed against other factors, not just discounted out of hand.
I usually just lurk on this list, but in this case I'll bite - what
Mase,
I'm excited to see what FS-ISAC comes up with at the conference. In my
experience, the OWASP Secure Contract Annex is a great resource. That
said, sometimes people are looking for an interim quick and dirty
way to evaluate vendors for security while they work on building
application
On 3/21/09 6:43 PM, Jim Manico j...@manico.net wrote:
What really bothers me is that the CSSLP looks appsec operations focused - not
developer SDLC focused (or so I've heard). The SANS cert for software
security seems to drill a lot more into actual activities a developer should
take in order
Paco,
Does certification belong in the realm of Secure Coding?
What is it we are really trying to achieve with a certification?
-Rob
On Mon, Mar 23, 2009 at 4:22 PM, Paco Hope p...@cigital.com wrote:
On 3/21/09 6:43 PM, Jim Manico j...@manico.net wrote:
What really bothers me is that the
Which is why I list that I have _had_ a CISSP, but am currently
non-financial. It was too damn easy to pass and too damn hard to
keep up with the CPE point entry...
:) I was LAMN member #8 :) Best number :)
Cheers
Bret
At 03:38 PM 21/03/2009, Joe Teff wrote:
I notice certs like CISSP when
fwiw, I've interviewed my fair share of CISSPs who didn't have a basic
understanding of infosec... with the boot camps these days, people don't
learn anything... they cram for 1-2 wks, shoving everything into
short-term rote memory, and then they take the test and promptly forget
everything...
Hey John,
I like where your head is at - great list.
Regarding:
Builds adaptors so that bugs are automatically entered in tracking systems
Does the industry have:
1) A standard schema for findings, root causes, vulnerabilities, etc, and
the inter-relation of these key terms (and others?)
2)
hi sc-l,
For what it's worth, I am involved in the project with jmr...as is Sammy
Migues. jmr was our BSIMM participant from DTCC. Their software security
initiative is most impressive.
gem
On 3/22/09 9:08 AM, Mason Brown mbr...@sans.org wrote:
Jim Routh, CISO at Depository Trust and
On Sat, Mar 21, 2009 at 2:43 PM, Matt Parsons mparsons1...@gmail.com wrote:
I was asked the following questions on a job phone interview and wondered
what the proper answers were. I was told their answers after the
interview. I was also told that the answers to these questions were one or
On Sun, 22 Mar 2009, Gary McGraw wrote:
hi sc-l,
For what it's worth, I am involved in the project with jmr...as is Sammy
Migues. jmr was our BSIMM participant from DTCC. Their software security
initiative is most impressive.
I don't know too much about supply chain issues, but I
Great idea but why would you say CISSP is meaningless or MCSE is
meaningless? Certifications are like technology. They have a place where
they fit. CISSP became so popular and prolific because of the vast field of
coverage (10 domains) that a certified practitioner had to study,
understand, relate
Hello everyone,
To reinforce Mason's request, we're looking for any collection of controls
(contractual, technical, people, process, etc.) that organizations should
request, demand, cajole, enforce, etc. when out-sourcing software development
to ensure the required software security in the
Here are the answers that I was given for the following questions by a
non-technical recruiter.
1. What are the security functions of SSL? Encryption and authentication
2. What is a 0 by 90 bytes error. Buffer over flow.
3. What is a digital signature, Not what it is? The
hi pub,
once long ago I spilt a bottle of wine with dan geer in Palo Alto to lament his
dead disk drive. we decided the conference sucked anyway and proceeded to the
Cowper. we argued for hours about whether a buffer overflow was a bug or a
flaw. if you find one in a code pile (say, caused
hi all,
my preference is to lead with an Architectural Risk Analysis (and has been
since 1997).
gem
http://www.cigital.com/~gem
On 3/20/09 3:07 PM, Jim Manico j...@manico.net wrote:
This is why I'm not fond of leading with a tool. I prefer to lead with
architectural/design analysis and
Two areas that don't seem to immediately lend themselves to design/
spec
level solutions are (1) transitive trust and (2) interaction errors
between multiple components that are all working correctly. I'd
love to
hear from people who've had to solve these problems in the real world.
I notice certs like CISSP when hiring. It says the person has a basic
understanding of all IS security areas. Nothing more. If someone can't pass
the CISSP then I have to wonder why.
-Original Message-
From: Paco Hope p...@cigital.com
To: SC-L@securecoding.org SC-L@securecoding.org
* Steven M. Christey:
Two areas that don't seem to immediately lend themselves to design/spec
level solutions are (1) transitive trust and (2) interaction errors
between multiple components that are all working correctly. I'd love to
hear from people who've had to solve these problems in the
Paco Hope p...@cigital.com wrote:
just as overly-simplistic as
someone who disparages all credentials equally.
On that note... my company (BAE Systems) has been pushing for people
to become CISSPs, because in turn the main client (US gov) has been
pushing for contractors to have a bunch of
I would argue that the security 'bugs' you've described are in fact
functional deficiencies in the implemented design. That is, the exploit
of them has a direct impact on functional performance of the
application, even if it's just a problem with error handling (input
validation).
I would further
I have to post this blog in response.
http://labs.mudynamics.com/2008/07/14/zen-and-the-art-of-fixing-p1-bugs
Love the security testing IS functional testing, BTW.
K.
---
http://www.pcapr.net
On Thu, Mar 19, 2009 at 4:28 PM, Benjamin Tomhave
list-s...@secureconsulting.net wrote:
Why are we
So, what you're saying is that security bugs are really design flaws,
assuming a perfect implementation of the design. Ergo, security bug is
at best a misnomer, and at worst a fatal deficiency in design acumen.
:)
-ben
Goertzel, Karen [USA] wrote:
Except when they're hardware bugs. :)
I