Not many builders go to BlackHat. BlackHat is by Breakers, for
Defenders. It is primarily attended by Defenders, with a smaller pool
of dedicated Breakers.
It is very valuable to our industry to have conferences focused on
Breaking. Though they do have Builder and Defender talks. Some of my
first
Hello fellow SCLers.
Cross-Site Request Forgery (CSRF) has been generating a high volume of
questions for us in the last year, as well as noticing increased
discussions on the webappsec mailing lists. As Jeremiah noted over on
the WASC list - this is a welcome change really -- for most of the
last
That is a great question. According to Gartner, HA has the stench of
inevitability. And in general, I agree.
There are cases where dynamic and static each have clear strengths.
Pragmatic combination of the two has promise in solving a broad
spectrum of test-cases. Additionally -HA can help
Great article, Gary. Many of your comments about static technology
challenges I have seen and verified first-hand, including
multi-million dollar cost overruns. After some great dialogue with
John Stevens, I suspect we have had similar experiences.
I was just about to write a similar article at a
Sebastian -
Looks like you got great replies! Lots of different theories and ideas here.
On a day to day basis - here are the most common backdoors in
webapps I've encountered over the last 15 years or so:
1) Developer Tools Backdoor hidden under obscure path
2) COTS module improperly deployed
, 2010 at 11:52 AM, Arian J. Evans
arian.ev...@anachronic.com wrote:
So to be clear -
You are saying that you do all of the below when you are analyzing
hundreds to thousands of websites to help your customers identify
weaknesses that hackers could exploit?
How do you find the time?
Not me
The world of web software is the future and the future is a wild
open-ended place by design. I for one would like to keep it that way.
You guys that write a lot of ideological software SDL-theory books can
keep your dinosaur Multics.
About 4 years ago I shifted my focus away from static analysis
Keyboard Cowboy,
Education is always a good thing. I think kids should have the opportunity
to learn both sides of software security. Great suggestion.
Kids, by nature, are drawn to things that are taboo and demonized. Which
hacking no doubt falls into, and according to Daniel, also Angelina
,
---
Arian Evans
On Wed, Apr 14, 2010 at 10:29 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
--On Tuesday, April 13, 2010 15:21:26 -0700 Arian J. Evans
arian.ev...@anachronic.com wrote:
Keyboard Cowboy,
Education is always a good thing. I think kids should have the opportunity
to
learn
In the web security world it doesn't seem to matter much. Top(n) Lists
are Top(n).
There is much ideological disagreement over what goes in those lists
and why, but the ratios of defects are fairly consistent. Both with
managed code and with scripting languages.
The WhiteHat Security statistics
fashion.
I hear ESAPI makes a good gun these days. Whadda they call that thing?
ESAPI(waf)?
---
Arian J. Evans
When a strong man, fully armed, guards his own homestead, his
possessions are undisturbed. Luke 11:21
___
Secure Coding mailing list (SC-L) SC-L
100% agree with the first half of your response, Kevin. Here's what
people ask and need:
Strategic folks (VP, CxO) most frequently ask:
+ What do I do next? / What should we focus on next? (prescriptive)
+ How do we tell if we are reducing risk? (prescriptive guidance again)
Initially they
The software security problem is a huge problem. There are not enough
CISSPs to even think about solving this problem.
CISSPs probably should have a tactical role helping categorize,
classify, and facilitate getting things done. Scanner jockeys and
network security folk will lead the operational
Rafael -- to clarify concretely:
There are quite a few researchers that attack/exploit embedded
systems. Some google searches will probably provide you with names.
None of the folks I know of that actively work on exploiting embedded
systems are on this list but I figure if I know a handful
fancily marketed
assessments don't.
Shame, really.
-Matt.
-Original Message-
From: Chris Wysopal [mailto:cwyso...@veracode.com]
Sent: Tuesday, August 04, 2009 8:54 PM
To: Arian J. Evans; Matt Fisher
Cc: Kenneth Van Wyk; Secure Coding
Subject: RE: [SC-L] IBM Acquires Ounce Labs
-boun...@securecoding.org] On
Behalf Of Arian J. Evans
Sent: Tuesday, July 28, 2009 1:41 PM
To: Matt Fisher
Cc: Kenneth Van Wyk; Secure Coding
Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Great answer, John. I especially like your point about web.xml.
This goes dually for black-box testing. There would be a lot of
advantage to being able to get (and compare) these types of config
files today for dialing in BBB (Better Black Box vs. blind black box)
testing. I don't think anyone is
Right now, officially, I think that is about it. IBM, Veracode, and
AoD (in Germany) claim they have this too.
As Mattyson mentioned, Veracode only does static binary analysis (no
source analysis). They offer dynamic scanning but I believe it is
using NTO Spider IIRC which is a simplified
On Sat, Mar 21, 2009 at 2:43 PM, Matt Parsons mparsons1...@gmail.com wrote:
I was asked the following questions on a job phone interview and wondered
what the proper answers were. I was told their answers after the
interview. I was also told that the answers to these questions were one or
I think that you are spot on, and people are sooner than
later going to be demanding that, as a by-product of our
shrinking economic reality.
Take this example (not to stir up a semantic pissing match):
Insufficient Input Validation
I get it. I understand the importance of it. But it is not
On Mon, Jan 19, 2009 at 9:45 AM, Stephen Craig Evans
stephencraig.ev...@gmail.com wrote:
Hi Arian,
SANS has spoken and I think that is a pretty clear indication what is
going on)
Have you been watching Wizard of Oz re-reruns again? This sentence sounds
too much like The Mighty Oz has
Hello all. Xposting to SCL and WASC:
Following-up to my commentary on the
WASC list about the SANS/CWE Top 25
I have repeatedly confirmed that the SANS/CWE
Top 25 is being actively used, and growing in
use, as a Standard.
I understand the spirit of intent and that the
makers are not
vendor
marketing around it we've been dealing with for years.
When many of our technology solutions still don't do
what they say they have been able to do for 4 or 5
years, maybe it's time to start blaming some new people.
--
Arian J. Evans.
Software. Security. Stuff.
On Mon, Jun 30, 2008 at 7
to enforce some syntax
structure upon the caller, in general I tend to
put all semantic responsibilities upon the callee,
and even assume the callee should enforce
some notion of syntax requirements upon
the caller, and feed said back to caller.
--
Arian J. Evans.
I spend most of my money
, to make money.
Interesting work by David, for sure, and
great ammo if we have to beat the strong
data typing drum in our software.
--
Arian J. Evans, software security stuff.
I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander.
On Mon, Apr 28, 2008
.
Regards -
Mary Ann
Arian J. Evans wrote:
I'll second this Gary. You've done nice work here.
I think Mary Ann's comments are some of the most
interesting concerning what our industry needs to
focus on in the near future. (and I'd love to see you
focus on this with your series)
Her
I'll second this Gary. You've done nice work here.
I think Mary Ann's comments are some of the most
interesting concerning what our industry needs to
focus on in the near future. (and I'd love to see you
focus on this with your series)
Her comments reminded me of a discussion on this
list with
I hate to start a random definition thread, but Ben asked me a good
question and I'm curious if anyone else sees this matter in the
same fashion that I do. Ben asked why I refer to software security
as similar to artifacts identified by emergent behaviors:
Software security is an emergent
On Wed, Mar 12, 2008 at 3:05 PM, Andy Steingruebl [EMAIL PROTECTED] wrote:
On a related note a quick perusal of the JavaOne conference tracks
doesn't show a lot of content in this area either. Is this due to a
lack of interest, or people in the security world not pitching talks
to the
my responses inline
On Wed, Mar 12, 2008 at 6:08 PM, Benjamin Tomhave
[EMAIL PROTECTED] wrote:
I think you misunderstood my points a little bit. SXSW was just a
current conference example. As Gary's pointed out, there are many
conferences. It's possible SXSW wasn't a good example, but it was
a
justification for security as a requirement in startup or most open
source software projects. That's my opinion, anyway.
---
Arian J. Evans
Software Security Stuff
On Wed, Mar 12, 2008 at 2:31 PM, Benjamin Tomhave
[EMAIL PROTECTED] wrote:
First, thanks for that Bill, it exemplifies my point
inline
On 6/6/07, McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
wrote:
I really hope that this email doesn't generate a ton of offline emails and
hope that folks will talk publicly. It has been my latest thinking that the
value of tools in this space is not really targeted at developers but
1. This is a great first step. While it sounds so 2003: I still deal with
developers all the time that simply have no idea what to do or where to
begin for *very basic* issues. Input validation. Output encoding. Or try to
solve by doing crazy wild wrong things (dangerous-string blacklists,
comments:inline
On 4/24/07, Jeremy Epstein [EMAIL PROTECTED] wrote:
I've just caught up with 6 weeks of backlogged messages in this group,
better than me, I fell off all the lists when I moved last year. Pardon list
duplicity:
(1) SOX is a waste, as several people said, because it's just a
,
Arian J. Evans
Solipsistic Software Security Sophist at Large
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org
Great stuff Nash. To re-iterate one important statement: Many orgs
today will *only* respond to a working exploit. (I'm not sure what
the sample (%clue) of orgs I see is vs. Cigital's client, but...)
Pen-test vs. code review, black-box, white-box, whatever:
There is absolutely no difference at
-Original Message-
From: [EMAIL PROTECTED]
Sent: Friday, April 29, 2005 2:32 PM
To: SC-L
Subject: [SC-L] Why Software Will Continue to Be Vulnerable
This makes it highly unlikely that software companies are
about to start dumping large quantities of $$ into improving software