Re: [SC-L] has any one completed a python security code review

2010-04-07 Thread Pascal Meunier
), and the absence of rate limitation on expensive operations can create DoS vulnerabilities. All these were found the old fashioned way, with a code audit. Pascal Meunier ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information

Re: [SC-L] CERIAS : Beware SQL injections due to missing prepared statement support

2009-07-30 Thread Pascal Meunier
: Here's one for the daily UGH! Great points raised by Pascal Meunier (see below) about poorly implemented language support for Prepared Statement SQL calls. In particular, Python's pyPGSQL actually takes its prepared statement and translates internally to an old-style concatenated string query

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Pascal Meunier
trust boundaries are crossed, but the importance of the find seems a little exaggerated. Regards, Pascal Meunier Kenneth Van Wyk wrote: Greetings SC-Lers, Things have been pretty quiet here on the SC-L list... I hope everyone saw David Litchfield's recent announcement of a new category

Re: [SC-L] Coding with errors in mind - a solution?

2006-09-01 Thread Pascal Meunier
On 8/31/06 8:05 PM, mikeiscool [EMAIL PROTECTED] wrote: On 9/1/06, Pascal Meunier [EMAIL PROTECTED] wrote: On 8/30/06 3:46 PM, Tim Hollebeek [EMAIL PROTECTED] wrote: What you've proposed are exceptions. They do help (some) in separating the normal logic from error handling

Re: [SC-L] How can we stop the spreading insecure coding examples at training classes, etc.?

2006-08-31 Thread Pascal Meunier
I take exception (haha!) at having them dismissed like this. It sounds like you encountered some badly written exception handling code. Error handling can also be really bad, where at every call layer the original error gets filtered or translated to a point where you just know something went

Re: [SC-L] Coding with errors in mind - a solution?

2006-08-31 Thread Pascal Meunier
be part of good programming practices. Pascal Meunier Tim Hollebeek Research Scientist Teknowledge, Corp. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael S Hines Sent: Wednesday, August 30, 2006 11:07 AM To: sc-l@securecoding.org

Re: [SC-L] Coding with errors in mind - a solution?

2006-08-30 Thread Pascal Meunier
be highlighted and caught. It's not revolutionary, but it's better than what we have now. Would it be good enough? I can picture people deleting those assert statements that just make their programs crash ;) Pascal Meunier On 8/30/06 2:07 PM, Michael S Hines [EMAIL PROTECTED] wrote: a simple

Re: [SC-L] secure integer library

2006-08-17 Thread Pascal Meunier
Nice. I'll mention it in my secure programming class this semester. I'd be interested in any exercises/labs based on it, appropriate for undergrads. Cheers, Pascal On 8/17/06 10:04 AM, Robert C. Seacord [EMAIL PROTECTED] wrote: The CERT/CC has released a beta version of a secure integer

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier
On 7/20/06 11:58 AM, Florian Weimer [EMAIL PROTECTED] wrote: * der Mouse: Absolute security is a myth. As is designing absolutely secure software. I have high hopes in formal methods. All formal methods do is push bugs around. Basically, you end up writing in a higher-level

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier
, nobody can help you. Pascal -Original Message- From: Pascal Meunier [mailto:[EMAIL PROTECTED] Sent: Thu Jul 20 13:54:42 2006 To: Florian Weimer; der Mouse Cc: SC-L@securecoding.org Subject: Re: [SC-L] bumper sticker slogan for secure software On 7/20/06 11:58 AM, Florian

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier
On 7/20/06 3:46 PM, Florian Weimer [EMAIL PROTECTED] wrote: * Pascal Meunier: But it's true for stupid bugs like buffer overflows and format string vulnerabilities, in which we're still swimming, and the proof is the fact that those aren't possible in some languages. Could you name

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Pascal Meunier
On 7/20/06 3:11 PM, Florian Weimer [EMAIL PROTECTED] wrote: * Pascal Meunier: Also, writing it twice with different languages, especially at different levels of abstraction, makes it less likely that the same bugs will appear in both. Algorithmic issues such as denial of service

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Pascal Meunier
). -It conveys the notion that insecure software is shoddy; -It conveys the notion that there are people who will find out that you run insecure software; -It may motivate some people to care about security by invoking social stigma ;) Cheers, Pascal Meunier Purdue University CERIAS On 7/15/06 3:27

Re: [SC-L] Re: [Owasp-dotnet] RE: 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-04-03 Thread Pascal Meunier
information about it. I am also interested in the Linux Security Modules Interface. Regards, Pascal Meunier On 4/2/06 6:49 PM, Crispin Cowan [EMAIL PROTECTED] wrote: This is exactly what AppArmor http://en.opensuse.org/Apparmor was designed for: conveniently confining applications to only be able

Re: [SC-L] eWeek: AJAX Poses Security, Performance Risks

2006-01-30 Thread Pascal Meunier
On 1/30/06 1:09 PM, Kenneth R. van Wyk [EMAIL PROTECTED] wrote: Any AJAX experts here want to comment on the eWeek article cited below? http://www.eweek.com/article2/0,1895,1916673,00.asp It claims, among other things that, AJAX dramatically increases the amount of XML network traffic