Re: [SC-L] [External] Re: SearchSecurity: Dynamism

Reference monitors were a lovely concept, largely invented for multilevel security kernels and trusted computing bases, but are almost nonexistent in that context. Yes, they'd be lovely to have, but even the NSA folks seem to have abandoned them... ___

Re: [SC-L] has any one completed a python security code review`

And don't forget the entire run-time environment in which the python code runs. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at -

Re: [SC-L] has any one completed a python security code review`

You should look at Ka-Ping Yee's PhD thesis: http://pvote.org and the Pvote Software Review Assurance Document, Apr 3 2007. Google finds it quickly. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc -

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

... and of course Multics solved the Y2K problem in 1965, deferring the overflow for many additional decades. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

And don't forget the Paul Karger paper from Oakland, which applies access controls to executables and effectively provides implementations for Saltzer-Schroeder's least privilege and more: @InProceedings{Karger87, Key=Karger, Author=P.A. Karger, Title=Limiting the Damage Potential of

Re: [SC-L] COBOL Exploits

Searching through http://www.csl.sri.com/neumann/illustrative.html gives these COBOL-related RISKS items. The initial character descriptors are defined there. In the citations, * R relates to RISKS (archives at risks.org) * S relates to SIGSOFT Software Engineering Notes (archives at

Re: [SC-L] Bumper sticker definition of secure software

Gary, If you think security is a funny topic, try this one: http://haha.nu/funny/funny-math/ ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter

Re: [SC-L] Hiring folks that are familar with SC practices

Nice discussion. It arose years ago when software development managers typically had NO experience in software development, but were thought to be good managers. Many disasters ensued. The other side of the coin is that good developers are often TERRIBLE managers. I once wrote Psychosocial

Re: [SC-L] Managed Code and Runtime Environments - Another layer of added security?

Der Mouse is barking up the right rathole. *** BEGIN SOAPBOX *** Having cut my security eye-teeth in Multics from 1965 to 1969, I am continually drawn back into discussions of what Multics did right that has been systematically (!) ignored by almost all subsequent operating systems. For the

Re: [SC-L] Top security papers

Matt, You will find lots of references that might appeal to your needs in an emerging DARPA report on my web site: http://www.csl.sri.com/neumann/chats4.pdf There's an appendix by Virgil Gligor that might be very helpful to you, which does not yet appear in the html (but will as soon as I move

Re: [SC-L] ACM Queue article and security education

Gee, Some of us have been saying that for 40 years.