[SC-L] Goodbye to faulty software?

2008-07-19 Thread Jeremy Epstein
Saw this article: http://cordis.europa.eu/ictresults/popup.cfm?section=newstpl=articleID=89864AutoPrint=True, and was wondering if anyone on this list knows anything about the project or Dr Bengt Nordström at Chalmers University in Göteborg Sweden. Sounds to me like they're reinventing all the

[SC-L] Animations for training

2008-07-15 Thread Gary McGraw
hi sc-l, Markus Schumacher of Virtual Forge (a German firm specializing in software security and SAP) has created a set of animations to help train technical people about common Web attacks. Cigital is now hosting some of the videos (which you may find useful in your work). You can find

[SC-L] Silver Bullet: ches

2008-07-15 Thread Gary McGraw
hi sc-l, Bill Cheswick is the Silver Bullet victim for episode 28. ches and I had plenty of fun discussing many aspects of security, including his opinion that we haven't made much progress in software security! Interesting. Have a listen and please feel free to hop on the website and post a

[SC-L] online game security

2008-07-10 Thread Gary McGraw
hi sc-l, Those of you who read Exploiting Online Games http://www.exploitingonlinegames.com know why I believe online games are a harbinger of software security issues to come. IEEE S&P magazine will publish a special issue on online game security next year. You can find the CFP here:

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-07-02 Thread Michael Gavin
Hi Stephen, Yes, organizations must resolve the issues discovered by the automated tools, at least to the extent that the tool no longer complains. While implementing both options of requirement 6.6 is recommended, it is not required by PCI DSS. Instead of doing what you propose, I

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-07-01 Thread Arian J. Evans
Gunnar -- agreed. And for all the fake security in the name of PCI going on right now out there -- let's also keep in mind that it is completely valid and legitimate to attempt to operationalize software security. We scoff because to date it hasn't been done well (at all). That is just as much a

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-07-01 Thread Stephen Craig Evans
Hi Michael, So, unfortunately for the WAF vendors, people can just use a static source code analysis tool or a web application vulnerability scanner instead of purchasing and deploying a WAF. I don't know much about PCI 6.6 (yet), but don't the organizations have to mitigate the

Re: [SC-L] Root Canal Treatment vs Source Code Review

2008-07-01 Thread ljknews
At 10:43 PM -0400 6/30/08, Mary and Glenn Everhart wrote: There is another reason I have seen quite often: you can't readily ask the designer of the code what it does when he is dead, or when he has left the company (esp. if he works for a competitor). When I participated (as author) in

[SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-06-30 Thread Kenneth Van Wyk
Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear often.) http://www.internetnews.com/ec-news/article.php/3755916 In talking with my customers over the past several months, I always find it interesting that the vast majority would sooner have root canal than submit

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-06-30 Thread ljknews
At 9:44 AM -0400 6/30/08, Kenneth Van Wyk wrote: Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear often.) http://www.internetnews.com/ec-news/article.php/3755916 In talking with my customers over the past several months, I always find it interesting that the

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCICompliance

2008-06-30 Thread Chris Wysopal
Ken, Customers not wanting to part with source code is one of the reasons, at Veracode, we decided to take our static binary analysis technology to market as SaaS. You get the benefit of both automation, as with static source code analysis, and an external assessment, yet you don't have to part

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-06-30 Thread Michael Gavin
I too was wondering how much of a boon 6.6 would be to the WAF vendors and/or the companies that do security code reviews. That is, until 4/22, when the PCI SSC issued a press release (https://www.pcisecuritystandards.org/pdfs/04-22-08.pdf) announcing an information supplement clarifying

[SC-L] Code Testing Tools Could Be Acquisition Targets in '08

2008-06-27 Thread Tom Brennan
That is not a bad thing ;) Management, Developers, Security Professionals - can only result in one thing.. better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept

[SC-L] International Symposium on Engineering Secure Software and Systems (ESSoS)

2008-06-26 Thread Brian Chess
CALL FOR PAPERS === International Symposium on Engineering Secure Software and Systems (ESSoS) February 04-06, 2009 Leuven, Belgium http://distrinet.cs.kuleuven.be/events/essos2009/ CONTEXT AND MOTIVATION Trustworthy, secure software is a core ingredient of the modern world.

[SC-L] Any SC-Lers going to FIRST in Vancouver next week?

2008-06-19 Thread Kenneth Van Wyk
Subject says it all. Any of you going to be at the FIRST conference? If you are and want to hook up for a chat--perhaps over a beer--then drop me a note. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com

[SC-L] Silver Bullet: Gunnar Peterson

2008-06-18 Thread Gary McGraw
hi sc-l, I'm sitting on my porch this morning talking with Ken about the book he and Mark Graff are working on for the software security series. Ken says hi (we'll see if he approves this posting). You guys all know Gunnar Peterson who not only has an active blog that often covers software

[SC-L] Security Bonuses for Vista Programmers

2008-06-16 Thread Kenneth Van Wyk
FYI, interesting eWeek article on some of Vista's security features that are provided to developers. (I misinterpreted the article's title a bit, but it quickly becomes clear in the article. At first, I thought it was about giving $$ bonuses to vista programmers -- it reminded me of an

[SC-L] OWASP: The Application Security Desk Reference

2008-06-16 Thread McGovern, James F (HTSC, IT)
OWASP needs your help with a new important project. We're creating the OWASP Application Security Desk Reference (ASDR) to capture and organize all the foundational knowledge in application security. Like the Physicians' Desk Reference for doctors, this book is a well-organized reference work

[SC-L] Search Security video

2008-06-09 Thread Gary McGraw
hi sc-l, At RSA this year, I did a quick video interview with Dennis Fisher an old friend who is now the lead editor of Search Security. The resulting video is here: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1316612,00.html Here are the questions I answered during

[SC-L] new book

2008-06-06 Thread Jason Grembi
Ken, I wanted to announce my book to you and your subscribers. The book Building A Secure Software Construction: A Security Programmer's Guide is written for college students (undergraduate or community) as a guide of how to create a development process that focuses on both quality and security

[SC-L] DistriNet Research Group

2008-06-04 Thread Kenneth Van Wyk
FYI, interesting announcement out of KU Leuven in Belgium and the SANS institute: http://distrinet.cs.kuleuven.be/news/2008/2008-05-09%20SANSandDistriNetUnite.jsp Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com

[SC-L] Silver Bullet (transcripts)

2008-05-29 Thread Gary McGraw
hi sc-l, As some of you may know, selected Silver Bullet episodes are published in IEEE Security & Privacy magazine as the interview column. We recently placed the entire set of available transcripts on the Silver Bullet web page as pdf files. As an example, USA Today reporter Jon Swartz's

[SC-L] Coverity to Buy Codefast

2008-05-22 Thread Kenneth Van Wyk
FYI, a bit of M&A activity going on in the software security (product) space: http://www.eweek.com/c/a/Application-Development/Coverity-to-Buy-Codefast/ Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com

[SC-L] informIT: web 3.0 security

2008-05-19 Thread Gary McGraw
hi sc-l, I started thinking about web 3.0 (sometimes called the semantic web) around RSA to prep for a video shoot that the CNBC was doing. Brian Sletten helped bring me up to speed in a series of conversations about what's going on technically. Not much is available yet on the security

[SC-L] Silver Bullet 26: Adam Shostack

2008-05-15 Thread Gary McGraw
hi sc-l, Silver Bullet episode 26 just went live: http://www.cigital.com/silverbullet/show-026/ This episode has the best sound quality we've achieved to date. (Sorry about episode 25 sound problems. Dell has been banished from the loop!) Adam and I have a particularly interesting

[SC-L] No general-purpose computer, or everything under surveillance?

2008-05-13 Thread David A. Wheeler
Dan Geer said: The general-purpose computer must die or we must put everything under surveillance. Either option is ugly, but 'all of the above' would be lights-out for people like me, people like you, people like us. We're playing for keeps now.

Re: [SC-L] No general-purpose computer, or everything under surveillance?

2008-05-13 Thread Andy Steingruebl
On Tue, May 13, 2008 at 1:51 PM, David A. Wheeler [EMAIL PROTECTED] wrote: If you interpret the definition of these terms of general purpose and surveillance differently, i.e., limit applications to least privilege, and locally monitor their behavior, then I'd agree. But this is another

Re: [SC-L] No general-purpose computer, or everything under surveillance?

2008-05-13 Thread Gunnar Peterson
But the difference is who is in final control. In the end, the users of computers should be in final control, not their makers, or we have given up essential liberty. We can develop systems which provide suites of more specialized privileges to particular functions, without giving up

Re: [SC-L] Microsoft's message at RSA

2008-05-10 Thread Gunnar Peterson
Hi Andy, Great post. I especially like the part about making choices. Having users type passwords into websites that protect all their assets pretty clearly isn't working. Cardspace is pretty clearly a massive improvement. That said, I don't think the choice is between perfect liberty and

Re: [SC-L] Microsoft's message at RSA

2008-05-09 Thread Gary McGraw
Hi andy (and everybody), Indeed. I vote for personal computer liberty over guaranteed iron clad security any day. For amusing and shocking rants on this subject google up some classic Ross Anderson. Or heck, I'll do it for you: http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html A related and more

Re: [SC-L] Microsoft's message at RSA

2008-05-09 Thread Andy Steingruebl
On Mon, May 5, 2008 at 10:24 AM, Gary McGraw [EMAIL PROTECTED] wrote: hi sc-l, Here's an article about Mundie's keynote at RSA. It's worth a read from a software security perspective. Somehow I ended up playing the foil in this article...go figure.

Re: [SC-L] GCC and pointer overflows

2008-05-06 Thread karger
It's taken me some time to draft a reply, for which I must apologize, but since Jeremy Epstein mentioned me by name, I must respond. This is actually responding to four messages from Jeremy Epstein, Larry Kilgallen, and Jerry Leichter. From: Epstein, Jeremy [EMAIL PROTECTED] Subject: Re:

[SC-L] Microsoft's message at RSA

2008-05-05 Thread Gary McGraw
hi sc-l, Here's an article about Mundie's keynote at RSA. It's worth a read from a software security perspective. Somehow I ended up playing the foil in this article...go figure. http://reddevnews.com/features/article.aspx?editorialsid=2470 So what do you guys think? Is this end-to-end

Re: [SC-L] Microsoft's message at RSA

2008-05-05 Thread Gunnar Peterson
Hi Gary, I think they are doing it, Cardspace is the key enabling technology to making it happen. Given how many enterprises are federation-enabled (and how simply the rest can be), the biggest missing piece right now is that we need an Identity Provider for the Internets. Of course this only

Re: [SC-L] Microsoft's message at RSA

2008-05-05 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
http://media.omediaweb.com/rsa2008/mediaplayerVO.htm?speaker=1_4 And if you want to listen to it, there it is as well. Gunnar Peterson wrote: Hi Gary, I think they are doing it, Cardspace is the key enabling technology to making it happen. Given how many enterprises are federation-enabled

[SC-L] Invitation - OWASP AppSec Europe May 19-22 2008 - Belgium

2008-05-05 Thread Sebastien Deleersnyder
Hi, 2 weeks left for the conference! We would like to invite you to the European OWASP Application Security Conference! After successful OWASP Conferences in the United States (San Jose), Europe (Milan), Asia (Taiwan) and Australia (Queensland), we are back in Belgium: 5 tutorials and 2

[SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Kenneth Van Wyk
FYI, here's an interesting article (and follow-on discussions) about a recent bug in the GCC compiler collection. http://lwn.net/Articles/278137/ The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds checking can be

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Robert C. Seacord
Ken, Comment below. FYI, here's an interesting article (and follow-on discussions) about a recent bug in the GCC compiler collection. http://lwn.net/Articles/278137/ The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread der Mouse
The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds checking can be optimized out to produce binaries that are susceptible to buffer overflows. [...] Of course, many/most SC-Lers will no doubt jump on this as another

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Epstein, Jeremy
Ken, a good example. For those of you who want to reach much further back, Paul Karger told me of a similar problem in the compiler (I don't remember the language) used for compiling the A1 VAX VMM kernel, that optimized out a check in the Mandatory Access Control enforcement, which separates

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread ljknews
At 1:00 PM -0400 5/1/08, Epstein, Jeremy wrote: Ken, a good example. For those of you who want to reach much further back, Paul Karger told me of a similar problem in the compiler (I don't remember the language) VAX Pascal, before VMS was on Alpha (and long before Itanium). used for

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread ljknews
At 3:12 PM -0400 5/1/08, Leichter, Jerry wrote: The VAX VMM effort died with the announcement of the Alpha, in late 1992 - though obviously the death was decided internally once the move to Alpha was decided, which would have been somewhat earlier. The origins of the VAX VMM effort date back

Re: [SC-L] Lateral SQL injection paper

2008-04-30 Thread Mary and Glenn Everhart
Let me suggest something a little different: Perhaps when speaking of web app security, an already enormous area, it is not so useful to enlarge it still more, but fools rush in. One way to look at web code (and many other kinds) is that we are sending strings to an interpreter and it does

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Joe Teff
If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. Sure. You've protected one app and transferred risk to any other process/app that uses the data. If they use that data to create dynamic sql, then what? jt -Original Message- From: Jim

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Steven M. Christey
On Tue, 29 Apr 2008, Joe Teff wrote: If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. Sure. You've protected one app and transferred risk to any other process/app that uses the data. If they use that data to create dynamic sql, then what?

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Pascal Meunier
If I understand this correctly, it's difficult to exploit because if you can alter database types, you probably can send arbitrary SQL statements to the database somehow already. In that case, what extra capabilities does this attack give you? When I design applications using Postgresql, I

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Arian J. Evans
So I'd like to pull this back to a few salient points. Weirdly, some folks seem quick to dismiss the paper with a didactic shot of "folks shouldn't code that way anyway" which has nothing to do with the subject. 1. I think everyone on SC-L gets the idea of strong patterns and implementations, and

[SC-L] Lateral SQL injection paper

2008-04-28 Thread Kenneth Van Wyk
Greetings SC-Lers, Things have been pretty quiet here on the SC-L list... I hope everyone saw David Litchfield's recent announcement of a new category of SQL attacks. (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) He refers to this new category as

Re: [SC-L] Lateral SQL injection paper

2008-04-28 Thread Arian J. Evans
David's papers are always interesting, but I think the most interesting thing is that we are starting to see advanced SQL injection like his recent work on cursor attacks/snarfing being used in the wild in mass-SQL injection exploits. Attackers are using multiple layers of encoding for both

Re: [SC-L] Lateral SQL injection paper

2008-04-28 Thread Jim Manico
Anyone else have a take on this new attack method? If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. In Java (for Insert/Update/etc) just use PreparedStatement + variable binding. There are similar constructs in all languages. Although the

Re: [SC-L] InformIT: budgeting for software security

2008-04-12 Thread Jim Manico
No, there is not a direct connection but Green and InfoSec do have a few degrees of connection. InfoSec - Is a part of - IT - manages - Datacenters - suck up 3% of world power - is becoming more expensive - Green - Al Gore RSA conferences *were* focused on infosec, and on cryptography in

Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread ljknews
At 8:14 AM -0500 4/11/08, Wall, Kevin wrote: In the context, I think his concern was that in the past, the RSA conferences were focused on infosec, and on cryptography in particular. Apparently, based on Stephen and gem's comments, it seems to have lost its focus. I think that's all that

Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread Gary McGraw
Hi all, Larry has it right. There was very little technical content at RSA this year. All of the vendors on the show floor had pitches that sounded exactly the same. Last year there was much more software security presence. The good news for our field is that at the (small) executive forum,

[SC-L] InformIT: budgeting for software security

2008-04-09 Thread Gary McGraw
Hi sc-l, Greetings from RSA. This year the marketing people outnumber the technical people 1000 to 1. There are over 18,000 people here. You do the math. I recently moved my monthly security column from darkreading to informIT. I am refocusing the column on software security and business.

[SC-L] Invitation - OWASP AppSec Europe May 19-22 2008 - Belgium

2008-04-07 Thread Sebastien Deleersnyder
Hi, We would like to invite you to the European OWASP Application Security Conference! After successful OWASP Conferences in the United States (San Jose), Europe (Milan), Asia (Taiwan) and Australia (Queensland), we are back in Belgium: 5 tutorials and 2 conference tracks in the historic center

Re: [SC-L] Silver Bullet turns 2: Mary Ann Davidson

2008-04-04 Thread Gary McGraw
Thanks for the feedback Stephen. It's been a blast doing Silver Bullet for the last two years. For our next episode, I'm going to interview Jon Swartz who covers security for USA Today. That should be a twist! We're also planning to syndicate Silver Bullet through informIT soon. gem p.s.

Re: [SC-L] Silver Bullet turns 2: Mary Ann Davidson

2008-04-04 Thread Arian J. Evans
Mary -- Thank you for your reply and clarification. I am 100% on board with you about folks inventing taxonomies and then telling business owners and developers what artifacts they need to look for, measure, etc. without any real cost or business justification with regards to your costs vs.

Re: [SC-L] Silver Bullet turns 2: Mary Ann Davidson

2008-04-04 Thread Arian J. Evans
I'll second this Gary. You've done nice work here. I think Mary Ann's comments are some of the most interesting concerning what our industry needs to focus on in the near future. (and I'd love to see you focus on this with your series) Her comments reminded me of a discussion on this list with

Re: [SC-L] quick question - SXSW

2008-03-26 Thread Andrew van der Stock
Hi all, I have been specifically targeting developer conferences these last twelve months. I've had rejections from the likes of OSCON, and in fact, I was rejected from BlackHat, too. I have worked out the pattern to these conferences. You gotta SEX IT UP. Instead of submitting talks like

Re: [SC-L] Silver Bullet turns 2: Mary Ann Davidson

2008-03-26 Thread Andrew van der Stock
Gary, Good interview. The discussion on being unable to develop trust relationships with contractors who release exploits was interesting, and I wished that there was more discussion on that point. I would have thought signing a contract made it easier to sue for breach of contract than

[SC-L] 0x000000.com SuiGenchi Demonstration

2008-03-16 Thread Benjamin Tomhave
Has anybody had opportunity to look at this tool for PHP source code analysis? Just wondering about the relative merits vs other tools already available. http://www.0x00.com/?i=530 -- Benjamin Tomhave, MS, CISSP [EMAIL PROTECTED] LI: http://www.linkedin.com/in/btomhave Blog:

[SC-L] Secure Development World ?

2008-03-14 Thread Gadi Evron
I am trying to understand if this conference is cancelled or not?

Re: [SC-L] Secure Development World ?

2008-03-14 Thread Robert A. Martin
Yes it is cancelled. At 1:13 AM -0500 3/14/08, Gadi Evron wrote: I am trying to understand if this conference is cancelled or not?

Re: [SC-L] Software security definition(s)

2008-03-14 Thread Mike Lyman
Arian J. Evans wrote: What is secure software? It is one quality of an application that can be measured by the emergent behaviors of the software while trying to meet and enforce its use-case in a given run-time environment. Fairly new to the list so if I cover things discussed before or

[SC-L] Software security definition(s)

2008-03-13 Thread Arian J. Evans
I hate to start a random definition thread, but Ben asked me a good question and I'm curious if anyone else sees this matter in the same fashion that I do. Ben asked why I refer to software security as similar to artifacts identified by emergent behaviors: Software security is an emergent

Re: [SC-L] quick question - SXSW

2008-03-13 Thread Arian J. Evans
On Wed, Mar 12, 2008 at 3:05 PM, Andy Steingruebl [EMAIL PROTECTED] wrote: On a related note a quick perusal of the JavaOne conference tracks doesn't show a lot of content in this area either. Is this due to a lack of interest, or people in the security world not pitching talks to the

[SC-L] CERT C Secure Coding Standard - last call for reviewers

2008-03-13 Thread Robert C. Seacord
We would like to invite the community to review and comment on the current version of the CERT C Secure Coding Standard available online at www.securecoding.cert.org http://www.securecoding.cert.org before Version 1.0 is published. To comment, you can create an account on the Secure Coding wiki

Re: [SC-L] quick question - SXSW

2008-03-12 Thread William L. Anderson
Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not see many discussions that pay attention to security, or any other software engineering oriented concerns, explicitly. There was a discussion of scalability for web services that featured the developers from digg,

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Benjamin Tomhave
First, thanks for that Bill, it exemplifies my point perfectly. A couple thoughts... one, targeting designers is just as important as reaching out to the developers themselves... if the designers can ensure that security requirements are incorporated from the outset, then we receive an added

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Andy Steingruebl
On Tue, Mar 11, 2008 at 6:43 AM, Benjamin Tomhave [EMAIL PROTECTED] wrote: I had just a quick query for everyone out there, with an attached thought. How many security and/or secure coding professionals are prevalently involved with the SXSW conference this week? I know, I know... it's a big

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Kenneth Van Wyk
Ben, Your point is a good one -- the software security community needs to be vigilant in reaching out to developers and spreading the word. FWIW, some dev conferences have done this. I spoke at SD West in 2006, and there was a significant security track there. Still, it'd be great to

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Andy Steingruebl
On Wed, Mar 12, 2008 at 4:30 PM, Gary McGraw [EMAIL PROTECTED] wrote: Hey andy, You mean AJAX one? Last time I went there was zero interest and even less clue about security among attendees. The only shining light was a long conversation I had with bill joy about security critical

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Johan Peeters
I agree. Reaching the development community, that's precisely what we are trying to do at secappdev. Thanks for helping with that too, Ken. I have also taken some security-related sessions to conferences such as XP Days Benelux, XP Days France and SPA. Appearing soon at ACCU. I would love to hear

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Arian J. Evans
my responses inline On Wed, Mar 12, 2008 at 6:08 PM, Benjamin Tomhave [EMAIL PROTECTED] wrote: I think you misunderstood my points a little bit. SXSW was just a current conference example. As Gary's pointed out, there are many conferences. It's possible SXSW wasn't a good example, but it was

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Gunnar Peterson
I agree this is a big issue, there is no cotton picking way that the security people are solving these problems, it has to come from the developers. I put together a track for QCon which included Brian Chess on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on ESAPI and Web

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Arian J. Evans
So two thoughts Ben, purely my 0.02 USD: 1. This is largely the wrong crowd. Designers of small web2.0 stuffs, particularly the domain of widgets and WS interfaces for all the usual suspect platforms (flickr, facebook etc.) as well as most startups: They just don't care. They will never care.

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Gary McGraw
Hi again, I rebooted the security track completely at SD West in 2003 (thanks to tami who I cc'ed here). I'm on the advisory board. We're slowly inching our way toward SDL/touchpoints/CLASP stuffs at SD West, though when I tried to cover the touchpoints and enterprise security in 2006,

[SC-L] quick question - SXSW

2008-03-11 Thread Benjamin Tomhave
I had just a quick query for everyone out there, with an attached thought. How many security and/or secure coding professionals are prevalently involved with the SXSW conference this week? I know, I know... it's a big party for developers - particularly the Web 2.0 clique - but I'm just curious.

[SC-L] implementable process level secure development thoughts

2008-03-11 Thread Andy Murren
I have been working on developing a series of documents to turn the ideas encompassed on this list and in what I can find in books & articles. I am not finding, and it may just be I am looking in the wrong places, for any information on how people are actually implementing the concepts. I have

Re: [SC-L] implementable process level secure development thoughts

2008-03-11 Thread Gary McGraw
Hi Andy, We build and then execute plans to do that kind of activity all the time at Cigital. Unfortunately, the plans are all highly tailored to the politics and operations of our specific customers, and they are proprietary. Basically they do involve several aspects in common if you step

Re: [SC-L] implementable process level secure development thoughts

2008-03-11 Thread Wall, Kevin
Andy, You wrote... I have been working on developing a series of documents to turn the ideas encompassed on this list and in what I can find in books & articles. I am not finding, and it may just be I am looking in the wrong places, for any information on how people are actually

Re: [SC-L] Secure Coding Books

2008-03-08 Thread Sebastien Deleersnyder
There is a list on http://www.owasp.org/index.php/Education_Module_Good_WebAppSec_Resources I am currently reading Secure Programming with Static Analysis which I like. Regards Seba -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jim Manico Sent:

Re: [SC-L] Secure Coding Books

2008-03-07 Thread Jim Manico
How to break web software is one of the best web security coder-centric books I have read. It's concise and useful. Sent from my iPhone On Mar 7, 2008, at 7:45 AM, Lawson, David L [EMAIL PROTECTED] wrote: I've read several secure coding books in the past, and was wondering if anyone has

Re: [SC-L] Secure Coding Books

2008-03-07 Thread Goertzel, Karen [USA]
Do you really mean secure coding only, or are you looking for books on secure software development more generally? -- Karen Mercedes Goertzel, CISSP Booz Allen Hamilton 703.902.6981 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] on behalf of Lawson, David L Sent: Fri

Re: [SC-L] Secure Coding Books

2008-03-07 Thread Neil Daswani
Hi David, There is a list of software security / secure coding books at: http://www.sans-ssi.org/references.php Gary McGraw has a blog post in which some of these references are chronologically ordered at:

Re: [SC-L] Secure Coding Books

2008-03-07 Thread Robert C. Seacord
David, I like Secure Coding in C and C++ (http://www.cert.org/books/secure-coding/) The guy who wrote it is a bit of a jerk, but it has a lot of good technical information. Another book I like is The Art of Software Security Assessment

Re: [SC-L] Secure Coding Books

2008-03-07 Thread Dean H. Saxe
I'd check out Security: What Every Programmer Needs to Know by Daswani, Kern and Kesavan. I haven't read it cover to cover yet, but it seems to cover the topics in a nice amount of detail. -dhs Dean H. Saxe, CISSP, CEH [EMAIL PROTECTED] Great spirits have often encountered violent

Re: [SC-L] Secure development after release

2008-03-05 Thread bugtraq
Hello Andy, Once an application is released or put into production, what are organizations doing to keep the applications secure? As new Some organizations purchase web application security scanners and perform periodic scanning (this could be done by the soc) or use a service such as

Re: [SC-L] PCI: Boon or bust for software security?

2008-03-04 Thread Andy Murren
Overall I concur with Bruce on this. PCI has too broad of a constituent base to cover to be truly effective. Some fixes were added after the TJX breach, but look at how much TJX paid versus how much they laid aside to pay. I am betting that the TJX lawyers produced documents showing that they

[SC-L] Secure development after release

2008-03-04 Thread Andy Murren
Once an application is released or put into production, what are organizations doing to keep the applications secure? As new vulnerabilities and classes of exploits are released, how is that information being fed back to developers so they can update/patch in the software. At the network most

Re: [SC-L] PCI: Boon or bust for software security?

2008-03-04 Thread Benjamin Tomhave
Worse than that, I think that until businesses universally understand the value of secure coding practices, they will resist the up-front cost to take on such a transformational program. SOX vs PCI would make for a good case study. SOX is very high level and generic, which led to much confusion

[SC-L] PCI: Boon or bust for software security?

2008-03-03 Thread Kenneth Van Wyk
Greetings SC-L, So here's a question to ponder. Now that PCI DSS 1.1 is out there (save a couple June 2008 deadlines still looming), has it been good or bad for software security as a whole? It does require secure development processes (as prescribed by OWASP). It does require sensitive

[SC-L] SC-L Administrivia: How does the readership feel about sponsorships?

2008-02-19 Thread Kenneth Van Wyk
Greetings SC-L, So, I've always done my best to keep SC-L non-commercial since its inception in 2003. I'm curious, though, how you the readers would react to accepting sponsorships in the form of sponsored by: banners at the bottom of each posting. The banner presently points to the

[SC-L] Silver Bullet 23

2008-02-19 Thread Gary McGraw
Hi sc-l, Episode 23 of Silver Bullet just went up this afternoon. In this episode, I have a conversation with Veracode founder and CTO Chris Wysopal (aka Weld Pond). We do lots of yabbering about software security as you might expect. Check it out:

[SC-L] Michael Howard's Web Log : Introducing SAFECode

2008-02-15 Thread Kenneth Van Wyk
FYI, from Michael Howard's blog: Today SAFECode, the Software Assurance Forum for Excellence in Code, introduced its first white paper, Software Assurance: An Overview of Current Industry Best Practices. The organization was founded by Microsoft, Symantec, EMC, SAP and Juniper to advance

Re: [SC-L] Programming language comparison?

2008-02-06 Thread Shea, Brian A
It seems like this exchange is focused on whether bug / flaw classes can be applied to All programming languages or not. Isn't the question at hand which languages have the property Subject to bug / flaw class XXX (true | false), and not whether you can find one or more class that fits the All

Re: [SC-L] Programming language comparison?

2008-02-05 Thread Vincent Verhagen
Gentleman, Thanks for the contributions to my question. They've been helpful! Vincent Vincent Verhagen wrote: Hi all, I was referred to this list by a fellow security consultant for this specific question. Please forgive me if this is the wrong forum :) We're in the process of creating

Re: [SC-L] Programming language comparison?

2008-02-05 Thread Steven M. Christey
On Mon, 4 Feb 2008, ljknews wrote: (%s to fill up disk or memory, anybody?), so it's marked with All and it's not in the C-specific view, even though there's a heavy concentration of format strings in C/C++. It is marked as All ? What is the construct in Ada that has such a
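The "%s to fill up disk or memory" aside above is the reason the format-string weakness is classed as language-independent rather than C-specific: even in a memory-safe runtime, an attacker who controls the format string controls how much output the formatter allocates. The following is an added example, not code from the thread or from any poster, showing that behaviour in Python's %-formatting and a guard that bounds width and precision fields before an untrusted format string is applied. The regular expression, the `MAX_FIELD` limit and the function names are this example's own assumptions, not anything from the discussion.

```python
"""Added example: a user-controlled format string as a resource-exhaustion
vector outside C, and a bound check applied before formatting."""
import re

# One %-conversion in Python's printf-style formatting:
#   %[(key)][flags][width][.precision]type
# Group 1 captures the width field, group 2 the precision field; either may
# be '*' (taken from the argument list) or a digit run.
_SPEC = re.compile(
    r"%(?:\([^)]*\))?[-+ #0]*(\*|\d*)(?:\.(\*|\d+))?[diouxXeEfFgGcrsa%]"
)

MAX_FIELD = 4096  # hypothetical policy: no single field may exceed this


def format_cost(fmt):
    """Lower bound on the output size implied by the explicit width and
    precision fields in fmt (a '*' field is counted as unknown, i.e. 0).
    The point: the cost is set by the format string, not by the arguments."""
    total = 0
    for m in _SPEC.finditer(fmt):
        width = int(m.group(1)) if m.group(1) and m.group(1) != "*" else 0
        prec = int(m.group(2)) if m.group(2) and m.group(2) != "*" else 0
        total += max(width, prec)
    return total


def render_untrusted(fmt, *args):
    """Apply an attacker-supplied format string only if every width and
    precision field is bounded. '*' fields are rejected outright because
    their size then comes from the (equally untrusted) argument list."""
    for m in _SPEC.finditer(fmt):
        for field in (m.group(1), m.group(2)):
            if field == "*":
                raise ValueError("dynamic field width not allowed: %r" % m.group(0))
            if field and int(field) > MAX_FIELD:
                raise ValueError("format field too large: %r" % m.group(0))
    return fmt % args


if __name__ == "__main__":
    # Constructed inputs: a benign template and a hostile one.
    print(render_untrusted("user=%s id=%05d", "bob", 42))
    print("cost of hostile template:", format_cost("%s %999999999d"))
    try:
        render_untrusted("%999999999d", 1)
    except ValueError as e:
        print("rejected:", e)
```

The same check applies to `str.format` (`{:999999999d}`) and to format strings in other runtimes; the safe default remains to keep the format string a compile-time literal and pass user data only as arguments.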

[SC-L] Silver Bullet: spaf transcript

2008-02-04 Thread Gary McGraw
hi sc-l, As you probably know, around half of the Silver Bullet podcasts are printed as the Interview department of IEEE Security & Privacy magazine. We just put a transcript of the spaf (Gene Spafford) interview on the website:

[SC-L] Silver Bullet: Ed Amoroso

2008-01-31 Thread Gary McGraw
hi sc-l, Last week we released the 22nd edition of Silver Bullet. This time, I have a conversation with Ed Amoroso, CISO of AT&T. Ed has a deep interest in software security and has been a high level executive champion for years. In the podcast we discuss software security, bugs/flaws,
