I posted a lengthy email to the owasp-leaders list about this event which
you can read on my blog:
http://diniscruz.blogspot.com/2009/09/fortify-hands-on-demosession-at.html (in
there you can also see a couple more ideas that came out of that
owasp-leaders email thread)
Let me know if (after
hi sc-l,
A partial transcript for Bob Blakely's silver bullet episode will be published
in IEEE Security Privacy magazine in the upcoming issue. You can read a copy
yourself here:
http://www.cigital.com/silverbullet/shows/silverbullet-040-bblakely.pdf
gem
company www.cigital.com
blog
FYI, a couple of interesting developments in the software security
tool space:
http://www.lookout.net/2009/09/16/microsoft-releases-binscope-and-minifuzz-to-the-public/
Cheers,
Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
SC-L Moderator
SC-L,
The Owasp Northern Virginia chapter is pleased to invite you to its next
session on Thursday September 17th. We will be hosting a presentation, demo and
hands on session of Fortify 360 (http://www.fortify.com). Fortify 360 includes
Fortify SCA (Source Code Analyzer) and the Fortify
hi sc-l,
Turns out lots of different kinds of enterprises are spearheading large scale
software security initiatives. VMware has an extensive software security
initiative that has leveraged and evolved the EMC approach. Kris Inglis runs
the product security group at VMware (what I would term
At 8:47 AM -0700 8/27/09, Benjamin Tomhave wrote:
Should any sort of overflow really be allowed?
It is not, except by management decision (in choosing an unsafe
language).
--
Larry Kilgallen
___
Secure Coding mailing list (SC-L)
Ben Tomhave wrote:
Wall, Kevin wrote:
I don't mean to split hairs here, but I think fundamental concept
vs intermediate-to-advanced concept is a red herring. In your case
of you teaching a 1 yr old toddler, NO is about the only thing
they understand at this point. That doesn't imply
Yet another perspective. I believe that this question may be somewhat
flawed as it doesn't take into consideration certain demographic
challenges. Right now the model seems to be based on either being
academic (sitting through a semester of some old fogey with no real-world
experience blabbering
We are NOT craftsmen by any stretch of the imagination. If you have ever
worked in a large enterprise, the ability to change roles and be fluid
in one's career is rewarding yet has unintended consequences.
If I went to my boss tomorrow and said that I no longer want to be an
architect and
To be sure, inherently secure code is a misnomer. However, that being
said, my original contention was that certain common vulnerabilities
should be automatically managed these days rather than relying on
explicit code to catch them. Should any sort of overflow really be
allowed? I have to believe
I am not sure I agree that this is any more achievable than claiming a
bank building should allow all valid customers in, but keep out all
thieves. While we can and should make great strides, we will always
have some exposure because we have to let some things through. The
only way we
Personally I think secure coding should be included in the entire
curriculum irrespective of the level. People learn habits early on
that they tend to carry for as long as they are programmers. How many
programmers that learned the KR style of indentation for example
continue to use it as their
Not so much anti-social as untrusting, suspicious, and paranoid. Actually, being
highly social could provide an excellent cover to fool the bad guys into
thinking one is a lot less security-savvy than one actually is.
Karen Mercedes Goertzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com
James McGovern wrote...
- Taking this one step further, how can we convince
professors who don't
teach secure coding to not accept insecure code from their students.
Professors seed the students thinking by accepting anything
that barely
works at the last minute. Universities need to be
hi sc-l,
Fred sent me some email today and reminded me that he has written about this
idea himself in IEEE Security Privacy magazine. We already had a link to his
article on the Silver Bullet website, but here's a direct link:
The Monoculture Risk Put in Context
IEEE Security and Privacy 7,
hi steve,
The bugs/flaw continuum is, in fact, a continuum. It's great that you guys
have begun to collect and publish information about flaws in the CWE. I agree
completely with your statement I suspect that design/architecture level
taxonomies will be very challenging to build.
Part of
The playing in traffic example is one extreme end of the spectrum. A
good analogy for the other end might be physics where you just teach
Newtonian theory as if it were 100% accurate and then, if the
student decides to take a relativistic physics class, you teach them
on day 1 that everything
Matt Bishop wrote:
Instead, what you can do is frame the issues as good programming. When
teaching for loops, teach the idea of a limit (upper and lower
bounds). Then when you get to arrays, it's natural to discuss bounds
checking in the context of iteration (I don't phrase it that way, of
Goertzel, Karen [USA] wrote:
We teach toddlers from the time they can walk that they shouldn't
play in traffic. A year or two later, we teach them to look both ways
before crossing the street. Even later - usually when they're
approaching their teens, and can deal with grim reality, we give
Ben,
Let's just hope that the code isn't compiled with -O3 or similar,
creating an unintended bug. :)
http://isc.sans.org/diary.html?storyid=6820
Brings back memories -- the first day on the job as a summer intern I
had to track down a bug in a UNIX device driver. Turned out the
optimizer
Matt Bishop wrote:
And that's an artifact of a lack of resources for the type of grading.
Give classes the support to do this, and I suspect you'd see people get
in the habit of writing better code. Better, use students and people
from industry who know this stuff to staff a clinic analogous
So many mistakes have been made in
generations before mine that we are now trapped in a box of our own
making that has us squabbling over academic minutiae like how to teach
secure coding when we should not have to consider this topic at all -
the code itself should be inherently secure.
Brad Andrews writes...
I had proofs in junior high Geometry too, though I do not recall using
them outside that class. I went all the way through differential
equations, matrix algebra and probability/statistics and I don't
recall much focus on proofs. This was in the early 1980s in a good
Gary,
Great article and since you used attacks and categories in the same :)
sentence I am tempted to ask if you looked at WASC Threat
Classification project?
On Tuesday, August 25, 2009, Steven M. Christey co...@linus.mitre.org wrote:
Gary,
You said in the article:
The next category of
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote:
Exploits are FUN.
I agree, at least to a point. Whenever I work exploits into my
workshops, the results are right on the mark. So long as the exploits
are balanced with just the right amount of remediations, it works great.
The key is
At 6:36 PM -0400 8/25/09, Steven M. Christey wrote:
Gary,
You said in the article:
The next category of attacks to expect are attacks that target defects in
design and architecture - which I call flaws.
I think it's already happening.
I think it has been happening for years. I use
Your example is spurious as a refutation of what I was trying to say (as I
suspect you already know). Obviously you're not going to try to teach a
not-yet-verbal infant a self-preservation concept that requires even the most
rudimentary reasoning.
That said, I'll be interested to hear from you
I too remember learning proofs in Jr. High. And I also believe the main
objective was to teach 12 and 13 year olds that it is possible to apply a
repeatable, disciplined process to how they approach problem solving. Certainly
not a worthless lesson, even if the mathematics involved are never
I see your point. On the other hand, there are times I worry that teach the
hacker mentality approach to secure development training smacks a bit too much
teaching future policemen the delights of robbery, rape, torture, and murder in
order to prepare them to defend the public against robbers,
Your Picasso - or, perhaps, Frank Lloyd Wright would be a better analogy -
definitely has a role in software development. I want his creativity up front
in the specification and high-level design of the building (the software
system). But when it comes to detailed design and testing, I'm going
Well, this topic gets muddy pretty quickly since I agree with many of
the comments made on this thread. We have to be careful with hype and
claims made by new models (BSIMM and OpenSAMM in particular) since
depending on how the 'rest of the world' sees them speaks directly to
our credibility as
Hello SC-L!
The OWASP Podcast Series continues to accelerate! We released 5 podcasts
this month which I hope you find to be of value.
39 | August 25, 2009 | Listen Now: http://www.owasp.org/download/jmanico/owasp_podcast_39.mp3 | Show Notes: /index.php/Podcast_39 | Interview with Gunnar Peterson
On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote:
First, security in the software development concept is at least an
intermediate concept, if not advanced.
Not at all. That would be like saying that correctness is also an
advanced concept, because it gets in the way of coding. Security is
For consistency's sake, I hope you agree that if security is an
intermediate-to-advanced concept in software development, then all the other
-ilities (goodness properties, if you will), such as quality, reliability,
usability, safety, etc. that go beyond just get the bloody thing to work are
On Aug 25, 2009, at 17:35, Benjamin Tomhave wrote:
You don't teach proofs - not really. The elementary and junior high
curriculum generally does not contain anything about proofs
I was talking about college students because that's when I was
properly taught programming. That may no longer
On Tue, Aug 25, 2009 at 4:09 AM, Stephan
Neuhaus stephan.neuh...@disi.unitn.it wrote:
On Aug 25, 2009, at 02:35, Benjamin Tomhave wrote:
First, security in the software development concept is at least an
intermediate concept, if not advanced.
Not at all. That would be like saying that
On Aug 25, 2009, at 18:07, Andy Steingruebl wrote:
<Sarcasm>really? First graders are learning to do math proofs instead
of basic addition? I'm quite surprised by this.</Sarcasm>
Yeah, sorry. When I wrote about students I meant college
students. I don't know, is that a difference between
Ben,
First, security in the software development concept is at least an
intermediate concept, if not advanced. Riffing on Brad's comments, it
seems irrational to think that you can jump straight from structural
basics with which many students struggle (OO anybody?) directly to
concepts that
The just get the bloody thing to work is usually an attitude foisted
on developers by the business side.
I work in an internal application security function for a large
enterprise and I'm yet to meet a developer who wasn't concerned about
security.
Developer education is very important and we
We teach toddlers from the time they can walk that they shouldn't play in
traffic. A year or two later, we teach them to look both ways before crossing
the street. Even later - usually when they're approaching their teens, and can
deal with grim reality, we give examples that illustrate exactly
On Aug 21, 2009, at 12:18 PM, Brad Andrews wrote:
This brings up a great point. How can we grade a program's security
level? Is it just a checkoff list? Which elements should be in
that checkoff list?
You may be interested in reading:
Teaching Secure Programming
IEEE Security and
I was thinking of a beginner-level programming class. I have and it
can be a challenge, especially if they don't have the programming
mindset. Even if they do, you don't have the time for the things you
spoke about. You are focusing on basic coding constructs first. :)
--
Brad
Now that you mention it
I was listening to the CERT podcast where you and a couple of others
discussed the BSIMM (probably a while back since I am well behind on
those). You made a statement along these lines and I immediately
thought that I disagreed! :)
I don't think software
Actually, we can't prove programs are bug free if by bug we also mean all
possible anomalous behaviours. My colleagues keep pointing this out to me when
I suggest that we should start leveraging the computational power of computing
grids to analyze complex software the same way other
We are approaching huge industry-wide application security critical
mass for the first time. Now is the time to strike. If all we teach is
input validation+canonicalization, query parameterization, and output
encoding, we stop xss and sqli via education
Jim Manico
On Aug 21, 2009, at
Great points Karen! We can't prove a program is secure in the same vein.
The danger I am spouting off about is the idea that we would solve the
software security problem if we just take a more scientific or
mature (or whatever) approach. I think those can definitely reduce
the risk, but
Are there any industry metrics that indicate what percentage of
full-time software developers actually learned coding in a university
setting? I actually learned in high-school, focused on business
administration in college (easiest major on the planet) and
learned/matured on the job. Likewise, I
Andy Steingruebl wrote:
I think our real question isn't just how to reach the professional
programmer trained via formal training programs, but also how to reach
the amateur programmer trained via books, trial+error, etc.
One area here is making sure examples are done correctly. The
Brad Andrews wrote:
Has anyone who holds to this taught a beginning level programming
class? Getting students to understand what a loop is can be hard
enough, given limited time. Diving into exploits and buffer overflows
can be much more difficult.
Getting into exploits at this level is
Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:
If determination of functional correctness were extended from must
operate as specified under expected conditions to must operate as
specified under all conditions, functional correctness would necessarily
require security, safety, fault
Karen Goertzel wrote...
I'm more devious. I think what needs to happen is that we
need to redefine what we mean by functionally correct or
quality code. If determination of functional correctness
were extended from must operate as specified under expected
conditions to must operate as
Karen, Matt all,
Goertzel, Karen [USA] wrote:
I'm more devious. I think what needs to happen is that we need to redefine
what we mean by functionally correct or quality code. If determination of
functional correctness were extended from must operate as specified under
expected conditions
Here's an extract from the Information Assurance Technology Analysis Center
(part of DTIC) Software Security Assurance: A State of the Art Report
(http://iac.dtic.mil/iatac/download/security.pdf):
Courses on secure software development, secure programming, etc., typically
begin by introducing
Everyone,
Thank you for all of the input. Really. This information has been
extremely helpful!
Neil
Goertzel, Karen [USA] wrote:
Here's an extract from the Information Assurance Technology Analysis Center (part of
DTIC) Software Security Assurance: A State of the Art Report
A colleague and I have been looking at the problem a bit, in the context of
need for survivability in safety-critical systems. Below is an extract of the
paper Software Survivability: Where Safety and Security Converge authored by
Larry Feldman, Ph.D., and myself, and presented by our colleague
I spent a fair bit of time doing stuff relating to voting systems,
which all have embedded systems. (I am not one of the experts who
pulls them apart, lest anyone think I'm claiming credit for them.)
They are supposedly closed systems, but every time someone competent
has tried to attack them,
Thank you for all the info you guys have sent, it has been very
informative... :)
It is harder to steal the source (you need more electronics knowledge
and expensive debuggers and stuff) but it is possible... Do you guys
know some pages with security tips for embedded systems?
Neil Matatall wrote:
So where does secure coding belong in the curriculum?
Higher Ed? High School?
Undergrad? Grad? Extension?
Secure coding needs to be taught anytime programming is taught.
From my experience in my son's boy scout troop, I'm not sure I'd call it
out as security and confuse
We looked at the problem of voting system security specifically in the context
of insider threat for last year's IATAC State of the Art Report on the Insider
Threat to Information Systems - some of which involved rogue developers
engineering backdoors into such systems. Unfortunately the
I think we need to start indoctrinating kids in the womb. Start selling Baby
Schneier CDs alongside Baby Mozart. :)
Seriously, though, cyberspace is such an integral part of modern life, parents
need to inculcate online security into their toddlers the same way they teach
them to look both
Actually CJC, it's often even worse than that. In many cases, the customer or
consumer has an implicit requirement for security that remains unstated. Only
when the system fails and is successfully attacked does that requirement shift
from implicit to explicit. You mean it wasn't secure??
On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatall nmata...@uci.edu wrote:
Inspired by the What is the size of this list? discussion, I decided I
won't be a lurker :)
A question prompted by
http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
and the OWASP podcast
I think we need to start indoctrinating kids in the womb. Start
selling Baby Schneier CDs alongside Baby Mozart. :)
I can recommend this book, it was given to me by a client.
Enigma: A Magical Mystery
Grade 3–6—Someone has stolen the props belonging to the residents of
a retirement home
Has anyone who holds to this taught a beginning level programming
class? Getting students to understand what a loop is can be hard
enough, given limited time. Diving into exploits and buffer overflows
can be much more difficult.
I am sure some things could be put into a basic class,
I completely agree, though how are we really going to reach this
point? We have been talking about this at least since I got into
development in the early 1980s. We are not anywhere closer, though we
have lots of neat tools that do lots of neat stuff. Unfortunately,
our programs are
While no customer is likely to say they don't care about software
working now that we are past Y2K, they don't think about it at all and
are unlikely to allow any schedule slippage to allow for making sure
that is true.
Customers only really care about the things they will pay for.
hi sc-l,
The 41st episode of Silver Bullet just went live. This episode features a
conversation with Fred Schneider, a computer science professor at Cornell and a
very important thought leader in security research. Fred was the author of the
seminal National Academies study Trust in
Inspired by the What is the size of this list? discussion, I decided I
won't be a lurker :)
A question prompted by
http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html
Here is where my enterpriseyness will show. I believe the answer to the
question of where secure coding belongs in the curriculum is somewhat
flawed and requires addressing the curriculum holistically.
If you go to art school, you are required to study the works of the
masters. You don't attempt
Another lurker revealing himself ... my name is Matt Bishop, and I
lurk at the University of California at Davis where I teach and do
research in lots of areas of computer security, including (surprise!)
what is traditionally called secure programming and secure software
development. For
I'm more devious. I think what needs to happen is that we need to redefine what
we mean by functionally correct or quality code. If determination of
functional correctness were extended from must operate as specified under
expected conditions to must operate as specified under all conditions,
Rafael -- to clarify concretely:
There are quite a few researchers that attack/exploit embedded
systems. Some google searches will probably provide you with names.
None of the folks I know of that actively work on exploiting embedded
systems are on this list, but I figure if I know a handful
hi neil,
For what it's worth, there is a list of universities with some kind of software
security curriculum on page 98 of Software Security http://swsec.com.
Remember, this list was created in 2006, and lots of other universities have
jumped on the bandwagon since then.
* University of
On Aug 18, 2009, at 2:21 PM, Arian J. Evans wrote:
Jeremiah Grossman and I were both pondering the size of the SCL
recently.
Is the list size public?
It's not public per se, but only in the sense that the number isn't
directly available--unless you ask for it.
The list has pretty
Hi SC-L,
I'm a Lurker. I work for CERT | SEI | CMU and monitor the list in an
attempt to keep an ear to the ground. While I'm not a professional
programmer I do have an undergrad and graduate degree in CS which
means I've been trained a little about programming. I'm really
interested in two
Fourth International Workshop on Secure Software Engineering (SecSE2010)
http://www.sintef.org/secse
In conjunction with ARES 2010
http://www.ares-conference.eu/conf/
February, 15th - 18th 2010
Andrzej Frycz Modrzewski Cracow College, Krakow, Poland
Call for Papers
===
Software is
We are preparing an exposition for static analysis tools that find
security relevant defects. Briefly, participating tool makers run their
tools on real programs. Researchers led by NIST analyze the tool
reports. Everyone reports results and experiences at a workshop. The
tool reports and
Good catch, that is exactly right. My oversight. A while back Fortify
released a white paper entitled Misplaced Confidence in Application
Penetration Testing [reg required]
http://www.fortify.com/security-resources/library/overviews.jsp
Tools also available to help measure.
On Aug 6,
Speaking of the lab environment, my thesis from 2006
(http://research.microsoft.com/en-us/um/people/livshits/papers/pdf/thesis.pdf)
explores the interplay between static and runtime in gory detail. I am not
aware of these hybrid approaches being integrated into commercial products.
Regards,
Mattyson -- I almost completely agree with you.
I will say - during ongoing deep dive assessments, we commonly find
that applications that have one or more authC/Z issues at launch, will
reintroduce them over time, if they write and push a lot of code.
Anecdotally I would say we see at least one
Arian J. Evans wrote...
The problem I had in the past with benchmarks was the huge degree of
customization in each application I would test. While patterns emerge
that are almost always automatable to some degree, the technologies
almost always require hand care-and-feeding to get them to an
Chris -- Good point with Larry's paper. NTO Spider is, by design, a
simplified scanner for unskilled users, and I do not think it was
designed to be an effective tool for deep dynamic analysis of a web
application. It is, however, probably the best scanner on the market
for people who don't have
Great answer, John. I especially like your point about web.xml.
This goes dually for black-box testing. There would be a lot of
advantage to being able to get (and compare) these types of config
files today for dialing in BBB (Better Black Box vs. blind black box)
testing. I don't think anyone is
While I completely agree with this statement, it is a much tougher
sell to management that is seeking to keep the company making money
(or perhaps even alive). I believe that having (and using) an
imperfect tool is better than nothing, so I would at least push for
that. Getting things
That is certainly true. I was just commenting on the issue of systems
that work together tightly. None do now (as far as I know), but this
should potentially allow that to happen.
I did hear a few moans when this news came out, since IBM is not known
for inexpensiveness from what I
On 7/29/09 8:08 PM, silky michaelsli...@gmail.com wrote:
Of course it's a binary, it runs by itself, when there is a java vm
to run it. Just like you need a win32 vm to run a typical .exe.
You misunderstand the notion of virtual machines if you think of Win32 as a
virtual machine. There is
In a message dated July 30, 2009 10:09 AM EDT, Paco Hope wrote...
The Java Virtual Machine is a theoretical machine, and Java
code is compiled
down to Java bytecode that runs on this theoretical machine.
The Java VM is
the actual Windows EXE that runs on the real hardware. It reads these
Actually it's not vulnerable because the strings are escaped first. My point
is simply that using prepared statements would have been more robust than
escaping strings on the client side. I'm sorry I didn't make that clear, I'll
go edit my post now.
Thanks!
Pascal
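The contrast Pascal draws above (escaping strings on the client versus using prepared statements), together with the query-parameterization and output-encoding items in Jim Manico's message earlier on this page, as an added example; this is not code from either post. It uses Python's standard sqlite3 module on an in-memory database with constructed sample rows; the users table, its columns and the hand-rolled naive_escape helper are assumptions for illustration. The point it makes is the one Pascal's edit implies: escaping can be correct in a quoted-string context and still leave a numeric context wide open, whereas a bound parameter never becomes part of the SQL text at all. The render_bio function shows the XSS half of Jim's list, encoding the stored (attacker-controlled) value on output with html.escape.

```python
import html
import sqlite3

# Constructed sample rows for the example (not data from the original posts).
USERS = [
    (1, "alice", "<script>alert(1)</script>"),
    (2, "bob", "Bob & Co"),
]


def make_db():
    """Build an in-memory SQLite database with a hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def naive_escape(value):
    """Hand-rolled client-side escaping: doubles single quotes and nothing else.

    This is the style of escaping the post was comparing against; it only
    means anything inside a quoted string literal.
    """
    return str(value).replace("'", "''")


# --- escaping approach: safe in a string context, useless in a numeric one ---

def find_by_name_escaped(conn, name):
    sql = "SELECT id, name FROM users WHERE name = '" + naive_escape(name) + "'"
    return conn.execute(sql).fetchall()


def find_by_id_escaped(conn, user_id):
    # No quotes around the value, so there is nothing for the escaper to
    # neutralise: "1 OR 1=1" is spliced into the statement verbatim.
    sql = "SELECT id, name FROM users WHERE id = " + naive_escape(user_id)
    return conn.execute(sql).fetchall()


# --- parameterised approach: the value never becomes part of the SQL text ---

def find_by_name_param(conn, name):
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_by_id_param(conn, user_id):
    # The bound value is compared as data; the text "1 OR 1=1" simply matches
    # no integer id.
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


# --- output encoding: the stored bio is attacker-controlled, so encode on output ---

def render_bio(conn, user_id):
    """Return an HTML fragment for the user with every dynamic value encoded."""
    row = conn.execute(
        "SELECT name, bio FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    if row is None:
        return None
    name, bio = row
    return "<p><b>%s</b>: %s</p>" % (html.escape(name), html.escape(bio))


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"
    print("escaped, numeric context :", find_by_id_escaped(db, payload))
    print("parameterised            :", find_by_id_param(db, payload))
    print(render_bio(db, 1))
```

Run as a script it prints every row for the escaped numeric query and an empty list for the parameterised one; the same `' OR '1'='1` payload against the name column is stopped by both, which is exactly why "it's escaped, so it's not vulnerable" holds for one query and not the next.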
Kenneth Van Wyk wrote:
Something occurred to me last night as I pondered where this discussion's
tendrils are taking us.
A point I only made implicitly is this: The question, for years, has been
"conduct your SA on source code or binary?". You can see that there are
interesting subtleties in even those languages that
First, I generally agree that there are many factors that make the true and
factual fidelity of static analysis really REALLY difficult.
However, I submit that by debating this point, you're belaboring the correct
angle of survivable Neptunian atmospheric entry with people that don't
generally
hi sc-l,
Christian Collberg (an important pioneer in software protection) just published
a great book called Surreptitious Software. It's just plain good.
http://www.amazon.com/Surreptitious-Software-Watermarking-Tamperproofing-Addison-Wesley/dp/0321549252
I blogged about the book on Justice
On Jul 29, 2009, at 4:17 PM, Brad Andrews wrote:
Realizing that java binaries hold a lot more is a mental shift
that probably must be actively kept in mind. Those with only Java
experience may think it is obvious, but how many developers did not
start with Java and have not purged this
Wow indeed. Does that makes IBM the only vendor to offer both Static
and Dynamic software security testing/analysis capabilities?
Thanks Regards,
Prasad N. Shenoy
On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wyk k...@krvw.com wrote:
Wow, big acquisition news in the static code analysis space
Right now, officially, I think that is about it. IBM, Veracode, and
AoD (in Germany) claim they have this too.
As Mattyson mentioned, Veracode only does static binary analysis (no
source analysis). They offer dynamic scanning but I believe it is
using NTO Spider IIRC which is a simplified
Pretty much. HP/SPI has integrations as well but I don't recall DevInspect
ever being a big hit. Veracode does both as well as static binary but as a SaaS
model. Watchfire had a RAD integration as well IIRC but it clearly must not
have had the share Ounce does.
Ah sorry didn't mean to leave you out Tom.
From: Tom Brennan t...@owasp.org
Sent: July 28, 2009 1:24 PM
To: Matt Fisher m...@piscis-security.com; sc-l-boun...@securecoding.org
sc-l-boun...@securecoding.org; Prasad Shenoy prasad.she...@gmail.com;
Kenneth Van Wyk
Fortify (www.fortify.com) has Partnered with WhiteHat Security
(www.whitehatsec.com) too
Tom Brennan
Board Member - OWASP Foundation
Url: www.owasp.org | Tel: 973-202-0122
http://www.linkedin.com/in/tombrennan
From: Matt Fisher m...@piscis-security.com
Date: Tue,
A quick note, in the Java world (obfuscation aside), the source and
binary is really the same thing. The fact that Fortify analyzes
source and Veracode analyzes class files is a fairly minor detail.
Jim Manico
On Jul 28, 2009, at 7:40 AM, Arian J. Evans arian.ev...@anachronic.com
wrote:
At 8:39 AM -1000 7/28/09, Jim Manico wrote:
A quick note, in the Java world (obfuscation aside), the source and
binary is really the same thing. The fact that Fortify analyzes
source and Veracode analyzes class files is a fairly minor detail.
It seems to me that would only be true for
Not so much about secure-coding, but more about how we take unit
testing and TDD very seriously:
http://labs.mudynamics.com/2009/07/23/large-scale-ruby-development-with-tdd/
Are there people on the sc-l that have a comparable large-scale ruby
project? I would love to hear about the gotchas of