Re: [SC-L] Secure Development World ?

2008-03-14 Thread Gadi Evron
On Fri, 14 Mar 2008, Steven M. Christey wrote:
>
> Gadi,
>
> All indications are that it was cancelled.  Would have been nice if they'd
> informed the speakers.  Too bad, too - it was looking like it would be a
> great conference.

They didn't inform me I was speaking; a Google alert did.
They informed me it was cancelled, but it's just a couple of weeks to the
conference and the web page doesn't indicate it. So I'm making sure.


>
> - Steve
>
>
> On Fri, 14 Mar 2008, Gadi Evron wrote:
>
>> I am trying to understand if this conference is cancelled or not?
>> ___
>> Secure Coding mailing list (SC-L) SC-L@securecoding.org
>> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
>> List charter available at - http://www.securecoding.org/list/charter.php
>> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
>> as a free, non-commercial service to the software security community.
>> ___
>>
>


[SC-L] Silver Bullet turns 2: Mary Ann Davidson

2008-03-14 Thread Gary McGraw
hi sc-l,

We just posted the 24th episode of the Silver Bullet Security Podcast.  This 
time I speak with Mary Ann Davidson.  Our conversation was almost exclusively 
focused on software security.  What makes Mary Ann's position so interesting is 
that she is one of the only major CISOs whose role is tightly focused on 
software security (in this case Oracle product security).  That's very cool.

Check it out: http://www.cigital.com/silverbullet/show-024/

As usual, thanks to IEEE Security & Privacy magazine for co-sponsoring the 
podcast with Cigital.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] Secure Development World ?

2008-03-14 Thread Steven M. Christey

Gadi,

All indications are that it was cancelled.  Would have been nice if they'd
informed the speakers.  Too bad, too - it was looking like it would be a
great conference.

- Steve


On Fri, 14 Mar 2008, Gadi Evron wrote:

> I am trying to understand if this conference is cancelled or not?


Re: [SC-L] quick question - SXSW

2008-03-14 Thread Arian J. Evans
I'm not sure if the post made the list, but I outlined
what I believe is a huge difference between government
and beltway contractors, and the private sector.

DoD (and most gov/gov-contractor corps) fall squarely
into the "assurance" camps.

Private sector is heavily into "mitigation" and "response".

I get a completely different feel, due to entirely different
organizational/business realities, from software startups
and silicon valley in general.

That's great that you see this, though. Good news.

-ae


On Fri, Mar 14, 2008 at 7:06 AM, Mike Lyman <[EMAIL PROTECTED]> wrote:
> Arian J. Evans wrote:
>  > Overall security is not a feature or a function that you can monetarize.
>  > It's not even cool or sexy. It's an emergent behavior that is only
>  > observed when it is making your software harder to use.
>  >
>
>  Maybe it is just the US Department of Defense environment where I am
>  currently working but I see developers start to see this as cool and
>  sexy. Most are picking it up quickly and a few are even interested in
>  diving in deep into the security world. They ask great questions and are
>  doing a lot of independent research on it. We are in an environment
>  where they get security awareness training a few times a year and are
>  constantly bombarded with security messages but some of them really are
>  getting into it. It gives them something new to learn and it is driving
>  them to go deeper into some development subjects that they normally
>  would not ever be allowed to look at due to delivery schedules. Security
>  is giving them a good excuse to go learn more.
>  --
>
>  Mike Lyman
>  [EMAIL PROTECTED]
>
>
>



-- 
Arian Evans
software security stuff


Re: [SC-L] quick question - SXSW

2008-03-14 Thread Gary McGraw
hi sc-l,

As many of you know, I have been doing this stuff for over a decade now.  In 
terms of developer awareness and uptake, we have made great strides in the last 
three years.  I taught my first training class on software security at Goldman 
in 2001.  Since then, we've trained well over 8000 developers and others on 
software security (at Cigital where I work).  Attitudes have definitely 
shifted, and the market continues to grow.  Demand is up and interest is high.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On 3/14/08 10:06 AM, "Mike Lyman" <[EMAIL PROTECTED]> wrote:

Arian J. Evans wrote:
> Overall security is not a feature or a function that you can monetarize.
> It's not even cool or sexy. It's an emergent behavior that is only
> observed when it is making your software harder to use.
>

Maybe it is just the US Department of Defense environment where I am
currently working but I see developers start to see this as cool and
sexy. Most are picking it up quickly and a few are even interested in
diving in deep into the security world. They ask great questions and are
doing a lot of independent research on it. We are in an environment
where they get security awareness training a few times a year and are
constantly bombarded with security messages but some of them really are
getting into it. It gives them something new to learn and it is driving
them to go deeper into some development subjects that they normally
would not ever be allowed to look at due to delivery schedules. Security
is giving them a good excuse to go learn more.
--

Mike Lyman
[EMAIL PROTECTED]



[SC-L] Software Security Bibliography

2008-03-14 Thread Gary McGraw
Hi sc-l,

I have been having some out of band threads with a couple of people about what 
to read in software security.  I posted this once before to the list, but it's 
worth doing again...

In my book "Software Security" there is an extensive annotated bibliography 
published as Chapter 13.  The entire contents of that chapter are available for 
free on the book's website at this URL:
http://www.swsec.com/book/annotated-biblio-from-SS.pdf

Be forewarned, the bibliography is annotated with my opinions about the work 
cited and some may disagree with me.  That's what science is all about!  There 
are some new books that have been published since the bibliography was built.  
Finding those is left as an exercise to the reader.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] quick question - SXSW

2008-03-14 Thread John Steven
All,

I just got back from SD West where I spoke twice in the security track. My 
third year working this show I was shocked to find larger audiences, avid 
participation, and (what excited me the most) very clueful development types.

Awareness will continue to be a big part of "getting the word out there". But 
what Gunnar attempted to do with his track at QCon was excellent and we should 
learn from it. He 1) organized a set of talks that followed each other clearly, 
building on previous content and 2) focused on more intermediate or advanced 
content.

Too often, the security talks at conferences overlap. Even this year's SD West 
had two threat modeling talks and a secure design talk. I'm also sick of their 
patronizing structure and titles: "Top 10 Web Vulnerabilities". Smart 
developers interested in learning this stuff can avail themselves of strong web 
tutorials from a variety of sources at this point. Overlapping talks comprised 
mostly of top ten lists leave developers with the empty "So what do I do about 
it?" feeling.

At SD West, I positioned my two talks as "advanced". I laughed looking at the 
conference board. I personally accounted for about half of the advanced talks 
for the conference.  My "Static Analysis Tool Customization" talk generated 
great discussion. I was pleased. Almost every audience member worked for an 
organization that was piloting or had already adopted a tool. They had really 
used it, and crashed against a rock. Because experience varied (Coverity, 
Klocwork, Fortify, and Ounce experience all represented) we got to talk about 
more than just one tool. Comparison was very demonstrative. People took copious 
notes, stayed after, discussion continued.

Yes, we still need more awareness but people want more advanced talks. They're 
ready.

At SD Best, I'm working to modernize the curriculum. I'm working with the 
development track leads to make sure that things cohere. Rather than mixing 
old-school buffer overflow information, with web security, with some process 
help, with some tool demos, I'm going to try to organize instruction around 
some of the newer stuff that developers are beginning to play with and be 
excited about. We'll focus on web services and web 2.0. In my mind, teaching 
people to "think destructively" is important, but bringing it back around and 
showing what to do about vulnerabilities is hugely important at a dev. 
conference. Last year I pushed speakers in this track to give constructive 
advice. I'll do the same this year.

Whether we're speaking to security guys or developers, it's time to show people 
patterns and approaches that will help them solve the problems we've been 
talking about for years.

Sum: Modernize advice. Talk to people in the languages and frameworks that 
they're using now. Get practical and constructive. Teach people how to build it 
right. Move beyond awareness to intermediate and advanced topics. It's time to 
raise the bar.


John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F EEF4 62D5 F908

Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven

http://www.cigital.com
Software Confidence. Achieved.


From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Gunnar Peterson [EMAIL PROTECTED]

I agree this is a big issue, there is no cotton picking way that the
security people are solving these problems, it has to come from the
developers. I put together a track for QCon which included Brian Chess
on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on
ESAPI and Web 2.0 security. The presentations were great, the audience
was engaged and enthusiastic but small; it turns out that it is hard to
compete with the likes of Martin Fowler, Joshua Bloch, and Richard
Gabriel. Even when what they are talking about is some nth level
refinement and what we are talking about is all the gaping holes in the
previous a-m refinements and how to close some of them.

http://jaoo.dk/sanfrancisco/tracks/show_track.jsp?trackOID=73



Re: [SC-L] Software security definition(s)

2008-03-14 Thread Mike Lyman
Arian J. Evans wrote:
> What is "secure" software?
> It is one quality of an application that can be measured
> by the emergent behaviors of the software while trying to
> meet and enforce its use-case in a given run-time environment.
>   

Fairly new to the list so if I cover things discussed before or breach 
some list standards here feel free to jump all over me.

"What is secure software?" is a good discussion to help us set our sights on 
where we need to go. I want to keep it grounded in the reality of today 
though, just a bit.

I think one of the problems we have in the security industry is "secure" 
itself is a bad term. Somebody, somewhere can find a way to attack any 
computer as long as it exists. I've often told folks I'm beginning to 
work with that you could power off a computer, encase it in a block of 
cement, dump it in the ocean to try to secure the data in it, and 
Robert Ballard could probably locate it and retrieve it for anybody 
willing to pay for it, and meanwhile it hasn't been very useful to you. 
Even short of that drastic of a step, if users can use it, somebody can 
attack it. Features themselves are double edged swords; "del *.*" or 
"sudo rm *" can be useful commands or very dangerous ones. Even with 
draconian input validation, users could mess up the integrity of the 
data just by fat fingering input or selecting the wrong item in a pick 
list or a disk controller going bad could cause garbage. Somebody 
reading over a user's shoulder can compromise the confidentiality of the 
data or listening to them at lunch time. (Ever want to know what is 
going on at Microsoft just go to the opening day of any major science 
fiction movie at any theater in the Redmond area.) Flooded network pipes 
or cut cables can create DoS attacks. A user walking away from his desk 
without locking the computer opens up non-repudiation issues. "Secure" 
can be successfully attacked in too many ways and proven insecure.

I try to focus more on secure enough to do the job it needs to do in the 
environment it will operate in. That adds a lot of complexity that is 
difficult to deal with since it makes simple check lists less useful but 
it can also simplify things. I've had experiences where we removed 
security features because they were unnecessary for the application and 
its environment. Had a design team engineer Fort Knox that could have 
protected data for years when that data was going live on a public 
website in less than 24 hours. They were rather surprised to have 
security remove things that were way too costly for the nature of what 
they were doing.

Just started as the security reviewer/lead on a new project yesterday. 
Went into my standard introductions about how this is an ever changing 
world and what passes as good enough today may be wide open tomorrow and 
we just have to live with that fact. We don't have the time or budget to 
fully inject security into their development life cycle at this time or 
dive deep into their code but any improvement is still improvement. What 
we do now will make them better on the next version or the next project. 
(Have seen that happen in a big way with some of the teams we work 
with.) We may have a larger budget next time or get more mileage out of 
the same budget because of what they learn now. As is all too typical, 
our customers get us engaged after the project is already in progress so 
we can't inject security considerations from the beginning and help 
drive the design or the application or the specifications. We do what we 
can while in progress. It'll be better than it would have been without 
our efforts.

When we are done, will it be secure? No, we couldn't ultimately achieve 
that anyway but will it be secure enough for its intended use and 
environment is the better question. It should be, but even then I won't give a 
concrete answer. Based on what we know today it probably will be, but 
somewhere somebody may well be crafting that next attack that blows us 
out of the water.
-- 

Mike Lyman
[EMAIL PROTECTED]



Re: [SC-L] quick question - SXSW

2008-03-14 Thread Mike Lyman
Arian J. Evans wrote:
> Overall security is not a feature or a function that you can monetarize.
> It's not even cool or sexy. It's an emergent behavior that is only
> observed when it is making your software harder to use.
>   

Maybe it is just the US Department of Defense environment where I am 
currently working but I see developers start to see this as cool and 
sexy. Most are picking it up quickly and a few are even interested in 
diving in deep into the security world. They ask great questions and are 
doing a lot of independent research on it. We are in an environment 
where they get security awareness training a few times a year and are 
constantly bombarded with security messages but some of them really are 
getting into it. It gives them something new to learn and it is driving 
them to go deeper into some development subjects that they normally 
would not ever be allowed to look at due to delivery schedules. Security 
is giving them a good excuse to go learn more.
-- 

Mike Lyman
[EMAIL PROTECTED]



Re: [SC-L] Secure Development World ?

2008-03-14 Thread Robert A. Martin
Yes it is cancelled.


At 1:13 AM -0500 3/14/08, Gadi Evron wrote:
>I am trying to understand if this conference is cancelled or not?


[SC-L] Secure Development World ?

2008-03-14 Thread Gadi Evron
I am trying to understand if this conference is cancelled or not?