[SC-L] InternetNews Realtime IT News - New York Plans Application Security Program

2009-01-14 Thread Kenneth Van Wyk
Now here's an interesting development in the software security space. Seems that New York State is going to start requiring contracted application developers to conform with a minimum set of practices (as covered in the SANS Application Security Procurement Language,

[SC-L] Silver Bullet 34: Bill Brenner

2009-01-14 Thread Gary McGraw
hi sc-l, Ever wonder what it's like to cover security from a media perspective? Bill Brenner (once at TechTarget and now Sr Ed at CSOonline and CSO magazine) is my victim in the 34th Silver Bullet. http://www.cigital.com/silverbullet/show-034/ A bit less on software security this time, but

Re: [SC-L] Some Interesting Topics arising from the SANS/CWE Top 25

2009-01-14 Thread Florian Weimer
* Steven M. Christey: Yet smart people insist that it's still input validation, even when presented with the example I gave. So what's the perspective difference that's causing the disconnect? Some technologies are designed as if to discourage proper output encoding. Most

Re: [SC-L] Some Interesting Topics arising from the SANS/CWE Top 25

2009-01-14 Thread Steven M. Christey
On Tue, 13 Jan 2009, Greg Beeley wrote: Steve I agree with you on this one. Both input validation and output encoding are countermeasures to the same basic problem -- that some of the parts of your string of data may get treated as control structures instead of just as data. Note that I'm

Re: [SC-L] Some Interesting Topics arising from the SANS/CWE Top 25

2009-01-14 Thread Johan Peeters
What is a business rule? Something like If the customer has changed the shipment address from a previous order, we must re-request his or her credit card details? How would you implement *that* using input validation? The example I often use is 'equity can only be used as debt collateral,

Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-14 Thread Gary McGraw
Hi Chris, You certainly have a point. There are occasional stories on software security that are not disaster coverage or top tens, but not enough (sample from this set: http://www.cigital.com/~gem/press/). gem company www.cigital.com podcast www.cigital.com/silverbullet blog

Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-14 Thread Stephen de Vries
On Jan 14, 2009, at 8:45 PM, Steven M. Christey wrote: To all, I'll ask a more strategic question - assuming we're agreed that the Top 25 is a non-optimal means to an end, what can the software security community do better to raise awareness and see real-world change? From a Web

Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-14 Thread Gary McGraw
Brian Chess, Sammy Migues and I continue to pound out the software assurance maturity model. Expect more on that soon. Working with a large real-world data set has really been amazing. For those of you just getting wind of this, see: http://www.informit.com/articles/article.aspx?p=1271382