Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Crispin Cowan
mikeiscool wrote: On 7/17/06, Crispin Cowan [EMAIL PROTECTED] wrote: Goertzel Karen wrote: I've been struggling for a while to synthesise a definition of secure software that is short and sweet, yet accurate and comprehensive. My favorite is by Ivan Arce, CTO of Core Software, coming out

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Gary McGraw
I wrote a book with viega a few years ago called building secure software...it was not about that company (at all). Software security: building security in. gem P.s. I actually like ivan's quip as reported by crispy. -Original Message- From: Dave Aronson [mailto:[EMAIL PROTECTED]

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Holger.Peine
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Aronson If you really want to compress that to bumper-sticker size, how about Secure Software: Does what it's meant to. Period. This encompasses both can't be forced NOT to do what it's meant to do, and can't be

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread mikeiscool
On 7/17/06, Crispin Cowan [EMAIL PROTECTED] wrote: mikeiscool wrote: On 7/17/06, Crispin Cowan [EMAIL PROTECTED] wrote: Goertzel Karen wrote: I've been struggling for a while to synthesise a definition of secure software that is short and sweet, yet accurate and comprehensive. My

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Crispin Cowan
mikeiscool wrote: On 7/17/06, Crispin Cowan [EMAIL PROTECTED] wrote: supposed to goes to intent. I don't know. I think there is a difference between this does what it's supposed to do and this has no design faults. That's all I was trying to highlight. The difference between supposed to,

[SC-L] silver bullet: mjr

2006-07-17 Thread Gary McGraw
Hi all, The silver bullet episode featuring Marcus Ranum went live recently: http://www.cigital.com/silverbullet/ In the interview, we discuss software security progress briefly. BTW, I did an interview with the mysterious Dana Epp (silverstr) last week that is in the production pipeline.

[SC-L] bumper sticker slogan for secure software

2006-07-17 Thread SC-L Subscriber Dave Aronson
mikeiscool [mailto:[EMAIL PROTECTED] writes: The point remains though: trimming this down into a friendly little phrase is, IMCO, useless. One of the common problems in trying to persuade the masses of ANYTHING, be it the importance of secure software, the factual or moral correctness of

Re: [SC-L] (no subject)

2006-07-17 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] wrote: I wrote a book with viega a few years ago called building secure software... Yes, John gave us all copies. Didn't bother to get it autographed though. :-) it was not about that company (at all). It certainly was not about the horribly broken

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread mikeiscool
On 7/18/06, Goertzel Karen [EMAIL PROTECTED] wrote: Another possibility: Secure software can't be subverted. Again you are all missing that point that design faults are a major *major* problem. Cannot be subverted; well fine. But what if the main function of the app itself is wrong. It is not a

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread leichter_jerrold
Secure Software: Safe Ex ecution (No, I'm not serious.) -- Jerry ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Gadi Evron
On Mon, 17 Jul 2006, Peter G. Neumann wrote: Forget the bumper sticker approach. Hey Peter. :) Well, one should forget the bumper-sticker approach if all us boring dry guys keep trying to explain to people how math works. Instead, telling them: 1+1=? Didn't learn math, eh? Is bumper-sticker

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Peter G. Neumann
Gary, If you think security is a funny topic, try this one: http://haha.nu/funny/funny-math/

[SC-L] Resource limitation

2006-07-17 Thread leichter_jerrold
I was recently looking at some code to do regular expression matching, when it occurred to me that one can produce fairly small regular expressions that require huge amounts of space and time. There's nothing in the slightest bit illegal about such regexp's - it's just inherent in regular

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Pascal Meunier
I prefer to define the opposite: Insecure Software is like a joke, Except others laugh at you I like it because: -it captures the notion that vulnerabilities, just like jokes, are very often made apparent by thinking in a different context from the software's designers (the straight man). -It

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Glenn and Mary Everhart
Crispin Cowan wrote: mikeiscool wrote: On 7/17/06, Crispin Cowan [EMAIL PROTECTED] wrote: supposed to goes to intent. I don't know. I think there is a difference between this does what it's supposed to do and this has no design faults. That's all I was trying to highlight. The difference

Re: [SC-L] Resource limitation

2006-07-17 Thread Nash
On Mon, Jul 17, 2006 at 05:48:59PM -0400, [EMAIL PROTECTED] wrote: I was recently looking at some code to do regular expression matching, when it occurred to me that one can produce fairly small regular expressions that require huge amounts of space and time. There's nothing in the slightest