Re: [SC-L] Software security != security software
Hi Gem,

Microsoft still suffers from the lack of properly correcting flaws within their operating systems in a mannerly fashion. Myself, I feel until Microsoft proves to me that they can safeguard the system I would never allow them to secure my computer(s).

I have tested Vista, Windows Defender and other security programs MS has created, and while with Vista I applaud the lockdown of the kernel, I have found Defender to be lacking in security. Creating a program like this must protect against all malware and not what Microsoft decides is malware, i.e., some third party partner programs which garner information which would be considered spyware are not blocked by Defender. This is one illustration of guarding the henhouse. I could name a few more but that still would not deter the inevitable.

Regards,
George Greenarrow1
InNetInvestigations-Forensic

----- Original Message -----
From: Gary McGraw [EMAIL PROTECTED]
To: SC-L@securecoding.org
Sent: Monday, December 11, 2006 11:02 AM
Subject: [SC-L] Software security != security software

Hi all,

The fervor over Microsoft's entry into the security software business is confusing some people about their software security designs. Or maybe people who know better are trying to confuse the market??! Note word order.

I wrote about this in my latest darkreading column that you can find here:
http://www.darkreading.com/document.asp?doc_id=112402

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com

This electronic message transmission contains information that may be confidential or privileged. The information contained herein is intended solely for the recipient and use by any other party is not authorized. If you are not the intended recipient (or otherwise authorized to receive this message by the intended recipient), any disclosure, copying, distribution or use of the contents of the information is prohibited. If you have received this electronic message transmission in error, please contact the sender by reply email and delete all copies of this message. Cigital, Inc. accepts no responsibility for any loss or damage resulting directly or indirectly from the use of this email or its contents. Thank You.

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
[SC-L] Java Open Review Project
Hello all,

I'm pleased to announce that we've just launched the Java Open Review Project (http://opensource.fortifysoftware.com). We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to do the heavy lifting: FindBugs and Fortify SCA.

We can use plenty of human eyes to help sort through the results. We're also soliciting ideas for which projects we should be reviewing next. Please help!

Brian

___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
Re: [SC-L] Software security != security software
> The problem is that security software vendors including Symantec and McAfee have used the very same techniques for years in the name of good. Antivirus software and personal firewall software pulls all sorts of fancy kernel-interpositioning kung fu.

... and for every good, there is also a bad:
http://www.securiteam.com/windowsntfocus/6Z0032AH5U.html

> The reason we need security software like antivirus tools and personal firewalls is that OSes have traditionally suffered from all kinds of security problems (both bugs and flaws).

Hmmm, let's see, lately we've had these bugs
http://secunia.com/vendor/6/
and these
http://secunia.com/vendor/70/
and these
http://secunia.com/vendor/56/
and these ones
http://secunia.com/vendor/54/
and these
http://secunia.com/vendor/51/
and... well, you get the idea that it's not just OSes that have security flaws. Sometimes it's the very things we buy to make us secure that have their own issues.

> Microsoft may be too responsible to manipulate its security defect density intentionally in order to create demand for its security software, but the fact that this is even possible is a great worry. This is like allowing the fox to design and build the henhouse, not just guard it.

Microsoft rogue developer says in development meeting of Forefront products: "Say... I think I'm going to manipulate security defects just 'cause I want to drive more sales of Forefront products... yeah, that's the ticket..."

Okay, so with tinfoil in place... that's going to need a Security Defect Density Product Manager (Microsoft doesn't do anything without a PM or two, you know), at least an entire WagEd (Waggener Edstrom [however you spell that]) marketing division to do a 'spin' and marketing blitz on how Forefront needs to be the software of choice... numerous conference calls and committee meetings, not to mention User Interface testing... etc., etc...

You know, this reminds me of when my Dad would respond to the folks that said that the Government did [fill in the blank], such as kill Kennedy, pretend to go to the moon but really did not, and other assorted odds and ends.

1. From the outside it appears that they are not that well organized to pull something like this off (it took them 5 years to get Vista out the door)... do you honestly think that Microsoft can selectively code a security defect density without causing some other issue? That the Forefront team gets together with the Vista team at the watercooler and swaps and coordinates places to put defects in?

2. Do you honestly think there wouldn't be some honest whistleblower somewhere that wouldn't be on the Fox News Channel or Oprah in a heartbeat? Is this possible? When our own government put forth evidence of weapons of mass destruction and later it comes out there wasn't any... that showcases that people talk and the truth gets out. Maybe I just grew up too much in the era of Watergate and believe too strongly in the power of free speech... but it's a little hard for me to think that someone like MiniMicrosoft wouldn't be screaming their head off if someone in Microsoft even thought of such a thing. Someone would blog. Trust me on that one.

Quite frankly, I've been burned a few times with those antivirus companies that have guarded my henhouse and have flagged things as viruses they shouldn't, and have brought my network to its knees. So even when they were protecting me, I've lost confidence in them too.

Right now my biggest concern is that we still aren't caring enough about software security at all.

Susan... who's convinced that the bad guys have gotten over these petty turf wars a long time ago and are way more cooperating/coordinating than the good guys are.

Gary McGraw wrote:
> Hi all,
>
> The fervor over Microsoft's entry into the security software business is confusing some people about their software security designs. Or maybe people who know better are trying to confuse the market??! Note word order.
>
> I wrote about this in my latest darkreading column that you can find here:
> http://www.darkreading.com/document.asp?doc_id=112402
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> book www.swsec.com