Re: [SC-L] Mainframe Security
At 9:16 PM +0100 11/1/07, Johan Peeters wrote:

> I think this could do a great service to the community.
>
> Recently I was hired by a major financial institution as a lead
> developer. They said they needed me for some Java applications, but it
> turns out that the majority of code is in COBOL. As I have never
> before been anywhere near COBOL, this comes as a culture shock. I was
> surprised at the paucity of readily available information on COBOL
> vulnerabilities, yet my gut feeling is that there are plenty of
> security problems lurking there. Since so much of the financial
> services industry is powered by COBOL, I would have thought that
> someone would have done a thorough study of COBOL's security posture.
> I certainly have not found one. Anyone else?

Can anyone point to stories about Cobol exploits? I mean exploits that have to do with the nature of the language, not social engineering attacks that happened to take place against a Cobol shop.

My limited exposure to Cobol makes me think it is as unlikely to have a buffer overflow as PL/I or Ada.

-- Larry Kilgallen

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] Mainframe Security
On Nov 1, 2007, at 4:16 PM, Johan Peeters wrote:

> Since so much of the financial services industry is powered by COBOL, I would have thought that someone would have done a thorough study of COBOL's security posture. I certainly have not found one. Anyone else?

Just a couple random(ish) observations here...

1) I believe that COBOL is still behind the *vast* majority of financial transactions today. I don't know the %, but I'd bet it to be close to 100%.

2) It's been my experience that COBOL folks (read: "mainframe programmers") tend to frown on the Internet, the web, and such. However, in talking with them, it's often useful to say that they're likely to have to interface with "internet folks" via SOA and other mechanisms, so it's worth their while to understand the security problems that "those guys" face, such as XSS and SQL/XML injection (a handy tip I picked up from Andrew van der Stock -- thanks Andrew!).

So what's my point? It's this: I've often found the "mainframe crowd" to be reluctant to even talk about software security because there seems to be a pervasive attitude that it's not their problem. After all, the mainframe architectures they're familiar with have had secure, trustworthy networks and such for decades, right? Well, easing them into a discussion by simply pointing out that they should be aware of the issues that the "internet folks" have to deal with because they *need* to interface with them can help things along.

Lastly, I noticed that at least one static code analysis tool (Fortify) now supports COBOL. I'm not yet sure what things they scan for, and I'm *far* from COBOL literate myself, but I figure it's got to be good news re James's point.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Re: [SC-L] Mainframe Security
I think this could do a great service to the community.

Recently I was hired by a major financial institution as a lead developer. They said they needed me for some Java applications, but it turns out that the majority of code is in COBOL. As I have never before been anywhere near COBOL, this comes as a culture shock. I was surprised at the paucity of readily available information on COBOL vulnerabilities, yet my gut feeling is that there are plenty of security problems lurking there. Since so much of the financial services industry is powered by COBOL, I would have thought that someone would have done a thorough study of COBOL's security posture. I certainly have not found one. Anyone else?

kr,

Yo

On 11/1/07, McGovern, James F (HTSC, IT) <[EMAIL PROTECTED]> wrote:

> I was thinking that there is an opportunity for us otherwise lazy
> enterprisey types to do our part in order to promote secure coding in an
> open source way. Small vendors tend to be filled with lots of folks that
> know C, Java and .NET but may not have anyone who knows COBOL.
> Minimally, they probably won't have access to a mainframe or a large
> code base.
>
> Being an individual who is savage about being open and participating in
> a community, I would like to figure out what my particular call to action
> is. What questions should I be asking myself regarding our mainframe,
> how to exploit, etc so that I can make this type of knowledge open
> source such that all the static analysis tools can start to incorporate?
>
> *
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information. If you are not the intended
> recipient, any use, copying, disclosure, dissemination or distribution is
> strictly prohibited. If you are not the intended recipient, please notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> *

--
Johan Peeters
http://johanpeeters.com
[SC-L] Hugh Thompson show
hi sc-l,

Hugh Thompson (of "How to Break Software Security" fame) is the host of his own show on the AT&T Tech Channel. I went up to NY for an interview which was posted last night. I brought my son Jack and my fiddle along with me. Check out the result:

http://techchannel.att.com/site/home/index.cfm?key=7fb7b3944a89e2e9178bb2ce6d83e9d8

Question for the list. Do shows like this help the software security mission? Are cartoons and animated films about things like security attacks a good way to reach a larger audience? How about case study books about popular subjects like EOG? In order to scale software security to the size needed to make a dent in the problem we need to move from a cast of a few thousand to tens of thousands. Perhaps popular outreach is necessary.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] Orizon v0.50 announce
Hi there,

I'd like to announce, as delivery for the Owasp Spring of Code 2007 project, the 0.50 release of Orizon.

Orizon is a source code review engine, built with the aim to give developers something usable to build code review tools. Orizon is independent from the language used to write the sources because its APIs translate the code into an XML file, and APIs are provided to apply security checks over the translated XML file. By now just the Java programming language is supported in XML translation, but I'm planning to add C# support very soon.

Orizon is written in Java and is provided with a small default library containing 20 security checks.

Orizon is waiting for developers wanting to extend the engine and also people who want to provide further security checks to be added into the library.

It would be great having your feedback, your opinions, your bug reports in order to improve my project.

Links:
Orizon site: http://orizon.sourceforge.net
Milk site, a code review tool I'm writing and that uses Orizon: http://milk.sourceforge.net

Regards,
thesp0nge

--
Owasp Orizon leader
orizon.sourceforge.net
[SC-L] Mainframe Security
I was thinking that there is an opportunity for us otherwise lazy enterprisey types to do our part in order to promote secure coding in an open source way. Small vendors tend to be filled with lots of folks that know C, Java and .NET but may not have anyone who knows COBOL. Minimally, they probably won't have access to a mainframe or a large code base.

Being an individual who is savage about being open and participating in a community, I would like to figure out what my particular call to action is. What questions should I be asking myself regarding our mainframe, how to exploit, etc so that I can make this type of knowledge open source such that all the static analysis tools can start to incorporate?
Re: [SC-L] IT industry creates secure coding advocacy group
I publicly support Gunnar's assertion that folks in large enterprises need to get together as a collective to drive secure coding practices. If you know of others, please do not hesitate to have them connect to me via LinkedIn (I am bad with managing contact information) and I will most certainly take the lead...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson
Sent: Tuesday, October 23, 2007 3:08 PM
To: Kenneth van Wyk; Secure Mailing List
Subject: Re: [SC-L] IT industry creates secure coding advocacy group

Hi Ken,

I thought the driving force was your book, after all they named their initiative after it.

Anyhow, I'll reiterate here what I blogged:

It would be very interesting to see an equivalent initiative from the customer side (who are the lucky recipients who have to pay for all the security vulns created by the above). I know as a consultant there are many large companies struggling with similar secure coding issues exacerbated by outsourcing to some degree, and a lot could be gained by a shared effort. The analyst community like the vendors has more or less Fortune 500s out in the dark, so this may be an area where a half dozen or so motivated security architects and CISOs at Fortune 500s could band together to create a group to help drive change. None of the other big players (analysts, vendors, big consulting firms) seem to be doing it. Why not bootstrap a Fortune 500 Secure Coding Initiative to drive better products, services and share best practices in the software security space?

-gp

On 10/23/07 1:55 PM, "Kenneth Van Wyk" <[EMAIL PROTECTED]> wrote:

> Saw this story via Gunnar's blog (thanks!):
>
> http://www.gcn.com/online/vol1_no1/45286-1.html
>
> Any thoughts on new group, which is calling itself SAFEcode? Anyone
> here involved in its formation and care to share with us what's the
> driving force behind it?
>
> Cheers,
>
> Ken
>
> -
> Kenneth R. van Wyk
> SC-L Moderator
> KRvW Associates, LLC
> http://www.KRvW.com

--
Gunnar Peterson, Managing Principal, Arctec Group
http://www.arctecgroup.net
Blog: http://1raindrop.typepad.com