Re: [SC-L] Secure Coding Books

2008-03-12 Thread Bennett, Jason
Hi All, With all the questions about what are good books are there any views on actually implementing the principles i.e. using them on real programmes to drive security improvement. In particular the contrast between existing programmes and new programmes? Consider the environment before

Re: [SC-L] quick question - SXSW

2008-03-12 Thread William L. Anderson
Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not see many discussions that pay attention to security, or any other software engineering oriented concerns, explicitly. There was a discussion of scalability for web services that featured the developers from digg,

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Benjamin Tomhave
First, thanks for that Bill, it exemplifies my point perfectly. A couple thoughts... one, targeting designers is just as important as reaching out to the developers themselves... if the designers can ensure that security requirements are incorporated from the outset, then we receive an added

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Andy Steingruebl
On Tue, Mar 11, 2008 at 6:43 AM, Benjamin Tomhave [EMAIL PROTECTED] wrote: I had just a quick query for everyone out there, with an attached thought. How many security and/or secure coding professionals are prevalently involved with the SXSW conference this week? I know, I know... it's a big

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Kenneth Van Wyk
Ben, Your point is a good one -- the software security community needs to be vigilant in reaching out to developers and spreading the word. FWIW, some dev conferences have done this. I spoke at SD West in 2006, and there was a significant security track there. Still, it'd be great to

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Andy Steingruebl
On Wed, Mar 12, 2008 at 4:30 PM, Gary McGraw [EMAIL PROTECTED] wrote: Hey andy, You mean AJAX one? Last time I went there was zero interest and even less clue about security among attendees. The only shining light was a long conversation I had with bill joy about security critical

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Johan Peeters
I agree. Reaching the development community, that's precisely what we are trying to do at secappdev. Thanks for helping with that too, Ken. I have also taken some security-related sessions to conferences such as XP Days Benelux, XP Days France and SPA. Appearing soon at ACCU. I would love to hear

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Arian J. Evans
my responses inline On Wed, Mar 12, 2008 at 6:08 PM, Benjamin Tomhave [EMAIL PROTECTED] wrote: I think you misunderstood my points a little bit. SXSW was just a current conference example. As Gary's pointed out, there are many conferences. It's possible SXSW wasn't a good example, but it was

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Gunnar Peterson
I agree this is a big issue, there is no cotton picking way that the security people are solving these problems, it has to come from the developers. I put together a track for QCon which included Brian Chess on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on ESAPI and Web

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Arian J. Evans
So two thoughts Ben, purely my 0.02 USD: 1. This is largely the wrong crowd. Designers of small web2.0 stuffs, particularly the domain of widgets and WS interfaces for all the usual suspect platforms (flickr, facebook etc.) as well as most startups: They just don't care. They will never care.

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Gary McGraw
Hi again, I rebooted the security track completely at SD West in 2003 (thanks to tami who I cc'ed here). I'm on the advisory board. We're slowly inching our way toward SDL/touchpoints/CLASP stuffs at SD West, though when I tried to cover the touchpoints and enterprise security in 2006,