On Thu, Jan 15, 2009 at 5:25 AM, Brian Chess br...@fortify.com wrote:
...
There's a lot to say about input validation. Jacob West and I wrote
devoted
a full chapter to it in Secure Programming with Static Analysis
(http://www.amazon.com/dp/0321424778), but we found that the material
refused
On Jan 15, 2009, at 3:26 AM, Gary McGraw wrote:
Brian Chess, Sammy Migues and I continue to pound out the software
assurance maturity model. Expect more on that soon. Working with
a large real-world data set has really been amazing.
For those of you just getting wind of this, see:
Guys,
I am new to the App Security area so Stupid Comments Alert firstly. Many
thanks for the insights that I get from the discussions on this board. I
have been doing design/development for nearly 25 years now and it is
interesting and frightening, how I hardly ever actively think (thought)
Welcome Shouvik,
I'll address your third point. I am ALL FOR teaching software security at the
university level (and have been actively working with universities for over a
decade). I just don't think it is realistic to try to push the problem off on
universities and hope that they will
We are still struggling on simple definitions. I frequently hear names like
lack of input filtering and CSRF referred to as vulnerabilities when in
reality one is an attack vector and the other an attack. You (correctly in
my opinion) refer to input validation and encoding as countermeasures.
Dr. Bishop,
I bow to you.
sc-l cohorts, don't forget that Matt was a Silver Bullet victim pretty
recently. Listen here:
http://www.cigital.com/silverbullet/show-031/
gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
On
I just wanted to chime in with my two cents on the top N list.
I have witnessed (and developed) secure programs that were built to defend
attacks identified in secure requirements (i.e. data validation and data
transformation). But the one vulnerability that keeps popping up is weak
As an academic who does teach this stuff whenever they let me in a
classroom ...
I'll address your third point. I am ALL FOR teaching software
security at the university level (and have been actively working
with universities for over a decade). I just don't think it is
realistic to
On Thu, Jan 15, 2009 at 12:35 AM, Stephen de Vries
step...@twisteddelight.org wrote:
Interesting articles, and they really whet the appetite for more of
your maturity model. Can we expect a public/open release?
Since you made mention of the maturity model, I'll toss in my
shameless plug for
Hi all,
I do want to clarify that these models are not the same thing.
gem
http://www.cigital.com/~gem
- Original Message -
From: sc-l-boun...@securecoding.org sc-l-boun...@securecoding.org
To: Stephen de Vries step...@twisteddelight.org
Cc: Secure Code Mailing List