Goertzel, Karen [USA]goertzel_ka...@bah.com wrote:
If determination of functional correctness were extended from must
operate as specified under expected conditions to must operate as
specified under all conditions, functional correctness would necessarily
require security, safety, fault
Karen Goertzel wrote...
I'm more devious. I think what needs to happen is that we
need to redefine what we mean by functionally correct or
quality code. If determination of functional correctness
were extended from must operate as specified under expected
conditions to must operate as
Karen, Matt all,
Goertzel, Karen [USA] wrote:
I'm more devious. I think what needs to happen is that we need to redefine
what we mean by functionally correct or quality code. If determination of
functional correctness were extended from must operate as specified under
Here's an extract from the Information Assurance Technology Analysis Center
(part of DTIC) Software Security Assurance: A State of the Art Report
Courses on secure software development, secure programming, etc., typically
begin by introducing
Thank you for all of the input. Really. This information has been
Goertzel, Karen [USA] wrote:
Here's an extract from the Information Assurance Technology Analysis Center (part of
DTIC) Software Security Assurance: A State of the Art Report
A colleague and I have been looking at the problem a bit, in the context of
need for survivability in safety-critical systems. Below is an extract of the
paper Software Survivability: Where Safety and Security Converge authored by
Larry Feldman, Ph.D., and myself, and presented by our colleague
I spent a fair bit of time doing stuff relating to voting systems,
which all have embedded systems. (I am not one of the experts who
pulls them apart, lest anyone think I'm claiming credit for them.)
They are supposedly closed systems, but every time someone competent
has tried to attack them,
Thank you for all the info you guys have sent, it has been very
It is harder to steal the source (you need more electronical knowledge
and expensive debuggers and stuff) but it is possible... Do you guys
know some pages with security tips for embedded systems?
Neil Matatall wrote:
So where does secure coding belong in the curriculum?
Higher Ed? High School?
Undergrad? Grad? Extension?
Secure coding needs to be taught anytime programing is taught.
From my experience in my son's boy scout troop, I'm not sure I'd call it
out as security and confuse
We looked at the problem of voting system security specifically in the context
of insider threat for last year's IATAC State of the Art Report on the Insider
Threat to Information Systems - some of which involved rogue developers
engineering backdoors into such systems. Unfortunately the
I think we need to start indoctrinating kids in the womb. Start selling Baby
Schneier CDs alongside Baby Mozart. :)
Seriously, though, cyberspace is such an integral part of modern life, parents
need to inculcate online security into their toddlers the same way they teach
them to look both
Actually CJC, it's often even worse than that. In many cases, the customer or
consumer has an implicit requirement for security that remains unstated. Only
when the system fails and is successfully attacked does that requirement shift
from implicit to explicit. You mean it wasn't secure??
On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatallnmata...@uci.edu wrote:
Inspired by the What is the size of this list? discussion, I decided I
won't be a lurker :)
A question prompted by
and the OWASP podcast
I think we need to start indoctrinating kids in the womb. Start
selling Baby Schneier CDs alongside Baby Mozart. :)
I can recommend this book, it was given to me by a client.
Enigma: A Magical Mystery
Grade 3–6—Someone has stolen the props belonging to the residents of
a retirement home
Has anyone who holds to this taught a beginning level programming
class? Getting students to understand what a loop is can be hard
enough, given limited time. Diving into exploits and buffer overflows
can be much more difficult.
I am sure some things could be put into a basic class,
I completely agree, though how are we really going to reach this
point? We have been talking about this at least since I got into
development in the early 1980s. We are not anywhere closer, though we
have lots of neat tools that do lots of neat stuff. Unfortunately,
our programs are
While no customer is likely to say they don't care about software
working now that we are past Y2K, they don't think about it at all and
are unlikely to allow any schedule slippage to allow for making sure
that is true.
Customers only really care about the things they will pay for.
The 41st epsiode of Silver Bullet just went live. This episode features a
conversation with Fred Schneider, a computer sceince professor at Cornell and a
very important thought leader in security research. Fred was the author of the
seminal National Academies study Trust in
Mail list logo