Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Rob Floodeen
ACM SIGCSE will be pushing more information shortly on the K-12
program suggestions. I've heard it will include security.

-Rob

On Tue, Apr 13, 2010 at 9:27 PM, Jeremiah Heller
jerem...@inertialbit.net wrote:
 an interesting point. if it were not socially unacceptable to perform ethnic 
 cleansing it would still occur at the levels indicated in those examples. if 
 it were not for the civil rights movement and the eventually widespread 
 acceptance of the idea that discrimination based on superficial properties 
 was bad, there would still be slavery. socially, groups clashed (and some 
 still do) over their ideologies, which were used as a basis for logic and 
 perceived sound judgement. however the more we learn about the universe/world 
 around us the more we understand how little we know and that any judgement 
 can only be temporary, until more knowledge is gained.

 is it more ideologically sound to feed one's family or to obey a law which 
 would allow them to starve simply due to a lack of other economic stimuli? 
 i'm not speaking from any hard data, but i doubt that many third-world 
 countries have a high local market for security experts, web developers, 
 graphic designers, etc. so what is a poor-third-worlder with an old 
 hand-me-down PC and no job to do?

 do security professionals really want to wipe hacking activity from the 
 planet? sounds like poor job security to me.

 the drive for survival seems key. i think that when the survival of many is 
 perceived as threatened, then 'bad hacking' will be addressed on a scale 
 which will contain it to the point that slavery is contained today... after 
 all don't hackers simply 'enslave' other computers? j/k

 until then it seems that educating people on how these things /work/ is the 
 best strategy. eventually we will reach the point where firewalls and 
 trojan-hunting are as common as changing your oil and painting a house.

 first we should probably unravel the electron... and perhaps the biological 
 effects of all of these radio waves bouncing around our tiny globe... don't 
 get me wrong, i like my microwaves, they give me warm fuzzy feelings:)

 On Apr 13, 2010, at 3:14 PM, Carl Vincent wrote:

 social acceptance is a horrible way to enforce change anyway.

 Japanese internment camps, the Holocaust, the civil rights wars of the
 American 40's, 50's, and 60's, the American red scare, the gay
 bashing that goes on to this day.  All examples of large groups of
 people often doing things they don't agree with in order to behave
 according to socially acceptable tenets.

 ... Sounds like bad juju in my book -_-

 Paul Schmehl wrote:
 --On Monday, April 12, 2010 23:51:27 -0500 Matt Parsons
 mparsons1...@gmail.com wrote:

 I have published a blog post on how I think we could potentially stop
 hackers in the next generation.  Please let me know what you think of it
 or if it has been done before.


 Essentially your argument is that education can solve the problem of
 bad hacking.  While I certainly think education can help, I think
 there will always be an element of society that is irredeemably bad
 and cannot be gotten rid of (or corrected, if you will) through
 education.  Even societal shunning, which makes bad behavior so socially
 unacceptable that it must hide in the shadows, does not rid us of those
 who refuse to behave according to acceptable tenets.





 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
 ___




Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wieneke, David A.
 
Having a CISSP certification I know it is more than just passing the
test.  You are not certified as a CISSP until you have another CISSP
attest to your qualifications and you submit a detail resume of your
security experience by domain to (ISC)2 auditors.  If the auditors do
not feel your experience is sufficient you don't get the certification.


I cannot discuss the test or the testing strategy [(ISC)2 CISSP NDA] but
(ISC)2 makes it known that not all the questions on the exam have the
same point value and some questions have no point value at all.

Dave

David Wieneke, CISSP, GSEC, MIT
IT Security Engineer
Security Operations
CUNA Mutual Group
1.800.356.2644 Ext. 7753
dave.wien...@cunamutual.com
 
Common Purpose. Uncommon Commitment.
 All information contained in this message is privileged, confidential
and intended for the sole use of the individual(s) named above. If you
are not the intended recipient, you are advised that any dissemination,
distribution or copying of this communication is prohibited. If you are
not the addressee or the person responsible for delivering this to the
addressee, or have received this e-mail in error, please notify us
immediately by returning the original message to the sender by e-mail
and deleting the material from any computer, and destroying printed
correspondence. 

-Original Message-
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Wall, Kevin
Sent: Wednesday, April 14, 2010 10:25 AM
To: 'Gary McGraw'; Matt Parsons; Secure Code Mailing List
Subject: Re: [SC-L] any one a CSSLP is it worth it?


Gary McGraw wrote...

 Way back on May 9, 2007 I wrote my thoughts about
 certifications like these down.  The article, called
 "Certifiable", was published by darkreading:

 http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

I just reread your Dark Reading post and I must say I agree with it
almost 100%. The only part where I disagree with it is where you wrote:

        The multiple choice test itself is one of the problems. I
        have discussed the idea of using multiple choice to
        discriminate knowledgeable developers from clueless
        developers (like the SANS test does) with many professors
        of computer science. Not one of them thought it was possible.

I do think it is possible to separate the clueful from the clueless
using multiple choice if you cheat. Here's how you do it. You write
up your question and then list 4 or 5 INCORRECT answers and NO CORRECT
answers.

The clueless ones are the ones who just answer the question with one of
the possible choices. The clueful ones are the ones who come up and argue
with you that there is no correct answer listed. ;-)

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.comPhone: 614.215.4788
It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html

This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.



Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Paco Hope

On 14 Apr 2010, at 16:24, Wall, Kevin wrote:
 I just reread your Dark Reading post and I must say I agree with it
 almost 100%. The only part where I disagree with it is where you wrote:
 
The multiple choice test itself is one of the problems. I
have discussed the idea of using multiple choice to
discriminate knowledgeable developers from clueless
developers (like the SANS test does) with many professors
of computer science. Not one of them thought it was possible.

This is the part of the article I disagree with most, as well. Asking whether 
multiple choice exams can discriminate between clueful and clueless developers 
is a valid and important question to ask.  However, I believe few professors of 
computer science could discriminate between clueful and clueless developers if 
"developer" and "clue" have industry-relevant definitions.  What passes for 
"development" in an academic sense and what is required for "clue" in an 
academic sense are usually defined on very different axes than the axes used in 
industry.

So, I think asking college professors whether standardised tests are valid in 
this respect is posing the important question to the wrong people. There are 
notorious disconnects between what academics and industry value. Perhaps if you 
asked the folks who hire, promote, and evaluate developers, they could give a 
better opinion as to whether clue and standardised test performance correlate. 
Even then, I'd prefer to see something somewhat objective, like months between 
promotions versus certifications held, as opposed to calling a bunch of CIOs or 
VPs of Engineering and asking how well they think tests work.

Having said this, I am a CSSLP and I have helped write a ton of questions for 
the exam. I can tell you we struggle long and hard to write meaningful 
questions that actually discriminate a practitioner who has experience from a 
random, unqualified candidate. We follow well-established psychometric 
principles when designing the questions. The whole test creation/maintenance 
process is ANSI-approved and audited. Careful statistics are kept on the 
pass/fail rates on individual questions to discard questions that do not 
discriminate well. Over time, the question bank is maintained to remove 
questions that don't test well and to write new questions that represent 
changes in the landscape. Some of you will undoubtedly dismiss this, saying 
"garbage in, garbage out", regardless of how pristine the pipes are. I believe 
that's too simplistic a view.

Paco


Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Wall, Kevin
Jeremiah Heller writes...

 do security professionals really want to wipe hacking
 activity from the planet? sounds like poor job security to me.

Even though I've been involved in software security for the
past dozen years or so, I still think this is a laudable goal,
albeit a completely unrealistic one. I for one, would be completely
happy to go back to software development / systems programming if
all the security issues completely disappeared. But unfortunately,
I don't think we ever have to worry about this happening.

 the drive for survival seems key. i think that when the
 survival of many is perceived as threatened, then 'bad
 hacking' will be addressed on a scale which will contain it
 to the point that slavery is contained today... after all
 don't hackers simply 'enslave' other computers? j/k

And of course, that is a good thing. After all, once the
first sentient AI takes control of all the world's computers
to subjugate all humanity, we have to have a way to fight back.
Evil h40rs to the rescue! ;-)

 until then it seems that educating people on how these things
 /work/ is the best strategy. eventually we will reach the
 point where firewalls and trojan-hunting are as common as
 changing your oil and painting a house.

I agree. Even though one risks ending up with smarter criminals,
by and large if one addresses the poverty issues most people
ultimately seem to make the right decisions in the best interests
of society. I think for many, once their curiosity is satisfied
and the novelty wears off they put these skills to good use. At
least it seems to me a risk worth taking.

 first we should probably unravel the electron... and perhaps
 the biological effects of all of these radio waves bouncing
 around our tiny globe... don't get me wrong, i like my
 microwaves, they give me warm fuzzy feelings:)

Jeremiah, you do know that you're not supposed to stick your *head*
in the microwave, don't you? No wonder you're getting the warm
fuzzies. :)

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.comPhone: 614.215.4788


Re: [SC-L] [WEB SECURITY] Re: [owaspdallas] Re: [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Arian J. Evans
You are absolutely right Paul. The problems with ignorance and
abstinence-based approaches to child education extend out well beyond
the Bible Belt, and can be found all over the US. I should have cast a
wider net. Also, great job at ruining a good laugh.

http://aspe.hhs.gov/hsp/abstinence07/
http://www.washingtonpost.com/wp-dyn/content/article/2009/03/18/AR2009031801597.html?hpid=topnewssub=AR
http://www.salon.com/life/broadsheet/feature/2009/03/19/teen_birthrate/index.html
http://dir.salon.com/topics/sex_education/

The point here is that while education is valuable -- *comprehensive*
education is even more valuable.

This is a loaded subject and people with belief-system drivers can get
quite passionate about it. I'm not interested in a passionate
discussion about this subject.

I think the thread will turn into the tarpit of insanity if it goes
further so I suggest we be done,

---
Arian Evans



On Wed, Apr 14, 2010 at 10:29 AM, Paul Schmehl pschmehl_li...@tx.rr.com wrote:
 --On Tuesday, April 13, 2010 15:21:26 -0700 Arian J. Evans
 arian.ev...@anachronic.com wrote:

 Keyboard Cowboy,

 Education is always a good thing. I think kids should have the opportunity
 to learn both sides of software security. Great suggestion.

 Kids, by nature, are drawn to things that are taboo and demonized. Which
 hacking no doubt falls into, and according to Daniel, also Angelina Jolie.

 We can find great analogies to the hacker kids problem in recent studies
 done on teenage behaviors:

 The Bible Belt, particularly evangelicals in the south, have the highest
 rates of teen sex and pregnancy in the US. Telling kids to abstain clearly
 doesn't work as well as teaching them how things work, and in particular
 careful education surrounding the use of safety devices. To the exact point
 you made in your blog.

 This is totally off topic, but I simply cannot let this slide.  People like
 to throw out canards like this as if they are facts, and seldom are they
 ever questioned.

 First of all, your assertion isn't borne out by the data.  Secondly, you've
 not cited a single study to back up your assertion, in particular the claim
 that the lack of sex education (which you assume occurs due to religious
 objections) is responsible for the claimed, but not factual, higher
 pregnancy rates.

 According to a study done by the Guttmacher Institute in 2000 [1] (The
 Guttmacher Institution is a pro-choice group that advocates for sex
 education), here are the state rankings by rate of pregnancy (first column)
 together with each state's rank by rate of abortion (last column):

  Pregnancy rank   State             Abortion rank
   1)              Nevada                  4
   2)              Arizona                19
   3)              Mississippi            28
   4)              New Mexico             18
   5)              Texas                  26
   6)              Florida                 7
   7)              California              5
   8)              Georgia                22
   9)              North Carolina         17
  10)              Arkansas               41
  11)              Delaware                8
  12)              Hawaii                  6

 Of the top twelve states, only half are what could be considered Bible Belt
 states, so I think you have to look elsewhere for your explanation of teen
 pregnancy rates.  OTOH, it's pretty clear the Bible Belt states are
 significantly less likely to abort a teen pregnancy, which may or may not be
 an indicator of religious influence.  (I'm not prepared to say it is without
 data to support it.)

 About.com also has statistics about teen birth rates [2], and their
 statistics don't bear out your assertion either.  Their stats are based on
 the 2006 Guttmacher Institute report, and the rankings have changed very
 little.

 States ranked by rates of pregnancy among women age 15-19 (pregnancies per
 thousand):

  1. Nevada (113)
  2. Arizona (104)
  3. Mississippi (103)
  4. New Mexico (103)
  5. Texas (101)
  6. Florida (97)
  7. California (96)
  8. Georgia (95)
  9. North Carolina (95)
  10. Arkansas (93)

 States ranked by rates of live births among women age 15-19 (births per
 thousand):

  1. Mississippi (71)
  2. Texas (69)
  3. Arizona (67)
  4. Arkansas (66)
  5. New Mexico (66)
  6. Georgia (63)
  7. Louisiana (62)
  8. Nevada (61)
  9. Alabama (61)
  10. Oklahoma (60)

 Again, the so-called Bible Belt doesn't demonstrate a propensity to get
 pregnant at any higher rates than other parts of the country but clearly
 bears those children to term at a higher rate than other areas.

 Furthermore, the most recent statistics from the government [3], while they
 do show a change in the rankings, still do not bear out your assertion that
 the Bible Belt, particularly evangelicals in the south, have the highest
 teen pregnancy rates.  As I've shown birth rates do not equal pregnancy
 rates.  You have to factor in abortions as well.

 You may well have been misled by MSNBC [4] (but then who hasn't been misled
 by MSNBC), because they recently reported a study that found a correlation
 between the Bible Belt and birth rates, but that study doesn't address
 pregnancy or abortion, so it's misleading.  The study also appears to 

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Dana Epp
Not sure that would work either though.

Many secdev people are introverts. In their shell, they won't debate
the validity of a position, including a wrong answer. Zone that into a
response in the exam. It's one thing to say there is no correct
answer, but the way the questions are set at ISC2, it's "what is the
BEST answer out of this list". By the end of the 6 hours your eyes are
glossed over as you actually had to think. But it's still better than
the 1-2 hr absolute answer exams from many orgs.

I think where Gary nailed it on the head is you have to be a good
developer BEFORE you can be good at secdev. Poorly written code can
not be trusted. It cannot be safe. The rest is moot.

I have never been one to trust a piece of paper. Education comes from
doing. Book knowledge cannot be the only weapon in a secdev's
experience portfolio. He needs war wounds. Real scars of experience.
He needs to learn from his own experience and apply that as the field
matures and grows. I see far too many people who think because they
opened Ken Van Wyk's, Michael Howard's or Gary McGraw's books that
they now get secdev. Without actually applying that knowledge
transfer. Review their code, and it's far from absolute. Especially in
failure code paths. Don't get me wrong... it's essential reading. But
it's not enough. Doing is.

In the immortal words of Yoda... "Do or do not. There is no try."

I wonder if a bigger problem is that corps are relying on these
certifications to weed out the bad apples? Does NOT having CSSLP mean
the candidate sucks at secdev? Or the reverse, can anyone who passed
the CSSLP be trusted to get it right all the time? Absolute security
is a fallacy. As is perfect code. With enough money and motive,
anything can be breached. A piece of paper won't stop that. Nor that
crappy piece of code that I didn't properly threat model 15 years ago
that is still in use today.

-- 
Regards,
Dana Epp
Microsoft Security MVP

On Wed, Apr 14, 2010 at 8:24 AM, Wall, Kevin kevin.w...@qwest.com wrote:

 Gary McGraw wrote...

 Way back on May 9, 2007 I wrote my thoughts about
 certifications like these down.  The article, called
 Certifiable was published by darkreading:

 http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630

 I just reread your Dark Reading post and I must say I agree with it
 almost 100%. The only part where I disagree with it is where you wrote:

        The multiple choice test itself is one of the problems. I
        have discussed the idea of using multiple choice to
        discriminate knowledgeable developers from clueless
        developers (like the SANS test does) with many professors
        of computer science. Not one of them thought it was possible.

 I do think it is possible to separate the clueful from the clueless
 using multiple choice if you cheat. Here's how you do it. You write
 up your question and then list 4 or 5 INCORRECT answers and NO CORRECT
 answers.

 The clueless ones are the ones who just answer the question with one of
 the possible choices. The clueful ones are the ones who come up and argue
 with you that there is no correct answer listed. ;-)

 -kevin

Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Jeremiah Heller
On Apr 14, 2010, at 11:19 AM, Wall, Kevin wrote:

 Jeremiah Heller writes...
 
 do security professionals really want to wipe hacking
 activity from the planet? sounds like poor job security to me.
 
 Even though I've been involved in software security for the
 past dozen years or so, I still think this is a laudable goal,
 albeit a completely unrealistic one. I for one, would be completely
 happy to go back to software development / systems programming if
 all the security issues completely disappeared. But unfortunately,
 I don't think we ever have to worry about this happening.

Indeed, I'm in the happy position of developing with an eye on security. 
Without the excellent work done by the 'good hackers' (and 'bad' alike, come to 
that) I have no doubt my job would be much more difficult. My comment was more 
playful than thoughtful but it is an interesting paradox... for any job. 
Luckily there's a lot left to learn!

 the drive for survival seems key. i think that when the
 survival of many is perceived as threatened, then 'bad
 hacking' will be addressed on a scale which will contain it
 to the point that slavery is contained today... after all
 don't hackers simply 'enslave' other computers? j/k
 
 And of course, that is a good thing. After all, once the
 first sentient AI takes control of all the world's computers
 to subjugate all humanity, we have to have a way to fight back.
 Evil h40rs to the rescue! ;-)

Hmmm, maybe I should switch fields...

 until then it seems that educating people on how these things
 /work/ is the best strategy. eventually we will reach the
 point where firewalls and trojan-hunting are as common as
 changing your oil and painting a house.
 
 I agree. Even though one risks ending up with smarter criminals,
 by and large if one addresses the poverty issues most people
 ultimately seem to make the right decisions in the best interests
 of society. I think for many, once their curiosity is satisfied
 and the novelty wears off they put these skills to good use. At
 least it seems to me a risk worth taking.

I agree that the risk of educating all is one worth taking. I like to think 
that objective education (if possible) would drive people over time to work 
toward ends that benefit society as a whole. At the same time it seems that 
this would ultimately require people to come from similar 
backgrounds/experiences or to at least draw similar conclusions from those, 
however varied. Perhaps a good thing but then could any thinking 'outside the 
box' really occur?

 first we should probably unravel the electron... and perhaps
 the biological effects of all of these radio waves bouncing
 around our tiny globe... don't get me wrong, i like my
 microwaves, they give me warm fuzzy feelings:)
 
 Jeremiah, you do know that you're not supposed to stick your *head*
 in the microwave, don't you? No wonder you're getting the warm
 fuzzies. :)

Ahh! That explains it! I suppose I should stop drooling over that warming cup 
of coffee:)

What I find interesting (as a commentary about human behavior) is that the 
microwave was inspired by early work on radar and yet we took this idea and 
applied it to all sorts of technologies and currently blanket the earth with a 
wide-spectrum of waves of which we barely understand the broader implications 
of; furthermore very little research (to my knowledge) has been done to explore 
any side-effects. Is it simply too profitable/beneficial an enterprise to 
consider the risks? It took over 100 years to consider that burning 
fossil-fuels might have some negative impacts, both to our immediate health and 
environment.

My dad related an interesting story to me recently about my grandfather who, 
while working at Boeing on a radar project, met a couple of radar techs who 
would keep their coffee warm by balancing it on the radar console between them. 
They also experienced what eventually became severe knee pain but each only in 
one knee and as they always sat in the same spot, it was in the knee next to 
the console. I'm not sure what the final diagnosis was but initially it was 
believed they were simply cooking their joints!

Something to consider as we sit typing/reading and bathe in our lovely wifi & 
cell networks (not to mention digital tv, which always seems to go on the fritz 
when I've got my head... er, coffee in the microwave:)

From http://www.gallawa.com/microtech/history.html
==
Like many of today's great inventions, the microwave oven was a by-product of 
another technology. It was during a radar-related research project around 1946 
that Dr. Percy Spencer, a self-taught engineer with the Raytheon Corporation, 
noticed  something very unusual.
...
==

Sorry to get off-topic like this, but at the same time general considerations 
about humanities' approach to risk management may have implications useful in 
the security field, who knows. Thanks for the fun discussion!

- jeremiah

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wall, Kevin
Dana Epp wrote:
 Not sure that would work either though.

Dana,

My comment was meant tongue-in-cheek. Guess I used the wrong
emoticon. Figured that ';-)' would work 'cuz I never can remember
the one for tongue-in-cheek. I've seen several variations of the
latter...

:-? :-Q :-J -)

Take your pick. Good in depth analysis though. Seriously. And I
agree with you completely.

In my experience as an adjunct faculty member teaching a master's
level Computer Security course (based in part on the McGraw/Viega book
as well as Ross Anderson's _Security Engineering_) for 6 yrs, I came to the
conclusion that multiple guess (as I call them) alone only proves
how well someone memorizes something, at best, or how clueless people
are (if they get incorrect answers) at worst. I would argue that for
most of academia it is unsuited for discerning cluefulness in the
real world. Over the course of 30+ yrs in IT (yes, I am an old fart!),
I've seen all too many people that excelled in academia but were miserable
disappointments in industry.  In fact, to that end, quality guru Deming
is rumored to have said about (then) AT&T Bell Labs:
"Bell Labs only hires the top 10% of graduates... and they
deserve what they get!"

There is no substitute for real experience.

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.comPhone: 614.215.4788


[SC-L] any one a CSSLP is it worth it?

2010-04-13 Thread Matt Parsons
I am a CISSP with programming experience, static code analysis and web
penetration testing.   I am thinking about taking the CSSLP.   I just bought
the review book.   Is it worth getting this certification?   Is it going to
raise my rates and help me get more contracts?   Is the GIAC better or
should I pursue both or neither?   I wrote about the first concept of the
CSSLP on my blog.   Any feedback would be greatly appreciated.   

http://parsonsisconsulting.blogspot.com/

Thanks,
Matt

Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office 

Do Good and Fear No Man  

Fort Worth, Texas

A.K.A The Keyboard Cowboy

mailto:mparsons1...@gmail.com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting

http://parsonsisconsulting.blogspot.com/

http://www.vimeo.com/8939668

 



Re: [SC-L] has any one completed a python security code review`

2010-04-09 Thread Peter G. Neumann
And don't forget the entire run-time environment in which the python code runs.


Re: [SC-L] has any one completed a python security code review`

2010-04-07 Thread Pascal Meunier
On Mon, 5 Apr 2010 11:08:47 -0500
Matt Parsons mparsons1...@gmail.com wrote:

 Has anyone completed a python security code review?  What would you
 look for besides inputs, outputs and dangerous functions?   Do any of
 the commercial static code analysis vendors scan that code?  I would
 think not because python is not compiled at run time like the other
 languages that static analysis tools can scan.  Any help would be
 greatly appreciated.   
 

I have, on software needing to run with elevated privileges at times.
All the well-known issues with filesystem operations are still there
(symlink attacks, file permissions).  As with any program, a Python
program operating with elevated privileges in a shared folder (/tmp) or
folder under another user's control is a dangerous proposition.  There
can be bugs that in some circumstances can become resource exhaustion
vulnerabilities, for example a file descriptor leak if you use the low
level file operations (in os).  There can also be log pollution issues
and poor randomness issues (sometimes not in the Python code itself,
but in SQL). On a server-type system, multiple similar commands can
create concurrency issues (race conditions), and the absence of rate
limitation on expensive operations can create DoS vulnerabilities. All
these were found the old fashioned way, with a code audit.

Pascal Meunier
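An added example, not Pascal's code or any project's, of the first two problems in his reply: the symlink attack on a predictable file name in a shared directory, and the descriptor leak when the low-level file operations are used without a with-block. The scenario is constructed: a helper that sometimes runs with elevated privileges writes a report into a directory other users can also write to. REPORT_NAME, the two writer functions and the "victim.conf" target are all illustrative.

```python
import os
import stat
import tempfile

# Constructed scenario (not from any real project): a helper that sometimes
# runs with elevated privileges writes a report into a directory that other
# users can also write to, the /tmp situation described above. The name
# REPORT_NAME and both writer functions are illustrative.
REPORT_NAME = "report.txt"


def write_report_unsafe(directory, data):
    """Vulnerable pattern.

    The file name is predictable, open() follows a symlink that someone
    else planted at that name, the permission bits come from the umask, and
    if write() raises, the descriptor is never closed (a leak under
    repeated failures).
    """
    path = os.path.join(directory, REPORT_NAME)
    f = open(path, "w")          # follows a planted symlink to any file
    f.write(data)
    f.close()
    return path


def write_report_safe(directory, data):
    """Hardened pattern.

    O_CREAT|O_EXCL makes open fail if anything already exists at the path,
    including a symlink, and O_NOFOLLOW refuses to traverse one; mode 0o600
    does not depend on the umask; os.fdopen() wraps the descriptor so the
    with-block closes it even if write() raises.
    """
    path = os.path.join(directory, REPORT_NAME)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:   # closing f closes fd: no descriptor leak
        f.write(data)
    return path


def plant_symlink_and_run(writer):
    """Simulate the attacker's move in a throwaway directory.

    A symlink is planted at the predictable name, pointing at a file the
    attacker must not be able to change, then the writer runs.
    Returns (victim contents afterwards, name of the exception raised or None).
    """
    with tempfile.TemporaryDirectory() as shared:
        victim = os.path.join(shared, "victim.conf")   # constructed target
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, os.path.join(shared, REPORT_NAME))
        error = None
        try:
            writer(shared, "attacker-chosen content\n")
        except OSError as exc:
            error = type(exc).__name__
        with open(victim) as f:
            return f.read(), error


def created_mode(writer):
    """Permission bits of the report when no attacker interferes."""
    with tempfile.TemporaryDirectory() as clean:
        path = writer(clean, "report body\n")
        return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    print("unsafe:", plant_symlink_and_run(write_report_unsafe))
    print("safe:  ", plant_symlink_and_run(write_report_safe))
    print("safe mode: %o" % created_mode(write_report_safe))
```

The unsafe writer silently overwrites victim.conf through the symlink; the safe one fails with FileExistsError before touching it, and the file it does create in an empty directory is 0600 regardless of umask. The same O_EXCL check is what makes the race he mentions harmless here: two concurrent runs cannot both "win" the create.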


Re: [SC-L] has any one completed a python security code review`

2010-04-06 Thread Paul Powenski
Matt, I have not seen any materials referencing Python, nor does Fortify, I
believe, perform scans on it. But looking at the Python package on my Windows
box, it looks like the Python compiler has C as its interface to the system.
Obtaining the C code then running a scan against it should at least provide
some insight into possible Python issues.

Regards,
Paul

--- On Mon, 4/5/10, Matt Parsons mparsons1...@gmail.com wrote:
From: Matt Parsons mparsons1...@gmail.com
Subject: [SC-L] has any one completed a python security code review`
To: SC-L@securecoding.org
Date: Monday, April 5, 2010, 5:08 PM

Has anyone completed a python security code review? What
would you look for besides inputs, outputs and dangerous functions? Do any of
the commercial static code analysis vendors scan that code? I would think not because
python is not compiled at run time like the other languages that static
analysis tools can scan. Any help would be greatly appreciated.  

  



Re: [SC-L] has any one completed a python security code review`

2010-04-06 Thread James Walden
On Mon, Apr 5, 2010 at 12:08 PM, Matt Parsons mparsons1...@gmail.com
wrote:
 Has anyone completed a python security code review?  What would
 you look for besides inputs, outputs and dangerous functions?
 Do any of the commercial static code analysis vendors scan that
 code?  I would think not because python is not compiled at run
 time like the other languages that static analysis tools can
 scan.  Any help would be greatly appreciated.

Static analysis tools can and do scan dynamic languages like
python, PHP, and Javascript.  Fortify 360 v2.5 can scan Python.
There are also free tools for Python, like pylint, pychecker, and
pyflakes, but none of them is primarily focused on security.
OWASP's Python ESAPI is a good starting point to learn about
potential security flaws in Python.

James Walden


[SC-L] code review engagement scoping

2010-04-06 Thread kartik trivedi

How do people in this group scope code review engagements? What are some of the 
tools one uses to count the number of lines of code, supporting libraries, 
comments, etc. Is there an umbrella list of issues one generally looks for in 
code reviews? We are talking about open source products written in C/C++.
Any help is appreciated.
Thanks


Re: [SC-L] has any one completed a python security code review`

2010-04-06 Thread Peter G. Neumann
You should look at Ka-Ping Yee's PhD thesis:  http://pvote.org
and the Pvote Software Review Assurance Document, Apr 3 2007.
Google finds it quickly.


Re: [SC-L] working on java security help from experts

2010-04-05 Thread Chris Schmidt
Also be sure to check on http://www.owasp.org as there is a *ton* of great
information on the site.

Here are some good starting points:

http://www.owasp.org/index.php/Category:OWASP_Java_Project
http://www.owasp.org/index.php/Category:Java

And also some good information on doing code review in general:

http://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents


On Thu, Apr 1, 2010 at 2:29 PM, Romain Gaucher rgauc...@cigital.com wrote:

 CERT also has many rules for Java (good and bad examples) as part of
 their secure coding practices.
 You can find that here:

 https://www.securecoding.cert.org/confluence/display/java/The+CERT+Sun+Microsystems+Secure+Coding+Standard+for+Java

 Romain
  - Security consultant, Cigital

 
 From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On
 Behalf Of Martin, Robert A. [ramar...@mitre.org]
 Sent: Thursday, April 01, 2010 2:49 PM
 To: Matt Parsons
 Cc: SC-L@securecoding.org
 Subject: Re: [SC-L] working on java security help from experts

 The Common Weakness Enumeration (CWE) has a view of issues that can
 occur in Java applications.

 See: http://cwe.mitre.org/data/slices/660.html for a listing of all the
 details or: http://cwe.mitre.org/data/lists/660.html for a list of the
 items where the names are hyper-links to the content about them.

 The entries include description, code examples, real world CVE examples
 of the issue in many cases, references and in most cases pointers to the
 attack patterns effective against the issue.

 Bob

 Matt Parsons wrote:
  I am trying to become an expert in source code review in java application
 security.  Are there any experts on this list that are willing to share some
 of their knowledge?   I am reading Java Security by Scott Oaks and I am
 rereading all of the Sun Docs on java security.  Any help would be greatly
 appreciated.
 



-- 
Chris Schmidt

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/

Yet Another Developers Blog
http://yet-another-dev.blogspot.com

Bio and Resume
http://www.digital-ritual.net/resume.html


[SC-L] has any one completed a python security code review`

2010-04-05 Thread Matt Parsons
Has anyone completed a python security code review?  What would you look for
besides inputs, outputs and dangerous functions?   Do any of the commercial
static code analysis vendors scan that code?  I would think not because
python is not compiled at run time like the other languages that static
analysis tools can scan.  Any help would be greatly appreciated.

Thanks,
Matt


Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office 

Do Good and Fear No Man  

Fort Worth, Texas

A.K.A The Keyboard Cowboy

mailto:mparsons1...@gmail.com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting

http://parsonsisconsulting.blogspot.com/

http://www.vimeo.com/8939668

 



[SC-L] working on java security help from experts

2010-04-01 Thread Matt Parsons
I am trying to become an expert in source code review in java application
security.  Are there any experts on this list that are willing to share some
of their knowledge?   I am reading Java Security by Scott Oaks and I am
rereading all of the Sun Docs on java security.  Any help would be greatly
appreciated.

Thanks,
Matt


Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office 

Do Good and Fear No Man  

Fort Worth, Texas

A.K.A The Keyboard Cowboy

mailto:mparsons1...@gmail.com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting

http://parsonsisconsulting.blogspot.com/

http://www.vimeo.com/8939668

 



Re: [SC-L] working on java security help from experts

2010-04-01 Thread Erno JEGES


Dear Matt,

If you want to get familiar with common Java specific security errors 
enlisted by different vulnerability categories, the Fortify taxonomy might 
give you a comprehensive overview:


http://www.fortify.com/vulncat/en/vulncat/index.html

Open Java/JSP in the tree on the left, and enjoy! :)

Best regards,
Erno

  Erno JEGES
  SEARCH-LAB Ltd
  www.search-lab.hu
  PHONE/FAX: +36 1 2053098
  MOB: +36 20 4200075
  SKYPE: jegeserno




On Wed, 31 Mar 2010, Matt Parsons wrote:


I am trying to become an expert in source code review in java application
security.  Are there any experts on this list that are willing to share some
of their knowledge?   I am reading Java Security by Scott Oaks and I am
rereading all of the Sun Docs on java security.  Any help would be greatly
appreciated.





Re: [SC-L] working on java security help from experts

2010-04-01 Thread Mike Ware
I wrote a thesis on Java SE security. In addition to covering secure coding
practices, I also created a number of test cases and subjected them to a
suite of static analysis tools.

A ton has been said over the years. I tried to organize it all into a
taxonomy rooted in design principles. You might find my bibliography useful:

http://mikeware.us/thesis/

Mike

On Wed, Mar 31, 2010 at 11:09 PM, Matt Parsons mparsons1...@gmail.com wrote:

  I am trying to become an expert in source code review in java application
 security.  Are there any experts on this list that are willing to share some
 of their knowledge?   I am reading Java Security by Scott Oaks and I am
 rereading all of the Sun Docs on java security.  Any help would be greatly
 appreciated.





Re: [SC-L] working on java security help from experts

2010-04-01 Thread Martin, Robert A.
The Common Weakness Enumeration (CWE) has a view of issues that can 
occur in Java applications.


See: http://cwe.mitre.org/data/slices/660.html for a listing of all the 
details or: http://cwe.mitre.org/data/lists/660.html for a list of the 
items where the names are hyper-links to the content about them.


The entries include description, code examples, real world CVE examples 
of the issue in many cases, references and in most cases pointers to the 
attack patterns effective against the issue.


Bob

Matt Parsons wrote:

I am trying to become an expert in source code review in java application 
security.  Are there any experts on this list that are willing to share some of 
their knowledge?   I am reading Java Security by Scott Oaks and I am rereading 
all of the Sun Docs on java security.  Any help would be greatly appreciated.



[SC-L] OWASP ESAPI 2.0 rc6 released!

2010-03-30 Thread Jim Manico

ESAPI 2.0 rc6 is now live!

You can download the complete zip file here:

http://owasp-esapi-java.googlecode.com/files/ESAPI-2.0-rc6.zip 
http://owasp-esapi-java.googlecode.com/files/ESAPI-1.4.3.zip


Online project documentation can be found here:

http://owasp-esapi-java.googlecode.com/svn/trunk_doc/2.0-rc6/site/project-reports.html 


Major enhancements include:

1) Major rewrite of the Encryptor implementation
2) Initial examples section included: \ESAPI-2.0-rc6\project\src\examples

Please see changelog.txt at the root of the zip file for more information.

Mahalo Nui Loa,
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net


[SC-L] The International Secure Systems Development Conference

2010-03-29 Thread Kenneth Van Wyk
I saw this event announcement today and thought some SC-L folks might find it 
of interest, FYI.

The International Secure Systems Development Conference addresses the key 
issues around designing-in security for standard and web-based software and 
systems, both in terms of developing new applications securely and also in 
adding security to legacy applications. The aim of the event is to help change 
the balance away from a repeated and ever more costly focus on securing ever 
more insecure infrastructures, to one which focuses on the creation of 
inherently secure systems through the introduction of verifiable, secure 
development methodologies and coherent security architectures.

http://www.issdconference.com/ 


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com





[SC-L] academics do software security too

2010-03-26 Thread Gary McGraw
hi sc-l,

Here is a CFP from a conference I help out with.

gem

CALL FOR PAPERS



International Symposium on Engineering Secure Software and Systems (ESSoS)



February 09-10, 2011

Madrid, Spain

http://distrinet.cs.kuleuven.be/events/essos2011/





CONTEXT AND MOTIVATION

Trustworthy, secure software is a core ingredient of the modern world. 
Unfortunately, the Internet is too. Hostile, networked environments, like the 
Internet, can allow vulnerabilities in software to be exploited from anywhere. 
To address this, high-quality security building blocks (e.g., cryptographic 
components) are necessary, but insufficient. Indeed, the construction of secure 
software is challenging because of the complexity of modern applications, the 
growing sophistication of security requirements, the multitude of available 
software technologies and the progress of attack vectors. Clearly, a strong 
need exists for engineering techniques that scale well and that demonstrably 
improve the software's security properties.





GOAL AND SETUP

The goal of this symposium, which will be the third in the series, is to bring 
together researchers and practitioners to advance the states of the art and 
practice in secure software engineering. Being one of the few conference-level 
events dedicated to this topic, it explicitly aims to bridge the software 
engineering and security engineering communities, and promote 
cross-fertilization. The symposium will feature two days of technical program, 
and is also open to proposals for both tutorials and workshops.

In addition to academic papers, the symposium encourages submission of 
high-quality, informative experience papers about successes and failures in 
security software engineering and the lessons learned.

Furthermore, the symposium also accepts short idea papers that crisply describe 
a promising direction, approach, or insight.





TOPICS

The Symposium seeks submissions on subjects related to its goals. This includes 
a diversity of topics including (but not limited to):

- scalable techniques for threat modeling and analysis of vulnerabilities
- specification and management of security requirements and policies
- security architecture and design for software and systems
- model checking for security
- specification formalisms for security artifacts
- verification techniques for security properties
- systematic support for security best practices
- security testing
- security assurance cases
- programming paradigms, models and DSLs for security
- program rewriting techniques
- processes for the development of secure software and systems
- security-oriented software reconfiguration and evolution
- security measurement
- automated development
- trade-off between security and other non-functional requirements
- support for assurance, certification and accreditation





SUBMISSION AND FORMAT

The proceedings of the symposium are published by Springer-Verlag in the 
Lecture Notes in Computer Science Series (http://www.springer.com/lncs). 
Submissions should follow the formatting instructions of Springer LNCS. 
Submitted papers must present original, non-published work of high quality. Two 
types of papers will be accepted:



Full papers (max 12 pages without bibliography/appendices) - May describe 
original technical research with a solid foundation, such as formal analysis or 
experimental results, with acceptance determined mostly based on novelty and 
validation. Or, may describe case studies applying existing techniques or 
analysis methods in industrial settings, with acceptance determined mostly by 
the general applicability of techniques and the completeness of the technical 
presentation details.



Idea papers (max 8 pages with bibliography) - May crisply describe a novel idea 
that is both feasible and interesting, where the idea may range from a variant 
of an existing technique all the way to a vision for the future of security 
technology. Idea papers allow authors to introduce ideas to the field and get 
feedback, while allowing for later publication of complete, fully-developed 
results. Submissions will be judged primarily on novelty, excitement, and 
exposition, but feasibility is required, and acceptance will be unlikely 
without some basic, principled validation (e.g., extrapolation from limited 
experiments or simple formal analysis).



Proposals for both tutorials and workshops are welcome. Further guidelines are 
on the website of the symposium.





IMPORTANT DATES

Abstract submission: September 13, 2010

Paper submission: September 20, 2010

Author notification: November 12, 2010

Camera-ready: December 3, 2010





STEERING COMMITTEE

Jorge Cuellar (Siemens AG)

Wouter Joosen (Katholieke Universiteit Leuven) - chair

Fabio Massacci (Università di Trento)

Gary McGraw (Cigital)

Bashar Nuseibeh (The Open University)

Daniel Wallach (Rice University)





ORGANIZING COMMITTEE

General chair: Manuel Clavel 

[SC-L] Silver Bullet Transcripts

2010-03-23 Thread Gary McGraw
hi sc-l,

As you know, Silver Bullet is co-sponsored by Cigital and IEEE Security & 
Privacy magazine.  Excerpts of about half of the episodes are eventually 
published in the magazine as articles in an interview department.  We just 
caught up with ourselves by posting the last three S&P interviews on the Silver 
Bullet website.  Sorry about the delay!

Without further ado, the transcripts/articles are:
Chris Hoff (with a focus on cloud security)
http://www.cigital.com/silverbullet/shows/silverbullet-043-choff.pdf

Gillian Hayes (with a focus on social networking, privacy and security)
http://www.cigital.com/silverbullet/shows/silverbullet-042-ghayes.pdf

Fred Schneider (with a focus on security research and anticipating future 
attacks)
http://www.cigital.com/silverbullet/shows/silverbullet-041-fschneider.pdf

As always, we welcome your feedback on the podcast through the Silver Bullet 
website.  We're also very much interested in knowing who you want to hear from.

Thanks for listening.

gem

company www.cigital.com
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com

___


[SC-L] Smart Grid and Software Security

2010-03-22 Thread Gary McGraw
hi sc-l,

In the past we've wondered on this list about how to spread software security 
memes outside of our own little domain and into the larger world.  I recently 
gave a keynote talk in Atlanta to a bunch of senior executives (CEOs and Board 
members) who run Rural electric cooperatives.  This is a completely different 
audience...at least 10 of the hundreds of people in attendance were wearing 
cowboy hats!

We just put the talk up on Justice League for those of you interested:
http://www.cigital.com/justiceleague/2010/03/22/smart-grid-equals-dumb-security/

This talk shows the level I get to when I am trying to communicate with non 
geeks.  I even lapse into my old Tennessee accent.  Hope it works!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Bring your Cloud to Work Day

2010-03-20 Thread Gunnar Peterson
Flip side of Lifestyle Hacking aptly described by Messrs McGraw and
Routh is when your organization cannot deliver the functionality/data/
usability that the consumers need.


http://1raindrop.typepad.com/1_raindrop/2010/03/bring-your-cloud-to-work-in-iraq.html

-gunnar


Re: [SC-L] SC-L Digest, Vol 6, Issue 56

2010-03-20 Thread AK

> As soon as a non-developer creates code, they are no longer a
> non-developer.  By definition, they are now a developer!
>
> Of course, they may completely lack any kind of knowledge about security.
> Just like most developers, I should add.  I expect this problem to *increase*
> over time.

For the case that one is creating a product/service I will have to
rephrase a bit.

Substitute non-developer with person who lacks all but the most basic
notions of software engineering. So, technically, yeah they are
developers but probably they are not good developers and will run to a
multitude of problems, one of which will be security.


However, by non-developers, I meant people who write code as a
one-off (e.g. a security consultant writes some quick and dirty code
to fuzz something, or someone writing a script for home use). Even if
the security knowledge is there, since security is not a required
property, it just will not be in the resultant code, as the code is
supposed to be used a few times and then thrown away (or hopefully
rewritten :-) ).

> That may be true in some places.  But all too often real knowledge and
> expertise is rare.  Many System Admins, esp. in the Windows world, do not
> understand the underlying technology at all.  They only know how to
> point-and-click based on recipes created by others (e.g., local instructions
> or whatever Google tells them).  All too often we *train* while ignoring
> *education*.
>
> When they have to program at all, these kinds of people perform cargo cult
> programming (see http://en.wikipedia.org/wiki/Cargo_cult_programming ).

If an organization hires (or outsources to) point-n-click admins (which,
I'll hazard a guess, on average will cost less than the admins who
have invested time sharpening their saw), the organization will most
likely have operational problems, which are not limited to security,
even before the admins type shebang, IMHO.


[SC-L] free scans from Google...

2010-03-20 Thread Benjamin Tomhave
I guess we can all retire now, eh? I find it so exciting that the app is
written in pure C... and coming from Google, I'm sure it won't leak
info back to the mothership at all...

Meet skipfish, our automated web security scanner
http://googleonlinesecurity.blogspot.com/2010/03/meet-skipfish-our-automated-web.html

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Do you think that when they asked George Washington for ID that he just
whipped out a quarter?
Steven Wright



Re: [SC-L] SC-L Digest, Vol 6, Issue 56

2010-03-20 Thread ljknews
At 7:56 PM +0200 3/19/10, AK wrote:

> It is way easier for attackers to reverse engineer desktop applications
> than web applications. Assuming proper server configuration, it is next
> to impossible for an attacker to get the server side source code or
> compressed form (e.g WARs) for a web application and proceed with
> disassembly/decompilation/patching.

Assuming proper _desktop_ configuration, the user does not have
the ability to modify the programs they will execute, nor change
the protections of objects on the system.

http://nvd.nist.gov/fdcc/fdcc_faq.cfm

Yes, physical access to a computer means ultimately it is possible
to gain control, but the necessary measures do not constitute
easier, and given control of one test machine it is not at all
trivial to transfer that to control of another machine, especially
if the machines are not connected to a common network.
-- 
Larry Kilgallen


Re: [SC-L] market for training CISSPs how to code (Matt Parsons)

2010-03-18 Thread Stephan Neuhaus

On Mar 18, 2010, at 02:17, ljknews wrote:

> Scripting languages should not be used for security-sensitive
> programs.

And your evidence for this statement is?

Stephan


Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)

2010-03-18 Thread AK
Hi all,

We are drifting a bit away from my question but here is a forked question:

Who says so, in the context of web applications? I can see it (somewhat) from a 
desktop application perspective, but how is this relevant in web apps?

Cheers!

Date: Wed, 17 Mar 2010 20:17:05 -0500
From: ljknews ljkn...@mac.com
To: sc-l@securecoding.org
Subject: Re: [SC-L] market for training CISSPs how to code (Matt
Parsons)
Message-ID: p05200f26c7c72f5b9...@[146.115.107.213]
Content-Type: text/plain; charset=us-ascii

At 7:27 PM +0200 3/17/10, AK wrote:


> Regarding training non-developers to write secure code, what are the
> circumstances that a non-developer would create code that would
> *require* security? I am assuming that system administrators know the
> basics of their trade and scripting language of choice so security there
> is taken care of

Scripting languages should not be used for security-sensitive
programs.



Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)

2010-03-18 Thread ljknews
At 7:36 PM +0200 3/18/10, AK wrote:

> Who says so, in the context of web applications?
> I can see it (somewhat) from a desktop application
> perspective, but how is this relevant in web apps?

Why should standards for a web application be different than
for a desktop application ?
-- 
Larry Kilgallen


Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about

2010-03-18 Thread Steven M. Christey


CWE, CLASP, and some other information sources have a number of code 
snippets that highlight various weaknesses.  In CWE, this code is easily 
extractable from the XML by grabbing the Demonstrative_Examples element, 
and we've even conveniently labeled examples with the various languages. 
You could also grab the CVE real-world examples from the Observed_Examples 
element.


Note that the code examples are by no means complete, but they might be 
good enough to start with.  If you pore through CVE, you will soon realize 
that it can be very time-consuming to go from a real-world open-source 
vuln report to the actual code snippet.


- Steve
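An added example of the extraction Steve describes, not code from this thread or from MITRE: it walks a CWE XML export, pulls each weakness's Demonstrative_Examples code (keeping the per-example language label) and its Observed_Examples CVE references, and groups the snippets by language so a blog series could be fed one language at a time. The sample document is constructed here to mirror the shape of a CWE export. Demonstrative_Examples and Observed_Examples are the element names Steve gives; the inner element and attribute names (Demonstrative_Example, Example_Code with Nature and Language attributes, Observed_Example, Reference, Description) and the CWE-190/CVE-2002-0392 pairing are assumptions made for the illustration, to be checked against the schema of the CWE release you actually download.

```python
"""Extract code snippets and CVE references from a CWE XML export.

Added illustration for this thread, not MITRE's tooling.  The inner element
and attribute names used below (Demonstrative_Example, Example_Code with
Nature and Language attributes, Observed_Example, Reference, Description)
are assumptions that mirror the shape of the CWE schema; verify them against
the schema of the release you download before pointing this at the real file.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample shaped like a CWE export.  The CVE entry reuses the
# Apache chunked-encoding ID discussed elsewhere in this thread; its pairing
# with CWE-190 and the description text are made up for this example.
SAMPLE_CWE_XML = """<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-6">
  <Weaknesses>
    <Weakness ID="190" Name="Integer Overflow or Wraparound">
      <Demonstrative_Examples>
        <Demonstrative_Example>
          <Intro_Text>Allocation size computed from an untrusted count.</Intro_Text>
          <Example_Code Nature="Bad" Language="C">int *p = malloc(count * sizeof(int));</Example_Code>
          <Example_Code Nature="Good" Language="C">if (count &gt; SIZE_MAX / sizeof(int)) abort();
int *p = malloc(count * sizeof(int));</Example_Code>
        </Demonstrative_Example>
      </Demonstrative_Examples>
      <Observed_Examples>
        <Observed_Example>
          <Reference>CVE-2002-0392</Reference>
          <Description>Chunked-encoding length handling in a web server (constructed entry).</Description>
        </Observed_Example>
      </Observed_Examples>
    </Weakness>
    <Weakness ID="89" Name="SQL Injection">
      <Demonstrative_Examples>
        <Demonstrative_Example>
          <Example_Code Nature="Bad" Language="PHP">$q = "SELECT * FROM t WHERE id = " . $_GET['id'];</Example_Code>
        </Demonstrative_Example>
      </Demonstrative_Examples>
    </Weakness>
  </Weaknesses>
</Weakness_Catalog>
"""


def _local_name(tag):
    """'{http://cwe.mitre.org/cwe-6}Weakness' -> 'Weakness' (exports are namespaced)."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    """All descendants of elem (not elem itself) whose local tag name is `name`."""
    return [e for e in elem.iter() if e is not elem and _local_name(e.tag) == name]


def _first_text(elem, name):
    """Stripped text of the first matching descendant, or '' if absent."""
    found = _descendants(elem, name)
    return (found[0].text or "").strip() if found else ""


def extract_examples(xml_text):
    """Return {'CWE-<id>': {'name': str,
                           'snippets': [(language, nature, code), ...],
                           'cves': [(cve_id, description), ...]}}."""
    root = ET.fromstring(xml_text)
    out = {}
    for weak in _descendants(root, "Weakness"):
        cwe_id = "CWE-" + weak.get("ID", "?")
        entry = {"name": weak.get("Name", ""), "snippets": [], "cves": []}
        for demo in _descendants(weak, "Demonstrative_Examples"):
            for code in _descendants(demo, "Example_Code"):
                entry["snippets"].append((code.get("Language", "Other"),
                                          code.get("Nature", ""),
                                          (code.text or "").strip()))
        for obs in _descendants(weak, "Observed_Examples"):
            for ex in _descendants(obs, "Observed_Example"):
                entry["cves"].append((_first_text(ex, "Reference"),
                                      _first_text(ex, "Description")))
        out[cwe_id] = entry
    return out


def by_language(examples):
    """Regroup snippets across weaknesses: {language: [(cwe_id, nature, code), ...]}."""
    grouped = defaultdict(list)
    for cwe_id, entry in examples.items():
        for language, nature, code in entry["snippets"]:
            grouped[language].append((cwe_id, nature, code))
    return dict(grouped)


def cve_index(examples):
    """Map each observed CVE back to the weakness that cites it."""
    return {cve: cwe_id for cwe_id, entry in examples.items()
            for cve, _ in entry["cves"]}


if __name__ == "__main__":
    ex = extract_examples(SAMPLE_CWE_XML)
    for language, items in sorted(by_language(ex).items()):
        print(f"== {language}: {len(items)} snippet(s)")
        for cwe_id, nature, code in items:
            print(f"  [{cwe_id} {nature}] {code.splitlines()[0]}")
    for cve, cwe_id in sorted(cve_index(ex).items()):
        print(f"{cve} -> {cwe_id}")
```

Matching on local tag names rather than full namespaced names keeps the script working across CWE releases that change the namespace URI; the element names themselves are what you should re-check when a new schema version comes out.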


Re: [SC-L] blog post and open source vulnerabilities to blog about

2010-03-17 Thread Jon Rose

http://codesearch0day.appspot.com/


On Mar 16, 2010, at 11:41 AM, Matt Parsons wrote:



Hello,
I am working on a software security blog and I am trying to find  
open source vulnerabilities to present and share.  Does anyone else  
have any open source vulnerabilities that they could share and talk  
about?   I think this could be the best way to learn in the open  
source community about security.   I have a few but I would like to  
blog about a different piece of code almost every day.


God Bless.
Matt


http://parsonsisconsulting.blogspot.com/


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668



Re: [SC-L] blog post and open source vulnerabilities to blog about

2010-03-17 Thread McGovern, James F. (P+C Technology)
This doesn't feel like responsible disclosure and is not the way to
announce weaknesses in software. It is best to deal with scenarios that
have already been addressed. 



From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Matt Parsons
Sent: Tuesday, March 16, 2010 11:41 AM
To: owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [SC-L] blog post and open source vulnerabilities to blog about

Hello,

I am working on a software security blog and I am trying to find open
source vulnerabilities to present and share.  Does anyone else have any
open source vulnerabilities that they could share and talk about?   I
think this could be the best way to learn in the open source community
about security.   I have a few but I would like to blog about a
different piece of code almost every day.

God Bless.
Matt

http://parsonsisconsulting.blogspot.com/

Matt Parsons, MSM, CISSP

This communication, including attachments, is for the exclusive use of 
addressee and may contain proprietary, confidential and/or privileged 
information.  If you are not the intended recipient, any use, copying, 
disclosure, dissemination or distribution is strictly prohibited.  If you are 
not the intended recipient, please notify the sender immediately by return 
e-mail, delete this communication and destroy all copies.



Re: [SC-L] blog post and open source vulnerabilities to blog about

2010-03-17 Thread Greg Beeley
Matt,

You can find quite a list of OSS vulnerabilities over at CVE (cve.mitre.org)
or NVD (nvd.nist.gov), but here are a couple that I tend to use for
illustrative purposes when teaching.

- Apache Chunked Encoding vuln (#CVE-2002-0392), an integer overflow.  Of
particular interest because when it was first discovered it was not believed
to be exploitable to gain remote root, but due to a nuance in a memcpy() /
memmove() implementation, it was (I think I'm remembering this right).  An
example that non-exploitability depends on more than just the program itself,
but also on the underlying systems (libraries, compiler, hardware, etc).

- OpenSSH crc32 compensation attack detector vulnerability (#CVE-2001-0144).
Of interest because this was a remote-root vulnerability in a piece of code
that was used solely to try to thwart an SSH protocol 1 cryptographic attack.
A good example of more code introducing more bugs, even when the more code
had an important security purpose.

- Never made it into any distributed code, as it was in version control only,
but there was a Linux kernel vulnerability that was a backdoor attempt.
(http://kerneltrap.org/node/1584). Of interest because it was apparently an
intentional typo bug to create a backdoor.  A good example of something that
could have easily slid by, but the way that version control was set up as well
as the many eyes working on the kernel, resulted in it coming to light quickly.

- A sendmail bug publicized back in 2006 (#CVE-2006-0058) was of interest
because the vulnerability was not a typical buffer overflow, but was due to
(if I remember correctly -- the discussion of this vuln was pretty opaque at
the time, so I could be wrong on this) the intermixing of static and automatic
C function variables in a fairly complex attack scenario (where a residual
static pointer was pointing to a previous incarnation of an automatic buffer),
resulting in an attacker being able to overwrite a section of the stack if the
attack was timed just right (it didn't need the nanosecond precision that
was widely publicized at first).  A good example of complex code being more
difficult to secure.

- Greg Beeley
  LightSys

Matt Parsons wrote, On 03/16/2010 10:41 AM:

> Hello,
>
> I am working on a software security blog and I am trying to find open
> source vulnerabilities to present and share.  Does anyone else have any
> open source vulnerabilities that they could share and talk about?   I
> think this could be the best way to learn in the open source community
> about security.   I have a few but I would like to blog about a
> different piece of code almost every day.
>
> God Bless.
> Matt
>
> http://parsonsisconsulting.blogspot.com/
>
> Matt Parsons, MSM, CISSP


Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about

2010-03-17 Thread Matt Parsons
I am not suggesting exposing zero days.   I only want known vulnerabilities
in applications like web goat etc that are known to everyone.   I don't even
plan on naming where each vulnerability comes from but rather instead change
the code to protect the innocent.  I would never encourage promoting sharing
zero days.  I hope this clears it up.

Thanks,

Matt

Matt Parsons, MSM, CISSP
http://parsonsisconsulting.blogspot.com/
From: Arshan Dabirsiaghi [mailto:arshan.dabirsia...@aspectsecurity.com] 
Sent: Tuesday, March 16, 2010 2:49 PM
To: McGovern, James F. (P+C Technology); Matt Parsons;
owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: RE: [WEB SECURITY] RE: [SC-L] blog post and open source
vulnerabilities to blog about

I'm not sure Matt was suggesting burning sharing 0days, but if he was, I
think he should not be discouraged. I think disclosure preference should be
something like a protected class within OWASP.

Arshan

 

From: McGovern, James F. (P+C Technology)
[mailto:james.mcgov...@thehartford.com] 
Sent: Tuesday, March 16, 2010 2:36 PM
To: Matt Parsons; owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [WEB SECURITY] RE: [SC-L] blog post and open source vulnerabilities
to blog about

 

This doesn't feel like responsible disclosure and is not the way to announce
weaknesses in software. It is best to deal with scenarios that have already
been addressed.


From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
On Behalf Of Matt Parsons
Sent: Tuesday, March 16, 2010 11:41 AM
To: owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [SC-L] blog post and open source vulnerabilities to blog about

Hello,

I am working on a software security blog and I am trying to find open source
vulnerabilities to present and share.  Does anyone else have any open source
vulnerabilities that they could share and talk about?   I think this could
be the best way to learn in the open source community about security.   I
have a few but I would like to blog about a different piece of code almost
every day.

God Bless.
Matt

http://parsonsisconsulting.blogspot.com/

Matt Parsons, MSM, CISSP


[SC-L] market for training CISSPs how to code

2010-03-17 Thread Matt Parsons
I have been a programmer and a security analyst for a few years now.   When
I first started developers told me I didn't know how to code good enough and
CISSP's told me I didn't have enough security experience.  Has anyone had
any success training CISSP's and non programmers how to write code securely
and train developers how to become CISSP's and learn how to penetration
test?  If not does everyone think that there would be a market for such
training?

Matt Parsons, MSM, CISSP
http://parsonsisconsulting.blogspot.com/


Re: [SC-L] blog post and open source vulnerabilities to blog about

2010-03-17 Thread Dan Cornell
At the OWASP Open Review project we run Fortify scans for open source project 
maintainers.  There is some summary information on the main page, but the 
actual detailed scan info is only available to the project maintainers.  
(Echoing James McGovern's concerns we didn't want it to end up being the OWASP 
Open Source 0Day-Publication Project)

More info can be found here:
http://owasp.fortify.com/

I do like the idea of looking at CVEs for open source projects.  That is good 
real-world data that can demonstrate patterns.

Thanks,

Dan


Re: [SC-L] market for training CISSPs how to code (Matt Parsons)

2010-03-17 Thread AK
Hi,

Regarding training non-developers to write secure code, what are  the
circumstances that a non-developer would create code that would
*require* security? I am assuming that system administrators know the
basics of their trade and scripting language of choice so security there
is taken care of BUT I fail to see other scenarios where code that would
be used more than a one-off is developed by non-programmers.
Additional insight would be much appreciated :)

> Message: 1
> Date: Tue, 16 Mar 2010 21:37:03 -0500
> From: Matt Parsons mparsons1...@gmail.com
> To: owaspdal...@utdallas.edu
> [snipped] I have been a programmer and a security analyst for a few years now.
> When I first started developers told me I didn't know how to code good enough and
> CISSP's told me I didn't have enough security experience.  Has anyone had
> any success training CISSP's and non programmers how to write code securely
> and train developers how to become CISSP's and learn how to penetration
> test?  If not does everyone think that there would be a market for such
> training?


[SC-L] black berry security

2010-03-12 Thread Matt Parsons
I had too many files open on my BlackBerry last night while listening to
music.  It produced a Java run time error.  It made me think about
BlackBerry security.  What is the threat to BlackBerrys and having them
write secure code and have it undergo a security review?  Has anyone worked
on mobile app security? I find it very interesting and would like to get
involved.   I wrote about it on my blog.

 

http://parsonsisconsulting.blogspot.com/

All the best.

Matt

Matt Parsons, MSM, CISSP


[SC-L] USA today article Cyber Crimes and software security evangelism

2010-03-10 Thread Matt Parsons
I was reading the USA Today and it stated more cyber criminals are getting away with cyber crimes. I was thinking that this brings more value to us that are concerned about software security and can help evangelize and fix the problem. God Bless.

Matt

http://parsonsisconsulting.blogspot.com/

http://www.usatoday.com/news/snapshot.htm

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668



[SC-L] sponsors still needed for BSides Austin

2010-03-08 Thread Benjamin Tomhave
Hi folks,

We need your help. We're still looking for sponsors for this weekend's
Security BSides Austin, which is set to occur the same day as the
kickoff for SxSW Interactive (a major developer conference). We have
official sponsorship from Astaro and Panda, plus a couple unofficial
sponsors. We'd love to see your organization involved, too!

Unconference details here:
http://www.securitybsides.com/BSidesAustin

Here are some benefits for sponsoring:
* Being part of the media conversation: As people talk about us they
talk about you or at least see you.  Security B-Sides has been covered
in magazines, podcasts, videocasts, blogs, and even inscribed on
microchips.  Get caught up in the conversation and be part of what
people are talking about.
* Brand recognition and awareness: Depending on the level of
sponsorship, you may recognize your brand placement at some or all of
the following: t-shirts, signage/lanyards, lunch sessions, or attendee
badges. Based on your level of participation, creative and custom branding
may be arranged including transportation, banners, and podcast interviews.
* Big Fish in a Small Pond: For some, sponsoring large events is not
within their price range, leaving them with no option for communicating
their message. BSides is just the place for you! This small, community
atmosphere brings together active and engaged participants who want to
absorb information. Sponsoring a BSides event enables you to be that big
fish in a small pond and better communicate your message to an active
audience.
* Stay in touch with the industry: BSides enables its supporters and
participants to identify and connect with industry leaders and voices.
These participants represent the social networking of security. They are
the people who you want to engage to solicit feedback and bring voice to
your conversation.
* Targeted and Direct Audience: You didn't enter the security
industry selling your product to everyone the same way, so why approach
events that way?  Instead of marketing to the broader security
community, connect directly with the security practitioners who write
about, talk about, recommend, and implement security products and services.
* Be associated with the next big thing: Nobody knows what the “next
big thing” will be, but these events are community driven with
presentations voted upon by the industry. There is no magic to how it
works, but we believe that listening to the underground can help prepare
you and help identify what the next big thing might be.

Thank you,

-ben

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
How young can you die of old age?
Steven Wright



[SC-L] cfp: W2SP 2010: Web 2.0 Security and Privacy 2010 CFP - 2nd call

2010-03-05 Thread Larry Koved
The workshop chairs would like to invite you to participate in the 4th annual workshop on Web 2.0 Security and Privacy. Started in 2007, this successful series of workshops has attracted participation from both academia and industry, and participants from around the world. This workshop is held in conjunction with the 2010 IEEE Symposium on Security and Privacy.

Workshop Call for Papers
W2SP 2010: Web 2.0 Security and Privacy 2010

Thursday, May 20
The Claremont Resort, Oakland, California
Web site: http://w2spconf.com/2010

The goal of this one day workshop is to bring together researchers and
practitioners from academia and industry to focus on understanding Web
2.0 security and privacy issues, and establishing new collaborations
in these areas.

Web 2.0 is about connecting people and amplifying the power of working
together. An ongoing explosion of new technology is powering
increasingly complex social and business interactions as well as
enabling an unprecedented level of unmediated information exchange and
horizontal organization. These interactions rely on composition of
content and services from multiple sources, commonly called mash-ups,
leading to systems with complex trust boundaries. This trend is likely
to continue because individuals, businesses, and other organizations
desire the simplicity, efficiency, and utility these technologies
offer.

Though these technologies have had many positive effects, they raise
issues about management of identities, personal safety, reputation,
privacy, anonymity, transient and long-term relationships, and
composition of function and content, both on the server and on the
client side (web browsers and mobile platforms). Although many of the
underlying security and privacy issues are not new, the use of these
technologies by very large and disparate populations raises new
questions. This workshop is intended to discuss the limitations of
current technologies and explore alternatives.

The scope of W2SP 2010 includes, but is not limited to:

Trustworthy cloud-based services
Usable security and privacy
Security and privacy as a service
Security for the mobile web
Identity management and pseudonymity
Web services/feeds/mashups
Security and privacy policies for composable content
Next-generation browser technology
Secure extensions and plug-ins
Advertisement and affiliate fraud

Potential workshop participants should submit a paper on topics
relevant to Web 2.0 security and privacy issues. We are seeking both
short position papers (2 - 4 pages) and refereed papers (a maximum of
8 pages, including references and appendices). Papers longer than 8
pages may be automatically rejected by the chair or workshop
committee. From the submissions, the program committee will strive to
balance participation between academia and industry and across topics.
Selected papers will appear on the workshop web site; W2SP has no
formal published proceedings.

For papers that focus primarily on the security and privacy of social
networks, we encourage authors to submit their paper to the Social
Network Security and Privacy (SNSP) workshop, which is concurrent and
co-located with W2SP. Submitted papers may be referred to the SNSP
program committee for consideration.

Workshop Co-Chairs
Larry Koved (IBM Research)
Dan S. Wallach (Rice University)

Program Chair
Collin Jackson (Carnegie Mellon University)

Program Committee
Ben Adida (Harvard University)
Dirk Balfanz (Google)
Adam Barth (UC Berkeley)
Konstantin (Kosta) Beznosov (University of British Columbia)
Suresh Chari (IBM Research)
Hao Chen (UC Davis)
Collin Jackson (Carnegie Mellon University)
Martin Johns (SAP Research)
Rob Johnson (Stony Brook University)
Engin Kirda (Institute Eurecom)
Larry Koved (IBM Research)
Shriram Krishnamurthi (Brown University)
John C. Mitchell (Stanford University)
Dawn Song (UC Berkeley)
Dan S. Wallach (Rice University)
Helen Wang (Microsoft Research)

Important Dates

Paper submission deadline: Tuesday, March 23, 2010 (11:59pm US-Eastern)
Workshop acceptance notification date: April 11, 2010
Workshop date: Thursday, May 20, 2010

Registration: Workshop registration will be available via the 2010
IEEE Symposium on Security and Privacy conference web site.



[SC-L] Silver Bullet: Greg Morrisett

2010-03-04 Thread Gary McGraw
hi sc-l,

Greetings from RSA where the security hype is very hype-y indeed.  To 
counterbalance the nonsense, we just published Silver Bullet number 47, an 
interview with Harvard professor Greg Morrisett.  Greg and I grew up together 
in Kingsport, Tennessee and it has been a pleasure watching my first business 
partner get a PhD at CMU, become a Dean, and generally kick butt in programming 
languages.  Our conversation was a blast:

http://www.cigital.com/silverbullet/show-047/

Lots of discussion about programming languages in this episode.  Sadly, we 
didn't reveal any of the ridiculous stories we can tell about each other from 
adolescence (something about mutually assured destruction).

As always, thanks to IEEE SP magazine for co-sponsoring Silver Bullet with 
Cigital.   Your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] BSIMM2: 15 things most firms do

2010-03-02 Thread Gary McGraw
hi sc-l,

I just spent an excellent week in Leuven, Belgium at secappdev (our fearless 
moderator Ken was there as always).  If you've never been to secappdev, it is 
certainly something to do at least once, if not annually.

One of the five presentations I gave in Leuven was about BSIMM2 (the 30 firm 
version of BSIMM).  I wrote up an article with Brian Chess and Sammy Migues (my 
BSIMM co-creators) called Software [In]security: What Works in Software 
Security --- Fifteen Common Activities from BSIMM2.  In addition to 
highlighting the fifteen most common BSIMM activities, the article also 
provides the 30 firm data for all 110 activities in public for the first time.

http://www.informit.com/articles/article.aspx?p=1569495

We're unveiling some statistical results at RSA this week that will enhance 
and expand the dataset published in the article.  We'll do an official BSIMM2 
launch within the next couple of months.

Hope to see some of you at the RSA show (probably in the hall track).

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] web apps are homogenous?

2010-02-26 Thread Benjamin Tomhave
Jon,

I think you're getting out of the scope of the costing exercise. The
research and estimates around time to fix are based on the cost
associated with developing the patch, not with deploying it. One could
argue that the cost of fixing bugs - particularly major ones - is much
higher for web applications given that they are more likely to be
rapidly deployed and that the discovery of the bug is more likely to be
widely publicized (especially if it leads to a breach). Everybody has a
reasonable expectation that widely deployed commercial software is going
to have various bugs over its life (e.g. Windows, Adobe products), while
people seem to still be generally surprised when holes pop up in web apps.

Now, that being said, it is still a valid question as to whether there is a
cost differential between fixing classic compiled code and modern web code.
Toward that end, I would recommend looking into Laurie Williams' work at
NCSU. She has inherited John Musa's Software Reliability Engineering
legacy, is active in the field, and has published a number of articles
and papers potentially relevant to this field. See:
http://collaboration.csc.ncsu.edu/laurie/

fwiw.

-ben

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Oh, so they have internet on computers now!
Homer Simpson


Re: [SC-L] web apps are homogenous?

2010-02-26 Thread Chris Wysopal

A large part of the cost of fixing a bug, especially late in the dev cycle after testing is complete, is the cost of regression testing. The cost of regression testing of a patch for commercial software is much higher than the cost for a custom web application. Think of an Oracle bug that spans 5 supported product revisions over 5 platforms. That is 25 separate builds that need to be regression tested. Plus, regression testing for commercial software needs to be more extensive because many different deployment scenarios need to be incorporated. Mary Ann Davidson told me this could cost up to $1M in a worst case scenario. A bug in a custom enterprise web application may need to be fixed quicker due to exposure, which may raise the cost slightly, but this is nothing compared to the testing effort to validate the fix works and did not break anything. The cost of fixing a bug late in the dev cycle or once the software is deployed is much higher for commercial software than it is for a single instance web application. The cost scales with the number of supported revisions affected and the size and complexity of the installed base.

-Chris


Re: [SC-L] web apps are homogenous?

2010-02-25 Thread Jon McClintock
On Wed, Feb 24, 2010 at 10:46:56AM -0500, Paco Hope wrote:
 I don't think webness conveys any more homogeneity than, say windowsness 
 or linuxness.
 
 What part of being a web application provides homogeneity in a way that makes 
 patching cheaper?

In a word, control. Let's compare two different organizations: a
commercial software development company, and a web commerce company.
They both develop software, but how the software is deployed and managed
is widely different.

Commercial software is created by one party, and consumed by multiple
other parties. Those parties may run it in widely different operating
environments, with different network, software and hardware
configurations. They may be running old versions of the software, or
using it in novel ways.

If the commercial software development company has to patch a
vulnerability, they need to first determine which releases of the
software need to be patched, develop and test a patch for each supported
version, test it across the plethora of different configurations their
customers may be running, develop release notes and a security advisory,
make the patch available, and support their customers while they are
patching.

For a web commerce company, however, the picture is entirely different. 
While their production fleet may comprise hundreds, or even thousands,
of servers, they're likely all running the exact same software and 
configuration, using a configuration management system to deploy the
website software and keep it in sync.

If the web commerce company identifies a vulnerability in their website,
they can debug the running stack, create a fix, test it against an
exact replica of the production stack, and use automated tools to 
deploy the patch to their entire fleet in one operation.

-Jon



Re: [SC-L] web apps are homogenous?

2010-02-24 Thread Paco Hope

On Feb 23, 2010, at 10:06 AM, Jon McClintock wrote:
 This provides a pretty good examination of the costs of patching 
 commercial software. Has anyone done a similar analysis for web 
 applications? I'd expect the costs to be dramatically lower, given
 that you're typically producing a single patch for a handful of
 homogenous systems.

I don't think webness conveys any more homogeneity than, say windowsness or 
linuxness.

What part of being a web application provides homogeneity in a way that makes 
patching cheaper?

Paco
--
Paco Hope, CISSP - CSSLP
Technical Manager, Cigital, Inc.
http://www.cigital.com/
Software Confidence. Achieved.




Re: [SC-L] seeking hard numbers of bug fixes...

2010-02-23 Thread Wall, Kevin
Benjamin Tomhave wrote:
 ... we're looking for hard research or
 numbers that covers the cost to catch bugs in code pre-launch and
 post-launch. The notion being that the organization saves itself money
 if it does a reasonable amount of QA (and security testing)
 up front vs trying to chase things down after they've been identified
 (and possibly exploited).

Ben,

Not sure if this is what you are looking for or not, but back in the
mid- to late-1980s or so, John Musa, a DMTS at Bell Labs, wrote up a
couple of papers that showed this data, although this was in the more
general context of software quality assurance and not specific to
security testing.

I'm pretty sure that Musa published something in either one of the ACM
or IEEE CS journals and included some hard data, collected from a bunch
of (then AT&T) Bell Labs projects. IIRC, the main finding was something
like the cost was ~100 times more to catch and correct a bug during
the normal design / coding phase than it was to catch / correct it
after post-deployment.

Can't help you much more than that. I'm surprised I remembered that much! :)

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
kevin.w...@qwest.comPhone: 614.215.4788
It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html



This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful.  If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.



Re: [SC-L] seeking hard numbers of bug fixes...

2010-02-23 Thread Benjamin Tomhave
Ah, excellent - very helpful!

It appears that Laurie Williams at NCSU has inherited John Musa's
Software Reliability Engineering legacy, and is still active in the
field, and has a number of relevant security articles/papers listed
under Publications.
http://collaboration.csc.ncsu.edu/laurie/

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Happiness makes up in height for what it lacks in length.
Robert Frost


Re: [SC-L] seeking hard numbers of bug fixes...

2010-02-23 Thread Jon McClintock
On Mon, Feb 22, 2010 at 10:45:02AM -0500, Jeremy Epstein wrote:
 Take a look at Mary Ann Davidson's keynote at ACSAC in Dec 2009.
 http://www.acsac.org/2009/program/keynotes/davidson.pdf

This provides a pretty good examination of the costs of patching 
commercial software. Has anyone done a similar analysis for web 
applications? I'd expect the costs to be dramatically lower, given
that you're typically producing a single patch for a handful of
homogenous systems.

-Jon



[SC-L] seeking hard numbers of bug fixes...

2010-02-22 Thread Benjamin Tomhave
Howdy,

This request is a bit time critical as it's supporting a colleague's
upsell up the food chain tomorrow... we're looking for hard research or
numbers that covers the cost to catch bugs in code pre-launch and
post-launch. The notion being that the organization saves itself money
if it does a reasonable amount of QA (and security testing) up front vs
trying to chase things down after they've been identified (and possibly
exploited).

Any help?

Thank you,

-ben

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Imagination is everything. It is the preview of life's coming attractions.
Albert Einstein


[SC-L] OWASP DEVELOPMENT GUIDE NEWS/CALL FOR CONTRIBUTORS

2010-02-11 Thread Boberski, Michael [USA]
News Release/Call For Contributors
OWASP Development Guide Project begins work on next Guide version
The Guide is a manual for designing, developing, and deploying secure web 
applications

OWASP Development Guide Project
MCLEAN
February 10, 2010

MCLEAN, Feb. 10 /OWASP Development Guide Project (http://www.owasp.org/index.php/Category:OWASP_Guide_Project)/ -- After 
many months of planning and preparation, the OWASP Development Guide project 
announced today that it is ready to begin work on the next revision of the 
Guide, and that the project is looking for volunteers to do the work, both 
individuals and organizations.

The OWASP Development Guide is aimed at architects, developers, consultants and 
auditors and is a comprehensive manual for designing, developing and deploying 
secure web applications. The original OWASP Development Guide has become a 
staple diet for many web security professionals. Since 2002, the initial 
version was downloaded over 2 million times. Today, the Development Guide is 
referenced by many leading government, financial, and corporate standards and 
is the Gold standard for Web Application and Web Service security.

The next version of the OWASP Development Guide will be in effect the detailed 
design guide for the requirements of the OWASP Application Security 
Verification Standard (ASVS), which can be found here: 
http://www.owasp.org/index.php/ASVS. Key features of the next Guide will 
include use of the new OWASP common numbering scheme. The new numbering scheme 
will be common across OWASP Guides and References, more information can be 
found here: http://www.owasp.org/index.php/Common_OWASP_Numbering. Additional 
key features will be the inclusion of worksheets and checklists, such as the 
sample input validation worksheet which can be found here: 
http://code.google.com/p/owasp-development-guide/wiki/WebAppSecDesignGuide_D5_2_1_1

For more information, and for more information if you are interested in 
volunteering, please see: 
http://owasp-development-guide.googlecode.com/files/development-guide-contributing.pdf
  Please forward this email as you think appropriate. Got buddies and want to 
work on a section or two as a team? Professional project management will be a 
key feature of the next release of the Guide and can help to facilitate such 
arrangements. Here is what the work streams will look like: 
http://owasp-development-guide.googlecode.com/files/guide-org-chart.pdf. And, 
the Guide project is always on the lookout for volunteers. If you think you 
might have availability in the future, please do reach out at that time. For 
more information, email the OWASP Development Guide project manager Mike 
Boberski at mike.bober...@owasp.org.

About OWASP

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit 
worldwide charitable organization focused on improving the security of 
application software. Our mission is to make application security visible, so 
that people and organizations can make informed decisions about true 
application security risks. Everyone is free to participate in OWASP and all of 
our materials are available under a free and open software license at 
http://www.owasp.org

SOURCE: OWASP Development Guide Project

Web site: http://www.owasp.org/index.php/Category:OWASP_Guide_Project




[SC-L] A massive change at DARPA

2010-02-11 Thread Jeremy Epstein
OK, many of you don't care about DARPA, but here's something that
happened there you *should* care about.  DARPA funds research, and has
historically drawn its program managers from the ranks of academia and
occasionally the military.  This is a massive change in outlook


http://news.cnet.com/8301-27080_3-10450552-245.html

 Peiter Zatko--a respected hacker known as Mudge--has been tapped to
be a program manager at DARPA, where he will be in charge of funding
research designed to help give the U.S. government tools needed to
protect against cyberattacks, CNET has learned.

Zatko will become a program manager in mid-March within the Strategic
Technologies Office at DARPA (Defense Advanced Research Projects
Agency), which is the research and development office for the
Department of Defense. His focus will be cybersecurity, he said in an
interview with CNET on Tuesday.

One of his main goals will be to fund researchers at hacker spaces,
start-ups, and boutiques who are most likely to develop technologies
that can leapfrog what comes out of large corporations. I want
revolutionary changes. I don't want evolutionary ones, he said.

He's also hoping that giving a big push to research and development
will do more to advance the progress of cybersecurity than public
policy decisions have been able to do over the past few decades.

[...]


Re: [SC-L] A massive change at DARPA

2010-02-11 Thread Benjamin Tomhave
I think it's a welcome change. It doesn't say so in this article clip,
but he is Dr. Zatko, and has worked in instruction and academia, so it's
not too far a leap for them. He's also been working in the federal space
quite a bit since the L0pht sold out and shutdown. Dan Geer did
something similar a couple years ago when he joined In-Q-Tel.

On 2/11/10 8:42 AM, Jeremy Epstein wrote:
 OK, many of you don't care about DARPA, but here's something that
 happened there you *should* care about.  DARPA funds research, and has
 historically drawn its program managers from the ranks of academia and
 occasionally the military.  This is a massive change in outlook
 
 
 http://news.cnet.com/8301-27080_3-10450552-245.html
 
  Peiter Zatko--a respected hacker known as Mudge--has been tapped to
 be a program manager at DARPA, where he will be in charge of funding
 research designed to help give the U.S. government tools needed to
 protect against cyberattacks, CNET has learned.
 
 Zatko will become a program manager in mid-March within the Strategic
 Technologies Office at DARPA (Defense Advanced Research Projects
 Agency), which is the research and development office for the
 Department of Defense. His focus will be cybersecurity, he said in an
 interview with CNET on Tuesday.
 
 One of his main goals will be to fund researchers at hacker spaces,
 start-ups, and boutiques who are most likely to develop technologies
 that can leapfrog what comes out of large corporations. I want
 revolutionary changes. I don't want evolutionary ones, he said.
 
 He's also hoping that giving a big push to research and development
 will do more to advance the progress of cybersecurity than public
 policy decisions have been able to do over the past few decades.
 
 [...]
 
 

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
What if everything is an illusion and nothing exists? In that case, I
definitely overpaid for my carpet.
Woody Allen


[SC-L] Metrics

2010-02-05 Thread McGovern, James F. (eBusiness)
 Here's an example.  In the BSIMM,  10 of 30 firms have built top-N bug
lists based on their own data culled from their own code.  I would
love to see how those top-n lists compare to the  OWASP top ten or the
CWE-25.  I would also love to see whether the union of these lists is
even remotely interesting.  

One of the general patterns I noted while providing feedback to the
OWASP Top Ten listserv is that top ten lists do sort differently. Within
an enterprise setting, it is typical for enterprise applications to be
built on Java, .NET or other compiled languages, whereas if I were doing
an Internet startup I may leverage more scripting approaches. So, if
different demographics have different behaviors what would a converged
list or even a separate list tell us?







[SC-L] OWASP Podcast Series

2010-02-05 Thread Jim Manico

Hello SC-L,

We have released 3 OWASP podcasts over the last few days for your 
listening pleasure:


#60 Interview with Jeremiah Grossman and Robert Hansen (Google pays for 
vulns)

http://www.owasp.org/download/jmanico/owasp_podcast_60.mp3

#59 AppSec round table with Dan Cornell, Boaz Gelbord, Jim Manico, 
Andrew van der Stock, Ben Tomhave and Jeff Williams

http://www.owasp.org/download/jmanico/owasp_podcast_59.mp3

#58 Interview with Ron Gula
http://www.owasp.org/download/jmanico/owasp_podcast_58.mp3

I hope you enjoy.

--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net



Re: [SC-L] Metrics

2010-02-05 Thread Arian J. Evans
In the web security world it doesn't seem to matter much. Top(n) Lists
are Top(n).

There is much ideological disagreement over what goes in those lists
and why, but the ratios of defects are fairly consistent. Both with
managed code and with scripting languages.

The WhiteHat Security statistics report provides some interesting
insights into this, particularly the last one. It's one of the only
public stats reports out there for webappsec that I know of.

I have observed what I've thought to be differences anecdotally, but
when we crunch the numbers on a large scale, they average out and
issue ratios are fairly consistent. Which shows you the dangerous
power of anecdotes, and statistically small samples, to be misleading.

---
Arian Evans
Software Security Statistician


On Fri, Feb 5, 2010 at 7:07 AM, McGovern, James F. (eBusiness)
james.mcgov...@thehartford.com wrote:
 Here's an example.  In the BSIMM,  10 of 30 firms have built top-N bug
 lists based on their own data culled from their own code.  I would
 love to see how those top-n lists compare to the  OWASP top ten or the
 CWE-25.  I would also love to see whether the union of these lists is
even remotely interesting.

 One of the general patterns I noted while providing feedback to the
 OWASP Top Ten listserv is that top ten lists do sort differently. Within
 an enterprise setting, it is typical for enterprise applications to be
 built on Java, .NET or other compiled languages, whereas if I were doing
 an Internet startup I may leverage more scripting approaches. So, if
 different demographics have different behaviors what would a converged
 list or even a separate list tell us?







Re: [SC-L] Metrics

2010-02-05 Thread Steven M. Christey


On Fri, 5 Feb 2010, McGovern, James F. (eBusiness) wrote:

One of the general patterns I noted while providing feedback to the 
OWASP Top Ten listserv is that top ten lists do sort differently. Within 
an enterprise setting, it is typical for enterprise applications to be 
built on Java, .NET or other compiled languages, whereas if I were doing 
an Internet startup I may leverage more scripting approaches. So, if 
different demographics have different behaviors what would a converged 
list or even a separate list tell us?


A converged list is useful for general recommendations to people who 
haven't made their own custom lists.  The 2010 Top 25, due to be released 
Feb 16, also considers alternate Focus Profiles with different 
prioritizations to serve different use cases and get people thinking about 
how to do their own prioritization.


The general list, meanwhile, captures what patterns may exist across all 
participants - i.e., what everyone is most worried about.


- Steve


Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Steven M. Christey


On Wed, 3 Feb 2010, Gary McGraw wrote:

Popularity contests are not the kind of data we should count on.  But 
maybe we'll make some progress on that one day.


That's my hope, too, but I'm comfortable with making baby steps along the 
way.



Ultimately, I would love to see the kind of linkage between the collected
data (evidence) and some larger goal (higher security whatever THAT
means in quantitative terms) but if it's out there, I don't see it


Neither do I, and that is a serious issue with models like the BSIMM 
that measure second order effects like activities.  Do the activities 
actually do any good?  Important question!


And one we can't answer without more data that comes from the developers 
who adopt any particular practice, and without some independent measure of 
what success means.  For example: I am a big fan of the attack surface 
metric originally proposed by Michael Howard and taken up by Jeanette Wing 
et al. at CMU (still need to find the time to read Manadhata's thesis, 
alas...)  It seems like common sense that if you reduce attack surface, 
you reduce the number of security problems, but how do you KNOW!?



The 2010 OWASP Top 10 RC1 is more data-driven than previous versions; same
with the 2010 Top 25 (whose release has been delayed to Feb 16, btw).
Unlike last year's Top 25 effort, this time I received several sources of
raw prevalence data, but unfortunately it wasn't in sufficiently
consumable form to combine.


I was with you up until that last part.  Combining the prevalence data 
is something you guys should definitely do.  BTW, how is the 2010 CWE-25 
(which doesn't yet exist) more data driven??


I guess you could call it a more refined version of the popularity 
contest that you already referred to (with the associated limitations, 
and thus subject to some of the same criticisms as those pointed at 
BSIMM): we effectively conducted a survey of a diverse set of 
organizations/individuals from various parts of the software security 
industry, asking what was most important to them, and what they saw the 
most often.  This year, I intentionally designed the Top 25 under the 
assumption that we would not have hard-core quantitative data, recognizing 
that people WANTED hard-core data, and that the few people who actually 
had this data, would not want to share it.  (After all, as a software 
vendor you may know what your own problems are, but you might not want to 
share that with anyone else.)


It was a bit of a surprise when a handful of participants actually had 
real data - but, then the problem I'm referring to with respect to 
consumable form reared its ugly head.  One third-party consultant had 
statistics for a broad set of about 10 high-level categories representing 
hundreds of evaluations; one software vendor gave us a specific weakness 
history - representing dozens of different CWE entries across a broad 
spectrum of issues, sometimes at very low levels of detail and even 
branching into the GUI part of CWE which almost nobody pays attention to - 
but only for 3 products.  Another vendor rep evaluated the dozen or two 
publicly-disclosed vulnerabilities that were most severe according to 
associated CVSS scores.  Those three data sets, plus the handful of others 
based on some form of analysis of hard-core data, are not merge-able. 
The irony with CWE (and many of the making-security-measurable efforts) is 
that it brings sufficient clarity to recognize when there is no clarity... 
the known unknowns to quote Donald Rumsfeld.  I saw this in 1999 in the 
early days of CVE, too, and it's still going on - observers of the 
oss-security list see this weekly.


For data collection at such a specialized level, the situation is not 
unlike the breach-data problem faced by the Open Security Foundation in 
their Data Loss DB work - sometimes you have details, sometimes you don't. 
The Data Loss people might be able to say well, based on this 100-page 
report we examined, we think it MIGHT have been SQL injection but that's 
the kind of data we're dealing with right now.


Now, a separate exercise in which we compare/contrast the customized top-n 
lists of those who have actually progressed to the point of making them... 
that smells like opportunity to me.



I for one am pretty satisfied with the rate at which things are
progressing and am delighted to see that we're finally getting some raw
data, as good (or as bad) as it may be.  The data collection process,
source data, metrics, and conclusions associated with the 2010 Top 25 will
probably be controversial, but at least there's some data to argue about.


Cool!


To clarify to others who have commented on this part - I'm talking 
specifically about the rate in which the software security industry seems 
to be maturing, independently of how quickly the threat landscape is 
changing.  That's a whole different, depressing problem.


- Steve

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Mike Boberski
I for one am pretty satisfied with the rate at which things are
progressing

I dunno...

Again, trying to keep it pithy: I for one welcome our eventual new [insert
hostile nation state here] overlords. /joke

What I see from my vantage point is a majority of people who (1)should know
better given their leadership positions that don't or (2)who willingly
ignore security-related concerns to advance their personal business goals,
trusting in the availability of lawyers or the ability to punch out before
stuff hits the fan, speculating (perhaps) on motives.

Excuse me now while I get back go my Rosetta Stone lesson. /joke

Mike


On Wed, Feb 3, 2010 at 3:04 PM, Gary McGraw g...@cigital.com wrote:

 Hi Steve (and sc-l),

 I'll invoke my skiing with Eli excuse again on this thread as well...

 On Tue, 2 Feb 2010, Wall, Kevin wrote:
  To study something scientifically goes _beyond_ simply gathering
  observable and measurable evidence. Not only does data need to be
  collected, but it also needs to be tested against a hypothesis that offers
  a tentative *explanation* of the observed phenomena;
  i.e., the hypothesis should offer some predictive value.

 On 2/2/10 4:12 PM, Steven M. Christey co...@linus.mitre.org wrote:
 I believe that the cross-industry efforts like BSIMM, ESAPI, top-n lists,
 SAMATE, etc. are largely at the beginning of the data collection phase.

 I agree 100%.  It's high time we gathered some data to back up our claims.
  I would love to see the top-n lists do more with data.

 Here's an example.  In the BSIMM,  10 of 30 firms have built top-N bug
 lists based on their own data culled from their own code.  I would love to
 see how those top-n lists compare to the OWASP top ten or the CWE-25.  I
 would also love to see whether the union of these lists is even remotely
 interesting.  One of my (many) worries about top-n lists that are NOT bound
 to a particular code base is that the lists are so generic as to be useless
 and maybe even unhelpful if adopted wholesale without understanding what's
 actually going on in a codebase. [see 
 http://www.informit.com/articles/article.aspx?p=1322398].

 Note for the record that asking lots of people what they think should be
 in the top-10 is not quite the same as taking the union of particular top-n
 lists which are tied to particular code bases.  Popularity contests are not
 the kind of data we should count on.  But maybe we'll make some progress on
 that one day.

 Ultimately, I would love to see the kind of linkage between the collected
 data (evidence) and some larger goal (higher security whatever THAT
 means in quantitative terms) but if it's out there, I don't see it

 Neither do I, and that is a serious issue with models like the BSIMM that
 measure second order effects like activities.  Do the activities actually
 do any good?  Important question!

 The 2010 OWASP Top 10 RC1 is more data-driven than previous versions; same
 with the 2010 Top 25 (whose release has been delayed to Feb 16, btw).
 Unlike last year's Top 25 effort, this time I received several sources of
 raw prevalence data, but unfortunately it wasn't in sufficiently
 consumable form to combine.

 I was with you up until that last part.  Combining the prevalence data is
 something you guys should definitely do.  BTW, how is the 2010 CWE-25 (which
 doesn't yet exist) more data driven??

 I for one am pretty satisfied with the rate at which things are
 progressing and am delighted to see that we're finally getting some raw
 data, as good (or as bad) as it may be.  The data collection process,
 source data, metrics, and conclusions associated with the 2010 Top 25 will
 probably be controversial, but at least there's some data to argue about.

 Cool!

 So in that sense, I see Gary's article not so much as a clarion call for
 action to a reluctant and primitive industry, but an early announcement of
 a shift that is already underway.

 Well put.

 gem

 company www.cigital.com
 podcast www.cigital.com/~gem
 blog www.cigital.com/justiceleague
 book www.swsec.com





Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread McGovern, James F. (eBusiness)
When comparing BSIMM to SAMM are we suffering from the Mayberry Paradox? Did 
you know that Apple is more secure than Microsoft simply because there are more 
successful attacks on MS products? Of course, we should ignore the fact that 
the number of attackers doesn't prove that one product is more secure than 
another.

Whenever I bring in either vendors or consultancies to write about my 
organization, do I only publish the positives and only slip in a few negatives 
in order to maintain the façade of integrity? Would BSIMM be a better approach 
if the audience wasn't so self-selecting? At no time did it include 
corporations who use Ounce Labs or Coverity or even other well-known security 
consultancies.

OWASP on the other hand received feedback from folks such as myself on not the 
things that work, but on a ton of stuff that didn't work for us. This type of 
filtering provides more value in that it helps other organizations avoid 
repeating things that we didn't do so well without necessarily encouraging 
others to do it the McGovern way.

Corporations are dynamic entities and what won't work vs what will is highly 
contextual. I prefer a list of things that could possibly work over the effort 
to simply pull something off the shelf that another organization got to work 
with a lot of missing context. The best security decisions are made when you 
can provide an enterprise with choice in recommendations and I think SAMM in 
this regard does a better job than other approaches.

-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On 
Behalf Of Kenneth Van Wyk
Sent: Wednesday, February 03, 2010 4:08 PM
To: Secure Coding
Subject: Re: [SC-L] BSIMM update (informIT)

On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote:
 Among other things, David and I discussed the difference between descriptive 
 models like BSIMM and prescriptive models which purport to tell you what you 
 should do. 

Thought I'd chime in on this a bit, FWIW...  From my perspective, I welcome 
BSIMM and I welcome SAMM.  I don't see it in the least as a one or the other 
debate.

A decade(ish) since the first texts on various aspects of software security 
started appearing, it's great to have a BSIMM that surveys some of the largest 
software groups on the planet to see what they're doing.  What actually works.  
That's fabulously useful.  On the other hand, it is possible that ten thousand 
lemmings can be wrong.  Following the herd isn't always what's best.

SAMM, by contrast, was written by some bright, motivated folks, and provides us 
all with a set of targets to aspire to.  Some will work, and some won't, 
without a doubt.

To me, both models are useful as guide posts to help a software group--an SSG 
if you will--decide what practices will work best in their enterprise.

But as useful as both SAMM and BSIMM are, I think we're all fooling ourselves 
if we consider these to be standards or even maturity models.  Any other 
engineering discipline on the planet would laugh us all out of the room by the 
mere suggestion.  There's value to them, don't get me wrong.  But we're still 
in the larval mode of building an engineering discipline here folks.  After 
all, as a species, we didn't start (successfully) building bridges in a decade.

For now, my suggestion is to read up, try things that seem reasonable, and 
build a set of practices that work for _you_.  

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Jim Manico
Why are we holding up the statistics from Google, Adobe and Microsoft ( 
http://www.bsi-mm.com/participate/ ) in BDSIMM?


These companies are examples of recent epic security failure. Probably 
the most financially damaging infosec attack, ever. Microsoft let a 
plain-vanilla 0-day slip through ie6 for years, Google has a pretty 
basic network segmentation and policy problem, and Adobe continues to be 
the laughing stock of client side security. Why are we holding up these 
companies as BDSIMM champions?


- Jim



On Wed, 3 Feb 2010, Gary McGraw wrote:

Popularity contests are not the kind of data we should count on.  But 
maybe we'll make some progress on that one day.


That's my hope, too, but I'm comfortable with making baby steps along 
the way.


Ultimately, I would love to see the kind of linkage between the collected
data (evidence) and some larger goal (higher security whatever THAT
means in quantitative terms) but if it's out there, I don't see it


Neither do I, and that is a serious issue with models like the BSIMM 
that measure second order effects like activities.  Do the 
activities actually do any good?  Important question!


And one we can't answer without more data that comes from the 
developers who adopt any particular practice, and without some 
independent measure of what success means.  For example: I am a big 
fan of the attack surface metric originally proposed by Michael Howard 
and taken up by Jeanette Wing et al. at CMU (still need to find the 
time to read Manadhata's thesis, alas...)  It seems like common sense 
that if you reduce attack surface, you reduce the number of security 
problems, but how do you KNOW!?


The 2010 OWASP Top 10 RC1 is more data-driven than previous versions; same
with the 2010 Top 25 (whose release has been delayed to Feb 16, btw).
Unlike last year's Top 25 effort, this time I received several sources of
raw prevalence data, but unfortunately it wasn't in sufficiently
consumable form to combine.


I was with you up until that last part.  Combining the prevalence 
data is something you guys should definitely do.  BTW, how is the 
2010 CWE-25 (which doesn't yet exist) more data driven??


I guess you could call it a more refined version of the popularity 
contest that you already referred to (with the associated 
limitations, and thus subject to some of the same criticisms as those 
pointed at BSIMM): we effectively conducted a survey of a diverse set 
of organizations/individuals from various parts of the software 
security industry, asking what was most important to them, and what 
they saw the most often.  This year, I intentionally designed the Top 
25 under the assumption that we would not have hard-core quantitative 
data, recognizing that people WANTED hard-core data, and that the few 
people who actually had this data, would not want to share it.  (After 
all, as a software vendor you may know what your own problems are, but 
you might not want to share that with anyone else.)


It was a bit of a surprise when a handful of participants actually had 
real data - but, then the problem I'm referring to with respect to 
consumable form reared its ugly head.  One third-party consultant 
had statistics for a broad set of about 10 high-level categories 
representing hundreds of evaluations; one software vendor gave us a 
specific weakness history - representing dozens of different CWE 
entries across a broad spectrum of issues, sometimes at very low 
levels of detail and even branching into the GUI part of CWE which 
almost nobody pays attention to - but only for 3 products.  Another 
vendor rep evaluated the dozen or two publicly-disclosed 
vulnerabilities that were most severe according to associated CVSS 
scores.  Those three data sets, plus the handful of others based on 
some form of analysis of hard-core data, are not merge-able. The irony 
with CWE (and many of the making-security-measurable efforts) is that 
it brings sufficient clarity to recognize when there is no clarity... 
the known unknowns to quote Donald Rumsfeld.  I saw this in 1999 in 
the early days of CVE, too, and it's still going on - observers of the 
oss-security list see this weekly.


For data collection at such a specialized level, the situation is not 
unlike the breach-data problem faced by the Open Security Foundation 
in their Data Loss DB work - sometimes you have details, sometimes you 
don't. The Data Loss people might be able to say "well, based on this 
100-page report we examined, we think it MIGHT have been SQL 
injection" but that's the kind of data we're dealing with right now.


Now, a separate exercise in which we compare/contrast the customized 
top-n lists of those who have actually progressed to the point of 
making them... that smells like opportunity to me.



I for one am pretty satisfied with the rate at which things are
progressing and am delighted to see that we're finally getting some raw
data, as good (or as bad) as it may be.  The data 

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Brian Chess
 At no time did it include corporations who use Ounce Labs or Coverity

Bzzzt.  False.  While there are plenty of Fortify customers represented in
BSIMM, there are also plenty of participants who aren't Fortify customers.
I don't think there are any hard numbers on market share in this realm, but
my hunch is that BSIMM is not far off from a uniform sample in this regard.

Brian


 -Original Message-
 From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On
 Behalf Of Kenneth Van Wyk
 Sent: Wednesday, February 03, 2010 4:08 PM
 To: Secure Coding
 Subject: Re: [SC-L] BSIMM update (informIT)
 
 On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote:
 Among other things, David and I discussed the difference between descriptive
 models like BSIMM and prescriptive models which purport to tell you what you
 should do. 
 
 Thought I'd chime in on this a bit, FWIW...  From my perspective, I welcome
 BSIMM and I welcome SAMM.  I don't see it in the least as a one or the other
 debate.
 
 A decade(ish) since the first texts on various aspects of software security
 started appearing, it's great to have a BSIMM that surveys some of the largest
 software groups on the planet to see what they're doing.  What actually works.
 That's fabulously useful.  On the other hand, it is possible that ten thousand
 lemmings can be wrong.  Following the herd isn't always what's best.
 
 SAMM, by contrast, was written by some bright, motivated folks, and provides
 us all with a set of targets to aspire to.  Some will work, and some won't,
 without a doubt.
 
 To me, both models are useful as guide posts to help a software group--an SSG
 if you will--decide what practices will work best in their enterprise.
 
 But as useful as both SAMM and BSIMM are, I think we're all fooling ourselves
 if we consider these to be standards or even maturity models.  Any other
 engineering discipline on the planet would laugh us all out of the room by the
 mere suggestion.  There's value to them, don't get me wrong.  But we're still
 in the larval mode of building an engineering discipline here folks.  After
 all, as a species, we didn't start (successfully) building bridges in a
 decade.
 
 For now, my suggestion is to read up, try things that seem reasonable, and
 build a set of practices that work for _you_.
 
 Cheers,
 
 Ken
 
 -
 Kenneth R. van Wyk
 KRvW Associates, LLC
 http://www.KRvW.com
 
 
 
 
 
 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 ___



Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Steven M. Christey


On Thu, 4 Feb 2010, Jim Manico wrote:

These companies are examples of recent epic security failure. Probably 
the most financially damaging infosec attack, ever. Microsoft let a 
plain-vanilla 0-day slip through ie6 for years


Actually, it was a not-so-vanilla use-after-free, which once upon a time 
was only thought of as a reliability problem, but lately, exploit and 
detection techniques have recently begun bearing fruit for the small 
number of people who actually know how to get code execution out of these 
bugs.  In general, Microsoft (and others) have gotten their software to 
the point where attackers and researchers have to spend a lot of time and 
$$$ to find obscure vuln types, then spend some more time and $$$ to work 
around the various protection mechanisms that exist in order to get code 
execution instead of a crash.


I can't remember the last time I saw a Microsoft product have a 
mind-numbingly-obvious problem in it.  It would be nice if statistics were 
available that measured how many person-hours and CPU-hours were used to 
find new vulnerabilities - then you could determine the ratio of 
level-of-effort to number-of-vulns-found.  That data's not available, 
though - we only have anecdotal evidence by people such as Dave Aitel and 
David Litchfield saying it's getting more difficult and time-consuming.


- Steve


Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Gary McGraw
hi jim,

We chose organizations that in our opinion are doing a superior job with 
software security.  You are welcome to disagree with our choices.

Microsoft has a shockingly good approach to software security that they are 
kind enough to share with the world through the SDL books and websites.  Google 
has a much different approach with more attention focused on open source risk 
and testing (and much less on code review with tools).  Adobe has a newly 
reinvigorated approach under new leadership that is making some much needed 
progress.

The three firms that you cited were all members of the original nine whose data 
allowed us to construct the model.  There are now 30 firms in the BSIMM study, 
and their BSIMM data vary as much as you might expect...about which more soon.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread McGovern, James F. (eBusiness)
Merely hoping to understand more about the thinking behind BSIMM. 

Here is a quote from the page: "Of the thirty-five large-scale software 
security initiatives we are aware of, we chose nine that we considered the most 
advanced". How can the reader tell why others were filtered?

When you visit the link: http://www.bsi-mm.com/participate/ it doesn't show any 
of the vendors you mentioned below? Should they be shown somewhere?

The BSIMM download link requires registration. Does this become a lead for 
some company?


-Original Message-
From: Gary McGraw [mailto:g...@cigital.com] 
Sent: Thursday, February 04, 2010 2:18 PM
To: McGovern, James F. (P+C Technology); Secure Code Mailing List
Subject: Re: [SC-L] BSIMM update (informIT)

hi james,

I'm afraid you are completely wrong about this paragraph which you have 
completely fabricated.  Please check your facts.  This one borders on slander 
and I have no earthly idea why you believe what you said.

 Would BSIMM be a better approach if the audience wasn't so 
 self-selecting? At no time did it include corporations who use Ounce Labs or 
 Coverity or even other well-known security consultancies.

BSIMM covers many organizations who use Ounce, Appscan, SPI dev inspect, 
Coverity, Klocwork, Veracode, and a slew of consultancies including iSec, 
Aspect, Leviathan, Aitel, and so on.

gem


On 2/4/10 10:29 AM, McGovern, James F. (eBusiness) 
james.mcgov...@thehartford.com wrote:

When comparing BSIMM to SAMM are we suffering from the Mayberry Paradox? Did 
you know that Apple is more secure than Microsoft simply because there are more 
successful attacks on MS products? Of course, we should ignore the fact that 
the number of attackers doesn't prove that one product is more secure than 
another.

Whenever I bring in either vendors or consultancies to write about my 
organization, do I only publish the positives and only slip in a few negatives 
in order to maintain the façade of integrity? Would BSIMM be a better approach 
if the audience wasn't so self-selecting? At no time did it include 
corporations who use Ounce Labs or Coverity or even other well-known security 
consultancies.

OWASP on the other hand received feedback from folks such as myself on not the 
things that work, but on a ton of stuff that didn't work for us. This type of 
filtering provides more value in that it helps other organizations avoid 
repeating things that we didn't do so well without necessarily encouraging 
others to do it the McGovern way.

Corporations are dynamic entities and what won't work vs what will is highly 
contextual. I prefer a list of things that could possibly work over the effort 
to simply pull something off the shelf that another organization got to work 
with a lot of missing context. The best security decisions are made when you 
can provide an enterprise with choice in recommendations and I think SAMM in 
this regard does a better job than other approaches.


Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Arian J. Evans
Hola Gary, inline:


On Wed, Feb 3, 2010 at 12:05 PM, Gary McGraw g...@cigital.com wrote:

Strategic folks (VP, CxO) ...Initially ...ask for descriptive information, 
but once they get
going they need strategic prescriptions.

 Please see my response to Kevin.  I hope it's clear what the BSIMM is for.
  It's for measuring your initiative and comparing it to others.  Given some
 solid BSIMM data, I believe you can do a superior job with strategy...and
 results measurement.  It is a tool for strategic people to use to build an 
 initiative that works.


My response was regarding what people need today. I think BSIMM is too
much for most organizations' needs and interests.


Tactical folks tend to ask:
+ What should we fix first? (prescriptive)
+ What steps can I take to reduce XSS attack surface by 80%?

 The BSIMM is not for tactical folks.

That's too bad. Security is largely tactical, like it or not.


 But should you base your decision regarding what to fix first on goat 
sacrifice?
 What should drive that decision?  Moon phase?


It doesn't take much thinking to move beyond moon phase to pragmatic
things like:

+ What is being attacked? (the most | or | targeting you)
+ What do I have the most of?
+ What issues present the most risk of impact or loss?
+ etc.

Definitely doesn't take Feynman. Or moon phase melodrama.


 Implementation level folks ask:
+ What do I do about this specific attack/weakness?
+ How do I make my compensating control (WAF, IPS) block this specific attack?

 BSIMM != code review tool, top-n list, book, coding experience, ...

Sure. Again, I was sharing with folks on SC-L what people out in IRL
at what layers of an organization actually care about.


BSIMM is probably useful for government agencies, or some large
organizations. But the vast majority of clients I work with don't have
the time or need or ability to take advantage of BSIMM. Nor should
they. They don't need a software security group.

 Where to start.  All I can say about BSIMM so far is that is appears
 to be useful for 30 large commercial organizations carrying out real
 software security initiatives.


BSIMM might be useful. I don't think it's necessary. More power to
BSIMM though. I think everyone on SC-L would appreciate more good
data, and BSIMM certainly can collect some interesting data.


 But what about SMB (small to medium sized business)?

I don't deal a lot with SMB, but certainly they don't need BSIMM. They
might make use of the metrics (?) though I doubt it. They want, and
probably need, Top(n) lists and prescriptive guidance.


 Arian, who are your clients?

Mostly fortune-listed (100/500/2000, etc.), but including a broad
spectrum from small online startups to east coast financial
institutions. Mostly people who do business on the Internet, and care
about that business, and security (to try and put them all in a
singular bucket).


 How many developers do they have?

From a handful to thousands, to tens of thousands. Why?


  Who do you report to as a consultant?

I haven't done consulting in years.


  How do you help them make business decisions?

With Math, mostly, and pragmatic prioritization so they can move on
and focus on their business, and get security out of the way as much
as possible.


 Regarding the existence of an SSG, see this article
 http://www.informit.com/articles/article.aspx?p=1434903.
  Are your customers too small to have an SSG?  Are YOU the SSG?
  Are your customers not mature enough for an SSG?  Data would be great.

Not many organizations need an SSG today, unless they have a TON of
developers and are an ISV, or a SaaS version of an old-school ISV
(Salesforce.com).

I do think they benefit highly from a developer-turned-SSP. But I
don't think there are enough of those to go around. So the network and
widget security folks, and even the policy wanks, are going to
probably play a role in software security.


But, as should be no surprise, I categorically disagree with the
entire concluding paragraph of the article. Sadly it's just more faith
and magic from Gary's end. We all can do better than that.

 You guys and your personal attacks.  Yeesh.

Gary -- you've been a bit preachy and didactic lately; maybe Obama's
demagoguery has been inspiring you. So be prepared to duck. I'll
define my tomatoes below. Alternately you might consider ending your
articles with "Amen." :)


 I am pretty sure you meant the next to last paragraph

You are correct.


 As I have said before, the time has come to put away the bug parade boogeyman
 http://www.informit.com/articles/article.aspx?p=1248057,
 the top 25 tea leaves 
 http://www.informit.com/articles/article.aspx?p=1322398,
 black box web app goat sacrifice, and the occult reading of pen testing 
 entrails.
 It's science time.  And the more descriptive and data driven we are, the 
 better.

 Can you be more specific about your disagreements please?


Yes, I think, quite simply: that paragraph has a sign swinging over it
that says out to 

[SC-L] Thread is dead -- Re: BSIMM update (informIT)

2010-02-04 Thread Kenneth Van Wyk
OK, so this thread has heated up substantially and is on the verge of flare-up. 
So, I'm declaring the thread to be dead and expunging the extant queue.

If anyone has any civil and value-added points to add, feel free to submit 
them, of course.  As always, I encourage free and open debate here, so long as 
it remains civil and on topic.

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator





Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Benjamin Tomhave
<soapbox>While I can't disagree with this based on modern reality, I'm
increasingly hesitant to allow the conversation to bring in risk, since
it's almost complete garbage these days. Nobody really understands it,
nobody really does it very well (especially if we redact out financial
services and insurance - and even then, look what happened to Wall
Street risk models!), and more importantly, it's implemented so shoddily
that there's no real, reasonable way to actually demonstrate risk
remediation/reduction because talking about it means bringing in a whole
other range of discussions ("what is most important to the business?"
and "how are risk levels defined in business terms?" and "what role do
data and systems play in the business strategy?" and "how does data flow
into and out of the environment?" and so on). Anyway... the long-n-short
is this: let's stop fooling ourselves by pretending that risk has
anything to do with these conversations.</soapbox>

I think:
 - yes to prescriptive!
 - yes to legal/regulatory mandates!
 - caution: we need some sort of evolving maturity framework to which
the previous two points can be pegged!

cheers,

-ben

On 2/2/10 4:32 PM, Arian J. Evans wrote:
 100% agree with the first half of your response, Kevin. Here's what
 people ask and need:
 
 
 Strategic folks (VP, CxO) most frequently ask:
 
 + What do I do next? / What should we focus on next? (prescriptive)
 
 + How do we tell if we are reducing risk? (prescriptive guidance again)
 
 Initially they ask for descriptive information, but once they get
 going they need strategic prescriptions.
 
 
 Tactical folks tend to ask:
 
 + What should we fix first? (prescriptive)
 
 + What steps can I take to reduce XSS attack surface by 80%? (yes, a
 prescriptive blacklist can work here)
 
 
  Implementation level folks ask:
 
 + What do I do about this specific attack/weakness?
 
 + How do I make my compensating control (WAF, IPS) block this specific attack?
 
 etc.
 
 BSIMM is probably useful for government agencies, or some large
 organizations. But the vast majority of clients I work with don't have
 the time or need or ability to take advantage of BSIMM. Nor should
 they. They don't need a software security group.
 
 They need a clear-cut tree of prescriptive guidelines that work in a
 measurable fashion. I agree and strongly empathize with Gary on many
 premises of his article - including that not many folks have metrics,
 and tend to have more faith and magic.
 
 But, as should be no surprise, I categorically disagree with the
 entire concluding paragraph of the article. Sadly it's just more faith
 and magic from Gary's end. We all can do better than that.
 
 There are other ways to gather and measure useful metrics easily
 without BSIMM. Black Box and Pen Test metrics, and Top(n) List metrics
 are metrics, and highly useful metrics. And definitely better than no
 metrics.
 
 Pragmatically, I think Ralph Nader fits better than Feynman for this 
 discussion.
 
 Nader's Top(n) lists and Bug Parades earned us many safer-society
 (cars, water, etc.) features over the last five decades.
 
 Feynman didn't change much in terms of business SOP.
 
 Good day then,
 
 ---
 Arian Evans
 capitalist marksman. eats animals.
 
 
 
 On Tue, Feb 2, 2010 at 9:30 AM, Wall, Kevin kevin.w...@qwest.com wrote:
 On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:

 Among other things, David [Rice] and I discussed the difference between
 descriptive models like BSIMM and prescriptive models which purport to
 tell you what you should do.  I just wrote an article about that for
 informIT.  The title is

 Cargo Cult Computer Security: Why we need more description and less
 prescription.
 http://www.informit.com/articles/article.aspx?p=1562220

 First, let me say that I have been the team lead of a small Software
 Security Group (specifically, an Application Security team) at a
 large telecom company for the past 11 years, so I am writing this from
 an SSG practitioner's perspective.

 Second, let me say that I appreciate descriptive holistic approaches to
 security such as BSIMM and OWASP's OpenSAMM. I think they are much
 needed, though seldom heeded.

 Which brings me to my third point. In my 11 years of experience working
 on this SSG, it is very rare that application development teams are
 looking for a _descriptive_ approach. Almost always, they are
 looking for a _prescriptive_ one. They want specific solutions
 to specific problems, not some general formula to an approach that will
 make them more secure. To those application development teams, something
 like OWASP's ESAPI is much more valuable than something like BSIMM or
 OpenSAMM. In fact, I think you'll confirm that your BSIMM research would indicate that
 many companies' SSGs have developed their own proprietary security APIs
 for use by their application development teams. Therefore, to that end,
 I would not say we need less _prescriptive_ and more _descriptive_
 approaches. Both are useful and ideally 

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Mike Boberski
Fun article. To try to be equally pithy in my response: the article reads to
me like a high-tech, application security-specific form of McCarthyism.

To explain...

The amount of reinvention and discussion about the problems in this space is
spectacular.

If one has something to start from which one can then tailor for one's own
purposes, why wouldn't one do this? Does one need to discover SQL injection
on one's own before deciding to do some escaping?

It's crazy in my opinion to think that the majority of the planet has the
expertise let alone the bandwidth (Agile, anyone?) to thoughtfully research
and derive anything that results in a net effect of a targeted, measurable,
comparable level of security.

To all the good folks out there, here is some advice for free: don't start
from scratch, whether it's at the program level, the project level, or the
toolkit level. Use the top x lists to make sure whatever you're doing is up
to date with the latest best practices and technologies. On the subject of
tools and products specifically since the article veers there very
specifically: if you're looking to build or buy a product that provides
security functions, go look into CC. If you're looking at a cryptomodule, go
look into FIPS 140. If you're looking at an enterprise app, go look into
ASVS. If you need a toolkit that validates form input data strings in PHP
using a whitelist because you're trying to provide a first layer of defense
against XSS and SQLi, use BSIMM. Just kidding. Yes, use ESAPI in those
cases.

FWIW,

Best,

Mike


On Tue, Feb 2, 2010 at 4:32 PM, Arian J. Evans
arian.ev...@anachronic.comwrote:

 100% agree with the first half of your response, Kevin. Here's what
 people ask and need:


 Strategic folks (VP, CxO) most frequently ask:

 + What do I do next? / What should we focus on next? (prescriptive)

 + How do we tell if we are reducing risk? (prescriptive guidance again)

 Initially they ask for descriptive information, but once they get
 going they need strategic prescriptions.


 Tactical folks tend to ask:

 + What should we fix first? (prescriptive)

 + What steps can I take to reduce XSS attack surface by 80%? (yes, a
 prescriptive blacklist can work here)


  Implementation level folks ask:

 + What do I do about this specific attack/weakness?

 + How do I make my compensating control (WAF, IPS) block this specific
 attack?

 etc.

 BSIMM is probably useful for government agencies, or some large
 organizations. But the vast majority of clients I work with don't have
 the time or need or ability to take advantage of BSIMM. Nor should
 they. They don't need a software security group.

 They need a clear-cut tree of prescriptive guidelines that work in a
 measurable fashion. I agree and strongly empathize with Gary on many
 premises of his article - including that not many folks have metrics,
 and tend to have more faith and magic.

 But, as should be no surprise, I categorically disagree with the
 entire concluding paragraph of the article. Sadly it's just more faith
 and magic from Gary's end. We all can do better than that.

 There are other ways to gather and measure useful metrics easily
 without BSIMM. Black Box and Pen Test metrics, and Top(n) List metrics
 are metrics, and highly useful metrics. And definitely better than no
 metrics.

 Pragmatically, I think Ralph Nader fits better than Feynman for this
 discussion.

 Nader's Top(n) lists and Bug Parades earned us many safer-society
 (cars, water, etc.) features over the last five decades.

 Feynman didn't change much in terms of business SOP.

 Good day then,

 ---
 Arian Evans
 capitalist marksman. eats animals.



 On Tue, Feb 2, 2010 at 9:30 AM, Wall, Kevin kevin.w...@qwest.com wrote:
  On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:
 
  Among other things, David [Rice] and I discussed the difference between
  descriptive models like BSIMM and prescriptive models which purport to
  tell you what you should do.  I just wrote an article about that for
  informIT.  The title is
 
  Cargo Cult Computer Security: Why we need more description and less
  prescription.
  http://www.informit.com/articles/article.aspx?p=1562220
 
  First, let me say that I have been the team lead of a small Software
  Security Group (specifically, an Application Security team) at a
  large telecom company for the past 11 years, so I am writing this from
  an SSG practitioner's perspective.
 
  Second, let me say that I appreciate descriptive holistic approaches to
  security such as BSIMM and OWASP's OpenSAMM. I think they are much
  needed, though seldom heeded.
 
  Which brings me to my third point. In my 11 years of experience working
  on this SSG, it is very rare that application development teams are
  looking for a _descriptive_ approach. Almost always, they are
  looking for a _prescriptive_ one. They want specific solutions
  to specific problems, not some general formula to an approach that will
  make them more secure. To those 

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Mike Boberski
 But the vast majority of clients I work with don't have the time or need
or ability to take advantage of BSIMM

Mike's Top 5 Web Application Security Countermeasures:

1. Add a security guy or gal who has a software development background to
your application's software development team.

2. Turn SSL/TLS on for all connections (including both external and backend
connections) that are authenticated or that involve sensitive data or
functions.

3. Build an Enterprise Security API (a.k.a. an ESAPI, e.g. OWASP's several
different ESAPI toolkits) that is specific to your solution stack and
minimally provides input validation controls that use whitelists, output
encoding/escaping controls (optionally use parameterized interfaces for
SQL), and authentication controls. Build your ESAPI to target a specific
level of overall security when all of your security controls are viewed as a
whole (e.g. an OWASP Application Security Verification Standard (ASVS)
level).

4. Write a programming manual (i.e. a secure coding standard that is
specific to your solution stack that is organized by vulnerability type or
security requirement with before and after code snippets, e.g. a cookbook
that provides before and after code snippets and links to API documentation)
that contains step-by-step instructions for using your ESAPI to both
proactively guard against vulnerabilities, and to act as a quick reference
when the time comes to make fixes.

5. Gate releases of your ESAPI library (e.g. if it is being packaged in a
wrapper for subsequent use by other developers throughout the application)
with security functional tests that include sufficient negative test cases
to demonstrate the security controls are working using data that is specific
to your application. Gate releases of your application (ideally gate source
control checkins) with security-focused code reviews of all new or updated
application code produced during the release (looking out for where new or
updated security controls/security control configuration updates are
needed).

Mike


On Tue, Feb 2, 2010 at 7:23 PM, Steven M. Christey co...@linus.mitre.org wrote:


 On Tue, 2 Feb 2010, Arian J. Evans wrote:

  BSIMM is probably useful for government agencies, or some large
 organizations. But the vast majority of clients I work with don't have
 the time or need or ability to take advantage of BSIMM. Nor should
 they. They don't need a software security group.


 I'm looking forward to what BSIMM Basic discovers when talking to small and
 mid-size developers.  Many of the questions in the survey PDF assume that
 the respondent has at least thought of addressing software security, but not
 all questions assume the presence of an SSG, and there are even questions
 about the use of general top-n lists vs. customized top-n lists that may be
 informative.

 - Steve

 ___
 Secure Coding mailing list (SC-L) SC-L@securecoding.org
 List information, subscriptions, etc -
 http://krvw.com/mailman/listinfo/sc-l
 List charter available at - http://www.securecoding.org/list/charter.php
 SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
 as a free, non-commercial service to the software security community.
 ___

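The ESAPI controls and release gate from Mike's items 3 and 5 above, written out as an added example (not OWASP ESAPI's own code, nor Mike's): a whitelist input validator, an HTML output encoder, a parameterized SQL lookup, and the negative security functional tests that must all pass before the library ships. The field whitelists, the in-memory users table and the test inputs are constructed for the example.

```python
"""ESAPI-style security controls plus the release gate that tests them.
Added example for this thread; not OWASP ESAPI's own code. The field
whitelists, the users table and the test inputs are constructed here."""
import html
import re
import sqlite3


class ValidationError(ValueError):
    """Raised when input does not match the whitelist for its field type."""


# Whitelist per field type (constructed). fullmatch() below means the whole
# string must match; anything not explicitly allowed is rejected.
WHITELIST = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "zip": re.compile(r"[0-9]{5}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def get_valid_input(field: str, value: str, max_len: int = 256) -> str:
    """Input validation control: return `value` only if it is on the whitelist."""
    if not isinstance(value, str):
        raise ValidationError(f"{field}: not a string")
    if len(value) > max_len:
        raise ValidationError(f"{field}: longer than {max_len}")
    pattern = WHITELIST.get(field)
    if pattern is None:
        # No whitelist defined means there is no safe way to accept the input.
        raise ValidationError(f"{field}: no whitelist defined")
    if pattern.fullmatch(value) is None:
        raise ValidationError(f"{field}: does not match whitelist")
    return value


def encode_for_html(value: str) -> str:
    """Output encoding control for HTML body and quoted attribute contexts."""
    return html.escape(value, quote=True)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table used by the parameterized query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized interface: the driver binds `username` as data, never as SQL."""
    cur = conn.execute("SELECT id, username FROM users WHERE username = ?",
                       (username,))
    return cur.fetchall()


def _rejects(field: str, value: str) -> bool:
    """True when the validator refuses `value` for `field`."""
    try:
        get_valid_input(field, value)
    except ValidationError:
        return True
    return False


def run_release_gate() -> dict:
    """Security functional tests, including negative cases, as in item 5.
    Returns a mapping of test name to pass/fail so the gate can report
    exactly which control regressed."""
    results = {}
    # Positive cases: well-formed data passes the controls.
    results["accepts_valid_username"] = (
        get_valid_input("username", "alice_01") == "alice_01")
    results["accepts_valid_zip"] = get_valid_input("zip", "02139") == "02139"
    # Negative cases: data the whitelist must refuse.
    results["rejects_quote_and_sql"] = _rejects("username", "alice' OR '1'='1")
    results["rejects_markup"] = _rejects("username", "<script>")
    results["rejects_overlong"] = _rejects("username", "a" * 300)
    results["rejects_unknown_field"] = _rejects("comment", "hello")
    results["rejects_zip_with_letters"] = _rejects("zip", "0213O")
    # Output encoding: no raw markup or quote characters survive.
    encoded = encode_for_html('<b onmouseover="x">')
    results["encodes_markup"] = all(c not in encoded for c in "<>\"")
    # Parameterized query: a value containing SQL is treated as a literal.
    conn = build_demo_db()
    results["param_query_literal"] = find_user(conn, "' OR 1=1 --") == []
    results["param_query_match"] = find_user(conn, "alice") == [(1, "alice")]
    return results


def release_allowed(results: dict) -> bool:
    """Gate: ship the library only when every security test passed."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    gate = run_release_gate()
    for name, ok in gate.items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
    print("release allowed:", release_allowed(gate))
```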


Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Benjamin Tomhave
I challenge the validity of any risk assessment/rating approach in use
today in infosec circles, whether it be OWASP or FAIR or IAM/ISAM or
whatever. They are all fundamentally flawed in that they are based on
qualitative values that introduce subjectivity, and they lack the
historical data seen in the actuarial science to make the probability
estimates even remotely reasonable. FAIR tries to compensate for this by
using Bayesian statistics, but the qualitative-quantitative conversion
is still highly problematic.

On prescriptive... the problem is this: businesses will not spend money
unless they're required to do so. Security will never succeed without at
least an initial increased spend. It is exceedingly difficult to make a
well-understood business case for proper security measures and spend. I
think this is something you guys in insurance (you, Chris Hayes, etc.)
perhaps take for granted. The other businesses - especially SMBs - don't
even understand what we're talking about, and they certainly don't have
any interest in dropping a penny on security without seeing a direct
benefit.

Do I trust regulators to do things right? Of course not, but that's only
one possible fork. The other possible fork is relying on the courts to
finally catch-up such that case law can develop around defining
reasonable standard of care and then evolving it over time. In either
case, you need to set a definitive mark that says you must do THIS MUCH
or you will be negligent and held accountable. I hate standards like
PCI as much as the next guy because I hate being told how I should be
doing security, but in the short-to-mid-term it's the right approach
because it tells people the expectation for performance. If you never
set expectations for performance, then you shouldn't be disappointed
when people don't achieve them. The bottom line here is that we need to
get far more proactive in the regulatory space so that we can influence
sensible regulations that mandate change rather than relying on
businesses to do the right thing without understanding the underlying
business value.

Conceptually, I agree with the idealist approach, but in reality I don't
find that it works well at all. I've worked with a half-dozen or more
companies of varying size in the last couple years and NONE of them
understood risk, risk management, current security theory, or how the
implicit AND explicit value of security changes. It's just not intuitive
to most people, not the least of which because bad behaviors are
generally divorced from tangible consequences. Anyway... :)

I can go on forever on this topic... :)

-ben

On 2/3/10 10:06 AM, McGovern, James F. (eBusiness) wrote:
 While Wall Street's definition of risk collapsed, the insurance model of
 risk stood the test of time :-)
 
 Should we explore your question of how are risk levels defined in
 business terms more deeply or can we simply say that if you don't have
 your own industry-specific regulatory way of quantifying, a good
 starting point may be to leverage the OWASP Risk Rating system?
 
 I also would like to challenge and say NO to prescriptive. Security
 people are not Vice Presidents of the NO department. Instead we need to
 figure out how to align with other value systems (Think Agile
 Manifesto). We can be secure without being prescriptive. One example is
 to do business exercises such as Protection Poker.
 
 Finally, we shouldn't say yes to regulatory mandates as most of them are
 misses on the real risk at hand. The challenge here is that they always
 mandate process but never competency. If a regulation said that I should
 have someone with a fancy title overseeing a program, the business world
 would immediately fill the slot with some non-technical resource who is
 really good at PowerPoint but nothing else. In other words a figurehead.
 Likewise, while regulations cause people to do things that they should
 be doing independently, it has a negative side effect on our economy by
 causing folks to spend money in non-strategic ways.
 
 -Original Message-
 From: sc-l-boun...@securecoding.org
 [mailto:sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave
 Sent: Tuesday, February 02, 2010 10:19 PM
 To: Arian J. Evans
 Cc: Secure Code Mailing List
 Subject: Re: [SC-L] BSIMM update (informIT)
 
 <soapbox>While I can't disagree with this based on modern reality, I'm
 increasingly hesitant to allow the conversation to bring in risk, since
 it's almost complete garbage these days. Nobody really understands it,
 nobody really does it very well (especially if we redact out financial
 services and insurance - and even then, look what happened to Wall
 Street risk models!), and more importantly, it's implemented so shoddily
 that there's no real, reasonable way to actually demonstrate risk
 remediation/reduction because talking about it means bringing in a whole
 other range of discussions (what is most important to the business?
 and how are risk levels defined in business terms? 

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread McGovern, James F. (eBusiness)
OK, being the insurance enterprisey security guy I think you may be onto
something. One of the many reasons why actuarial science can work in
insurance is the fact that there is a lot more public data than in IT
security. If you smash your car into a wall, your chosen carrier doesn't
just pay the claim. This information is shared in what we refer to as
the CLUE database. Other carriers should you decide to switch carriers
will also know the characteristics of your loss. 

CLUE works because folks have figured out that sharing of negative
information can benefit the business. Likewise, CLUE did enough homework
to figure out the right taxonomy and metadata in order to make it
happen. Have security professionals ever figured out how to turn
something bad into something good for the same organization? Have
security professionals ever figured out even how to describe a security
event in a consistent enough way such that actuarial type calculations
could occur...

FYI. Clue is successful and isn't done for regulatory reasons. It is
done for sound business practice. The same model we should operate
within...

-Original Message-
From: Benjamin Tomhave [mailto:list-s...@secureconsulting.net] 
Sent: Wednesday, February 03, 2010 11:07 AM
To: McGovern, James F. (P+C Technology)
Cc: Secure Code Mailing List
Subject: Re: [SC-L] BSIMM update (informIT)

I challenge the validity of any risk assessment/rating approach in use
today in infosec circles, whether it be OWASP or FAIR or IAM/ISAM or
whatever. They are all fundamentally flawed in that they are based on
qualitative values that introduce subjectivity, and they lack the
historical data seen in the actuarial science to make the probability
estimates even remotely reasonable. FAIR tries to compensate for this by
using Bayesian statistics, but the qualitative-quantitative conversion
is still highly problematic.

On prescriptive... the problem is this: businesses will not spend money
unless they're required to do so. Security will never succeed without at
least an initial increased spend. It is exceedingly difficult to make a
well-understood business case for proper security measures and spend. I
think this is something you guys in insurance (you, Chris Hayes, etc.)
perhaps take for granted. The other businesses - especially SMBs - don't
even understand what we're talking about, and they certainly don't have
any interest in dropping a penny on security without seeing a direct
benefit.

Do I trust regulators to do things right? Of course not, but that's only
one possible fork. The other possible fork is relying on the courts to
finally catch-up such that case law can develop around defining
reasonable standard of care and then evolving it over time. In either
case, you need to set a definitive mark that says you must do THIS MUCH
or you will be negligent and held accountable. I hate standards like
PCI as much as the next guy because I hate being told how I should be
doing security, but in the short-to-mid-term it's the right approach
because it tells people the expectation for performance. If you never
set expectations for performance, then you shouldn't be disappointed
when people don't achieve them. The bottom line here is that we need to
get far more proactive in the regulatory space so that we can influence
sensible regulations that mandate change rather than relying on
businesses to do the right thing without understanding the underlying
business value.

Conceptually, I agree with the idealist approach, but in reality I don't
find that it works well at all. I've worked with a half-dozen or more
companies of varying size in the last couple years and NONE of them
understood risk, risk management, current security theory, or how the
implicit AND explicit value of security changes. It's just not intuitive
to most people, not the least of which because bad behaviors are
generally divorced from tangible consequences. Anyway... :)

I can go on forever on this topic... :)

-ben

On 2/3/10 10:06 AM, McGovern, James F. (eBusiness) wrote:
 While Wall Street's definition of risk collapsed, the insurance model 
 of risk stood the test of time :-)
 
 Should we explore your question of how are risk levels defined in 
 business terms more deeply or can we simply say that if you don't 
 have your own industry-specific regulatory way of quantifying, a good 
 starting point may be to leverage the OWASP Risk Rating system?
 
 I also would like to challenge and say NO to prescriptive. Security 
 people are not Vice Presidents of the NO department. Instead we need 
 to figure out how to align with other value systems (Think Agile 
 Manifesto). We can be secure without being prescriptive. One example 
 is to do business exercises such as Protection Poker.
 
 Finally, we shouldn't say yes to regulatory mandates as most of them 
 are misses on the real risk at hand. The challenge here is that they 
 always mandate process but never competency. If a regulation said that
 I should have 

[SC-L] NIST SP 800-37

2010-02-03 Thread McGovern, James F. (eBusiness)
NIST has created a draft document entitled: Guide for applying risk
management framework to federal information systems: a security
lifecycle approach. Curious to know if anyone has identified gaps,
differences in opinion, etc between NIST and how either SAMM or BSIMM
would define the same?




Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Kenneth Van Wyk
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote:
 Among other things, David and I discussed the difference between descriptive 
 models like BSIMM and prescriptive models which purport to tell you what you 
 should do. 

Thought I'd chime in on this a bit, FWIW...  From my perspective, I welcome 
BSIMM and I welcome SAMM.  I don't see it in the least as a one or the other 
debate.

A decade(ish) since the first texts on various aspects of software security 
started appearing, it's great to have a BSIMM that surveys some of the largest 
software groups on the planet to see what they're doing.  What actually works.  
That's fabulously useful.  On the other hand, it is possible that ten thousand 
lemmings can be wrong.  Following the herd isn't always what's best.

SAMM, by contrast, was written by some bright, motivated folks, and provides us 
all with a set of targets to aspire to.  Some will work, and some won't, 
without a doubt.

To me, both models are useful as guide posts to help a software group--an SSG 
if you will--decide what practices will work best in their enterprise.

But as useful as both SAMM and BSIMM are, I think we're all fooling ourselves 
if we consider these to be standards or even maturity models.  Any other 
engineering discipline on the planet would laugh us all out of the room by the 
mere suggestion.  There's value to them, don't get me wrong.  But we're still 
in the larval mode of building an engineering discipline here folks.  After 
all, as a species, we didn't start (successfully) building bridges in a decade.

For now, my suggestion is to read up, try things that seem reasonable, and 
build a set of practices that work for _you_.  

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com





Re: [SC-L] NIST SP 800-37

2010-02-03 Thread Benjamin Tomhave
800-37 has been in release for a while, providing the basis for the C&A
process. My understanding is that C&A is evolving (and going the way of
the dinosaur) very soon as NIST works with CNSS/JTF on the next big
thing. I'm blanking on the rest of the details (not my space), but
pinging Mike Smith (@rybolov) or Dan Philpott (@danphilpott) on Twitter
would likely be a good starting point.

On 2/3/10 1:12 PM, McGovern, James F. (eBusiness) wrote:
 NIST has created a draft document entitled: Guide for applying risk 
 management framework to federal information systems: a security 
 lifecycle approach. Curious to know if anyone has identified gaps, 
 differences in opinion, etc between NIST and how either SAMM or
 BSIMM would define the same?
 

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Opportunity is missed by most people because it is dressed in overalls
and looks like work.
Thomas A. Edison


Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
hi kevin (and sc-l),

Sorry for the delay responding to this.  I was skiing yesterday with my son Eli 
and just flew across the country for the SANS summit this morning (leaving 
behind 6 inches of new snow in VA).  Anyway, better late than never.

I'll interleave responses below.

On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:
 Cargo Cult Computer Security: Why we need more description and less
 prescription.  http://www.informit.com/articles/article.aspx?p=1562220

  On 2/2/10 12:30 PM, Wall, Kevin kevin.w...@qwest.com wrote:
In my 11 years of experience working
on this SSG, it is very rare that application development teams are
looking for a _descriptive_ approach. Almost always, they are
looking for a _prescriptive_ one. They want specific solutions
to specific problems, not some general formula to an approach that will
  make them more secure.

Absolutely.  I think as an SSG lead in a particular company environment you 
must have a prescriptive approach but that the approach you develop will be 
better if informed by data from a descriptive model like BSIMM.  (For the 
record, I see SAMM as a prescriptive model that tells you often in great detail 
what your initiative should be doing without knowing one whit about how your 
organization ticks.)   If you read the article carefully, there are two 
paragraphs that together should make this clear.

Here's the first:
Prescriptive models purport to tell you what you should do.  Promulgators of 
such models say things more like, the model is chocked full of value 
judgements [sic] about what organizations SHOULD be doing.   That's just 
dandy, as long as any prescriptive model only became prescriptive over time 
based on sufficient observation and testing.

And here's the second:
Also worthy of mention in this section is the one size fits all problem that 
many prescriptive models suffer from.  The fact is, nobody knows your 
organizational culture like you do. A descriptive comparison allows you to 
gather descriptive data and adapt good ideas from others while taking your 
culture into account.

BSIMM is meant to be a tool for the people running an SSG (and for that 
matter, strategizing about a company's software security initiative).  The 
article is really about the differences between BSIMM and SAMM than anything 
else.  It's not really about the difference between BSIMM and ESAPI.  BSIMM and 
things like ESAPI fit together.

Both are useful and ideally should go together like hand and glove.

Exactly right.

I suspect that this apparent dichotomy in our perception of the
usefulness of the prescriptive vs. descriptive approaches is explained
in part by the different audiences with whom we associate.

Agreed.  See above.   BSIMM is a tool for executives to help build, measure, 
and maintain a software security initiative.

If our SSG were to hand them something like
BSIMM, they would come away telling their management that we didn't help
them at all.

Please do NOT even think about handing the BSIMM to developers as a solution!  
The BSIMM is a yardstick for an initiative, and it's meant for a guy like you.  
The notion is to measure your own initiative and most importantly of all 
compare your initiative to your peers.

This brings me to my fourth, and likely most controversial point. Despite
the interesting historical story about Feynman, I question whether BSIMM
is really scientific as the BSIMM community claims. I would contend
that we are only fooling ourselves if we claim otherwise.

I think this is a valid criticism.  The only thing that makes BSIMM more 
scientific than other methodologies like the Touchpoints, SDL, CLASP, or SAMM, 
is that the BSIMM uses real data and real measurement.  However the measurement 
technique is certainly not foolproof.  (Incidentally, I state that view pretty 
clearly in the article...computer science, and other fields with science in 
their name are usually not.)

While I am certainly not privy to the exact method used to arrive at the
BSIMM data (I have read through the BSIMM Begin survey, but have not
been involved in a full BSIMM assessment), I would contend that the
process is not repeatable to the necessary degree required by science.

This criticism holds some water, but you are shooting from the hip and it is 
pretty clear that you have not read the BSIMM itself.   That, and the first 
article we wrote about the BSIMM explain our methods pretty clearly. Please 
read those two things and let's continue this line of questioning.

I challenge [the BSIMM team] to put forth additional information explaining 
their data collection
process and in particular, describing how it avoids unintentional bias. (E.g., 
Are assessment participants chosen at random? By whom?  How do you know you 
have a representative sample of
a company? Etc.)

This is pretty clearly explained in the BSIMM itself.

In my opinion, comparison of observations from two companies is not
worth the paper that 

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
hi mike,

On 2/2/10 9:28 PM, Mike Boberski mike.bober...@gmail.com wrote:
Fun article. To try to be equally pithy in my response: the article reads to 
me like a high-tech, application security-specific form of McCarthyism.

As a die hard liberal, I take offense to the McCarthy comment (hah).  Anyway 
some interleaved thoughts...sorry for the delay...etc and so on.

The amount of reinvention and discussion about the problems in this space is 
spectacular.  If one has something to start from which one can then tailor 
for one's own purposes, why wouldn't one do this? Does one need to discover 
SQL injection on one's own before deciding to do some escaping?

I am with you on this.

It's crazy in my opinion to think that the majority of the planet has the 
expertise let alone the bandwidth (Agile, anyone?) to thoughtfully research 
and derive anything that results in a net effect of a targeted, measurable, 
comparable level of security.

Who is arguing that?  Is this supposed to be some straw man for the BSIMM?  I'm 
lost.  What the heck are you talking about?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On Tue, Feb 2, 2010 at 4:32 PM, Arian J. Evans arian.ev...@anachronic.com 
wrote:
100% agree with the first half of your response, Kevin. Here's what
people ask and need:


Strategic folks (VP, CxO) most frequently ask:

+ What do I do next? / What should we focus on next? (prescriptive)

+ How do we tell if we are reducing risk? (prescriptive guidance again)

Initially they ask for descriptive information, but once they get
going they need strategic prescriptions.


Tactical folks tend to ask:

+ What should we fix first? (prescriptive)

+ What steps can I take to reduce XSS attack surface by 80%? (yes, a
prescriptive blacklist can work here)


 Implementation level folks ask:

+ What do I do about this specific attack/weakness?

+ How do I make my compensating control (WAF, IPS) block this specific attack?

etc.

BSIMM is probably useful for government agencies, or some large
organizations. But the vast majority of clients I work with don't have
the time or need or ability to take advantage of BSIMM. Nor should
they. They don't need a software security group.

They need a clear-cut tree of prescriptive guidelines that work in a
measurable fashion. I agree and strongly empathize with Gary on many
premises of his article - including that not many folks have metrics,
and tend to have more faith and magic.

But, as should be no surprise, I categorically disagree with the
entire concluding paragraph of the article. Sadly it's just more faith
and magic from Gary's end. We all can do better than that.

There are other ways to gather and measure useful metrics easily
without BSIMM. Black Box and Pen Test metrics, and Top(n) List metrics
are metrics, and highly useful metrics. And definitely better than no
metrics.

Pragmatically, I think Ralph Nader fits better than Feynman for this discussion.

Nader's Top(n) lists and Bug Parades earned us many safer-society
(cars, water, etc.) features over the last five decades.

Feynman didn't change much in terms of business SOP.

Good day then,

---
Arian Evans
capitalist marksman. eats animals.



On Tue, Feb 2, 2010 at 9:30 AM, Wall, Kevin kevin.w...@qwest.com wrote:
 On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:

 Among other things, David [Rice] and I discussed the difference between
 descriptive models like BSIMM and prescriptive models which purport to
 tell you what you should do.  I just wrote an article about that for
 informIT.  The title is

 Cargo Cult Computer Security: Why we need more description and less
 prescription.
 http://www.informit.com/articles/article.aspx?p=1562220

 First, let me say that I have been the team lead of a small Software
 Security Group (specifically, an Application Security team) at a
 large telecom company for the past 11 years, so I am writing this from
 an SSG practitioner's perspective.

 Second, let me say that I appreciate descriptive holistic approaches to
 security such as BSIMM and OWASP's OpenSAMM. I think they are much
 needed, though seldom heeded.

 Which brings me to my third point. In my 11 years of experience working
 on this SSG, it is very rare that application development teams are
 looking for a _descriptive_ approach. Almost always, they are
 looking for a _prescriptive_ one. They want specific solutions
 to specific problems, not some general formula to an approach that will
 make them more secure. To those application development teams, something
 like OWASP's ESAPI is much more valuable than something like BSIMM or
 OpenSAMM. In fact, I think you can confirm that your BSIMM research would indicate that
 many companies' SSGs have developed their own proprietary security APIs
 for use by their application development teams. Therefore, to that end,
 I would not say we need less _prescriptive_ and more _descriptive_
 approaches. Both are 

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi again Mike,

Yadda yadda, delay, and so on...

On 2/2/10 9:30 PM, Mike Boberski mike.bober...@gmail.com wrote:
somebody else said But the vast majority of clients I work with don't have 
the time or need or ability to take advantage of BSIMM

 Mike's Top 5 Web Application Security Countermeasures:
1. Add a security guy or gal who has a software development background to 
your application's software development team.

Dang, this would have saved Microsoft lots of money.  With 30,000 developers 
that security gal would have been pretty busy though.

3. Build an Enterprise Security API (a.k.a. an ESAPI, e.g. OWASP's several 
different ESAPI toolkits) that is specific to your solution stack and 
minimally provides input validation controls that use whitelists, output 
encoding/escaping controls (optionally use parameterized interfaces for 
SQL), and authentication controls. Build your ESAPI to target a specific 
level of overall security when all of your security controls are viewed as 
a whole (e.g. an OWASP Application Security Verification Standard (ASVS) 
level).

Why do you believe that an ESAPI (which is a good idea) is the best place to 
start?  Why not training?  Why not pen testing by Mike?  Etc.  This was not 
job 1 in any firm I have been involved with.

4. Write a programming manual (i.e. a secure coding standard that is specific 
to your solution stack that is organized by vulnerability type or security 
requirement with before and after code snippets, e.g. a cookbook that 
provides before and after code snippets and links to API documentation) that 
contains step-by-step instructions for using your ESAPI to both proactively 
guard against vulnerabilities, and to act as a quick reference when the 
time comes to make fixes.

Again.  How does this fit into a bigger picture?  The notion of code guidelines 
is a good one.  See [CR2.1] in the BSIMM which 11 of 30 companies we observed 
carry out.  This was not job 2 in any case I am aware of.  How about tying 
such guidance to code review technology.  We've helped multiple clients do that.

How many customers have followed Mike's Way?  What are their results?  How do 
the Mike's Way customers score with the BSIMM?

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On Tue, Feb 2, 2010 at 7:23 PM, Steven M. Christey co...@linus.mitre.org 
wrote:

On Tue, 2 Feb 2010, Arian J. Evans wrote:

BSIMM is probably useful for government agencies, or some large
organizations. But the vast majority of clients I work with don't have
the time or need or ability to take advantage of BSIMM. Nor should
they. They don't need a software security group.

I'm looking forward to what BSIMM Basic discovers when talking to small and 
mid-size developers.  Many of the questions in the survey PDF assume that the 
respondent has at least thought of addressing software security, but not all 
questions assume the presence of an SSG, and there are even questions about the 
use of general top-n lists vs. customized top-n lists that may be informative.

- Steve

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___
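Items 3 and 4 of Mike's list above describe a stack-specific security API (whitelist input validation, output encoding, parameterized SQL) and a cookbook of before/after snippets for using it. The following is an added example of what that minimal API looks like for a Python stack; it is not code from this thread and not OWASP ESAPI itself, though the get_valid_input/encode_for_html naming mirrors the ESAPI style. The input types in INPUT_PATTERNS, the users table and its rows are constructed for the example.

```python
"""Minimal stack-specific security API: whitelist validation, output
encoding and parameterized SQL.  Constructed example, not OWASP ESAPI."""
import html
import re
import sqlite3
from typing import Optional

# Whitelist patterns, one per input type the application accepts.
# Anything that does not match is rejected; there is no blacklist to maintain.
# (Constructed set; a real API would carry one entry per field type in the stack.)
INPUT_PATTERNS = {
    "username": re.compile(r"[A-Za-z0-9_]{3,32}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "zipcode": re.compile(r"[0-9]{5}(-[0-9]{4})?"),
}


class ValidationException(ValueError):
    """Raised when an input does not match the whitelist for its type."""


def get_valid_input(context: str, value: Optional[str], type_name: str,
                    max_length: int, allow_null: bool = False) -> Optional[str]:
    """Return value unchanged if it is whitelisted for type_name, else raise.

    context names the field for log and error messages, so every rejection
    says which input failed and why."""
    if value is None or value == "":
        if allow_null:
            return None
        raise ValidationException(f"{context}: value is required")
    if len(value) > max_length:
        raise ValidationException(f"{context}: longer than {max_length} chars")
    pattern = INPUT_PATTERNS.get(type_name)
    if pattern is None:
        raise ValidationException(f"{context}: unknown input type {type_name!r}")
    if not pattern.fullmatch(value):
        raise ValidationException(f"{context}: not a valid {type_name}")
    return value


def is_valid_input(context: str, value: Optional[str], type_name: str,
                   max_length: int, allow_null: bool = False) -> bool:
    """Boolean convenience wrapper around get_valid_input."""
    try:
        get_valid_input(context, value, type_name, max_length, allow_null)
        return True
    except ValidationException:
        return False


def encode_for_html(untrusted: str) -> str:
    """Output encoding for HTML text and quoted-attribute contexts."""
    return html.escape(untrusted, quote=True)


def open_user_store() -> sqlite3.Connection:
    """In-memory store seeded with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "Alice <Admin>"), ("bob", "Bob")])
    conn.commit()
    return conn


def find_display_name(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """Parameterized lookup: username is bound as data, never spliced into SQL."""
    row = conn.execute("SELECT display_name FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None


def render_greeting(conn: sqlite3.Connection, raw_username: str) -> str:
    """The 'after' snippet for the cookbook: validate on the way in,
    parameterize the query, encode on the way out."""
    username = get_valid_input("greeting.username", raw_username, "username", 32)
    display = find_display_name(conn, username)
    if display is None:
        return "<p>Unknown user</p>"
    return f"<p>Hello, {encode_for_html(display)}</p>"


if __name__ == "__main__":
    store = open_user_store()
    print(render_greeting(store, "alice"))
    print(find_display_name(store, "' OR 1=1 --"))   # bound parameter: no row, no injection
    print(is_valid_input("form.username", "<script>", "username", 32))
```

The three controls are independent on purpose: validation rejects input that is not in the expected shape, the bound parameter keeps whatever reaches the database from being interpreted as SQL, and encoding at the output sink protects the page even when stored data (here "Alice <Admin>") contains markup. A coding standard of the kind item 4 describes would pair each sink in the stack with the encoder to call there.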





Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi Steve (and sc-l),

I'll invoke my skiing with Eli excuse again on this thread as well...

On Tue, 2 Feb 2010, Wall, Kevin wrote:
 To study something scientifically goes _beyond_ simply gathering
 observable and measurable evidence. Not only does data need to be
 collected, but it also needs to be tested against a hypothesis that offers
 a tentative *explanation* of the observed phenomena;
 i.e., the hypothesis should offer some predictive value.

On 2/2/10 4:12 PM, Steven M. Christey co...@linus.mitre.org wrote:
I believe that the cross-industry efforts like BSIMM, ESAPI, top-n lists,
SAMATE, etc. are largely at the beginning of the data collection phase.

I agree 100%.  It's high time we gathered some data to back up our claims.  I 
would love to see the top-n lists do more with data.

Here's an example.  In the BSIMM, 10 of 30 firms have built top-N bug lists 
based on their own data culled from their own code.  I would love to see how 
those top-n lists compare to the OWASP top ten or the CWE-25.  I would also 
love to see whether the union of these lists is even remotely interesting.  One 
of my (many) worries about top-n lists that are NOT bound to a particular code 
base is that the lists are so generic as to be useless and maybe even unhelpful 
if adopted wholesale without understanding what's actually going on in a 
codebase. [see http://www.informit.com/articles/article.aspx?p=1322398].

Note for the record that asking lots of people what they think should be in 
the top-10 is not quite the same as taking the union of particular top-n lists 
which are tied to particular code bases.  Popularity contests are not the kind 
of data we should count on.  But maybe we'll make some progress on that one day.

Ultimately, I would love to see the kind of linkage between the collected
data (evidence) and some larger goal (higher security whatever THAT
means in quantitative terms) but if it's out there, I don't see it

Neither do I, and that is a serious issue with models like the BSIMM that 
measure second order effects like activities.  Do the activities actually do 
any good?  Important question!

The 2010 OWASP Top 10 RC1 is more data-driven than previous versions; same
with the 2010 Top 25 (whose release has been delayed to Feb 16, btw).
Unlike last year's Top 25 effort, this time I received several sources of
raw prevalence data, but unfortunately it wasn't in sufficiently
consumable form to combine.

I was with you up until that last part.  Combining the prevalence data is 
something you guys should definitely do.  BTW, how is the 2010 CWE-25 (which 
doesn't yet exist) more data driven??

I for one am pretty satisfied with the rate at which things are
progressing and am delighted to see that we're finally getting some raw
data, as good (or as bad) as it may be.  The data collection process,
source data, metrics, and conclusions associated with the 2010 Top 25 will
probably be controversial, but at least there's some data to argue about.

Cool!

So in that sense, I see Gary's article not so much as a clarion call for
action to a reluctant and primitive industry, but an early announcement of
a shift that is already underway.

Well put.

gem

company www.cigital.com
podcast www.cigital.com/~gem
blog www.cigital.com/justiceleague
book www.swsec.com




Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi Arian,

Some more particulars regarding your posting.  Sorry for the delay...

On 2/2/10 4:32 PM, Arian J. Evans arian.ev...@anachronic.com wrote:
Strategic folks (VP, CxO) ...Initially ...ask for descriptive information, but 
once they get
going they need strategic prescriptions.

Please see my response to Kevin.  I hope it's clear what the BSIMM is for.  
It's for measuring your initiative and comparing it to others.  Given some 
solid BSIMM data, I believe you can do a superior job with strategy...and 
results measurement.  It is a tool for strategic people to use to build an 
initiative that works.

Tactical folks tend to ask:
+ What should we fix first? (prescriptive)
+ What steps can I take to reduce XSS attack surface by 80%?

The BSIMM is not for tactical folks.  But should you base your decision 
regarding what to fix first on goat sacrifice?  What should drive that 
decision?  Moon phase?

 Implementation level folks ask:
+ What do I do about this specific attack/weakness?
+ How do I make my compensating control (WAF, IPS) block this specific attack?

BSIMM != code review tool, top-n list, book, coding experience, ...

BSIMM is probably useful for government agencies, or some large
organizations. But the vast majority of clients I work with don't have
the time or need or ability to take advantage of BSIMM. Nor should
they. They don't need a software security group.

Where to start.  All I can say about BSIMM so far is that it appears to be 
useful for 30 large commercial organizations carrying out real software 
security initiatives.  We have studied 0 (count 'em...none) government 
organizations to date.  In my experience, the government is always lagging when 
it comes to software security.  I'm hoping to gather some government data 
forthwith, starting with the US Air Force.  We shall see.

But what about SMB (small to medium sized business)?  Arian, who are your 
clients?  How many developers do they have?  Who do you report to as a 
consultant?  How do you help them make business decisions?

Regarding the existence of an SSG, see this article 
http://www.informit.com/articles/article.aspx?p=1434903.  Are your customers 
too small to have an SSG?  Are YOU the SSG?  Are your customers not mature 
enough for an SSG?  Data would be great.

I agree and strongly empathize with Gary on many
premises of his article - including that not many folks have metrics,
and tend to have more faith and magic.

Sadly I think we're stuck with second order metrics like the BSIMM.  Heck, we 
even studied the metrics that real initiatives use in the BSIMM (bugs per 
square inch anyone?), but you know what?  Everyone has different metrics.  
Really.

But, as should be no surprise, I categorically disagree with the
entire concluding paragraph of the article. Sadly it's just more faith
and magic from Gary's end. We all can do better than that.

You guys and your personal attacks.  Yeesh.  I am pretty sure you meant the 
next to last paragraph, because Feynman wrote the entire last one.  Here is 
the next to last one:

As I have said before, the time has come to put away the bug parade boogeyman 
http://www.informit.com/articles/article.aspx?p=1248057, the top 25 tea 
leaves http://www.informit.com/articles/article.aspx?p=1322398, black box web 
app goat sacrifice, and the occult reading of pen testing entrails. It's 
science time.  And the more descriptive and data driven we are, the better.

Can you be more specific about your disagreements please?  Did you read 
articles at the end of the pointers?  Where am I wrong?  Better yet, why?

We'll just ignore the Nader & Feynman stuff.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


On Tue, Feb 2, 2010 at 9:30 AM, Wall, Kevin kevin.w...@qwest.com wrote:
 On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:

 Among other things, David [Rice] and I discussed the difference between
 descriptive models like BSIMM and prescriptive models which purport to
 tell you what you should do.  I just wrote an article about that for
 informIT.  The title is

 Cargo Cult Computer Security: Why we need more description and less
 prescription.
 http://www.informit.com/articles/article.aspx?p=1562220

 First, let me say that I have been the team lead of a small Software
 Security Group (specifically, an Application Security team) at a
 large telecom company for the past 11 years, so I am writing this from
 an SSG practitioner's perspective.

 Second, let me say that I appreciate descriptive holistic approaches to
 security such as BSIMM and OWASP's OpenSAMM. I think they are much
 needed, though seldom heeded.

 Which brings me to my third point. In my 11 years of experience working
 on this SSG, it is very rare that application development teams are
 looking for a _descriptive_ approach. Almost always, they are
 looking for a _prescriptive_ one. They want specific solutions
 to specific problems, not some 

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Wall, Kevin
On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:

 Among other things, David [Rice] and I discussed the difference between
 descriptive models like BSIMM and prescriptive models which purport to
 tell you what you should do.  I just wrote an article about that for
 informIT.  The title is

 Cargo Cult Computer Security: Why we need more description and less
 prescription.
 http://www.informit.com/articles/article.aspx?p=1562220

First, let me say that I have been the team lead of a small Software
Security Group (specifically, an Application Security team) at a
large telecom company for the past 11 years, so I am writing this from
an SSG practitioner's perspective.

Second, let me say that I appreciate descriptive holistic approaches to
security such as BSIMM and OWASP's OpenSAMM. I think they are much
needed, though seldom heeded.

Which brings me to my third point. In my 11 years of experience working
on this SSG, it is very rare that application development teams are
looking for a _descriptive_ approach. Almost always, they are
looking for a _prescriptive_ one. They want specific solutions
to specific problems, not some general formula to an approach that will
make them more secure. To those application development teams, something
like OWASP's ESAPI is much more valuable than something like BSIMM or
OpenSAMM. In fact, I think you can confirm that your BSIMM research would indicate that
many companies' SSGs have developed their own proprietary security APIs
for use by their application development teams. Therefore, to that end,
I would not say we need less _prescriptive_ and more _descriptive_
approaches. Both are useful and ideally should go together like hand and
glove. (To that end, I also ask that you overlook some of my somewhat
overzealous ESAPI developer colleagues who in the past made claims that
ESAPI was the greatest thing since sliced beer. While I am an ardent
ESAPI supporter and contributor, I proclaim it will *NOT* solve our pandemic
security issues alone, nor for the record will it solve world hunger. ;-)

I suspect that this apparent dichotomy in our perception of the
usefulness of the prescriptive vs. descriptive approaches is explained
in part by the different audiences with whom we associate. Hang out with
VPs, CSOs, and executive directors and they likely are looking for advice on
an SSDLC or broad direction to cover their specifically identified
security gaps. However, in the trenches--where my team works--they want
specifics. They ask us "How can you help us to eliminate our specific
XSS or CSRF issues?", "Can you provide us with a secure SSO solution
that is compliant with both corporate information security policies and
regulatory compliance?", etc. If our SSG were to hand them something like
BSIMM, they would come away telling their management that we didn't help
them at all.

This brings me to my fourth, and likely most controversial point. Despite
the interesting historical story about Feynman, I question whether BSIMM
is really scientific as the BSIMM community claims. I would contend
that we are only fooling ourselves if we claim otherwise. And while
BSIMM is a refreshing approach opposed to the traditional FUD modus
operandi taken by most security vendors hyping their security products,
I would argue that BSIMM is no more scientific than those
who gather common quality metrics of counting defects/KLOC. Certainly
there is some correlation there, but cause and effect relationships
are far from obvious and seem to have little predictive accuracy.

Sure, BSIMM _looks_ scientific on the outside, but simply collecting
specific quantifiable data alone does not make something a scientific
endeavor.  Yes, it is a start, but we've been collecting quantifiable
data for decades on things like software defects and I would contend
BSIMM is no more scientific than those efforts. Is BSIMM moving in
the right direction? I think so. But BSIMM is no more scientific
than most of the other areas of computer science.

To study something scientifically goes _beyond_ simply gathering
observable and measurable evidence. Not only does data need to be
collected, but it also needs to be tested against a hypothesis that offers
a tentative *explanation* of the observed phenomena;
i.e., the hypothesis should offer some predictive value. Furthermore,
the steps of the experiment must be _repeatable_, not just by
those currently involved in the attempted scientific endeavor, but by
*anyone* who would care to repeat the experiment. If the
steps are not repeatable, then any predictive value of the study is lost.

While I am certainly not privy to the exact method used to arrive at the
BSIMM data (I have read through the BSIMM Begin survey, but have not
been involved in a full BSIMM assessment), I would contend that the
process is not repeatable to the necessary degree required by science.
In fact, I would claim in most organizations, you could take any group
of BSIMM interviewers and have them question different 

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Steven M. Christey


On Tue, 2 Feb 2010, Wall, Kevin wrote:


To study something scientifically goes _beyond_ simply gathering
observable and measurable evidence. Not only does data need to be
collected, but it also needs to be tested against a hypothesis that offers
a tentative *explanation* of the observed phenomena;
i.e., the hypothesis should offer some predictive value. Furthermore,
the steps of the experiment must be _repeatable_, not just by
those currently involved in the attempted scientific endeavor, but by
*anyone* who would care to repeat the experiment. If the
steps are not repeatable, then any predictive value of the study is lost.


I believe that the cross-industry efforts like BSIMM, ESAPI, top-n lists, 
SAMATE, etc. are largely at the beginning of the data collection phase. 
It shouldn't be much of a surprise that many companies participate in 
two or more of these efforts (although simultaneously disconcerting, but 
that's probably what happens in brand-new areas).


Ultimately, I would love to see the kind of linkage between the collected 
data (evidence) and some larger goal (higher security whatever THAT 
means in quantitative terms) but if it's out there, I don't see it, or 
it's in tiny pieces... and it may be a few years before we get to that 
point.  CVE data and trends have been used in recent years, or should I 
say abused or misused, because of inherent bias problems that I'm too lazy 
to talk about at the moment.


In CWE, one aspect of our research is to tie attacks to weaknesses, 
weaknesses to mitigations, etc. so that there is better understanding of 
all the inter-related pieces.  So when you look at the CERT C coding 
standard and its ties back to CWE, you see which rules directly 
reduce/affect which weaknesses, and which ones don't.  (Or, you *could*, 
if you wanted to look at it closely enough).


The 2010 OWASP Top 10 RC1 is more data-driven than previous versions; same 
with the 2010 Top 25 (whose release has been delayed to Feb 16, btw). 
Unlike last year's Top 25 effort, this time I received several sources of 
raw prevalence data, but unfortunately it wasn't in sufficiently 
consumable form to combine.


In tool analysis efforts such as SAMATE, we are still wrestling with the 
notion of what a false positive really means, not to mention the 
challenge of analyzing mountains of raw data, using tools that were 
intended for developers in a third-party consulting context, combined with 
the multitude of perspectives in how weaknesses are described (e.g., what 
do you do if there's a chain from weakness X to Y, and tool 1 reports X, 
and tool 2 reports Y?)


In fact, I am willing to bet that the different members of my 
Application Security team who have all worked together for about 8 years 
would answer a significant number of the BSIMM Begin survey questions 
quite differently.


Even surveys using much lower-level detailed questions - such as which 
weaknesses on a nominee list of 41 are the most important and prevalent 
- have had distinct responses from multiple people within the same 
organization. (I'll touch on this a little more when the 2010 Top 25 is 
released).  Arguably many of these differences in opinion come down to 
variations in context and experience, but unless and until we can model 
context in a way that makes our results somewhat shareable, we can't get 
beyond the data collection phase.


I for one am pretty satisfied with the rate at which things are 
progressing and am delighted to see that we're finally getting some raw 
data, as good (or as bad) as it may be.  The data collection process, 
source data, metrics, and conclusions associated with the 2010 Top 25 will 
probably be controversial, but at least there's some data to argue about. 
So in that sense, I see Gary's article not so much as a clarion call for 
action to a reluctant and primitive industry, but an early announcement of 
a shift that is already underway.


- Steve


Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Arian J. Evans
100% agree with the first half of your response, Kevin. Here's what
people ask and need:


Strategic folks (VP, CxO) most frequently ask:

+ What do I do next? / What should we focus on next? (prescriptive)

+ How do we tell if we are reducing risk? (prescriptive guidance again)

Initially they ask for descriptive information, but once they get
going they need strategic prescriptions.


Tactical folks tend to ask:

+ What should we fix first? (prescriptive)

+ What steps can I take to reduce XSS attack surface by 80%? (yes, a
prescriptive blacklist can work here)


 Implementation level folks ask:

+ What do I do about this specific attack/weakness?

+ How do I make my compensating control (WAF, IPS) block this specific attack?

etc.

BSIMM is probably useful for government agencies, or some large
organizations. But the vast majority of clients I work with don't have
the time or need or ability to take advantage of BSIMM. Nor should
they. They don't need a software security group.

They need a clear-cut tree of prescriptive guidelines that work in a
measurable fashion. I agree and strongly empathize with Gary on many
premises of his article - including that not many folks have metrics,
and tend to have more faith and magic.

But, as should be no surprise, I categorically disagree with the
entire concluding paragraph of the article. Sadly it's just more faith
and magic from Gary's end. We all can do better than that.

There are other ways to gather and measure useful metrics easily
without BSIMM. Black Box and Pen Test metrics, and Top(n) List metrics
are metrics, and highly useful metrics. And definitely better than no
metrics.

Pragmatically, I think Ralph Nader fits better than Feynman for this discussion.

Nader's Top(n) lists and Bug Parades earned us many safer-society
(cars, water, etc.) features over the last five decades.

Feynman didn't change much in terms of business SOP.

Good day then,

---
Arian Evans
capitalist marksman. eats animals.



On Tue, Feb 2, 2010 at 9:30 AM, Wall, Kevin kevin.w...@qwest.com wrote:
 On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:

 Among other things, David [Rice] and I discussed the difference between
 descriptive models like BSIMM and prescriptive models which purport to
 tell you what you should do.  I just wrote an article about that for
 informIT.  The title is

 Cargo Cult Computer Security: Why we need more description and less
 prescription.
 http://www.informit.com/articles/article.aspx?p=1562220

 First, let me say that I have been the team lead of a small Software
 Security Group (specifically, an Application Security team) at a
 large telecom company for the past 11 years, so I am writing this from
 an SSG practitioner's perspective.

 Second, let me say that I appreciate descriptive holistic approaches to
 security such as BSIMM and OWASP's OpenSAMM. I think they are much
 needed, though seldom heeded.

 Which brings me to my third point. In my 11 years of experience working
 on this SSG, it is very rare that application development teams are
 looking for a _descriptive_ approach. Almost always, they are
 looking for a _prescriptive_ one. They want specific solutions
 to specific problems, not some general formula to an approach that will
 make them more secure. To those application development teams, something
 like OWASP's ESAPI is much more valuable than something like BSIMM or
 OpenSAMM. In fact, I think you can confirm that your BSIMM research would indicate that
 many companies' SSGs have developed their own proprietary security APIs
 for use by their application development teams. Therefore, to that end,
 I would not say we need less _prescriptive_ and more _descriptive_
 approaches. Both are useful and ideally should go together like hand and
 glove. (To that end, I also ask that you overlook some of my somewhat
 overzealous ESAPI developer colleagues who in the past made claims that
 ESAPI was the greatest thing since sliced beer. While I am an ardent
 ESAPI supporter and contributor, I proclaim it will *NOT* solve our pandemic
 security issues alone, nor for the record will it solve world hunger. ;-)

 I suspect that this apparent dichotomy in our perception of the
 usefulness of the prescriptive vs. descriptive approaches is explained
 in part by the different audiences with whom we associate. Hang out with
 VPs, CSOs, and executive directors and they likely are looking for advice on
 an SSDLC or broad direction to cover their specifically identified
 security gaps. However, in the trenches--where my team works--they want
 specifics. They ask us "How can you help us to eliminate our specific
 XSS or CSRF issues?", "Can you provide us with a secure SSO solution
 that is compliant with both corporate information security policies and
 regulatory compliance?", etc. If our SSG were to hand them something like
 BSIMM, they would come away telling their management that we didn't help
 them at all.

 This brings me to my fourth, and likely most 

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Steven M. Christey


On Tue, 2 Feb 2010, Arian J. Evans wrote:


BSIMM is probably useful for government agencies, or some large
organizations. But the vast majority of clients I work with don't have
the time or need or ability to take advantage of BSIMM. Nor should
they. They don't need a software security group.


I'm looking forward to what BSIMM Basic discovers when talking to small 
and mid-size developers.  Many of the questions in the survey PDF assume 
that the respondent has at least thought of addressing software security, 
but not all questions assume the presence of an SSG, and there are even 
questions about the use of general top-n lists vs. customized top-n lists 
that may be informative.


- Steve


[SC-L] ESAPI 1.4.4 released!

2010-01-31 Thread Jim Manico
I'm very pleased to announce the release of the OWASP Enterprise 
Security API Library (ESAPI) version 1.4.4 for Java version 1.4 and 
above! This is an open source project under the BSD license.


Changelog:  
http://owasp-esapi-java.googlecode.com/svn/branches/1.4/changelog.txt


Other important links:

   * You may download the complete .zip release at
 http://owasp-esapi-java.googlecode.com/files/ESAPI-1.4.4.zip
   * The ESAPI 1.4.4 Javadoc's can be found here:
 http://owasp-esapi-java.googlecode.com/svn/trunk_doc/1.4.4/index.html
   * ESAPI users may ask questions regarding ESAPI usage and
 configuration here:
 https://lists.owasp.org/mailman/listinfo/esapi-user
   * Developers interested in contributing to ESAPI may sign up for the
 ESAPI developers email list here:
 https://lists.owasp.org/mailman/listinfo/esapi-dev

Our sincere Mahalo Nui Loa (http://en.wikipedia.org/wiki/Mahalo) to 
all of the many developers and users who have contributed to the ESAPI 
project in some way.


Warm Regards,

--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net



Re: [SC-L] BSIMM update (informIT)

2010-01-29 Thread Steven M. Christey


Speaking of top 25 tea leaves, the bug parade boogeyman just called 
and reminded me that the 2010 Top 25 is due to be released next Thursday, 
February 4.  Thanks for the plug.


A preview of some of the brand-new features:

1) Data-driven ranking with alternate metrics to feed the brain and
   stimulate wider discussion - featuring special guest star Elizabeth
   Nichols

2) Multiple focus profiles to avoid one-size-fits-all

3) Cross-cutting mitigations that expand far beyond the Top 25 - AND show
   which mitigations address which Top 25's

4) References to resources such as BSIMM (and even that controversial
   bad-boy ESAPI) to get people thinking even more about systematic
   software security

... and a few more tidbits.

This particular Cargo-Culting pseudoscientist has dutifully listened to 
his fellow islanders.  This year we've made shiny new airstrips and 
control towers, and apparently we've already started some fires.  The 
planes will TOTALLY come back!  Or maybe I'm just feeling a little 
whimsical.


- Steve

P.S.  I can't wait until software security becomes an actual science, 
because as we all know, scientists are much too rational to ever indulge 
in self-destructive infighting and name-calling that hinders opportunities 
for progress in their field.



[SC-L] How a stray mouse click choked the NYSE & cost a bank $150K

2010-01-28 Thread Benjamin Tomhave
NYSE has come out with findings on a Credit Suisse initiated DOS
issue... something so small, yet so fundamentally flawed...

http://arstechnica.com/business/news/2010/01/how-a-stray-mouse-click-choked-the-nyse-cost-a-bank-150k.ars

-- 
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
Science is facts; just as houses are made of stones, so is science made
of facts; but a pile of stones is not a house and a collection of facts
is not necessarily science.
Henri Poincare


Re: [SC-L] win win for owasp and television spots

2010-01-23 Thread Neil Matatall
Don't forget to mention how individuals can get involved with OWASP ;)  Like
mailing lists, local chapter meetings and larger events such as AppSec 2010
(from 9/7-9/10) 

Neil

On 1/22/10 6:50 AM, Justin Clarke connectjun...@gmail.com wrote:

 Hi Matt,
 
 What would be very good is if you can talk to the (newly created) OWASP
 Connections Committee. I believe your best contact would be Lorna Alamri,
 who is heading up our PR initiative.
 
 Best regards
 
 Justin
 
 
 On 22/01/2010 10:39, Matt Parsons mparsons1...@gmail.com wrote:
 
  Ladies and Gentlemen,
  I am starting to get approached by a few television stations to talk about
  application security.  I would like to promote Owasp in these talks.  What
  would be the best way to do it professionally and competently?
 
  See below news story.
 
  Thanks,
  Matt
 
 
  http://www.the33tv.com/news/kdaf-password-security-jim,0,3650695.story
 
 
 
  Matt Parsons, MSM, CISSP
  315-559-3588 Blackberry
  817-294-3789 Home office
  mailto:mparsons1...@gmail.com
  http://www.parsonsisconsulting.com
  http://www.o2-ounceopen.com/o2-power-users/
  http://www.linkedin.com/in/parsonsconsulting
  http://parsonsisconsulting.blogspot.com/
 
 
 
 
 
 
 





Re: [SC-L] win win for owasp and television spots

2010-01-22 Thread Matt Parsons
Ladies and Gentlemen,
I am starting to get approached by a few television stations to talk about
application security.  I would like to promote Owasp in these talks.  What
would be the best way to do it professionally and competently?   

See below news story.   

Thanks,
Matt


http://www.the33tv.com/news/kdaf-password-security-jim,0,3650695.story



Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office 
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/






Re: [SC-L] win win for owasp and television spots

2010-01-22 Thread Boberski, Michael [USA]
My #1 rule is to avoid jargon and to speak in as conversational a way as 
possible, targeting (and retargeting as the conversation progresses) the level 
of detail/abstraction to the targeted audience, whether it's one person or a 
bunch. Start broad, then narrow it down, change direction as the flow of the 
conversation dictates.

E.g.,

Is your application this secure (hand gesture) or T--H--I--S secure (bigger 
hand gesture)? This is what application security is all about. Application 
security can perhaps be thought of in terms of buying, building, and breaking 
software.BLAH BLAH..[buy=OWASP legal project's contract annex, 
build=OWASP ESAPI, break=OWASP ASVS]..[awareness=OWASP Top 
10]...[injecting security into development cycles=OWASP SAMM].. To 
explain further, to put all of this together...While most people are 
familiar with passwords, and people like to say firewall!, authentication, 
encryption and digital signatures, and logging are only the beginning, in terms 
of application security. Additional technical security controls are necessary 
to write applications that can (or should) be trusted by the customer not to 
spill data regardless of environment, from private networks to clouds, given 
modern-day threats.BLAH BLAH..China! Google! .BLAH BLAH..

FWIW,

Best,
 
Mike B.

-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On 
Behalf Of Matt Parsons
Sent: Friday, January 22, 2010 5:40 AM
To: 'Secure Code Mailing List'
Subject: Re: [SC-L] win win for owasp and television spots

Ladies and Gentlemen,
I am starting to get approached by a few television stations to talk about 
application security.  I would like to promote Owasp in these talks.  What
would be the best way to do it professionally and competently?   

See below news story.   

Thanks,
Matt


http://www.the33tv.com/news/kdaf-password-security-jim,0,3650695.story



Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/






Re: [SC-L] win win for owasp and television spots

2010-01-22 Thread Justin Clarke
Hi Matt,

What would be very good is if you can talk to the (newly created) OWASP
Connections Committee. I believe your best contact would be Lorna Alamri,
who is heading up our PR initiative.

Best regards

Justin


On 22/01/2010 10:39, Matt Parsons mparsons1...@gmail.com wrote:

 Ladies and Gentlemen,
 I am starting to get approached by a few television stations to talk about
 application security.  I would like to promote Owasp in these talks.  What
 would be the best way to do it professionally and competently?
 
 See below news story.
 
 Thanks,
 Matt
 
 
 http://www.the33tv.com/news/kdaf-password-security-jim,0,3650695.story
 
 
 
 Matt Parsons, MSM, CISSP
 315-559-3588 Blackberry
 817-294-3789 Home office
 mailto:mparsons1...@gmail.com
 http://www.parsonsisconsulting.com
 http://www.o2-ounceopen.com/o2-power-users/
 http://www.linkedin.com/in/parsonsconsulting
 http://parsonsisconsulting.blogspot.com/
 
 
 
 


[SC-L] Webcast? and BSIMM goes statistical

2010-01-21 Thread Gary McGraw
hi sc-l,

I haven't done a webcast in at least 2 years, but through a communications 
SNAFU it looks like I am doing one tomorrow for SANS on the BSIMM?!  David Rice 
is the interviewer.  In case you care:
https://www.sans.org/webcasts/-impact-of-bsi-mm-in-software-development-programs-93194

In other news, the BSIMM now has 30 vectors (that is, we have data collected 
from 30 firms) and we're crunching our statistically significant dataset now 
with the help of Betsy Nichols.  Results to be presented at RSA.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
podcast www.cigital.com/realitycheck
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] OWASP for Charities: Haiti relief effort

2010-01-20 Thread Dinis Cruz
Hi, there are days that I am really proud of being part of the OWASP
community; today is one of those days :)

The Haiti tragedy prompted the OWASP community to kickstart a project that we
have talked about several times in the past but never got around to doing:
the OWASP for Charities project.

You can read all about it in the email included below. This email was sent
to all our mailing-list subscribers (more than 10,000), and it looks like we
are on to something, since we already had some great responses. One in
particular was really good: *...rebuild digital infrastructure ... there is
a need for IT infrastructure to support the  immediate relief efforts...
people to set up local networks and links between the diff countries (US,
France, Spain, etc) who are all working to aid but are not tied together
 or help keep PCs/net work devices etc running, basic tech support...*

I just wrote a blog entry with the email's content (
http://bit.ly/OWASP-Haiti) and I would really appreciate it if you linked to
it, or just reused its content on your own blog, or redistributed it to your
internal/external mailing lists.

Let's use this opportunity to build a team that is focused on helping others,
since we never know where it will happen next.

Please join us at the OWASP for Charities project, and in the short term in
supporting the Haiti relief effort.

Thanks

Dinis Cruz
OWASP Board Member

-- Forwarded message --
From: Kate Hartmann kate.hartm...@owasp.org
Date: 2010/1/19
Subject: OWASP for Charities: Haiti relief effort
To: owasp-...@lists.owasp.org

OWASP Members and Supporters,

OWASP was founded, and is supported as a non-profit organization, by a group
of dedicated volunteers who believe that all applications should be secure
and trusted.  As our organization matures we have taken those beliefs
broader, and have started setting up ways for our members to donate to the
global community.  Among these initiatives are:

   - OWASP has an active Kiva lending team who have donated $9,125.00 to
   date.  http://www.kiva.org/community/viewTeam?team_id=522
   - OWASP in response to the need in Haiti has set up a secure and trusted
   way for those within the OWASP community to donate funds to help the people
   of Haiti. This allows our OWASP community to help another with a single
   global voice.  100% of the collected donations will be transferred directly
   to victims for disaster relief such as food and medical requirements.
   Please visit www.owasp.org and click the link for G33k-4-HAITI.  In a
   time of crisis, OWASP can help those who are in great need. The OWASP
   community can help organize, support, and promote efforts outside of
   application security.

OWASP is well aware there is a movement for phishers to utilize this tragedy
to get unsuspecting people to donate to a “cause” without having a
legitimate business back end and ultimately funneling all the money directly
into their own pockets.  The OWASP community is uniquely qualified to help
protect from this type of attack and educate about attacks as well.

As the world becomes more dependent on technology and particularly web
applications, there are many who need protection who simply have no options
to protect themselves.  These include small companies, individuals,
charities, and others.  The OWASP community can help by connecting
qualified, trusted resources willing to volunteer their time to those
organizations which qualify. OWASP is setting up an outreach program, which
will be under the project name of OWASP for Charities.

We hope you will support OWASP's efforts to make a difference in any of the
above ways. We are also open to suggestions in regards to where you feel the
OWASP Community can be of service.

Regards,

Your OWASP Board

Kate Hartmann

OWASP Operations Director
9175 Guilford Road
Suite 300
Columbia, MD  21046
301-275-9403
kate.hartm...@owasp.org
Skype:  kate.hartmann1


[SC-L] ESAPI for JavaScript!

2010-01-18 Thread Jim Manico
The newest version of ESAPI4JS is out! There are some significant new
features, namely i18n support and validation.

You can download the 0.1.2 distribution here:
http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.2.zip

As always, comments and questions are welcome and encouraged directly to
the project's author at chrisisb...@gmail.com !

Other ESAPI resources:

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

Thanks all.

-- 
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net



[SC-L] Special Issue of IJSSE: Software Safety & Dependability - the Art of Engineering Trustworthy Software

2010-01-13 Thread Goertzel, Karen [USA]
For those who might be interested. There are still a couple of weeks until the 
submission deadline.


Karen Mercedes Goertzel, CISSP
Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

---

Special Issue of IJSSE
Theme:  Software Safety & Dependability - the Art of Engineering Trustworthy 
Software 


1.  Guest Editors

Guest Editor:
 Dr. Lei Wu
 School of Science and Computer Engineering 
 University of Houston-Clear Lake, Houston, Texas, U.S.A
 Email:  w...@uhcl.edu
Co-Guest Editor:
 Dr. Yi Feng
 Department of Computer Science and Mathematics, 
 Algoma University, Sault Ste. Marie, Ontario, Canada.
 Email:  yi.f...@algomau.ca 

2.  Important Dates
*   Submission of manuscripts: February 1, 2010
*   Notification of pre-acceptance/rejection: March 31, 2010
*   Submission of camera ready accepted papers: June 30, 2010
*   Journal Special Issue Publication: January 2011

3.  Submission Guidelines

*   Submission guidelines through journal web site at:
http://www.igi-global.com/ijsse
*   Inquiries, manuscripts and any supplementary material should be
submitted to Guest Editor Dr. Lei Wu (w...@uhcl.edu) and Co-Guest
Editor Dr. Yi Feng (yi.f...@algomau.ca) through e-mail.

4.  Call for Paper Content

Software Safety is an element of the total safety program. It optimizes
system safety & dependability in the design, development, use, and
maintenance of software systems and their integration with safety
critical application systems in an operational environment. Increasing
size and complexity of software systems makes it harder to ensure their
dependability. At the same time, the issues of safety become more
critical as we more and more rely on software systems in our daily life.
These trends make it necessary to support software engineers with a set
of techniques and tools for developing dependable, trustworthy software.
Software safety cannot be allowed to function independently of the total
effort. Both simple and highly integrated multiple systems are
experiencing an extraordinary growth in the use of software to monitor
and/or control safety-critical subsystems or functions. A software
specification error, design flaw, or the lack of generic safety-critical
requirements can contribute to or cause a system failure or erroneous
human decision. To achieve an acceptable level of dependability goals
for software used in critical applications, software safety engineering
must be given primary emphasis early in the requirements definition and
system conceptual design process. Safety-critical software must then
receive continuous management emphasis and engineering analysis
throughout the development and operational lifecycles of the system.
In this special issue, we are seeking insights into how we can confront
the challenges of software safety & dependability issues in developing
dependable, trustworthy software systems.  

5.  Topics of Interests
This special issue is designed for software professionals and decision
makers to explore the state-of-the-art techniques of Secure Software
Engineering practices targeted at software safety & dependability
challenges. Some suggested areas include, but are not limited to: 

*   Safety consistent with mission requirements 
*   Secure software engineering with software security & trustworthy
  software development
*   State-of-the-art literature review of technology dealing with
  software system security
*   Identification and analysis of safety-critical functionality of
  complex systems  
*   Intrusion detection, security management, applied cryptography
*   Deriving hazards and designing safeguards for mitigations 
*   Safety-critical function design and preliminary hazard
  analysis
*   Identification, evaluation, and elimination techniques for
  hazards associated with the system and its software, throughout the
  lifecycle  
*   Complexity of safety-critical interfaces and software components 
*   Sound secure software engineering principles that apply to the
  design of the software-user interface to minimize the probability of
  human error
*   Failure & hazard models, including hardware, software, human and
  system, addressed in the design of the software 
*   Software testing techniques targeting software safety issues
  at different levels of testing 



--
Means should be taken to obviate one great objection -
at present felt with respect to sending private communi-
cations by telegraph - the violation of all secrecy.
- The Quarterly Review (UK), 1853