Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Rob Floodeen
ACM SIGCSE will be pushing more information shortly on the K-12 program suggestions. I've heard it will include security. -Rob On Tue, Apr 13, 2010 at 9:27 PM, Jeremiah Heller jerem...@inertialbit.net wrote: an interesting point. if it were not socially unacceptable to perform ethnic

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wieneke, David A.
Having a CISSP certification I know it is more than just passing the test. You are not certified as a CISSP until you have another CISSP attest to your qualifications and you submit a detailed resume of your security experience by domain to (ISC)2 auditors. If the auditors do not feel your

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Paco Hope
On 14 Apr 2010, at 16:24, Wall, Kevin wrote: I just reread your Dark Reading post and I must say I agree with it almost 100%. The only part where I disagree with it is where you wrote: The multiple choice test itself is one of the problems. I have discussed the idea of using

Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Wall, Kevin
Jeremiah Heller writes... do security professionals really want to wipe hacking activity from the planet? sounds like poor job security to me. Even though I've been involved in software security for the past dozen years or so, I still think this is a laudable goal, albeit a completely

Re: [SC-L] [WEB SECURITY] Re: [owaspdallas] Re: [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Arian J. Evans
You are absolutely right Paul. The problems with ignorance and abstinence-based approaches to child education extend out well beyond the Bible Belt, and can be found all over the US. I should have cast a wider net. Also, great job at ruining a good laugh. http://aspe.hhs.gov/hsp/abstinence07/

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Dana Epp
Not sure that would work either though. Many secdev people are introverts. In their shell, they won't debate the validity of a position, including a wrong answer. Zone that into a response in the exam. It's one thing to say there is no correct answer, but the way the questions are set at ISC2,

Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Jeremiah Heller
On Apr 14, 2010, at 11:19 AM, Wall, Kevin wrote: Jeremiah Heller writes... do security professionals really want to wipe hacking activity from the planet? sounds like poor job security to me. Even though I've been involved in software security for the past dozen years or so, I still

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wall, Kevin
Dana Epp wrote: Not sure that would work either though. Dana, My comment was meant tongue-in-cheek. Guess I used the wrong emoticon. Figured that ';-)' would work 'cuz I never can remember the one for tongue-in-cheek. I've seen several variations of the latter... :-? :-Q :-J

[SC-L] any one a CSSLP is it worth it?

2010-04-13 Thread Matt Parsons
I am a CISSP with programming experience, static code analysis and web penetration testing. I am thinking about taking the CSSLP. I just bought the review book. Is it worth getting this certification? Is it going to raise my rates and help me get more contracts? Is the GIAC better or

Re: [SC-L] has any one completed a python security code review`

2010-04-09 Thread Peter G. Neumann
And don't forget the entire run-time environment in which the python code runs. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at -

Re: [SC-L] has any one completed a python security code review`

2010-04-07 Thread Pascal Meunier
On Mon, 5 Apr 2010 11:08:47 -0500 Matt Parsons mparsons1...@gmail.com wrote: Has anyone completed a python security code review? What would you look for besides inputs, outputs and dangerous functions? Do any of the commercial static code analysis vendors scan that code? I would think not

Re: [SC-L] has any one completed a python security code review`

2010-04-06 Thread Paul Powenski
Matt, I have not seen any materials referencing Python nor does Fortify, I believe, perform scans on it. But looking at the Python package on my Windows box it looks like the Python compiler has C as its interface to the system. Obtaining the C code then running a scan against it should at least

Re: [SC-L] has any one completed a python security code review`

2010-04-06 Thread James Walden
On Mon, Apr 5, 2010 at 12:08 PM, Matt Parsons mparsons1...@gmail.com wrote: Has anyone completed a python security code review? What would you look for besides inputs, outputs and dangerous functions? Do any of the commercial static code analysis vendors scan that code? I would think not

[SC-L] code review engagement scoping

2010-04-06 Thread kartik trivedi
How do people in this group scope code review engagements? What are some of the tools one uses to count the number of lines of code, supporting libraries, comments, etc. Is there an umbrella list of issues one generally looks for in code reviews? We are talking about open source products

Re: [SC-L] has any one completed a python security code review`

2010-04-06 Thread Peter G. Neumann
You should look at Ka-Ping Yee's PhD thesis: http://pvote.org and the Pvote Software Review Assurance Document, Apr 3 2007. Google finds it quickly.

Re: [SC-L] working on java security help from experts

2010-04-05 Thread Chris Schmidt
Also be sure to check on http://www.owasp.org as there is a *ton* of great information on the site. Here are some good starting points: http://www.owasp.org/index.php/Category:OWASP_Java_Project http://www.owasp.org/index.php/Category:Java And also some good information on doing code review in

[SC-L] has any one completed a python security code review`

2010-04-05 Thread Matt Parsons
Has anyone completed a python security code review? What would you look for besides inputs, outputs and dangerous functions? Do any of the commercial static code analysis vendors scan that code? I would think not because python is not compiled at run time like the other languages that static

[SC-L] working on java security help from experts

2010-04-01 Thread Matt Parsons
I am trying to become an expert in source code review in java application security. Are there any experts on this list that are willing to share some of their knowledge? I am reading Java Security by Scott Oaks and I am rereading all of the Sun Docs on java security. Any help would be greatly

Re: [SC-L] working on java security help from experts

2010-04-01 Thread Erno JEGES
Dear Matt, If you want to get familiar with common Java specific security errors enlisted by different vulnerability categories, the Fortify taxonomy might give you a comprehensive overview: http://www.fortify.com/vulncat/en/vulncat/index.html Open Java/JSP in the tree on the left, and

Re: [SC-L] working on java security help from experts

2010-04-01 Thread Mike Ware
I wrote a thesis on Java SE security. In addition to covering secure coding practices, I also created a number of test cases and subjected them to a suite of static analysis tools. A ton has been said over the years. I tried to organize it all into a taxonomy rooted in design principles. You

Re: [SC-L] working on java security help from experts

2010-04-01 Thread Martin, Robert A.
The Common Weakness Enumeration (CWE) has a view of issues that can occur in Java applications. See: http://cwe.mitre.org/data/slices/660.html for a listing of all the details or: http://cwe.mitre.org/data/lists/660.html for a list of the items where the names are hyper-links to the content

[SC-L] OWASP ESAPI 2.0 rc6 released!

2010-03-30 Thread Jim Manico
ESAPI 2.0 rc6 is now live! You can download the complete zip file here: http://owasp-esapi-java.googlecode.com/files/ESAPI-2.0-rc6.zip http://owasp-esapi-java.googlecode.com/files/ESAPI-1.4.3.zip Online project documentation can be found here:

[SC-L] The International Secure Systems Development Conference

2010-03-29 Thread Kenneth Van Wyk
I saw this event announcement today and thought some SC-L folks might find it of interest, FYI. The International Secure Systems Development Conference addresses the key issues around designing-in security for standard and web-based software and systems, both in terms of developing new

[SC-L] academics do software security too

2010-03-26 Thread Gary McGraw
hi sc-l, Here is a CFP from a conference I help out with. gem CALL FOR PAPERS International Symposium on Engineering Secure Software and Systems (ESSoS) February 09-10, 2011 Madrid, Spain http://distrinet.cs.kuleuven.be/events/essos2011/ CONTEXT AND MOTIVATION

[SC-L] Silver Bullet Transcripts

2010-03-23 Thread Gary McGraw
hi sc-l, As you know, Silver Bullet is co-sponsored by Cigital and IEEE Security Privacy magazine. Excerpts of about half of the episodes are eventually published in the magazine as articles in an interview department. We just caught up with ourselves by posting the last three SP interviews

[SC-L] Smart Grid and Software Security

2010-03-22 Thread Gary McGraw
hi sc-l, In the past we've wondered on this list about how to spread software security memes outside of our own little domain and into the larger world. I recently gave a keynote talk in Atlanta to a bunch of senior executives (CEOs and Board members) who run Rural electric cooperatives.

[SC-L] Bring your Cloud to Work Day

2010-03-20 Thread Gunnar Peterson
Flip side of Lifestyle Hacking aptly described by Messrs McGraw and Routh is when your organization cannot deliver the functionality/data/ usability that the consumers need. http://1raindrop.typepad.com/1_raindrop/2010/03/bring-your-cloud-to-work-in-iraq.html -gunnar

Re: [SC-L] SC-L Digest, Vol 6, Issue 56

2010-03-20 Thread AK
As soon as a non-developer creates code, they are no longer a non-developer. By definition, they are now a developer! Of course, they may completely lack any kind of knowledge about security. Just like most developers, I should add. I expect this problem to *increase* over time.

[SC-L] free scans from Google...

2010-03-20 Thread Benjamin Tomhave
I guess we can all retire now, eh? I find it so exciting that the app is written in pure C... and coming from Google, I'm sure it won't leak info back to the mothership at all... Meet skipfish, our automated web security scanner

Re: [SC-L] SC-L Digest, Vol 6, Issue 56

2010-03-20 Thread ljknews
At 7:56 PM +0200 3/19/10, AK wrote: It is way easier for attackers to reverse engineer desktop applications than web applications. Assuming proper server configuration, it is next to impossible for an attacker to get the server side source code or compressed form (e.g. WARs) for a web

Re: [SC-L] market for training CISSPs how to code (Matt Parsons)

2010-03-18 Thread Stephan Neuhaus
On Mar 18, 2010, at 02:17, ljknews wrote: Scripting languages should not be used for security-sensitive programs. And your evidence for this statement is? Stephan

Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)

2010-03-18 Thread AK
Hi all, We are drifting a bit away from my question but here is a forked question: Who says so, in the context of web applications? I can see it (somewhat) from a desktop application perspective, but how is this relevant in web apps? Cheers! Date: Wed, 17 Mar 2010 20:17:05 -0500 From: ljknews

Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)

2010-03-18 Thread ljknews
At 7:36 PM +0200 3/18/10, AK wrote: Who says so, in the context of web applications? I can see it (somewhat) from a desktop application perspective, but how is this relevant in web apps? Why should standards for a web application be different than for a desktop application? -- Larry

Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about

2010-03-18 Thread Steven M. Christey
CWE, CLASP, and some other information sources have a number of code snippets that highlight various weaknesses. In CWE, this code is easily extractable from the XML by grabbing the Demonstrative_Examples element, and we've even conveniently labeled examples with the various languages. You

Re: [SC-L] blog post and open source vulnerabilities to blog about

2010-03-17 Thread Jon Rose
http://codesearch0day.appspot.com/ On Mar 16, 2010, at 11:41 AM, Matt Parsons wrote: Hello, I am working on a software security blog and I am trying to find open source vulnerabilities to present and share. Does anyone else have any open source vulnerabilities that they could share and

Re: [SC-L] blog post and open source vulnerabilities to blog about

2010-03-17 Thread McGovern, James F. (P+C Technology)
This doesn't feel like responsible disclosure and is not the way to announce weaknesses in software. It is best to deal with scenarios that have already been addressed. From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Matt

Re: [SC-L] blog post and open source vulnerabilities to blog about

2010-03-17 Thread Greg Beeley
Matt, You can find quite a list of OSS vulnerabilities over at CVE (cve.mitre.org) or NVD (nvd.nist.gov), but here are a couple of ones that I tend to use for illustrative purposes when teaching. - Apache Chunked Encoding vuln (#CVE-2002-0392), an integer overflow. Of particular interest because

Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about

2010-03-17 Thread Matt Parsons
I am not suggesting exposing zero days. I only want known vulnerabilities in applications like web goat etc that are known to everyone. I don't even plan on naming where each vulnerability comes from but rather instead change the code to protect the innocent. I would never encourage promoting

[SC-L] market for training CISSPs how to code

2010-03-17 Thread Matt Parsons
I have been a programmer and a security analyst for a few years now. When I first started developers told me I didn't know how to code good enough and CISSP's told me I didn't have enough security experience. Has anyone had any success training CISSP's and non programmers how to write code

Re: [SC-L] blog post and open source vulnerabilities to blog about

2010-03-17 Thread Dan Cornell
At the OWASP Open Review project we run Fortify scans for open source project maintainers. There is some summary information on the main page, but the actual detailed scan info is only available to the project maintainers. (Echoing James McGovern's concerns we didn't want it to end up being

Re: [SC-L] market for training CISSPs how to code (Matt Parsons)

2010-03-17 Thread AK
Hi, Regarding training non-developers to write secure code, what are the circumstances that a non-developer would create code that would *require* security? I am assuming that system administrators know the basics of their trade and scripting language of choice so security there is taken care of

[SC-L] black berry security

2010-03-12 Thread Matt Parsons
I had too many files open on my black berry last night while listening to music. It produced a java run time error. It made me think about blackberry security. What is the threat to black berrys and having them write secure code and have it undergo a security review? Has anyone worked on

[SC-L] USA today article Cyber Crimes and software security evangelism

2010-03-10 Thread Matt Parsons
I was reading the USA today and it stated more cyber criminals are getting away with cyber crimes. I was thinking that this brings more value to us that are concerned about software security and can help evangelize and fix the problem. God Bless. Matt

[SC-L] sponsors still needed for BSides Austin

2010-03-08 Thread Benjamin Tomhave
Hi folks, We need your help. We're still looking for sponsors for this weekend's Security BSides Austin, which is set to occur the same day as the kickoff for SxSW Interactive (a major developer conference). We have official sponsorship from Astaro and Panda, plus a couple unofficial sponsors.

[SC-L] cfp: W2SP 2010: Web 2.0 Security and Privacy 2010 CFP - 2nd call

2010-03-05 Thread Larry Koved
The workshop chairs would like to invite you to participate in the 4th annual workshop on Web 2.0 Security and Privacy. Started in 2007, this successful series of workshops has attracted participation from both academia and industry, and participants from around the world. This workshop is

[SC-L] Silver Bullet: Greg Morrisett

2010-03-04 Thread Gary McGraw
hi sc-l, Greetings from RSA where the security hype is very hype-y indeed. To counterbalance the nonsense, we just published Silver Bullet number 47, an interview with Harvard professor Greg Morrisett. Greg and I grew up together in Kingsport, Tennessee and it has been a pleasure watching my

[SC-L] BSIMM2: 15 things most firms do

2010-03-02 Thread Gary McGraw
hi sc-l, I just spent an excellent week in Leuven, Belgium at secappdev (our fearless moderator Ken was there as always). If you've never been to secappdev, it is certainly something to do at least once, if not annually. One of the five presentations I gave in Leuven was about BSIMM2 (the 30

Re: [SC-L] web apps are homogenous?

2010-02-26 Thread Benjamin Tomhave
Jon, I think you're getting out of the scope of the costing exercise. The research and estimates around time to fix are based on the cost associated with developing the patch, not with deploying it. One could argue that the cost of fixing bugs - particularly major ones - is much higher for web

Re: [SC-L] web apps are homogenous?

2010-02-26 Thread Chris Wysopal
A large part of the cost of fixing a bug, especially late in the dev cycle after testing is complete, is the cost of regression testing. The cost of regression testing of a patch for commercial software is much higher than the cost of a custom web application. Think of an Oracle bug that

Re: [SC-L] web apps are homogenous?

2010-02-25 Thread Jon McClintock
On Wed, Feb 24, 2010 at 10:46:56AM -0500, Paco Hope wrote: I don't think webness conveys any more homogeneity than, say windowsness or linuxness. What part of being a web application provides homogeneity in a way that makes patching cheaper? In a word, control. Let's compare two different

Re: [SC-L] web apps are homogenous?

2010-02-24 Thread Paco Hope
On Feb 23, 2010, at 10:06 AM, Jon McClintock wrote: This provides a pretty good examination of the costs of patching commercial software. Has anyone done a similar analysis for web applications? I'd expect the costs to be dramatically lower, given that you're typically producing a single

Re: [SC-L] seeking hard numbers of bug fixes...

2010-02-23 Thread Wall, Kevin
Benjamin Tomhave wrote: ... we're looking for hard research or numbers that covers the cost to catch bugs in code pre-launch and post-launch. The notion being that the organization saves itself money if it does a reasonable amount of QA (and security testing) up front vs trying to chase

Re: [SC-L] seeking hard numbers of bug fixes...

2010-02-23 Thread Benjamin Tomhave
Ah, excellent - very helpful! It appears that Laurie Williams at NCSU has inherited John Musa's Software Reliability Engineering legacy, and is still active in the field, and has a number of relevant security articles/papers listed under Publications. http://collaboration.csc.ncsu.edu/laurie/ On

Re: [SC-L] seeking hard numbers of bug fixes...

2010-02-23 Thread Jon McClintock
On Mon, Feb 22, 2010 at 10:45:02AM -0500, Jeremy Epstein wrote: Take a look at Mary Ann Davidson's keynote at ACSAC in Dec 2009. http://www.acsac.org/2009/program/keynotes/davidson.pdf This provides a pretty good examination of the costs of patching commercial software. Has anyone done a

[SC-L] seeking hard numbers of bug fixes...

2010-02-22 Thread Benjamin Tomhave
Howdy, This request is a bit time critical as it's supporting a colleague's upsell up the food chain tomorrow... we're looking for hard research or numbers that covers the cost to catch bugs in code pre-launch and post-launch. The notion being that the organization saves itself money if it does a

[SC-L] OWASP DEVELOPMENT GUIDE NEWS/CALL FOR CONTRIBUTORS

2010-02-11 Thread Boberski, Michael [USA]
News Release/Call For Contributors OWASP Development Guide Project begins work on next Guide version The Guide is a manual for designing, developing, and deploying secure web applications OWASP Development Guide Project MCLEAN February 10, 2010 MCLEAN, Feb. 10 /OWASP Development Guide

[SC-L] A massive change at DARPA

2010-02-11 Thread Jeremy Epstein
OK, many of you don't care about DARPA, but here's something that happened there you *should* care about. DARPA funds research, and has historically drawn its program managers from the ranks of academia and occasionally the military. This is a massive change in outlook

Re: [SC-L] A massive change at DARPA

2010-02-11 Thread Benjamin Tomhave
I think it's a welcome change. It doesn't say so in this article clip, but he is Dr. Zatko, and has worked in instruction and academia, so it's not too far a leap for them. He's also been working in the federal space quite a bit since the L0pht sold out and shutdown. Dan Geer did something similar

[SC-L] Metrics

2010-02-05 Thread McGovern, James F. (eBusiness)
Here's an example. In the BSIMM, 10 of 30 firms have built top-N bug lists based on their own data culled from their own code. I would love to see how those top-n lists compare to the OWASP top ten or the CWE-25. I would also love to see whether the union of these lists is even remotely

[SC-L] OWASP Podcast Series

2010-02-05 Thread Jim Manico
Hello SC-L, We have released 3 OWASP podcasts over the last few days for your listening pleasure: #60 Interview with Jeremiah Grossman and Robert Hansen (Google pays for vulns) http://www.owasp.org/download/jmanico/owasp_podcast_60.mp3 #59 AppSec round table with Dan Cornell, Boaz Gelbord,

Re: [SC-L] Metrics

2010-02-05 Thread Arian J. Evans
In the web security world it doesn't seem to matter much. Top(n) Lists are Top(n). There is much ideological disagreement over what goes in those lists and why, but the ratios of defects are fairly consistent. Both with managed code and with scripting languages. The WhiteHat Security statistics

Re: [SC-L] Metrics

2010-02-05 Thread Steven M. Christey
On Fri, 5 Feb 2010, McGovern, James F. (eBusiness) wrote: One of the general patterns I noted while providing feedback to the OWASP Top Ten listserv is that top ten lists do sort differently. Within an enterprise setting, it is typical for enterprise applications to be built on Java, .NET or

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Steven M. Christey
On Wed, 3 Feb 2010, Gary McGraw wrote: Popularity contests are not the kind of data we should count on. But maybe we'll make some progress on that one day. That's my hope, too, but I'm comfortable with making baby steps along the way. Ultimately, I would love to see the kind of linkage

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Mike Boberski
I for one am pretty satisfied with the rate at which things are progressing I dunno... Again, trying to keep it pithy: I for one welcome our eventual new [insert hostile nation state here] overlords. /joke What I see from my vantage point is a majority of people who (1)should know better given

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread McGovern, James F. (eBusiness)
When comparing BSIMM to SAMM are we suffering from the Mayberry Paradox? Did you know that Apple is more secure than Microsoft simply because there are more successful attacks on MS products? Of course, we should ignore the fact that the number of attackers doesn't prove that one product is

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Jim Manico
Why are we holding up the statistics from Google, Adobe and Microsoft ( http://www.bsi-mm.com/participate/ ) in BSIMM? These companies are examples of recent epic security failure. Probably the most financially damaging infosec attack, ever. Microsoft let a plain-vanilla 0-day slip through

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Brian Chess
At no time did it include corporations who use Ounce Labs or Coverity Bzzzt. False. While there are plenty of Fortify customers represented in BSIMM, there are also plenty of participants who aren't Fortify customers. I don't think there are any hard numbers on market share in this realm, but

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Steven M. Christey
On Thu, 4 Feb 2010, Jim Manico wrote: These companies are examples of recent epic security failure. Probably the most financially damaging infosec attack, ever. Microsoft let a plain-vanilla 0-day slip through ie6 for years Actually, it was a not-so-vanilla use-after-free, which once upon a

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Gary McGraw
hi jim, We chose organizations that in our opinion are doing a superior job with software security. You are welcome to disagree with our choices. Microsoft has a shockingly good approach to software security that they are kind enough to share with the world through the SDL books and websites.

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread McGovern, James F. (eBusiness)
Merely hoping to understand more about the thinking behind BSIMM. Here is a quote from the page: Of the thirty-five large-scale software security initiatives we are aware of, we chose nine that we considered the most advanced how can the reader tell why others were filtered? When you visit

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Arian J. Evans
Hola Gary, inline: On Wed, Feb 3, 2010 at 12:05 PM, Gary McGraw g...@cigital.com wrote: Strategic folks (VP, CxO) ...Initially ...ask for descriptive information, but once they get going they need strategic prescriptions. Please see my response to Kevin.  I hope it's clear what the BSIMM is

[SC-L] Thread is dead -- Re: BSIMM update (informIT)

2010-02-04 Thread Kenneth Van Wyk
OK, so this thread has heated up substantially and is on the verge of flare-up. So, I'm declaring the thread to be dead and expunging the extant queue. If anyone has any civil and value-added points to add, feel free to submit them, of course. As always, I encourage free and open debate here,

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Benjamin Tomhave
<soapbox> While I can't disagree with this based on modern reality, I'm increasingly hesitant to allow the conversation to bring in risk, since it's almost complete garbage these days. Nobody really understands it, nobody really does it very well (especially if we redact out financial services and

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Mike Boberski
Fun article. To try to be equally pithy in my response: the article reads to me like a high-tech, application security-specific form of McCarthyism. To explain... The amount of reinvention and discussion about the problems in this space is spectacular. If one has something to start from which

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Mike Boberski
But the vast majority of clients I work with don't have the time or need or ability to take advantage of BSIMM Mike's Top 5 Web Application Security Countermeasures: 1. Add a security guy or gal who has a software development background to your application's software development team. 2. Turn

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Benjamin Tomhave
I challenge the validity of any risk assessment/rating approach in use today in infosec circles, whether it be OWASP or FAIR or IAM/ISAM or whatever. They are all fundamentally flawed in that they are based on qualitative values that introduce subjectivity, and they lack the historical data seen in

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread McGovern, James F. (eBusiness)
OK, being the insurance enterprisey security guy I think you may be onto something. One of the many reasons why actuarial science can work in insurance is the fact that there is a lot more public data than in IT security. If you smash your car into a wall, your chosen carrier doesn't just pay the

[SC-L] NIST SP 800-37

2010-02-03 Thread McGovern, James F. (eBusiness)
NIST has created a draft document entitled: Guide for applying risk management framework to federal information systems: a security lifecycle approach. Curious to know if anyone has identified gaps, differences in opinion, etc between NIST and how either SAMM or BSIMM would define the same?

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Kenneth Van Wyk
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote: Among other things, David and I discussed the difference between descriptive models like BSIMM and prescriptive models which purport to tell you what you should do. Thought I'd chime in on this a bit, FWIW... From my perspective, I welcome

Re: [SC-L] NIST SP 800-37

2010-02-03 Thread Benjamin Tomhave
800-37 has been in release for a while, providing the basis for the CA process. My understanding is that CA is evolving (and going the way of the dinosaur) very soon as NIST works with CNSS/JTF on the next big thing. I'm blanking on the rest of the details (not my space), but pinging Mike Smith

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
hi kevin (and sc-l), Sorry for the delay responding to this. I was skiing yesterday with my son Eli and just flew across the country for the SANS summit this morning (leaving behind 6 inches of new snow in VA). Anyway, better late than never. I'll interleave responses below. On Thu, 28 Jan

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
hi mike, On 2/2/10 9:28 PM, Mike Boberski mike.bober...@gmail.com wrote: Fun article. To try to be equally pithy in my response: the article reads to me like a high-tech, application security-specific form of McCarthyism. As a die hard liberal, I take offense to the McCarthy comment (hah).

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi again Mike, Yadda yadda, delay, and so on... On 2/2/10 9:30 PM, Mike Boberski mike.bober...@gmail.com wrote: somebody else said But the vast majority of clients I work with don't have the time or need or ability to take advantage of BSIMM Mike's Top 5 Web Application Security

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi Steve (and sc-l), I'll invoke my skiing with Eli excuse again on this thread as well... On Tue, 2 Feb 2010, Wall, Kevin wrote: To study something scientifically goes _beyond_ simply gathering observable and measurable evidence. Not only does data need to be collected, but it also needs to

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Gary McGraw
Hi Arian, Some more particulars regarding your posting. Sorry for the delay... On 2/2/10 4:32 PM, Arian J. Evans arian.ev...@anachronic.com wrote: Strategic folks (VP, CxO) ...Initially ...ask for descriptive information, but once they get going they need strategic prescriptions. Please see

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Wall, Kevin
On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote: Among other things, David [Rice] and I discussed the difference between descriptive models like BSIMM and prescriptive models which purport to tell you what you should do. I just wrote an article about that for informIT. The title is

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Steven M. Christey
On Tue, 2 Feb 2010, Wall, Kevin wrote: To study something scientifically goes _beyond_ simply gathering observable and measurable evidence. Not only does data need to be collected, but it also needs to be tested against a hypothesis that offers a tentative *explanation* of the observed

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Arian J. Evans
100% agree with the first half of your response, Kevin. Here's what people ask and need: Strategic folks (VP, CxO) most frequently ask: + What do I do next? / What should we focus on next? (prescriptive) + How do we tell if we are reducing risk? (prescriptive guidance again) Initially they

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Steven M. Christey
On Tue, 2 Feb 2010, Arian J. Evans wrote: BSIMM is probably useful for government agencies, or some large organizations. But the vast majority of clients I work with don't have the time or need or ability to take advantage of BSIMM. Nor should they. They don't need a software security group.

[SC-L] ESAPI 1.4.4 released!

2010-01-31 Thread Jim Manico
I'm very pleased to announce the release of the OWASP Enterprise Security API Library (ESAPI) version 1.4.4 for Java version 1.4 and above! This is an open source project under the BSD license. Changelog: http://owasp-esapi-java.googlecode.com/svn/branches/1.4/changelog.txt Other important

Re: [SC-L] BSIMM update (informIT)

2010-01-29 Thread Steven M. Christey
Speaking of top 25 tea leaves, the bug parade boogeyman just called and reminded me that the 2010 Top 25 is due to be released next Thursday, February 4. Thanks for the plug. A preview of some of the brand-new features: 1) Data-driven ranking with alternate metrics to feed the brain and

[SC-L] How a stray mouse click choked the NYSE, cost a bank $150K

2010-01-28 Thread Benjamin Tomhave
NYSE has come out with findings on a Credit Suisse initiated DOS issue... something so small, yet so fundamentally flawed... http://arstechnica.com/business/news/2010/01/how-a-stray-mouse-click-choked-the-nyse-cost-a-bank-150k.ars -- Benjamin Tomhave, MS, CISSP tomh...@secureconsulting.net

Re: [SC-L] win win for owasp and television spots

2010-01-23 Thread Neil Matatall
Don't forget to mention how individuals can get involved with OWASP ;) Like mailing lists, local chapter meetings and larger events such as AppSec 2010 (from 9/7-9/10) Neil On 1/22/10 6:50 AM, Justin Clarke connectjun...@gmail.com wrote: Hi Matt, What would be very good is if you can talk

Re: [SC-L] win win for owasp and television spots

2010-01-22 Thread Matt Parsons
Ladies and Gentlemen, I am starting to get approached by a few television stations to talk about application security. I would like to promote Owasp in these talks. What would be the best way to do it professionally and competently? See below news story. Thanks, Matt

Re: [SC-L] win win for owasp and television spots

2010-01-22 Thread Boberski, Michael [USA]
My #1 rule is to avoid jargon and to speak in as conversational a way as possible, targeting (and retargeting as the conversation progresses) the level of detail/abstraction to the targeted audience, whether it's one person or a bunch. Start broad, then narrow it down, change direction as the

Re: [SC-L] win win for owasp and television spots

2010-01-22 Thread Justin Clarke
Hi Matt, What would be very good is if you can talk to the (newly created) OWASP Connections Committee. I believe your best contact would be Lorna Alamri, who is heading up our PR initiative. Best regards Justin On 22/01/2010 10:39, Matt Parsons mparsons1...@gmail.com wrote: Ladies and

[SC-L] Webcast? and BSIMM goes statistical

2010-01-21 Thread Gary McGraw
hi sc-l, I haven't done a webcast in at least 2 years, but through a communications SNAFU it looks like I am doing one tomorrow for SANS on the BSIMM?! David Rice is the interviewer. In case you care: https://www.sans.org/webcasts/-impact-of-bsi-mm-in-software-development-programs-93194 In

[SC-L] OWASP for Charities: Haiti relief effort

2010-01-20 Thread Dinis Cruz
Hi, there are days that I am really proud of being part of the OWASP community, today is one of those days :) The Haiti tragedy prompted the OWASP community to kickstart a project that we have talked about several times in the past but never got around to doing: the OWASP for Charities project.

[SC-L] ESAPI for JavaScript!

2010-01-18 Thread Jim Manico
The newest version of ESAPI4JS is out! There are some significant new features, namely i18n support and validation. You can download the 0.1.2 distribution here: http://code.google.com/p/owasp-esapi-js/downloads/detail?name=esapi4js-0.1.2.zip As always, comments and questions are welcome and

[SC-L] Special Issue of IJSSE: Software Safety Dependability - the Art of Engineering Trustworthy Software

2010-01-13 Thread Goertzel, Karen [USA]
For those who might be interested. There are still a couple weeks until the submission deadline Karen Mercedes Goertzel, CISSP Associate Booz Allen Hamilton 703.698.7454 goertzel_ka...@bah.com --- Special Issue of IJSSE Theme: Software Safety Dependability - the Art of Engineering
