[SC-L] OWASP AsiaPac 2012 - Sydney, Australia: CFP and call for trainers

2012-01-12 Thread Andrew van der Stock
Colleagues, In 2012, OWASP is holding the Global AppSec AsiaPac Conference in Sydney, Australia! OWASP Asia Pacific is the foremost Application Security conference for the region, and brings together the community in a central meeting for 4 days to discuss and present on recent and current

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-13 Thread Andrew van der Stock
The OWASP materials are fairly language neutral. The closest document to your current requirements is the Developer Guide. I am also developing a coding standard for OWASP with a likely deliverable date next year. I am looking for volunteers to help with it, so if you want a document that

Re: [SC-L] quick question - SXSW

2008-03-26 Thread Andrew van der Stock
of the world. thanks, Andrew van der Stock Lead Author, OWASP Guide and OWASP Top 10 ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available

Re: [SC-L] Silver Bullet turns 2: Mary Ann Davidson

2008-03-26 Thread Andrew van der Stock
aid and treating security as a fundamental software engineering requirement. It's about time. thanks, Andrew van der Stock Lead Author, OWASP Guide to Writing Secure Applications and OWASP Top 10 ___ Secure Coding mailing list (SC-L) SC-L

Re: [SC-L] COBOL Exploits

2007-11-18 Thread Andrew van der Stock
, but better late than never. I know a bunch of sites that could use that tool if it works even 1% as well as the marketing is likely to make out. thanks, Andrew van der Stock Executive Director, OWASP Project Lead Author, OWASP Guide On Nov 2, 2007, at 1:45 PM, Peter G. Neumann wrote: Searching

Re: [SC-L] Mainframe Security

2007-11-18 Thread Andrew van der Stock
In my experience of reviewing COBOL and mainframes in general, it's worthwhile to evaluate doing bad things to the business logic. The designers are literal in their translation of the business requirements to specifications, and never think of the mis-use cases. Mainframe coders aren't

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-19 Thread Andrew van der Stock
- From: Andrew van der Stock [mailto:[EMAIL PROTECTED] Sent: Monday, March 19, 2007 2:50 PM To: McGovern, James F (HTSC, IT) Cc: SC-L Subject: Re: [SC-L] How is secure coding sold within enterprises? There are two major methods: 1. Opportunity cost / competitive advantage

Re: [SC-L] Bumper sticker definition of secure software

2006-07-24 Thread Andrew van der Stock
NB: I am not speaking on behalf of my employer and this is my personal opinion. Banks in general do not use smart cards as they suffer from the same issue as two-factor non-transaction-signing fobs - they are somewhat trivial to trick users into giving up a credential. Connected keys are

Re: [SC-L] bumper sticker slogan for secure software

2006-07-19 Thread Andrew van der Stock
Actually, it is a myth. For every non-trivial system, there are business pressures on resourcing, deadlines, and acceptable quality (pick any two). Once a business has set their taste for risk, it makes no sense to spend say $10m on security controls on a product and delay it for six

Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread Andrew van der Stock
Best for older cars... My other car is a bit more secure Best for Volvos (or pick another high safety brand): I wish my finance systems are as safe as this car Honk if you want secure software Who has your data? Ask for secure software next time thanks, Andrew smime.p7s Description: S/MIME

[SC-L] OWASP PHP Top 5 Announcement

2006-06-27 Thread Andrew van der Stock
OWASP is pleased to announce the immediate availability of the OWASP PHP Top 5. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is produced by the OWASP PHP Project. The PHP Top 5 is based upon attack

Re: [SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-24 Thread Andrew van der Stock
Dinis, Sandboxing prevents a machine from having bad system() and buffer overflows causing system compromise. Sure that's bad enough. However, sandboxing does not prevent: * all types of cross-site scripting * SQL injection * Command injection via SQL injection (xp_cmdshell and similar

[SC-L] Java integer overflows (was: a really long topic)

2006-03-29 Thread Andrew van der Stock
On 3/29/06, Andrew van der Stock [EMAIL PROTECTED] wrote: This is not quite true. Java does not prevent integer overflows (it will not throw an exception). So you still have to be careful about array indexes. Andrew smime.p7s Description: S/MIME cryptographic signature

Re: [Owasp-dotnet] Re: [SC-L] Is there any Security problem in Ajax technology?

2006-03-14 Thread Andrew van der Stock
Yes! :) I am speaking at the OWASP EU conference in Belgium (I hope people speak English 'cos my French is now quite appalling) at the end of May, and I have a paper submission for O'Reilly's OSCON in early July. I am still mulling over whether to submit a proposal to BlackHat as

[SC-L] Fwd: Security problems with Ajax

2006-03-06 Thread Andrew van der Stock
: Andrew van der Stock [EMAIL PROTECTED] Date: 7 March 2006 2:54:36 AM To: kentaro.arai at hidden Subject: Security problems with Ajax Kentaro, In short, yes! :) I am researching and writing a new chapter on Ajax security for the OWASP Guide which will be out as soon as it's been properly reviewed