Not many builders go to BlackHat. BlackHat is by Breakers, for
Defenders. It is primarily attended by Defenders, with a smaller pool
of dedicated Breakers.
It is very valuable to our industry to have conferences focused on
Breaking. Though they do have Builder and Defender talks. Some of my
first
Hello fellow SCLers.
Cross-Site Request Forgery (CSRF) has been generating a high volume of
questions for us in the last year, as well as noticing increased
discussions on the webappsec mailing lists. As Jeremiah noted over on
the WASC list - this is a welcome change really -- for most of the
last
Excellent response, Ivan. Malware is a business, not a programming mistake,
which Gary's article mentions then sidesteps.
This is the "Secure Coding" list so I can understand the myopia.
As for "Long Term Solutions and Wishful Thinking" in the article:
It is clear that current solutions are not
That is a great question. According to Gartner, HA has the stench of
inevitability. And in general, I agree.
There are cases where dynamic and static each have clear strengths.
Pragmatic combination of the two has promise in solving a broad
spectrum of test-cases. Additionally -HA can help impr
Great article, Gary. Many of your comments about static technology
challenges I have seen and verified first-hand, including
multi-million dollar cost overruns. After some great dialogue with
John Stevens, I suspect we have had similar experiences.
I was just about to write a similar article at a
Sebastian -
Looks like you got great replies! Lots of different theories and ideas here.
On a day to day basis - here are the most common "backdoors" in
webapps I've encountered over the last 15 years or so:
1) Developer Tools "Backdoor" hidden under obscure path
2) COTS module improperly deploy
This is a really awesome time to be involved with web application
security, and software security in general! Real metrics are finally
being published in our industry. This will help us move away from the
Anecdotal Evidence powering competing Security Risk Religions that
folks have been selecting b
27, 2010 at 11:52 AM, Arian J. Evans
> wrote:
>> So to be clear -
>>
>> You are saying that you do all of the below when you are analyzing
>> hundreds to thousands of websites to help your customers identify
>> weaknesses that hackers could exploit?
>>
On Sat, Apr 24, 2010 at 9:33 PM, Arian J. Evans
> wrote:
>> You guys that write a lot of ideological software SDL-theory books can
>> keep your dinosaur Multics.
>
> Nobody wants to go back to / can go back to the TCSEC/Orange-Book
> formal methods days. We can't go bac
The world of web software is the future and the future is a wild
open-ended place by design. I for one would like to keep it that way.
You guys that write a lot of ideological software SDL-theory books can
keep your dinosaur Multics.
About 4 years ago I shifted my focus away from static analysis
e be done,
---
Arian Evans
On Wed, Apr 14, 2010 at 10:29 AM, Paul Schmehl wrote:
> --On Tuesday, April 13, 2010 15:21:26 -0700 "Arian J. Evans"
> wrote:
>
>> Keyboard Cowboy,
>>
>> Education is always a good thing. I think kids should have the opportunity
Keyboard Cowboy,
Education is always a good thing. I think kids should have the opportunity
to learn both sides of software security. Great suggestion.
Kids, by nature, are drawn to things that are taboo and demonized. Which
hacking no doubt falls into, and according to Daniel, also Angelina Joli
In the web security world it doesn't seem to matter much. Top(n) Lists
are Top(n).
There is much ideological disagreement over what goes in those lists
and why, but the ratios of defects are fairly consistent. Both with
managed code and with "scripting" languages.
The WhiteHat Security statistics
ck surface is most
immediately at risk of compromise, and move the bar a meaningful
amount.
I guess I'm just not a fan of huge GW Bush style programs where you
mobilize a special task force and invade another country to count WMDs
before you can identify that you have a basic problem and take st
100% agree with the first half of your response, Kevin. Here's what
people ask and need:
Strategic folks (VP, CxO) most frequently ask:
+ What do I do next? / What should we focus on next? (prescriptive)
+ How do we tell if we are reducing risk? (prescriptive guidance again)
Initially they ask
The software security problem is a huge problem. There are not enough
CISSPs to even think about solving this problem.
CISSPs probably should have a tactical role helping categorize,
classify, and facilitate getting things done. Scanner jockeys and
network security folk will lead the operational c
Rafael -- to clarify concretely:
There are quite a few researchers that attack/exploit embedded
systems. Some google searches will probably provide you with names.
None of the folks I know of that actively work on exploiting embedded
systems are on this list but I figure if I know a handful of
inline
On Wed, Aug 19, 2009 at 4:06 AM, Kenneth Van Wyk wrote:
> The list has pretty consistently hovered around 1000 subscribers since
> pretty shortly after I launched it in late 2003.
Interesting. I would not have guessed that the list was so large.
Guess I need to stop making inside jokes an
Jeremiah Grossman and I were both pondering the size of the SCL recently.
Is the list size public?
I realized I tend to think of SCL as a small list of 30 people from
2003 who are all about 2 degrees of Kevin Bacon away from each
other.
Now that what we do has become a true industry, and
potential, however, there's still a lot of work to be done beyond a scan to
> perform anything resembling a complete assessment. Of course, a human
> assisted SaaS model has the potential to fill the gap, but from what I'm the
> majority of organizations using scanners like
Kevin -- excellent points. Starting on top:
+ this is happening... (really!)
+ "dynamic scanning" vendors are getting together to add/share more
data-points and lessons with:
++ WAF vendors
++ static-analysis automation vendors
++ consultants doing Pen-Testing, static analysis, threat modeling,
Great answer, John. I especially like your point about web.xml.
This goes dually for black-box testing. There would be a lot of
advantage to being able to get (and compare) these types of config
files today for dialing in BBB (Better Black Box vs. blind black box)
testing. I don't think anyone is
We deliver it as a
> service. If you have a .NET or Java web app, you cannot find a
> comparable solution from a single vendor today.
>
> -Chris
>
> -Original Message-
> From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On
> Behalf Of Arian J. Evan
Right now, officially, I think that is about it. IBM, Veracode, and
AoD (in Germany) claim they have this too.
As Mattyson mentioned, Veracode only does static binary analysis (no
source analysis). They offer "dynamic scanning" but I believe it is
using NTO Spider IIRC which is a simplified scann
On Sat, Mar 21, 2009 at 2:43 PM, Matt Parsons wrote:
> I was asked the following questions on a job phone interview and wondered
> what the proper answers were. I was told their answers after the
> interview. I was also told that the answers to these questions were one or
> two words. In
I think that you are spot on, and people are sooner than
later going to be demanding that, as a by-product of our
shrinking economic reality.
Take this example (not to stir up a semantic pissing match):
"Insufficient Input Validation"
I get it. I understand the importance of it. But it is not
cl
On Mon, Jan 19, 2009 at 9:45 AM, Stephen Craig Evans
wrote:
>
> Hi Arian,
>
> " SANS has spoken and I think that is a pretty clear indication what is
> going on)"
>
> Have you been watching Wizard of Oz re-reruns again? This sentence sounds
> too much like "The Mighty Oz has spoken" :-)
I am
Hello all. Xposting to SCL and WASC:
Following-up to my commentary on the
WASC list about the SANS/CWE "Top 25"
I have repeatedly confirmed that the SANS/CWE
Top 25 is being actively used, and growing in
use, as a "Standard".
I understand the spirit of intent and that the
makers are not acco
ll one.
Many of us throw out the baby with the bathwater due
to the technology problem and the insane vendor
marketing around it we've been dealing with for years.
When many of our technology solutions still don't do
what they say they have been able to do for 4 or 5
years, maybe it
ng and
design over the years.
While it makes sense to enforce some syntax
structure upon the caller, in general I tend to
put all semantic responsibilities upon the callee,
and even assume the callee should enforce
some notion of syntax requirements upon
the caller, and feed said back to caller.
this second, to make money.
Interesting work by David, for sure, and
great ammo if we have to beat the "strong
data typing" drum in our software.
--
Arian J. Evans, software security stuff.
I spend most of my money on motorcycles, mistresses, and martinis. The
rest of it I squander
I'll second this Gary. You've done nice work here.
I think Mary Ann's comments are some of the most
interesting concerning what our industry needs to
focus on in the near future. (and I'd love to see you
focus on this with your series)
Her comments reminded me of a discussion on this
list with Wy
le spend on patching, and/or random third party "add security"
> appliances and software takes scarce resources that might be put to better
> uses.
>
> If the Army has tank crews of 12, and 10 of them are busy fixing the tank
> treads because they keep slipping off, the
"mitigation" and "response".
I get a completely different feel, due to entirely different
organizational/business realities, from software startups
and silicon valley in general.
That's great that you see this, though. Good news.
-ae
On Fri, Mar 14, 2008 at 7:06 AM, Mike Ly
On Wed, Mar 12, 2008 at 3:05 PM, Andy Steingruebl <[EMAIL PROTECTED]> wrote:
> On a related note a quick perusal of the JavaOne conference tracks
> doesn't show a lot of content in this area either. Is this due to a
> lack of interest, or people in the security world not pitching talks
> to t
I hate to start a random definition thread, but Ben asked me a good
question and I'm curious if anyone else sees this matter in the
same fashion that I do. Ben asked why I refer to software security
as similar to artifacts identified by emergent behaviors:
> > Software security is an emergent beh
surance or substantial penalties are the norm (if they are
ever the norm) will we have meaningful quantitative data to drive a
justification for security as a requirement in startup or most open
source software projects. That's my opinion, anyway.
---
Arian J. Evans
Software Security Stu
On Wed, Mar 12, 2008 at 6:08 PM, Benjamin Tomhave
<[EMAIL PROTECTED]> wrote:
> I think you misunderstood my points a little bit. SXSW was just a
> current conference example. As Gary's pointed out, there are many
> conferences. It's possible SXSW wasn't a good example, but it was meant
> more
On 6/6/07, McGovern, James F (HTSC, IT) <[EMAIL PROTECTED]>
wrote:
I really hope that this email doesn't generate a ton of offline emails and
hope that folks will talk publicly. It has been my latest thinking that the
value of tools in this space are not really targeted at developers but
shoul
I don't understand this thread. These are different sets of issues. Often,
they are different sets of people. Organizational size is a factor. A
three-man startup is going to have a lot of hat overlap, where a monolithic
enterprise is going to have broad distribution of hats. The spirit of this
th
1. This is a great first step. While it sounds so 2003: I still deal with
developers all the time that simply have no idea what to do or where to
begin for *very basic* issues. Input validation. Output encoding. Or try to
solve by doing crazy wild wrong things ("dangerous-string" blacklists,
case-
comments:
On 4/24/07, Jeremy Epstein <[EMAIL PROTECTED]> wrote:
I've just caught up with 6 weeks of backlogged messages in this group,
better than me, I fell off all the lists when I moved last year. Pardon list
duplicity:
(1) SOX is a waste, as several people said, because it's just a way
't poked the bear err trolled any of the usual
suspects lately. Looks like I've been missing out on some good dialogue,
thank you, this was very helpful,
Arian J. Evans
Solipsistic Software Security Sophist at Large
Great stuff Nash. To re-iterate one important statement: Many orgs
today will *only* respond to a working exploit. (I'm not sure what
the sample (%clue) of orgs I see is vs. Cigital's client, but...)
Pen-test vs. code review, black-box, white-box, whatever:
There is absolutely no difference at th
> -Original Message-
> From: [EMAIL PROTECTED]
> Sent: Friday, April 29, 2005 2:32 PM
> To: SC-L
> Subject: [SC-L] Why Software Will Continue to Be Vulnerable
>
> This makes it highly unlikely that software companies are
> about to start dumping large quantities of $$ into improving soft