RE: [SC-L] Intel turning to hardware for rootkit detection

2005-12-14 Thread Chris Wysopal
On Wed, 14 Dec 2005, ljknews wrote: At 9:14 AM -0500 12/14/05, Gary McGraw wrote: No, that's a copy of stackguard. The real problem with all of these approaches is that they don't fix the root problem. Finding and removing buffer overflow conditions with a static analysis tool is far

RE: [SC-L] Bugs and flaws

2006-02-02 Thread Chris Wysopal
In the manufacturing world, which is far more mature than the software development world, they use the terminology of design defect and manufacturing defect. So this distinction is useful and has stood the test of time. Flaw and defect are synonymous. We should just pick one. You could say that

RE: [SC-L] Bugs and flaws

2006-02-02 Thread Chris Wysopal
Crocker, Escher Technologies Ltd. Consultancy, contracting and tools for dependable software development www.eschertech.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Chris Wysopal Sent: 02 February 2006 21:35 To: Gary McGraw Cc: William Kruse

Re: [SC-L] darkreading: voting machines

2006-10-13 Thread Chris Wysopal
On Mon, 9 Oct 2006, Gary McGraw wrote: The most interesting thing from an sc-l perspective about this column is that it emphasizes a client need we're often forced to address---the need for a demo exploit. Sometimes those on the receiving end of a software security vulnerability don't

Re: [SC-L] darkreading: voting machines

2006-10-13 Thread Chris Wysopal
-= The Art of Software Security Testing: Identifying Software Security -= Flaws by Chris Wysopal, Lucas Nelson, Dino Dai Zovi, and Elfriede -= Dustin, Available Nov 27, 2006 On Tue, 10 Oct 2006, Jeremy Epstein wrote: Gary, Interesting point. I'm on the Virginia state commission charged with making

Re: [SC-L] Adapting Penetration Testing for Software Development Purposes

2007-01-23 Thread Chris Wysopal
Ken, I enjoyed reading this article. My book The Art of Software Security Testing is based on the concept of using penetration techniques as part of the development lifecycle and is specifically targeted at QA professionals. One of my co-authors Elfriede Dustin has written 5 QA books

Re: [SC-L] Security Testing track: Software Testing Conference:Washington DC

2007-09-06 Thread Chris Wysopal
There has been some movement in this direction and I think you are correct that we need to educate the mainstream QA audience just as we must educate the mainstream developer audience. I am giving a keynote on software security testing at Practical Quality and Software Testing in

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCICompliance

2008-06-30 Thread Chris Wysopal
Ken, Customers not wanting to part with source code is one of the reasons, at Veracode, we decided to take our static binary analysis technology to market as SaaS. You get the benefit of both automation, as with static source code analysis, and an external assessment, yet you don't have to part

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-03 Thread Chris Wysopal
And presumably before they spent many man years proving implementation correctness they could have spent a fraction of that on design review and subsequent design corrections. -Chris -Original Message- From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-15 Thread Chris Wysopal
This seems to boil down to an economics problem. Notice how quickly the bean counters showed up after the thread began with a discussion of bugs and complexity. It is just too inexpensive to create new code and there isn't enough economic pain when it fails for anything to change for most

Re: [SC-L] web apps are homogenous?

2010-02-26 Thread Chris Wysopal
A large part of the cost of fixing a bug, especially late in the dev cycle after testing is complete, is the cost of regression testing. The cost of regression testing of a patch for commercial software is much higher than the cost of a custom web application. Think of an Oracle bug that

Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-23 Thread Chris Wysopal
Most software security people that I talk to that advocate static analysis and pen testing see it as one part of the overall solution. It is a part of the solution that software producers can get started on rather easily to open their eyes that they need secure architectures and better

Re: [SC-L] [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis?

2010-04-28 Thread Chris Wysopal
There is no reason the php.ini and other framework or app server configuration files can't be taken into account in a static analysis. Veracode performs static analysis of an application in its final executable form. So for compiled languages that is a binary executable, for managed

Re: [SC-L] informIT: Technology transfer

2010-10-28 Thread Chris Wysopal
Nice article. There is a piece of this history that predated ITS4 which is L0pht's SLINT which was in 1998 and demoed to you and John Viega. Here was our original description: http://web.archive.org/web/19990209122838/http://www.l0pht.com/slint.html From the Feb, 1999 web page: excerpt

Re: [SC-L] informIT: Technology transfer

2010-10-29 Thread Chris Wysopal
vs. anybug effect. -Chris 1. Standing on Other's Shoulders, https://www.securityfocus.com/columnists/486 -Original Message- From: Gary McGraw [mailto:g...@cigital.com] Sent: Thursday, October 28, 2010 5:08 PM To: Secure Code Mailing List Cc: Jeremy Epstein; Chris Wysopal Subject: Re

Re: [SC-L] [WEB SECURITY] Re: Backdoors in custom software applications

2010-12-17 Thread Chris Wysopal
Here is a paper that I wrote with Chris Eng that covers major categories of backdoors with examples. http://www.veracode.com/images/stories/static-detection-of-backdoors-1.0.pdf Our Blackhat presentation

Re: [SC-L] InformIT: comparing static analysis tools

2011-02-04 Thread Chris Wysopal
: Jim Manico [mailto:jim.man...@owasp.org] Sent: Thursday, February 03, 2011 7:02 PM To: Chris Wysopal Cc: Gary McGraw; Secure Code Mailing List Subject: Re: [SC-L] InformIT: comparing static analysis tools Chris, I've tried to leverage Veracode in recent engagements. Here is how

Re: [SC-L] InformIT: comparing static analysis tools

2011-02-04 Thread Chris Wysopal
” benefits kick in. -Chris From: Prasad N Shenoy [mailto:prasad.she...@gmail.com] Sent: Thursday, February 03, 2011 9:02 PM To: Chris Wysopal Cc: Gary McGraw; Secure Code Mailing List Subject: Re: [SC-L] InformIT: comparing static analysis tools Very well said Chris. Can you explain what you mean

[SC-L] Application Security Debt and Application Interest Rates

2011-03-06 Thread Chris Wysopal
I have a couple of blog posts modeling application vulnerabilities the way you might think of technical debt. Part I: Application Security Debt and Application Interest Rates http://www.veracode.com/blog/2011/02/application-security-debt-and-application-interest-rates/ Part II: A Financial