Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Dana Epp
, anything can be breached. A piece of paper won't stop that. Nor that crappy piece of code that I didn't properly threat model 15 years ago that is still in use today. -- Regards, Dana Epp Microsoft Security MVP On Wed, Apr 14, 2010 at 8:24 AM, Wall, Kevin wrote: > > Gary McGraw

Re: [SC-L] Change of position

2004-04-01 Thread Dana Epp
My plan is to create a new mailing list (hope Ken lets this one by) called nsbsc-l [network-security-beats-secure-coding-list]. Look for more information about that from me soon. gem Gary McGraw, Ph.D. CTO, Cigital http://www.cigital.com -- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/]

Re: [SC-L] Interesting article on the adoption of Software Security

2004-06-11 Thread Dana Epp
ight job. And although you can pound a square peg through a round hole if you beat it hard enough... it doesn't mean it's the right thing to do. Nor is it right to assume you can use typesafe languages as the panacea for secure coding. -- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/]

Re: [SC-L] Education and security -- another perspective (was "ACM Queue - Content")

2004-07-06 Thread Dana Epp
ink they should be taught the powers and failures of C. Since I know many of you think I'm nuts for that, you might want to look at this outline with the same amount of consideration. -- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/]

Re: [SC-L] Education and security -- another perspective (was "ACM Queue - Content")

2004-07-06 Thread Dana Epp
st need to convince the dean that all those books should be required reading, and that my code auditing is better than my email proofreading :) Mark Rockman wrote: You are not nuts. Your course outline is a very substantial step in the right direction. - Original Message - From: "Da

Re: [SC-L] Education and security -- plus safety, reliability and availability

2004-07-08 Thread Dana Epp
Hey Jim, All good points. I haven't seen that book and will have to see about grabbing it. Jim & Mary Ronback wrote: Dana Epp wrote: I think they should be taught the powers and failures of C. Your course sounds enticing. I'm tempted to sign up for it. Your course should als

Re: [SC-L] Education and security -- another perspective (was "ACM Queue - Content")

2004-07-08 Thread Dana Epp
oncepts across in a practical environment in universities. And more importantly, from a secure coding objective, you can show what NOT to do. -- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/]

Re: [SC-L] Programming languages used for security

2004-07-10 Thread Dana Epp
gram, thereby saving time and eliminating coding error. You will find exactly those arguments in the preface to the K&R C book. Crispin -- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/]

Re: [SC-L] Exploiting Software: How to Break Code

2004-11-11 Thread Dana Epp
George, I wrote a review about the book on my blog at: http://silverstr.ufies.org/blog/archives/000592.html Not sure if that's what you are looking for, but take a look if you are looking for a book review style view of it. - Dana - Original Message - From: "Greenarrow 1" <[EMAIL PROTEC

Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Dana Epp
-- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/]

Re: [SC-L] Secured Coding

2004-11-13 Thread Dana Epp
ve their pawns backwards, giving them an unfair advantage. And at times, get ahead of us. But that doesn't mean we stop trying. -- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/]

[no subject]

2004-12-02 Thread Dana Epp
<[EMAIL PROTECTED]> Subject: Re: [SC-L] How do we improve s/w developer awareness? Date: Thu, 2 Dec 2004 12:52:35 -0800 Sender: [EMAIL PROTECTED] Precedence: bulk Mailing-List: contact <[EMAIL PROTECTED]> ; run by MajorDomo List-Id: Secure Coding Mailing List List-Post:

Re: [SC-L] "Tech News on ZDNet" -- OS makers: Security is job No. 1

2005-05-11 Thread Dana Epp
eper to WHY they appear to be doing that. At least, that's my opinion on it anyways. YMMV. -- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/] Gizmo wrote: Microsoft is all about making Windows 'more secure' because they see a potential revenue stream. Note that their approach is NO

RE: [SC-L] Managing the insider threat through code obfuscation

2005-12-15 Thread Dana Epp
ig your own bunker however you see fit. How strong you make it depends on what sort of attack you are fretting about. --- Regards, Dana Epp [Blog: http://silverstr.ufies.org/blog/] From: [EMAIL PROTECTED] on behalf of Kenneth R. van Wyk Sent: Thu 12/15/2005 7:09 AM To: Jose Nazario Cc: Secu

RE: [SC-L] Bugs and flaws

2006-02-03 Thread Dana Epp
ources to begin with, it's not something that will be fixed over night. --- Regards, Dana Epp [Microsoft Security MVP] Blog: http://silverstr.ufies.org/blog/ From: [EMAIL PROTECTED] on behalf of Crispin Cowan Sent: Fri 2/3/2006 12:12 PM To: Gary McGraw Cc: Kenneth R. van Wyk; Secure Coding Mail

RE: [SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Dana Epp
t; Problem is, no tool in the world is going to show green blinky lights to tell you the code is safe. Human heuristics come into play here, and we have to leverage what assets we have, both manual and automatic, to find the faulty code and eliminate it. And pentesting is just another one of those

Re: [SC-L] bumper sticker slogan for secure software

2006-07-18 Thread Dana Epp
umper sticker I made. It simply says: "0x5". 10 points to the first person to explain what that means. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of SC-L Subscriber Dave Aronson

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Dana Epp
e real world we are still in our infancy when it comes to secure software as a discipline, and we still have much to learn before we will reach it. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ ___ Secure Coding maili

Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread Dana Epp
(in that order). So 0x5 means - no reception ("0") - good signal strength ("5") ie, we're doing ok at getting our message out, but people aren't listening yet. " That cracked me up. So fitting for this forum. Regards, Dana Epp [Microsoft Security MV

Re: [SC-L] "Bumper sticker" definition of secure software

2006-07-24 Thread Dana Epp
As should secure software engineers who think they can solve all problems with technology without considering all risks and impacts to the business. Regards, Dana Epp [Microsoft Security MVP] http://silverstr.ufies.org/blog/ -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL

[SC-L] Secure software education. Does it start with our tools?

2007-01-11 Thread Dana Epp
ritten for Windows95. This was built FOR and ON Vista. With Microsoft's great strides in their SDLC process to date, should we be expecting them to lead the charge in educating developers to run as Standard Users? What are your thoughts on this? --- Regards, Dana E

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Dana Epp
s why we squarely need to reflect on them to tactically do it. -- Regards, Dana Epp Microsoft Security MVP On Tue, Nov 25, 2008 at 9:01 AM, Stephen Craig Evans < [EMAIL PROTECTED]> wrote: > Gunnar, > > Developers have no power. You should be talking to the decision makers. > &g

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Dana Epp
of two members of the dev team that wish to do harm in your codebase before the risk elevates. Of course, the auditor better know what the hell he or she is doing. Otherwise, stuff will still get through. -- Regards, Dana Epp Microsoft Security MVP On Wed, Nov 26, 2008 at 6:03 PM, Mark Rockman