http://www.secappdev.org/handouts/2012/Dan%20J.%20Bernstein/worst%20practices.pdf
--
Jim Manico
@Manicode
(808) 652-3805
On Jul 1, 2013, at 8:55 PM, Jeffrey Walton wrote:
Hi Jim,
Do you know if there is a slide deck available with the talk? It
sounds like there is, but Dr. Bernstein's
ces".
Dan is a very sharp and controversial character. I hope you enjoy.
Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml
Thanks for listening!
Aloha,
Jim Manico
OWASP Board M
rity-proj...@lists.owasp.org).
Thank you!
Regards,
Jim Manico
OWASP Board Member and Volunteer
@Manicode
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter ava
homas Herlea for curating this and future
SecAppDev.org presentations.
Thanks for listening.
- Jim Manico
OWASP Volunteer
j...@owasp.org
@manicode
.com/p/owasp-java-waf/) project team (Jim Manico and Juan
> Carlos Calderon) have agreed to work on a ModSecurity porting effort. This
> means that the OWASP Java WAF will be able to support a subset of the
> ModSecurity Rules Language, and thus, would allow Java web app users to
> dir
upport
ESAPI in a wide variety of ways!
Aloha!
- Jim Manico
ESAPI Project Manager
OWASP Volunteer
:Wichers
3) OWASP Podcast 81 is an older show from Brian Chess prior to HP's
purchase of Fortify. Brian talked about how software security issues are
no longer just about business risk - it's now life and death.
http://www.owasp.org/download/jmanico/owasp_podcast_81.mp3
I hope you enjoy. Feedb
>
> why is this a problem again?
>
> On 15 Feb 2011, at 05:06, Chris Schmidt wrote:
>
>> I would assume just about any app with a shopping cart does. This is of
>> course compounded by libraries like struts and spring mvc that autobind your
>> form variables for you.
sues with prescriptive
>> remediation advice.
>>
>> 1) Update your JVM, often easier said than done
>> 2) Build a blacklist filter looking for this specific numerical attack
>> range. I already patched this in the ESAPI for Java security library
>> which you wil
Hello Chris,
Thanks for replying!
I think the reaction from "my boss" was not so much knee-jerk, but a
reasonable concern. The risk of persisting intellectual property on a
cloud service is real. And that risk differs depending on your business
(as well as many other factors). I'm eager to see ve
have faced these objections before. How do you work around them?
-Jim Manico
http://manico.net
On Feb 3, 2011, at 1:54 PM, Chris Wysopal wrote:
>
> Nice article. In the 5 years Veracode has been selling static analysis
> services we have seen the market mature. In the beginning, or
Hey Gary,
Nice article. A brief note, Ounce is "dead". The product was renamed
"IBM Rational AppScan Source Edition" after IBM's acquisition of Ounce.
Small matter but for what it's worth,
Jim
> hi sc-l,
>
> John Steven and I recently collaborated on an article for informIT. The
> article is
An old friend of mine and a new but highly active member of the ESAPI-Java
team provided a significant improvement on the Stanford clickjacking defense
methodology that I think is worth blasting out to the community.
https://www.codemagi.com/blog/post/194
Comments appreciated.
Cheers,
> My gut feel here is that we gain a lot more by merging the work done here
> into ESAPI.
I agree 100%, I'm glad you said it first. J
- Jim
From: Chris Schmidt [mailto:chrisisb...@gmail.com]
Sent: Friday, October 29, 2010 8:36 PM
To: Jim Manico; esapi-...@lists.owasp.o
ke to understand any potential modifications CSRFGuard users have had to
make in order to implement it successfully for their website. I'd also like
to hear of any success stories of using CSRFGuard out of the box.
Any feedback regarding this matter is greatly appreciated.
Thanks kindl
cover general defensive coding techniques and good
security design principles that help dev's build secure apps from day 1.
And Steve, you only see me pop up when I have a criticism. But as I said when
we went hiking on Kauai, I think you and team are doing outstanding work and
I'm thankful
when using a modern
security framework like Spring Security or (wait for it) ESAPI. But client-side
Java? Flash? There are a few large organizations who have banned both from
their clients and they are more secure for it.
-Jim Manico
http://manico.net
On Oct 21, 2010, at 10:58 PM, "Ste
assurance we need
to promote ESAPI 2.0 to GA.
Malama Pono Aloha,
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
tly (it was not done correctly in SATE 2008).
Vadim
____________
From: Jim Manico [...@manico.net]
Sent: Thursday, May 27, 2010 5:31 PM
To: 'Webappsec Group'
Subject: [WEB SECURITY] SATE?
I feel that NIST made a few errors in the first 2 SATE studies.
After the sec
Fantastic SATE reply from Steven M. Christey:
I participated in SATE 2008 and SATE 2009, much more actively in the
2008 effort. I'm not completely sure of the 2009 results and final
publication, as I've been otherwise occupied lately :-/ Looks like a
final report has been delayed till June (
C
(http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
--
Jim Manico
I feel that NIST made a few errors in the first 2 SATE studies.
After the second round of SATE, the results were never fully released to
the public - even when NIST agreed to do just that at the inception of
the contest. I do not understand why SATE censored the final results - I
feel such cen
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW
: Did someone say "slow down" ? I missed that as I was running by... ;)
Thanks for listening!
--
Jim Manico
is non-commercial podcast released under the
Creative Commons/ShareAlike license.
Thanks for listening!
--
Jim Manico
c\examples
Please see changelog.txt at the root of the zip file for more information.
Mahalo Nui Loa,
--
Jim Manico
..or do the same via iTunes
http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
..or see our show list on the web
http://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows
Thanks for listening!
--
Jim Manico
, Jim Manico,
Andrew van der Stock, Ben Tomhave and Jeff Williams
http://www.owasp.org/download/jmanico/owasp_podcast_59.mp3
#58 Interview with Ron Gula
http://www.owasp.org/download/jmanico/owasp_podcast_58.mp3
I hope you enjoy.
--
Jim Manico
Why are we holding up the statistics from Google, Adobe and Microsoft (
http://www.bsi-mm.com/participate/ ) in BDSIMM?
These companies are examples of recent "epic security failure". Probably
the most financially damaging infosec attack, ever. Microsoft let a
plain-vanilla 0-day slip through
Loa <http://en.wikipedia.org/wiki/Mahalo> /to
all of the many developers and users who have contributed to the ESAPI
project in some way.
Warm Regards,
--
Jim Manico
encouraged directly to
the projects author at chrisisb...@gmail.com !
Other ESAPI resources:
OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/
Thanks all.
--
Jim Manico
d critique here at ESAPI central, and I will continue to
look for your counsel and advice.
And as a side note, I think many of your concerns are justified. I am
petitioning the ESAPI team to relabel different versions of ESAPI as
ALPHA/BETA where appropriate, an opinion that is sure to bring me heat
fro
re application security industry
disappear and/or shrink so AppSec is just a standard set of line items
on each software project's SOW. Communists? Maybe. But we are making a
difference.
These are all my opinions and do not necessarily represent the
"official" position of OWASP, if such
Stephen,
I think this is very important and sage advice.
Philosophically, we do not want to bring developers to ESAPI, we want to
bring ESAPI to developers. And that means working with where THEY are at
and moving from there.
I have not seen a large company use ESAPI directly in their code
(alth
Senior Director; Advanced Technology Consulting
Desk: 703.404.9293 x1204 Cell: 703.727.4034
Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908
Blog: http://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven
http://www.cigital.com
Software Confidence. Achi
l help you build secure apps.
Jim Manico
On Jan 6, 2010, at 6:20 PM, John Steven wrote:
All,
With due respect to those who work on ESAPI, Jim included, ESAPI is
not the only way "to make a secure app even remotely possible." And
I believe that underneath their own pride in wha
> I again come back to James McGovern's suggestion, which is treating
> coding as an art rather than a science
Keep your Picasso out of my coding shop, world of discrete mathematics
and predicate logic! I don't care how cheap his hourly is. :)
I'd prefer to think of coders as craftsmen; we cert
We are approaching huge industry-wide application security critical
mass for the first time. Now is the time to strike. If all we teach is
input validation+canonicalization, query parameterization, and output
encoding, we stop xss and sqli via education
Jim Manico
On Aug 21, 2009, at 11
A quick note, in the Java world (obfuscation aside), the source and
"binary" is really the same thing. The fact that Fortify analyzes
source and Veracode analyzes class files is a fairly minor detail.
Jim Manico
On Jul 28, 2009, at 7:40 AM, "Arian J. Evans" wrote:
Very nice work.
Since this is written under the creative common 3 license, I put a copy
(with attribution to Lenny) on OWASP.org at
http://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet in case
anyone wishes to collaborate on this guide.
- Jim
- Original Message -
From: "
here
http://www.owasp.org/index.php/Podcast_26 or just grab the mp3
http://www.owasp.org/download/jmanico/owasp_podcast_26.mp3
Thanks for listening! (or at least downloading :)
Best Regards,
Jim Manico
OWASP Podcast Host
PS : We discussed the following articles on this show.
4/16 http://www.in
.
Thanks for listening, I hope you enjoy.
Regards,
Jim Manico
Aspect Security/OWASP Podcast Host
RSS: http://www.owasp.org/download/jmanico/podcast.xml
iTunes:
http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
ation
Security. I hope you enjoy!
Aloha from Kauai,
Jim Manico
OWASP Podcast Series Host
tiple CSRF vulns in the AV vendor space
http://www.owasp.org/download/jmanico/owasp_podcast_20.mp3
Thanks kindly for listening!
Jim Manico
OWASP Podcast Series Host
podc...@owasp.org
Archives: https://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows
RSS Feed: http://www.owasp.org/downlo
I heard that http://www.twitter.com is a fun one, too. LITTERED with major
vulns.
- Jim
- Original Message -
From: "security curmudgeon"
To: "Jeremy Epstein"
Cc:
Sent: Wednesday, May 06, 2009 7:17 AM
Subject: Re: [SC-L] Seeking vulnerable server-side scripts
>
> : There are several
Any Java education book, like Cay Horstmann's Core Java. Seriously.
- Jim
- Original Message -
From: "Brad Andrews"
To:
Sent: Wednesday, May 06, 2009 7:41 AM
Subject: [SC-L] Insecure Java Code Snippets
>
>
> Does anyone know of a source of insecure Java snippets? I would like
> to ge
nes:
http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
Thanks for listening,
- Jim Manico
/viewPodcast?id=300769012
Regards,
- Jim Manico
OWASP Podcast Host
I had the pleasure of interviewing Dr. Brian Chess from Fortify Software for OWASP
Podcast 15. Brian talked about BSIMM and more - demonstrated a lot of class as
always. Have a listen!
Direct Link: http://www.owasp.org/download/jmanico/owasp_podcast_15.mp3
To stay connected to the OWASP Podcast Se
listen to OWASP Podcast #14 you can, download the mp3 file directly ,
subscribe to the RSS feed or subscribe directly through iTunes!
Cheers to SC-L,
Jim Manico - OWASP Podcast Host
It really depends on what you are hiring for.
If we are talking App/Software security - like Gary has said many times - I
would rather hire a software guy and train them about security. Doing it the
other way around is almost impossible. How can you really do software security
if you are netse
innovate, you must as well jump the curve*.
>
> -ben
>
> * see Kawasaki "Art of Innovation"
> http://blog.guykawasaki.com/2007/06/art_of_innovati.html
>
> Gary McGraw wrote:
>> Aloha Jim,
>>
>> I agree that security bugs should not necessarily take
This is why I'm not fond of leading with a tool. I prefer to lead with
architectural/design analysis and targeted manual review of high risk
applications.
Jim Manico
j...@manico.net
On Mar 20, 2009, at 4:06 AM, "Goertzel, Karen [USA]" wrote:
Except when they'
our primary analysis driver
concerns me. Will you elaborate, please?
- Jim
- Original Message -
From: "Gary McGraw"
To: "Jim Manico" ; "Steven M. Christey"
Cc: "Sammy Migues" ; "Dustin Sullivan"
; "Secure Code Mailing List"
Se
> The top N lists we observed among the 9 were BUG lists only. So that
> means that in general at least half of the defects were not being
> identified on the "most wanted" list using that BSIMM set of activities.
This sounds very problematic to me. There are many standard software bugs
that a
> Many of the top N lists we encountered were developed through the
> consistent use of static analysis tools. After looking at millions of
> lines of code (sometimes constantly), a ***real*** top N list of bugs
> emerges for an organization.
You mean a "real list of what a certain vendors sta
On the topics of Podcast, I'm very pleased to announce the release of the
non-rigged live release of OWASP Podcast #12, an Interview with Ryan C.
Barnett.
Ryan Barnett talks about the OWASP ModSecurity core ruleset project and WAF
technology in general. Ryan has such incredible experience in thi
or subscribe directly through iTunes.
Thanks Gentlemen!
- Jim Manico
OWASP Podcast Series Host
I'm very pleased to announce to SC-L that OWASP Podcast #10 - an interview with
Ken van Wyk - is live!!
To listen to OWASP Podcast #10, you can download the mp3 file directly ,
subscribe to the RSS feed or subscribe directly through iTunes.
Thanks Gentlemen!
- Jim Manico
OWASP Podcast S
Hello SC-L
I just pushed OWASP Podcast #6 live at
http://www.owasp.org/index.php/Podcast_6 - an OWASP Roundtable with
Brian Holyfield, Marcin Wielgoszewski, Andre Gironda and myself, Jim
Manico. Our focus was WAFs.
Thanks and I hope you enjoy,
Jim M
> I'd like to offer a different view for your consideration, which is
> that /*input validation and output encoding actually don't have anything
> to do with security*/. Those techniques are essential software building.
I'm really confused with this statement - and almost feel it's
dangerous. Encoding
tephen
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTE
rise.
- Jim
> At 9:12 AM -1000 8/26/08, Jim Manico wrote:
>
>
>> How does xHTML help stop access control vulnerabilities?
>> Authorization issues? CSRF problems?
>>
>
> It is indicative of the caliber of the people who built
> the site.
>
> My
gt; application security functionality, which is what WAF also attempts to
> do."
>
> http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/
>
> I rest my case.
> Stephen
>
> On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico <[EMAIL PROTE
t;>> of you may be interested in participating in. Try it yourself here:
>>>>
>>>> http://www.bankinfosecurity.com/surveys.php?surveyID=1
>>>>
>>> Hmmm. http://validator.w3.org says there are 973 errors on that page.
>>>
> Anyone else have a take on this new attack method?
If I use Parameterized queries w/ binding of all variables, I'm 100%
immune to SQL Injection.
In Java (for Insert/Update/etc) just use PreparedStatement + variable
binding.
There are similar constructs in all languages.
Although the atta
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
"How to break web software" is one of the best web security coder-
centric books I have read. It's concise and useful.
Sent from my iPhone
On Mar 7, 2008, at 7:45 AM, "Lawson, David L"
<[EMAIL PROTECTED]> wrote:
> I've read several secure coding books in the past, and was wondering
> if
> an
--
Best Regards,
Jim Manico
[EMAIL PROTECTED]
808.652.3805 (c)