Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote:

> Exploits are FUN.

I agree, at least to a point. Whenever I work exploits into my workshops, the results are right on the mark. So long as the exploits are balanced with just the right amount of remediations, it works great. The key is to hook the students with the exploits, and then sprinkle in a "now here's how to do it _right_" discussion while they're still paying attention. ;-)

And FWIW, I've found OWASP's WebGoat to be phenomenally effective at doing just that. There are other similar tools out there as well, but the point is to give the class a safe sandbox to play in.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
[SC-L] Unicode Security : Microsoft releases BinScope and MiniFuzz to the public
FYI, a couple of interesting developments in the software security tool space:

http://www.lookout.net/2009/09/16/microsoft-releases-binscope-and-minifuzz-to-the-public/

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
SC-L Moderator
[SC-L] Another WAF in town
FYI, some activity in the open source WAF space:

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220100630

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] Automatic Generation of Control Flow Hijacking, Exploits for Software Vulnerabilities
Hi SC-L,

I figured the referenced dissertation below would be of some interest here. Interesting reading, IMHO.

Cheers,

Ken van Wyk

Begin forwarded message:

From: Ian Cook
Date: September 27, 2009 5:06:51 AM EDT
Subject: [1st NEWS] [DNB] Automatic Generation of Control Flow Hijacking, Exploits for Software Vulnerabilities

Title: Automatic Generation of Control Flow Hijacking Exploits for Software Vulnerabilities
Author: Sean Heelan
Source: University of Oxford
Date Published: 3rd September 2009

Excerpt:

'Software bugs that result in memory corruption are a common and dangerous feature of systems developed in certain programming languages. Such bugs are security vulnerabilities if they can be leveraged by an attacker to trigger the execution of malicious code. Determining if such a possibility exists is a time consuming process and requires technical expertise in a number of areas. Often the only way to be sure that a bug is in fact exploitable by an attacker is to build a complete exploit. It is this process that we seek to automate.

We present a novel algorithm that integrates data-flow analysis and a decision procedure with the aim of automatically building exploits. The exploits we generate are constructed to hijack the control flow of an application and redirect it to malicious code. Our algorithm is designed to build exploits for three common classes of security vulnerability: stack-based buffer overflows that corrupt a stored instruction pointer, buffer overflows that corrupt a function pointer, and buffer overflows that corrupt the destination address used by instructions that write to memory. For these vulnerability classes we present a system capable of generating functional exploits in the presence of complex arithmetic modification of inputs and arbitrary constraints. Exploits are generated using dynamic data-flow analysis in combination with a decision procedure.

To the best of our knowledge the resulting implementation is the first to demonstrate exploit generation using such techniques. We illustrate its effectiveness on a number of benchmarks including a vulnerability in a large, real-world server application.'

To read the complete article see: http://seanhn.files.wordpress.com/2009/09/thesis1.pdf

For more Security News see:
www.team-cymru.org/News
www.team-cymru.org/News/secnews.rss
www.youtube.com/teamcymru
http://twitter.com/teamcymru

The opinions expressed in the posted news items do not necessarily reflect the views of Team Cymru. The appearance of hyperlinks does not constitute endorsement by Team Cymru of an external Web site, or any commercial company, information, products or services contained therein.

Dragon News Bytes is a Private and Restricted mailing list. To subscribe to this mailing list, please signup at https://cymru.com/mailman/listinfo/ians_dragon_newsbytes and then send an email to: outre...@cymru.com providing some personal background and two references, preferably from FIRST.ORG www.first.org/members/teams

Ian Cook
Security Evangelist
Team Cymru
www.cymru.com/contact.html
'To communicate simply you must understand profoundly'
[SC-L] OWASP AppSec DC this coming week!
Greetings SC-Lers,

This next week is OWASP's AppSec DC conference. I imagine quite a few SC-L subscribers will be there. I'll only be there one day (Thurs) due to a client engagement, but I hope to see a few SC-L friends there. If you're in town and care to meet up for a chat/beer (after my session...), just drop me a line.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] Microsoft releases security guidelines for Agile - agile, Microsoft, security, software development - CIO
Hey, now you agile folks can't any longer feel left out by the various security development processes that bypass you:

http://www.cio.com.au/article/325501/microsoft_releases_security_guidelines_agile?eid=-1050

On a somewhat related note, a client of mine referred to their process recently as "scrummerfall"... That certainly drew a few laughs.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)
Re: [SC-L] tweetup Thurs PM for AppSec DC?
On Nov 9, 2009, at 9:27 AM, Benjamin Tomhave wrote:

> Just a quick note, for those coming into DC for AppSec DC, rumor has it that a social gathering is brewing for Thurs PM. Let's hope so as I'd love to put faces with names! :) If I hear details, I'll be sure to pass along (feel free to ping me or reply with the 411)

Well, I got a few responses to my note about meeting up there (although I doubt I'd ever use the word "tweetup" except in the context of saying I wouldn't use it...). :-)

In any case, I'm not sure of the lay of the land at the conference site, but I'm betting there's a bar in or near the site. Let's plan on meeting up there immediately following the day's sessions on Thursday. As soon as I can pinpoint the actual bar name/location, I'll post it here.

Hope to see some SC-L folks there.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
Re: [SC-L] tweetup Thurs PM for AppSec DC?
On Nov 10, 2009, at 6:27 AM, Kenneth Van Wyk wrote:

> In any case, I'm not sure of the lay of the land at the conference site, but
> I'm betting there's a bar in or near the site. Let's plan on meeting up
> there immediately following the day's sessions on Thursday. As soon as I can
> pinpoint the actual bar name/location, I'll post it here.

OK, so I did fail at getting the word out--sorry. However, it was nice to see at least a few SC-Lers notice the sponsored cocktail hour on the conference agenda. Great to meet some of you face to face. And thanks to Cenzic for hosting the cocktail hour, by the way.

For those of you who weren't there, if you work with web apps at all, you really ought to put OWASP on your radar. Great community of people, and these events are a fabulous time to chat with some of the brightest software security people on the planet. Thanks, OWASP!

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog
Happy new year SC-Lers.

FYI, interesting blog post on some of the new security features in Java EE 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO.

http://www.coresecuritypatterns.com/blogs/?p=1622

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] FT.com / UK - 'Year 2010' software glitch hits German bank cards
Greetings SC-L,

There have been several reports in the last few days of various devices being hit with a so-called "year 2010" software glitch. Several bank ATMs, mobile devices, etc., have reportedly been hit. Below is a link to one such story.

My question for SC-L is: anyone here aware of the actual underlying software problems willing to share? Source examples would be most appreciated.

http://www.ft.com/cms/s/0/00da0e24-fa63-11de-beed-00144feab49a.html?nclick_check=1

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] 2010 bug hits millions of Germans | World news | The Guardian
FYI, below is a link to an article with some additional impact details of the "2010 bug" that's been cropping up in various places. Still no light being shed on the actual programming error, though. I think it would make a fascinating case study, or at least discussion, here.

http://www.guardian.co.uk/world/2010/jan/06/2010-bug-millions-germans

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)
Re: [SC-L] BSIMM update (informIT)
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote:

> Among other things, David and I discussed the difference between descriptive
> models like BSIMM and prescriptive models which purport to tell you what you
> should do.

Thought I'd chime in on this a bit, FWIW...

From my perspective, I welcome BSIMM and I welcome SAMM. I don't see it in the least as a "one or the other" debate.

A decade(ish) since the first texts on various aspects of software security started appearing, it's great to have a BSIMM that surveys some of the largest software groups on the planet to see what they're doing. What actually works. That's fabulously useful.

On the other hand, it is possible that ten thousand lemmings can be wrong. Following the herd isn't always what's best.

SAMM, by contrast, was written by some bright, motivated folks, and provides us all with a set of targets to aspire to. Some will work, and some won't, without a doubt.

To me, both models are useful as guide posts to help a software group--an SSG if you will--decide what practices will work best in their enterprise.

But as useful as both SAMM and BSIMM are, I think we're all fooling ourselves if we consider these to be standards or even maturity models. Any other engineering discipline on the planet would laugh us all out of the room by the mere suggestion. There's value to them, don't get me wrong. But we're still in the larval mode of building an engineering discipline here folks. After all, as a species, we didn't start (successfully) building bridges in a decade.

For now, my suggestion is to read up, try things that seem reasonable, and build a set of practices that work for _you_.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Thread is dead -- Re: BSIMM update (informIT)
OK, so this thread has heated up substantially and is on the verge of flare-up. So, I'm declaring the thread to be dead and expunging the extant queue.

If anyone has any civil and value-added points to add, feel free to submit them, of course. As always, I encourage free and open debate here, so long as it remains civil and on topic.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] Expert in Application Security — ENISA
FYI, the European Network and Information Security Agency (ENISA) is looking for an application security expert. See link below:

http://www.enisa.europa.eu/about-enisa/recruitment/vacancies/expert-in-application-security

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] The International Secure Systems Development Conference
I saw this event announcement today and thought some SC-L folks might find it of interest, FYI.

"The International Secure Systems Development Conference addresses the key issues around designing-in security for standard and web-based software and systems, both in terms of developing new applications securely and also in adding security to legacy applications.

The aim of the event is to help change the balance away from a repeated and ever more costly focus on securing ever more insecure infrastructures, to one which focuses on the creation of inherently secure systems through the introduction of verifiable, secure development methodologies and coherent security architectures."

http://www.issdconference.com/

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Web Application Exploits and Defenses
The folks at Google have released some web app training, along with a vulnerable web app sandbox to play in. The tool is called Jarlsberg. Anyone here take a look at it yet, and have an opinion about it?

The description (see below) sounds kinda sorta like OWASP's WebGoat, except that the vulnerable app itself is written in Python. Oh, and the app is available on the web, as well as in source code (under Creative Commons).

http://jarlsberg.appspot.com/

There's also an instructor's guide available at:

http://code.google.com/edu/submissions/jarlsberg/Jarlsberg_Instructor_Guide.pdf

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Vulnerability Analysis Blog: CERT Basic Fuzzing Framework
New fuzzing framework released from the folks up at CMU, FYI.

https://www.cert.org/blogs/vuls/2010/05/cert_basic_fuzzing_framework.html

Aloha,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Static code review for iPhone developers?
Greetings SC-L folks.

Hey, I have a quick question I'd like to submit to this group. Anyone know of any static code analysis tools that can scan an iPhone app package? Something that integrates with the Xcode SDK and can at the very least scan through all of the Objective C in the src tree is what I'm looking for. Any SCA product vendors currently doing this? Please contact me on or off list.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
Re: [SC-L] Static code review for iPhone developers?
On Jul 29, 2010, at 10:41 AM, Kenneth Van Wyk wrote:

> Anyone know of any static code analysis tools that can scan an iPhone app
> package? Something that integrates with the Xcode SDK and can at the very
> least scan through all of the Objective C in the src tree is what I'm looking
> for. Any SCA product vendors currently doing this? Please contact me on or
> off list.

Thanks to all who responded. Great suggestions.

Most focused on the (now) built-in Clang analysis engine (and front-end for LLVM) that Dan Cornell cited here:

http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html

Clang looks like a useful starting point, as it looks for all sorts of common mistakes found in the C family, including C++ and Objective C. Memory leaks, uninitialized variables, type mismatches, and that sort of thing should be pretty easy to spot using Clang.

I'm hoping also for something that goes beyond that. How about analysis of static code for use of secure network connections, session management (for client-server apps), protection of sensitive data (at rest and in transit), and that sort of thing. These are relatively language-agnostic needs, but would be extremely useful in a static analysis tool, IMHO. I'll bet the folks who coded the Citi banking app could have made good use of something like that... :-\

In any case, thanks again for all the responses. Speaks volumes for the quality of folks we have here in the SC-L community.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Computerworld: Opinion - Making apps secure is hard work
I figured this was relevant here, so here's a link to my August column for Computerworld.

Excerpt:

'What's that you say? All the app vetting you've been doing to date consists only of verifying that the apps play by the rules? That is, that they use only published APIs and such? Well, then, you really have your work cut out for you, because that's not all that your customers expect.'

To read the complete article see:

http://www.computerworld.com/s/article/9180579/Making_apps_safe_is_hard_work?taxonomyId=17

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Building Real Software: Has Static Analysis reached its limits?
FYI, nice write-up on the Fortify acquisition as well as the static code analysis space here:

http://swreflections.blogspot.com/2010/08/has-static-analysis-reached-its-limits.html

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Apple's iOS app review guidelines
Greetings SC-L,

I read the news this morning with a lot of hope -- that Apple has finally published their app review guidelines for iOS app developers. But then I read the document.

For starters, I did a quick grep for: security, secure, crypt, safe. Nothing. Nada.

The document is essentially a big long black list of what things not to do. There seems to be nothing in the way of prescriptive guidance on what TO do. Not inspiring... :-\

I was really hoping Apple would take this opportunity to include some actionable security guidance, but that wasn't the case. Of course, they did say that they don't want any more "Fart apps"... Great.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] ISO/IEC 27034 application security guideline
Greetings SC-L folks,

I don't participate in standards bodies, so I'm not very familiar with their inner workings and such. However, a colleague has pointed me to an ISO standard under development that will describe an application security development process. I visited the site (http://www.iso27001security.com/html/27034.html) and didn't find much in the way of documentation, other than a list of really ambitious plans for the future.

So my question here is this: anyone here involved in this standards effort? If so, would you mind sharing with us a high level overview of where they are in their efforts and when the world is likely to start seeing output from the effort?

Much appreciated.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] New Safecode doc released
Greets all.

FYI:

"SAFECode has released, “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today.” The report is intended to help others in the industry initiate or improve their own software security programs and encourage the industry-wide adoption of fundamental secure development methods."

Doc can be found at:

http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] CERT/CC Blog: Announcing the CERT Basic Fuzzing Framework 2.0
FYI, new version of Basic Fuzzing Framework released by CERT/CC.

http://www.cert.org/blogs/certcc/2011/02/cert_basic_fuzzing_framework_b.html

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] SC-L Administrative FAQ
Greetings SC-L Subscribers, I'm in an airport lounge on the other side of the planet (from my home), and I thought I'd take a few moments to jot down some answers to SC-L administrative issues that come up from time to time here on SC-L. I hope you find them helpful. I try to keep the administrative traffic here to a bare minimum, so you don't often hear from me. But I do moderate and approve every single posting that goes to the list, so I'm always actively involved here. And I deal with quite a fair share of administrative issues. So, I thought it would be worth taking a few minutes and recording some of the things that people ask me from time to time. Your feedback is always appreciated. Please contact me at ken _at_ krvw.com if you have any questions or issues re SC-L.
Cheers, Ken van Wyk SC-L Moderator
===
SC-L Administrative FAQ
Q: What is SC-L?
A: SC-L is a moderated mailing list whose mission is to further the state of the practice of developing secure software, by providing a free and open, objectively moderated, forum for the discussion of issues related to secure coding practices throughout a software development lifecycle process (including architecture, requirements and specifications, design, implementation, deployment, and operations).
---
Q: Who runs SC-L?
A: I do. I'm Ken van Wyk, and I run the list as a free, non-commercial service to the software security community. If you have questions/issues, you can contact me at ken _at_ krvw.com.
Q: How do I subscribe to the list?
A: The URL for the Mailman interface to subscribe or unsubscribe is http://www.krvw.com/mailman/listinfo/sc-l
Q: What sort of things are allowed and not allowed on SC-L?
A: Basically, my primary rule is civility. You can agree or disagree with others to your heart's content, but keep a civil tone and you're likely to have your submissions approved. For more details on what I allow and don't allow on the list, see the list charter at: http://www.securecoding.org/list/charter.php
Q: How about job postings?
A: So long as they're tasteful and not shotgunned to the list frequently, I'm happy to accept the occasional job posting from people within the software security community.
Q: Announcements about conferences and training events?
A: Similar to my policy re job postings, I'll accept them if they're not overly commercial and if they're occasional. This goes for commercial as well as non-commercial events.
Q: Advertisements?
A: No. I do not accept advertisements on SC-L. There are more than plenty of places on the net to advertise your products and services; just not here.
Q: The moderator has rejected my posting, and I believe the decision was unfair. What is my recourse?
A: Well, this isn't a democracy... But, if you feel your submission should have been approved, email me and state your case. I'm a reasonable man and I'm willing to hear you out -- and admit when I'm wrong.
Q: There seems to be a LOT of traffic from a small vocal minority here. What's up with that?
A: The group is what the group makes of it. If you want to see more diverse traffic here, post it. I don't take a position on who may and may not submit to the list. If you're subscribed and your posting conforms to my guidelines, then I'll most likely approve your posting.
Q: I'm a subscriber to SC-L, and I submitted a message to the list, but it never showed up and I never got any notification. Did the moderator ignore me? Why?
A: Perhaps you submitted your email using an email address that isn't itself subscribed? To reduce the spams that show up in my inbox, I have configured SC-L to discard (without notification) any submissions from email addresses that are not subscribed to the list. So, if you subscribed from (say) your personal address but are posting from your work address, your submission would get discarded.
Q: But I use multiple email addresses regularly. What can I do so I can submit from any of them without getting duplicate copies of SC-L in all my inboxes?
A: That's easy to do. Just contact me off-list (ken _at_ krvw.com) and tell me which of your email addresses you want to submit from. I can "subscribe" them to the list but have them not get duplicate copies of the list traffic. No problem.
[SC-L] OPINION column re mobile security
Greetings SC-L, It occurred to me that I neglected to send a pointer here to my latest Computerworld column. The general topic is mobile device security, but more to the point, it's about trying to do (security) things differently in the mobile world, so we don't have to re-live all our mistakes of the past. Let's at least find some _new_ mistakes... ;-)
http://www.computerworld.com/s/article/9216996/Kenneth_van_Wyk_Mobile_security_isn_t_going_to_just_happen
Cheers, Ken van Wyk SC-L Moderator
[SC-L] ANNOUNCING: OWASP iGoat initial public release, version 1.0
Greetings all. Yesterday, we put out the first public release of the OWASP iGoat project. This message is a brief description and call for participants in the project.
Background
The iGoat tool is a learning tool, primarily meant for iOS developers (but also useful to IT security practitioners, security architects, and others who simply want to learn about iOS security). It takes its name and inspiration from the venerable OWASP WebGoat tool. Like WebGoat, iGoat users explore a number of security weaknesses in iOS by exploiting them first. Then, once each weakness has been explored, the iGoat user must implement a remediation to protect against each weakness and validate that the remediation was successful--similar to the WebGoat Developer Edition. Hints and other background information are provided, right down to commented solutions in the source code, so that developers can use iGoat as a self-study learning tool to explore and understand iOS weaknesses and how to avoid them. Further, the iGoat platform was specifically designed and built to be as easily extensible as possible, so that new exercises can be easily built and integrated over time. iGoat was sponsored and initially developed by KRvW Associates, LLC (www.krvw.com), and is being released under GPLv3 licensing to the community.
Status
With the first public release, we've included several initial exercises and exercise categories. These include such well known topics as SQL Injection, secure communications, etc. We plan to further integrate another handful of exercises in the short term, as well as make several improvements to the user interface. In the short term, we'll also be adding more documentation in the form of HOWTO documents that will cover how to install and use iGoat, as well as how to add new exercises to it. No doubt, further improvements will quickly surface as the community starts using the tool...
Project Site
iGoat can be found at: https://www.owasp.org/index.php/OWASP_iGoat_Project All releases and source code are on Google Code. See the project home page above for further details.
Call for Participation
The iGoat team would like to invite anyone interested to participate and contribute to iGoat's further development. Please contact the project leader, Ken van Wyk (k...@krvw.com) if you wish to contribute to the project.
Mailing List
An open, unmoderated forum has been set up for the iGoat project. To subscribe, see https://lists.owasp.org/mailman/listinfo/owasp-igoat-project
Cheers, Ken
- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at: http://twitter.com/KRvW_Associates
[SC-L] Announcing the first Mobile App Sec Triathlon, 2-4 Nov 2011, San Jose, CA
Greetings SC-L, I'll keep this announcement real short... Gunnar Peterson and I are teaming up to present our Mobile App Sec Triathlon -- 3 days of training, heavily laden with hands-on exercises -- to San Jose, California on 2-4 November 2011. Details available at: http://mobileappsectriathlon.com, or email us for more info.
Cheers, Ken
- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com We're on Facebook now at: http://facebook.com/KRvW.Associates
[SC-L] ANNOUNCEMENT: SecAppDev 2012, Leuven, Belgium
We are pleased to announce SecAppDev 2012, an intensive one-week course in secure application development. The course is organized by secappdev.org, a non-profit organization that aims to broaden security awareness in the development community and advance secure software engineering practices. The course is a joint initiative with K.U. Leuven and Solvay Brussels School of Economics and Management.
SecAppDev 2012 is the 8th edition of our widely acclaimed course, attended by an international audience from a broad range of industries including financial services, telecom, consumer electronics and media and taught by leading software security experts including
+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
+ Ken van Wyk, co-founder of the CERT Coordination Center and widely acclaimed author and lecturer.
+ Dr. Steven Murdoch of the University of Cambridge Computer Laboratory's security group, well known for his research in anonymity and banking system security.
+ Jim Manico, founder, producer and host of the OWASP Podcast Series.
When we ran our first annual course in 2005, emphasis was on awareness and security basics, but as the field matured and a thriving security training market developed, we felt it was not appropriate to compete as a non-profit organization. Our focus has hence shifted to providing a platform for leading-edge and experimental material from thought leaders in academia and industry. We look toward academics to provide research results that are ready to break into the mainstream and attract people with an industrial background to try out new content and formats.
We cover a wide range of facets of secure software engineering including
+ threat modeling
+ architecture
+ design
+ coding
+ testing
+ cryptography
+ web applications
+ mobile applications
+ economic/business aspects
The course takes place from March 5th to 9th in the Irish College, Leuven, Belgium. For more information visit the web site: http://secappdev.org.
Places are limited, so do not delay registering to avoid disappointment. Registration is on a first-come, first-served basis. A 25% discount is available for Early Bird registration until January 15th. Public servants and independents receive a 50% discount. I hope that we will be able to welcome you or your colleagues to our course.
Cheers, Ken van Wyk (and the rest of the SecAppDev organizers)
P.S. I apologize if you have already received this announcement via another channel. If you do not wish to receive future secappdev.org announcements, please unsubscribe by replying to this email.
[SC-L] OWASP iGoat 1.2 released
Greetings SC-L folks, I thought some of you might find our project announcement (below) interesting. If you're an iOS developer or know any iOS developers, I'd like to encourage you to check out the OWASP iGoat project. It's modeled after its namesake, WebGoat, and is intended to be a tool for iOS developers to learn about the major security pitfalls when developing on iOS. FYI, we released iGoat version 1.2 yesterday. The primary change over 1.1 is the addition of a new keychain exercise, contributed by a newcomer to the team, Mansi Sheth. Thanks Mansi and Sean for pulling this together. It's great to see some external participation on the project, of course. We'd love to see more -- any time!
Cheers, Ken van Wyk iGoat Project Leader
[SC-L] Ajax security basics
FYI, I just found an article on Ajax security out on Security focus. The article is here: http://www.securityfocus.com/infocus/1868 The article touches on several key issues regarding Ajax, including the fact that scripting runs client-side and such. It also discusses how Ajax complicates app testing, which I think is worthwhile to consider carefully.
Cheers, Ken van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Article -- IBM offers developers free security tools
FYI, I saw the following story out on ZD Net today regarding IBM releasing some free (and some commercial) software security tools. http://news.zdnet.com/2100-1009_22-6086913.html?tag=zdfd.newsfeed In particular, "IBM also introduced a tool called Security Workbench Development Environment for Java, which is designed to enable developers to configure and validate Java applications that support both Java and the Open Services Gateway Initiative (OSGI) industry security standards." I haven't looked at these tools yet, but I thought that some of you might find this interesting.
Cheers, Ken van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006
Greetings SC-L, (Sorry for the previous message; I see that my (new) MacGPG is causing grief for Mailman, so I'm re-sending this message unsigned.) I saw an article on Dr. Dobb's (via Slashdot) this morning that made me pause a bit. The article is on "Quick-Kill Project Management" -- full link is here: http://www.ddj.com/dept/architect/189401902 The article describes a small project team (say 5 developers) who have suddenly had their dev schedule drastically accelerated on them by powers outside of their control. It describes some techniques that the dev leader can use to concentrate the team's focus on killing (hence the name) the most pressing of issues. Not surprisingly, there's no mention of security in the article, although they do talk about conducting code reviews, but only for functional defects in the code.
What caught my attention here is that I'll bet that a *lot* of small dev teams end up in situations very similar to the one described in the article's opening statements. In that sort of situation (where the company VP says "finish this yesterday"), I'd expect that doing just about any sort of security review is the first thing to be dropped from the dev schedule. I wonder, though, if teams that have already integrated (say) static analysis tools into their build cycle might have a fighting chance at *not* dropping those checks during this kind of "death march". Put another way, how does a team hold onto its good practices (not just security reviews) when they're in crisis mode? I'm sure that the answer varies a lot by team, priorities, etc., but I'd welcome any comments, opinions, etc. from any of you who have been in similar situations.
Cheers, Ken
Kenneth Van Wyk KRvW Associates, LLC http://www.KRvW.com
[SC-L] InformationWeek | IT Security | Built-In Software Security Flaws Have Companies Up In Arms | July 10, 2006
Greetings SC-Lers, Here's an interesting article that I stumbled on in Information Week: http://www.informationweek.com/story/showArticle.jhtml?articleID=190301156&cid=RSSfeed_IWK_Security The article discusses the results of a security survey, indicating that enterprise software users are quite fed up with the state of software security these days. I'm sure that none of us should be surprised by that, but maybe, just maybe, it's an indicator that software purchasers are going to start demanding more? Or perhaps it's Monday and I'm not (yet) sufficiently pessimistic for the week. :-)
Cheers, Ken
Kenneth Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Administrivia: Bumper Stickers
Greetings SC-L, It's been a busy couple of days here on SC-L. The bumper sticker thread, in particular, has obviously generated a *lot* of (useful and interesting) discussion. While I'm reluctant to stop legitimate and open debate of opinions, I think that it's fair to say that this thread has pretty much run its course. As such, I'm going to be increasingly diligent in rejecting submissions to it that don't carry the debate further. I'd like to ask for everyone's support in helping this thread die its natural death and move on to other subjects. So, to those that want to continue the thread, be prepared to prove to me with each message that your message(s) deserves to be approved for distribution to the list, please.
Cheers, Ken
Kenneth Van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis
Here's an interesting article from Dark Reading regarding a software attack on the existing Vista beta: http://www.darkreading.com/document.asp?doc_id=99780&f_src=darkreading_section_296 I noticed, in particular, that the attack is against a design weakness of Vista -- "The attack doesn't use your typical buffer overflow or other bug, but basically exploits a Vista (and Windows) design problem -- that user-mode applications are allowed to access raw disk sectors, Rutkowska says." The attack, which is being described in detail at Blackhat, looks for "interesting" OS code to be paged out and then carefully modifies the contents of the page file in order to dupe Vista into loading the corrupt page data.
Cheers, Ken
Kenneth Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Forwarded: PHP encryption for the common man
FYI, I saw an interesting article today on IBM's web site detailing how to (and how NOT to) use encryption within PHP code. Those interested can find the article at: http://www-128.ibm.com/developerworks/library/os-php-encrypt/index.html?ca=drs-
Cheers, Ken
Kenneth Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Six steps to secure sensitive data in MySQL - Program - MySQL - Builder AU
Greetings SC-Lers, FYI, here's a link to an article on MySQL security. Nothing huge, just a short list of useful tips, but I figured it could be of interest here. http://www.builderau.com.au/program/mysql/soa/Six_steps_to_secure_sensitive_data_in_MySQL/0,39028784,39266102,00.htm
Cheers, Ken
- Kenneth R. Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] A New Open Source Approach to Weakness
FYI, here's an article about Fortify's pernicious kingdom taxonomy of common coding defects that I thought would be of interest here: http://www.internetnews.com/dev-news/article.php/3623751
Cheers, Ken
- Kenneth R. Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Dr. Dobb's | Whitebox Security Testing Using Code Scanning | August 14, 2006
FYI, here's an interesting article from Dr. Dobb's Journal regarding the use of static analysis tools for scanning for coding bugs: http://www.ddj.com/dept/security/191901556
Cheers, Ken
- Kenneth R. Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Fwd: There's More than One Monoculture
Greetings SC-L, Check out Peter Coffee's latest column at: http://www.eweek.com/article2/0,1895,2014207,00.asp It's a follow-up to Dan Geer's (et al's) now famous monoculture paper, three years after the paper was published. Among other things, Coffee makes some interesting comparisons to the Internet monoculture situation that existed in November 1988 when Robert Morris unleashed his Internet worm program. Interesting reading, IMHO.
Cheers, Ken
- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] IEEE Security and Privacy article on software security training
Wow, it's sure been a quiet few days out here on SC-L. Summer vacations are over, I suppose... In any case, I thought that I'd post a link to a new IEEE Security & Privacy article on training for software security engineers. It was written by Cigital's John Steven and yours truly, and can be found via: http://www.computer.org/portal/site/security Enjoy.
Cheers, Ken
- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com
[SC-L] Insecurity in Open Source
FYI, there's an interesting opinion article in Business Week by Coverity's CTO, Ben Chelf (see link below). In it, he discusses the results of their scanning of a significant sampling of both open- and closed-source projects. Chelf compares some special purpose proprietary software security/quality with the best of what's out in the open source world. Further, he opines that the open source guys need to adopt far more rigorous QA testing in order to compete with the best of the proprietary source world. I'm passing this along not to launch into the invariable religious debates of closed- vs. open-source, but to encourage discussion about Chelf's claims with regards to rigorous QA testing. Anyway, here's the article. http://www.businessweek.com/technology/content/oct2006/tc20061006_394140.htm?campaign_id=bier_tco.g3a.rss1007
Cheers, Ken
- Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] A banner year for software bugs | Tech News on ZDNet
So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, "Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004." Of course, the real losers in this are the software users, who have to deal with the never ending onslaught of bugs and patches from their vendors. We've just _got_ to do better, IMHO, and automating the patch process is not the answer.
Cheers, Ken
- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Secure programming is NOT just good programming
On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote:
I suppose now is as good a time as any to say that everything david is talking about here is described in great detail in the HOW TO book that I released last February. If you're reading this list, you really should read that book. It's called "software security". Ken and I have trained thousands of developers using the book as a guide with some success. Cigital has a number of very large-scale software security initiatives underway at various customers that leverage that training. But more importantly, good programs instill and measure the kinds of best practices (called touchpoints in the book) that are certainly not part of standard good coding practice.
Presuming you meant "now part of..." and not "not part of..." In any case, another great source of information on the touchpoint processes in Gary's book is the DHS-sponsored Build Security In portal at http://BuildSecurityIn.us-cert.gov. It's still a work in progress, but there are a bunch of in-depth articles explaining all of Gary's touchpoint activities and such. Plus, several new articles will be appearing there over the next few months, so keep checking in for updates. The site is free and open to the public. (Full disclosure: as one of the BSI authors, I'm certainly not unbiased, but I still believe it's a valuable resource for those who are interested in learning more about the touchpoints Gary cited.)
Cheers, Ken
- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com
[SC-L] Apple Places Encrypted Binaries in Mac OS X
Here's a somewhat interesting link to an eweek article that discusses Apple's use of encryption to protect some of its OS X binaries: http://www.eweek.com/article2/0,1895,2050875,00.asp Of course, encrypting binaries isn't anything new, but it's interesting (IMHO) to see how it's being used in a real OS. The article cites speculation as to whether Apple uses encryption for anti-piracy or anti-reverse-engineering. Another interesting side topic (though not mentioned in this article) is code obfuscation, which is being increasingly used for both purposes as well. Course, some coders have been inadvertently doing code obfuscation for years. ;-\
Cheers, Ken
- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com
[SC-L] Top 10 Ajax Security Holes and Driving Factors
FYI, a friend forwarded me a link to this interesting article by Shreeraj Shah on Ajax holes, http://www.net-security.org/article.php?id=956 Since much has been written here on SC-L about relatively safe programming languages recently, I thought it might be interesting to look at the other end of the spectrum. ;-) Yes, I know Ajax is wildly popular these days. 10,000 lemmings can't be wrong, certainly!
Cheers, Ken
- Kenneth R. van Wyk Moderator, SC-L KRvW Associates, LLC http://www.KRvW.com
[SC-L] heise Security - News - Security specialist leaves PHP security team
I guess this falls in to the "you can lead a horse to water, but you can't make him drink" category: http://www.heise-security.co.uk/news/82500 A member of the PHP security team has left in apparent disgust over the team's security practices. I doubt that anyone here on SC-L is surprised by the article, but PHP remains quite popular, and it seems sad to see it losing some vital and much-needed security support. Well, there's always AJAX, I suppose. ;-\
Cheers, Ken
P.S. Hey, SC-L is 3 years old this month!
- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] PHP security under scrutiny
Interesting article about PHP security: http://www.securityfocus.com/news/11430 Among other things, NIST's vul database shows, "Web applications written in PHP likely account for 43 percent of the security issues found so far in 2006, up from 29 percent in 2005." Happy reading...
Cheers, Ken
- Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Administrivia: Anyone up for a 2nd annual SC-L BoF at S3?
Hi SC-Lers, As many of you are no doubt aware, this year's S3 conference (http://www.s-3con.com) is coming up in a couple months. At last year's conference in La Jolla, we had a small but fun "SC-L BoF" at a nearby brewpub. Any SC-L folks here care to do the same again at this year's event in San Mateo? I'm happy to coordinate things. Please reply off list if you care to join in. If there is sufficient interest, I'll post an update here as we get closer to the dates. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Source Code Specialist Fortify to Buy Secure Software
SC-Lers, The static source code analysis product space is about to get a little smaller, with Fortify's announcement of its acquisition of Secure Software. http://www.eweek.com/article2/0,1895,2085461,00.asp Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Adapting Penetration Testing for Software Development Purposes
Greetings SC-L folk, FYI, there's been a wave of new content added to the DHS-funded software security portal, Build Security In (home URL is http://BuildSecurityIn.us-cert.gov). Most recently, a couple of articles about penetration testing and tools were added (see https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/penetration/655.html?branch=1&language=1). (Full disclosure: I'm the author of the pen testing articles, but don't let that stop you from grabbing them. ;-) All of the articles on the BSI portal are free. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Vulnerability tallies surged in 2006 | The Register
FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% increase over 2005. See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/ The article further states, "The greatest factor in the skyrocketing number of vulnerabilities is that certain types of flaws in community and commercial Web applications have become much easier to find, said Art Manion, vulnerability team lead for the CERT Coordination Center. 'The best we can figure, most of the growth is due to fairly easy-to-discover vulnerabilities in Web applications,' Manion said. 'They are easy to find, easy to create, and easy to deploy.'" Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis
Ok, last software security news item for today, I promise. :-) This article (see http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1) is about a couple of new startup companies. One of them in particular, Veracode, may be of some interest here. The article says, "Veracode, founded by Chris Wysopal and other former executives of @stake, is now offering patented binary-code analysis of software for enterprises that want to analyze their software's security on a regular basis. The ASP will also offer security reviews of enterprise products and security analysis of third-party apps for software developers." The article also provides some counterpoints, including some from Gary McGraw, that are worth reading. Among other things, Gary says, "However, if you want real security analysis you have to go past the binary, past the source code, and actually consider the design." Opinions on binary vs. source code (and design!) analysis, anyone? Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Dr. Dobb's | The Truth About Software Security | January 20, 2007
FYI, there's an interesting article on ddj.com about Symantec's new "Veracode" binary code analysis service. http://www.ddj.com/dept/security/196902326 Among other things, the article says, "Veracode clients send a compiled version of the software they want analyzed over the Internet and within 72 hours receive a Web-based report explaining--and prioritizing--its security flaws." Any SC-Lers have any first-hand experience with Veracode that they're willing to share here? Opinions? Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Anyone here attending the 6th Semi-Annual Software Assurance Forum
Anyone else here attending the 6th Semi-Annual Software Assurance Forum in Fairfax, Virginia on 8-9 March? Any interest in an after-event informal SC-L BoF and beer chat? Let me know and I'll gladly coordinate. (We already have several people "signed up" for the SC-L BoF at S3 in April. If you sent me an email, I'll be sending you the details as the event draws near.) Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] The seven sins of programmers | Free Software Magazine
SC-L, So my trusty rss aggregator (NewsFire) found an interesting blog for me this morning, and I thought I'd share it here. The blog is from Free Software Magazine and it's titled, "The seven sins of programmers". On the surface, it has nothing whatsoever to do with software security -- the word "security" is never even mentioned in passing -- but I believe there are some worthy security lessons to be gleaned from it. http://www.freesoftwaremagazine.com/blog/seven_sins Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis
Here's an interesting article from Dark Reading about web fuzzers. Web fuzzing seems to be gaining some traction these days as a popular means of testing web apps and web services. http://www.darkreading.com/document.asp?doc_id=118162&f_src=darkreading_section_296 Any good/bad experiences and opinions to be shared here on SC-L regarding fuzzing as a means of testing web apps/services? I have to say I'm unconvinced, but agree that they should be one part--and a small one at that--of a robust testing regimen. Cheers, Ken

P.S. I'm over in Belgium right now for SecAppDev (http://www.secappdev.org). HD Moore wowed the class here with a demo of Metasploit 3.0. For those of you that haven't looked at this (soon to be released, but available in beta now) tool, you really should check it out. Although it's geared at the IT Security pen testing audience, I do believe that it has broader applicability as a framework for constructing one-off exploits against applications. - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis
On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote:

Given the complex manipulations that can work in XSS attacks (see RSnake's cheat sheet) as well as directory traversal, combined with the sheer number of potential inputs in web applications, multiplied by all the variations in encodings, I wouldn't be surprised if they were effective in finding those kinds of implementation bugs, even in well-designed software. Although successfully diagnosing some XSS without live verification smells like a hard problem akin to the Ptacek/Newsham "vantage point" issues in IDS. With the track record of non-web fuzzers and PROTOS style test suites, why do you think web app fuzzing is less likely to succeed?

It's not so much that I don't think fuzzing is useful, it's that I don't see "one size fits all" fuzzing _products_ being useful. To me, it gets to an issue of informed vs. uninformed (or "white box" vs. "black box" if you prefer) testing. While they're both useful and should both be exercised, I believe (though I have no hard statistics to validate) that issues of coverage/state are always going to doom uninformed testing to being less effective than informed testing. For a fuzzer to be really meaningful, I believe that a "smart fuzzing" approach is going to be the best bet, and that makes it hard for a "one size fits all" product solution to be feasible. To do smart fuzzing, a lot of setup time is necessary in establishing an appropriate test harness and cases that fully exercise the files, network interface data, user data, etc., that the software is expecting. Perhaps I'm totally off base, and I invite any product folks here to chime in and correct my misconceptions. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis
On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:

unconvinced of what? what fuzzing is useful? or that it's the best security testing method ever? or you remain unconvinced that fuzzing in web apps is > fuzzing in os apps? fuzzing has obvious advantages. that's all anyone should care about.

No, not that it's useful or not. As I said in my other reply, my real wariness is of the "one size fits all" product solutions. It seems to me that the best fuzzing tools are in fact frameworks for building customized fuzzing tests. OWASP's jbrofuzz (in beta release currently) is an example of what I mean here. It gives the tester the means for identifying fields to fuzz and how to fuzz them (say, integer size testing), and then you press the fuzz button and it generates all the tests. That's useful, meaningful, and valuable, IMHO. But it's not a "fire and forget" general purpose tool that can test any web app. Beyond that, to me it's an issue of coverage. As was any uninformed testing, it's bound to miss things, which is to be expected. (E.g., a state tree that contains a format string vulnerability that doesn't execute because the testing never triggered that particular state -- hence my comments about test coverage/state earlier.) So, my impression is that fuzzing is useful (in Howard/Lipner's SDL book, they say that some 25% of the bugs they find during testing come out during fuzzing), but that it should only be a small, say 10-20%, part of a testing regimen. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
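The two replies above argue for "smart" fuzzing (a harness that knows which fields to fuzz and how, e.g. integer size testing) over blind fuzzing, and point at coverage/state as the reason blind testing misses bugs. The following Python harness is an added example that is not part of the thread and is not jbrofuzz or any other tool's code: it runs a field-aware fuzzer and a blind fuzzer against a constructed toy application. The ToyShop target, its alice/secret login, the /order page and the unchecked 32-bit pack (standing in for a crash) are all assumptions made up for illustration.

```python
"""Field-aware ("smart") fuzzing versus blind fuzzing against a toy
stateful web handler. Added example: the target, the credentials and
the field spec are all constructed for illustration, not taken from
any real application or fuzzing product."""
import random
import struct


class ToyShop:
    """Constructed stand-in for a web application with a login state and
    an /order page that packs an unchecked integer into 32 bits."""

    def __init__(self):
        self.logged_in = False

    def handle(self, path, params):
        if path == "/login":
            if params.get("user") == "alice" and params.get("pw") == "secret":
                self.logged_in = True
                return 200, "ok"
            return 403, "denied"
        if path == "/order":
            if not self.logged_in:
                return 401, "login first"
            try:
                qty = int(params.get("qty", "1"))
            except ValueError:
                return 400, "qty must be an integer"
            # Bug: the total is packed as a signed 32-bit value with no
            # range check, so a large qty raises struct.error (our stand-in
            # for a crash). Only reachable once logged in.
            struct.pack("<i", qty * 100)
            return 200, f"ordered {qty}"
        return 404, "no such page"


# Integer-size test values: boundaries of the 8/16/31/32/63/64-bit widths.
INT_BOUNDARIES = [0, 1, -1, 127, 128, 255, 256, 32767, 32768, 65535, 65536,
                  2**31 - 1, 2**31, -2**31, -2**31 - 1, 2**32 - 1, 2**32,
                  2**63 - 1, 2**64]


def smart_fuzz(setup, path, field_spec):
    """Informed fuzzing: replay `setup` (a list of (path, params)) to reach
    the interesting state, then fuzz each named field with cases chosen
    for its declared type. Returns (field, value, exception) per crash."""
    findings = []
    for field, kind in field_spec:
        cases = INT_BOUNDARIES if kind == "int" else [""]
        for value in cases:
            app = ToyShop()                 # fresh instance per test case
            for p, params in setup:         # drive the app into the state
                app.handle(p, params)
            try:
                app.handle(path, {field: str(value)})
            except Exception as exc:        # any uncaught error is a finding
                findings.append((field, value, exc))
    return findings


def blind_fuzz(iterations, seed=0):
    """Uninformed fuzzing: random paths, parameter names and byte strings,
    with no knowledge of the login state. Returns findings the same way."""
    rng = random.Random(seed)
    paths = ["/", "/login", "/order", "/x"]
    findings = []
    app = ToyShop()
    for _ in range(iterations):
        path = rng.choice(paths)
        params = {
            "".join(rng.choice("abcqtyuser") for _ in range(rng.randint(1, 4))):
            "".join(chr(rng.randint(0, 255)) for _ in range(rng.randint(0, 12)))
            for _ in range(rng.randint(0, 3))
        }
        try:
            app.handle(path, params)
        except Exception as exc:
            findings.append((path, params, exc))
    return findings


if __name__ == "__main__":
    login = [("/login", {"user": "alice", "pw": "secret"})]
    found = smart_fuzz(login, "/order", [("qty", "int")])
    print("smart fuzz crashed on qty =", sorted(v for _, v, _ in found))
    print("blind fuzz findings:", len(blind_fuzz(5000)))
    print("smart fuzz without the login step:", len(smart_fuzz([], "/order", [("qty", "int")])))
```

The informed run reports the eight boundary values whose product overflows 32 bits; the blind run never reaches the logged-in state and reports nothing, and so does the informed run once its setup step is removed. That is the coverage/state argument in miniature: the value of the harness is in the setup and the per-field case selection, which is exactly the part a "fire and forget" product cannot supply.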
Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?
On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote:

I think some vendors have come around to the economics argument. In every case, those vendors with extreme reputation exposure have attempted to move past penetrate and patch. Microsoft, for one, is trying hard, but (to use my broken leg analogy) they had a severe case of osteoporosis and must take lots of calcium to build up bone mass. The financial vertical, led by the credit card consortiums is likewise making good progress. Other vendors with less brand exposure (or outright apathy from users) are slower on the uptake.

Having spent several years on the incident handling side of this argument at CMU's CERT/CC, U.S. Dept. of Defense, etc., I thought I'd chime in here as well. It's encouraging to me to see that many vendors now recognize the reputation exposure and economics argument. I know that in my years at CERT (1989-1993), we were more than once threatened by uncooperative vendors, saying that they would sue us if we published information about their product's vulnerabilities. We spent years developing those vendor relationships and building up some level of mutual trust. It's not always an easy path. In the "full disclosure" years, it's been my observation that many vendors get forced into publishing patches when the "vulnerability pimps" (as Marcus calls them) call them out in public. Without a doubt, that's led many vendors to respond more quickly and more publicly than they otherwise might have. At the same time, (and to try to bring this thread back to *software security*) I'm concerned about the software security ramifications of being bullied into patching something too quickly. While a simple strcpy-->strncpy (or similar) src edit takes just moments, and shouldn't impact the functionality and reliability of any software, patches are rarely that simple. When software producers are forced to develop patches in unnaturally rushed situations, bigger problems (IMHO) will inevitably be introduced. So, I applaud the public disclosure model from the standpoint of consumer advocacy. But, I'm convinced that we need to find a process that better balances the needs of the consumer against the secure software engineering needs. Some patches can't reasonably be produced in the amount of time that the "vulnerability pimps" give the vendors. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Nokia Lets Users Update Phone Software Directly (Phone Scoop)
SC-L, Ok, so we all have various opinions about security patching practices in software -- mostly bad, I'm confident. But, in today's environment, patching still seems to be a necessary evil. But for the most part, mobile devices have been pretty much left out in the cold. That's starting to change, but slowly. Here's a story about Nokia's recent announcement to enable their phone users to update the software on their own phones. Of course, apart from the legitimate security updating aspects of this sort of feature, I wonder if they've carefully thought through the misuse cases... Time will tell. In any case, FYI -- here's a URL to the article. Happy reading. http://www.phonescoop.com/news/item.php?n=2105 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] STSC CrossTalk - Secure Coding Standards - Mar 2007
Greetings SC-Lers, Sitting here in the DHS Software Assurance forum today, I browsed a copy of the CrossTalk journal, "The Journal of Defense Software Engineering". This month's issue is focused on software security, and there are numerous articles in it that are likely to be of general interest to some of you. The journal has an RSS feed (http://www.stsc.hill.af.mil/crosstalk/CrossTalk.rss) and all the articles are available for free on-line. This article by James Moore and Robert Seacord, http://www.stsc.hill.af.mil/crosstalk/2007/03/0703MooreSeacord.html, caught my eye in particular. Check it out. Neat stuff, for free. Cheers, Ken

P.S. Some of you had reported problems with your emailers in reading my previously PGP-signed postings. I'm now experimenting with signing via S/MIME and a free X.509 certificate from Thawte. Those of you who reported the PGP problems to me (you know who you are), is this any better? Please reply off-list. - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Justice League » Blog Archive » Cigital's Touchpoints versus Microsoft's SDL [Cigital]
SC-L, I'm often asked by folks to compare and contrast some of the various published software security practices, from Microsoft's SDL and OWASP's CLASP through Cigital's "Touchpoint" processes. My own view is that they all offer value and are all worthy of consideration. In his most recent "Justice League" blog entry, Gary McGraw offers his own (obviously biased, as Cigital's CTO) comparison between their own approaches and Microsoft's SDL. You can read what he has to say at: http://www.cigital.com/justiceleague/2007/03/08/cigitals-touchpoints-versus-microsofts-sdl/ After recently reading Michael Howard and Steve Lipner's SDL book, I found a lot that I liked -- notably their discussions about testing. I admit that it largely changed my opinion about the value of (smart) fuzzing, for example. But how about others' experiences? I've found a lot of people feel comfortable with Microsoft's STRIDE / DREAD approaches because they're relatively lightweight and an easy first step to take. Anyone here care to offer their own opinions and experiences? Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Information Protection Policies
On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:

Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into their own?

Using someone's "boilerplate" policies as a starting point is great, as long as they go beyond just infosec policies and include examples/guidelines for writing contracts for outsourcing software development and acquisition. Steve Christey pointed to OWASP's example at http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex. While I haven't (yet) looked at this AND while I'm certainly no authority on contract writing, I'd bet that this OWASP example will at least provide some pretty good food for thought for anyone who is contracting software development. I firmly believe that we as consumers and as a whole, are not doing an adequate job at demanding more in the way of software security from the software we purchase and outsource. IMHO, that shouldn't be horribly difficult to change in the short- to medium-term. Better contracts and contractor oversight (e.g., independent architectural risk analysis, static code analysis, and rigorous security testing) should go a long way. I know I'm over-simplifying things here, but still... Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Full Disclosure: Fuzzled - Perl fuzzing framework
FYI, I saw this tool announcement and thought some folks here might find it useful. It's a free perl-based fuzzing framework written by Tim Brown. Follow the link to find the download site. http://seclists.org/fulldisclosure/2007/Mar/0415.html Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] SANS Software Security Institute announced
FYI, the folks at SANS have announced the launch of their Software Security Institute (see http://www.sans-ssi.org/ for details). Their web site cites the following 6 goals:

* Allow employers to rate their programmers on security skills so they can be confident that every project has at least one "security master" and all of their programmers understand the common errors and how to avoid them.
* Provide a means for buyers of software and systems vendors to measure the secure programming skills of the people who work for the supplier.
* Allow programmers to identify their gaps in secure programming knowledge in the language they use and target education to fill those gaps.
* Allow employers to evaluate job candidates and potential consultants on their secure programming skills and knowledge.
* Provide incentive for universities to include secure coding in required computer science, engineering, and programming courses.
* Provide reporting to allow individuals and organizations to compare their skills against others in their industry, with similar education or experience or in similar regions around the world.

Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Stakes are High for Vista Security
I hope that some of you will find my April column over on eSecurityPlanet interesting. It can be found (for free) at the link below. If not, just press the old delete key. http://www.esecurityplanet.com/article.php/11162_3670486_2 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Stakes are High for Vista Security
On Apr 9, 2007, at 11:12 AM, Kenneth Van Wyk wrote: http://www.esecurityplanet.com/article.php/11162_3670486_2

Sorry folks -- I inadvertently posted the URL to page 2 of the column. Page 1 is at http://www.esecurityplanet.com/article.php/3670486 Sorry for the inconvenience (and the list clutter). Mea culpa++ Cheers, Ken van Wyk
[SC-L] 1 Raindrop: Common Attack Pattern Enumeration and Classification (CAPEC)
SC-L, Saw this via Gunnar Peterson's blog (http://1raindrop.typepad.com/1_raindrop/2007/05/common_attack_p.html)... Check out Mitre's first draft of CAPEC, the Common Attack Pattern Enumeration and Classification database (http://capec.mitre.org). It complements the existing CVE (http://cve.mitre.org) and CWE (http://cwe.mitre.org) efforts by presenting the attack patterns used to exploit the various vulnerabilities. Great stuff that should be of interest to our readers here at SC-L, though the site itself does require Javascript to work -- boo hiss! :-) Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com
[SC-L] Administrivia: Moderator on hiatus
SC-L, After an insane travel schedule over the last several months, the moderator is taking some much-needed time to relax on the beach while sipping boat drinks. I'll be checking the SC-L queue over the next week at least once daily, but if you submit something, please be a bit patient. It'll go out, but might take a little while. Sorry for the inconvenience. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Administrivia: Moderator is in, and SC-L BoF in Spain?
SC-Lers, FYI, back from a few days in the sun. It was a quiet week in any case here on SC-L, but I am indeed back at the moderator's (virtual) desk now. Anyone here attending the FIRST conference in Sevilla, Spain later this month? Any interest in an SC-L BoF session? I'll be there all week and would be happy to meet with any SC-L folks who'll be there. Drop me a line and say hi. First Rioja Crianza and jambon Iberia is on me. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Who's To Blame For Insecure Software? Maybe You
Some interesting (IMHO) stats coming out of Gartner security summit. One that jumped off the page at me was that 57% of the attendees believe that independent security "research labs" are providing a useful and valuable service. Whether you agree or not, the article below is an interesting read. http://www.informationweek.com/security/showArticle.jhtml?articleID=199901402&pgno=1&queryText= Cheers, Ken

P.S. I'm surprised to say that I've so far had no takers on my question yesterday -- what is the next technology hurdle for us to clear? Perhaps everyone is off enjoying their summer breaks like I was last week... - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] What's the next tech problem to be solved in software security?
Hi SC-L, [Hmmm, this didn't make it out to the list as I'd expected, so here's a 2nd try. Apologies for any duplicates. KRvW] At the SC-L BoF sessions held to date (which admittedly is not exactly a huge number, but I'm doing my best to see them continue), I like to ask those that attend what we can be doing to make SC-L more useful and meaningful to the subscribers. Of course, as with all mailing lists, SC-L will always be what its members make of it. However, at one recent SC-L BoF session, it was suggested that I pose periodic questions/issues for comment and discussion. As last week was particularly quiet here with my hiatus and all, this seems like a good opportunity to give that a go, so... What do you think is the _next_ technological problem for the software security community to solve? PLEASE, let's NOT go down the rat hole of senior management buy-in, use [this language], etc. (In fact, be warned that I will /dev/null any responses in this thread that go there.) So, what technology could/would make life easier for a secure software developer? Better source code analysis? High(er) level languages to help automate design reviews? Better security testing tools? To any of these, *better* in what ways, specifically? Any takers? Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] IBM to catch Watchfire security technology | Tech News on ZDNet
FYI, yet another acquisition in the security world... This time it's IBM buying up Watchfire (makers of AppScan). http://news.zdnet.com/2100-1009_22-6188999.html?part=rss&tag=feed&subj=zdnet Kind of reminds me of something Chef Jacques Pepin said in an interview with Terry Gross on NPR's "Fresh Air" some time back (IIRC). He said when he was growing up, leftover food never went to waste. They always took yesterday's leftovers and made something completely new with it the next day -- NEVER simply re-heating it to serve the same thing again, which always ends up being bland. By the time the "last" of the real food was gone, nobody remembered what the original recipe even was. That kept them interested in the food even as it went through several transformations. Not sure why this comes to mind now... ;-\ Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] What's the next tech problem to be solved in software security?
First off, many thanks to all who've contributed to this thread. The responses and range of opinions I find fascinating, and I hope that others have found value in it as well. Great stuff, keep it coming. That said, I see us going towards that favorite of rat-holes here, namely the "my programming language is better than yours, nyeah!" path. Let's please avoid that. I'm confident that we've seen it enough times to know that it ends with no clear winners (but plenty of losers). Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Harvard vs. von Neumann
On Jun 14, 2007, at 3:51 PM, Gary McGraw wrote: I am in complete agreement with your thinking, which is why one of the touchpoints (and chapter 9 of "Software Security") is about operations. Ken knows more about this than any of us, but he's on a plane now...right Ken? Wow, I'd stop far short of such strong words, but I have spent a great deal of time in operations land, and I am convinced we're (all) missing out on significant opportunities to enhance our software security by better making use of deployment security, for lack of a better term. I've seen far too many "one size fits all" approaches to software deployments that fall far short of adequately protecting the app, much less enabling the detection and response of issues when they come up. Cheers, Ken P.S. And yes, I was on a plane. Greetings from Lisbon, en route to Sevilla, Spain for the FIRST conference. I'll again toss out the offer to meet with any SC-Lers who are at the conference. - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07
SC-L I'm not quite so sure why this one (below) caught my eye -- we _all_ get tons of product advisories -- but it did. In particular, two things jump out at me: 1) the original author of the defect thought that s/he was doing things correctly in using strncpy (vs. strcpy). 2) the original author had apparently been doing static source analysis using David Wheeler's Flawfinder tool, as we can tell from the comments. Yet, a simple coding mistake was made in calculating the length of a buffer and passing that incorrect length to strncpy. The result was a buffer overrun on the stack, just like the millions that we've all seen. Mind you, the overrun can only be exploited when specific characters are used as input to the loop in the code. Thus, I'm inclined to think that this is an interesting example of a bug that would have been extraordinarily difficult to find using black box testing, even fuzzing. The iDefense team doesn't say how the (anonymous) person who reported it found it, but I for one would be really curious to hear that story. Just some random thoughts this afternoon... Perhaps I'm still getting over the jet lag after returning from the FIRST conference in Seville. Cheers, Ken van Wyk SC-L Moderator Begin forwarded message: From: iDefense Labs <[EMAIL PROTECTED]> Date: June 26, 2007 3:53:46 PM EDT To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: iDefense Security Advisory 06.26.07: RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability iDefense Security Advisory 06.26.07 http://labs.idefense.com/intelligence/vulnerabilities/ Jun 26, 2007 I. BACKGROUND RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. HelixPlayer is the open source version of RealPlayer. More information can be found at the URLs shown below. 
http://www.real.com/realplayer.html http://helixcommunity.org/ Synchronized Multimedia Integration Language (SMIL) is a markup language used to specify the use of several multi-media concepts when rendering media. Some such concepts are timing, transitions, and embedding. More information is available from Wikipedia at the following URL. http://en.wikipedia.org/wiki/Synchronized_Multimedia_Integration_Language II. DESCRIPTION Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user. The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows.

   924 HX_RESULT
   925 SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
   926 {
       ...
   957     char buf[10]; /* Flawfinder: ignore */
       ...
   962     while (*pCh)
   963     {
       ...
   972         else if (isspace(*pCh) || *pCh == '+' || *pCh == '-' || *pCh == 'Z')
   973         {
   974             // this will find the last +, - or Z... which is what we want.
   975             pTimeZone = pCh;
   976         }
       ...
   982         ++pCh;
   983     }
       ...
  1101     if (pTimePos)
  1102     {
  1103         //HH:MM...
       ...
  1133         if (*(pos-1) == ':')
  1134         {
       ...
  1148             if (*(pos-1) == '.')
  1149             {
  1150                 // find end.
  1151                 UINT32 len = 0;
  1152                 if (pTimeZone)
  1153                 {
  1154                     len = pTimeZone - pos;
  1155                 }
  1156                 else
  1157                 {
  1158                     len = end - pos;
  1159                 }
  1160                 strncpy(buf, pos, len); /* Flawfinder: ignore */

The stack buffer is declared to be 10 bytes on line 957. You can see that it has a comment which will cause the FlawFinder program to ignore this buffer. The loop, which begins on line 962, runs through the parameter to the function looking for characters that denote different sections of the time format. When it encounters white space, or the +, -, or Z characters it will record the location for later use. If a time was located and it contains both a colon and a period the vulnerable code will be reached.
The length of data to copy into the stack buffer is calculated either on line 1154 or line 1158 depending on whether or not a timezone is present. Neither calculation takes into consideration the constant length of the 'buf' buffer and therefore a stack-based buffer overflow can occur on line 1160. Again, notice that this unsafe use of strncpy() is also marked with a FlawFinder ignore comment. III. ANALYSIS Exploitation requires that an attacker persuade a user to supply RealPlayer or HelixPlayer with a maliciously crafted SMIL file. For example, this can be accomplished by convincing them to visit a malicious web pag
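The pattern in the excerpt, reduced to a stand-alone program. This is an added example, not the RealNetworks/Helix source and not part of the advisory: flawed_frac_len reproduces the length calculation of lines 1151-1158 (isolated so it can be inspected without performing the copy), safe_copy_frac is one way to do the same job with the length bounded by the destination, and the input strings are constructed. One detail worth noticing in the excerpt itself: the loop records the LAST '+', '-', 'Z' or whitespace anywhere in the input, so if that marker precedes the fractional field, `len = pTimeZone - pos` goes negative in a UINT32 and wraps, which the model below shows.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The advisory's buffer: `char buf[10]` on line 957. */
#define FRAC_BUF_SIZE 10

/* Mirrors the loop starting on line 962: remember the LAST whitespace,
   '+', '-' or 'Z' anywhere in the input, even one that precedes the field
   that is copied later. */
static const char *find_last_tz_marker(const char *s)
{
    const char *tz = NULL;
    for (const char *p = s; *p; ++p)
        if (isspace((unsigned char)*p) || *p == '+' || *p == '-' || *p == 'Z')
            tz = p;
    return tz;
}

/* The flawed calculation (lines 1151-1158): the length handed to strncpy()
   is derived from input pointers only; sizeof(buf) never enters. If the
   marker sits BEFORE the field, the unsigned subtraction wraps to a huge
   value. Simplification: the field is taken to start after the last '.'. */
size_t flawed_frac_len(const char *s)
{
    const char *dot = strrchr(s, '.');
    if (dot == NULL)
        return 0;
    const char *pos = dot + 1;
    const char *tz = find_last_tz_marker(s);
    const char *end = s + strlen(s);
    /* original: strncpy(buf, pos, len); overflows buf when len > 10 and
       leaves buf without a NUL when len == 10 */
    return tz ? (size_t)(tz - pos) : (size_t)(end - pos);
}

/* Hardened version: the field is a run of digits, what follows it must be
   end of input, whitespace or a timezone marker, and the copy is bounded by
   the DESTINATION size with room for the terminator. Returns 0 on success,
   -1 when the input is malformed or does not fit (reject, don't truncate). */
int safe_copy_frac(const char *s, char *dst, size_t dst_size)
{
    const char *dot = strrchr(s, '.');
    if (dot == NULL || dst_size == 0)
        return -1;
    const char *pos = dot + 1;
    size_t len = 0;
    while (isdigit((unsigned char)pos[len]))
        ++len;
    char next = pos[len];
    if (!(next == '\0' || isspace((unsigned char)next) ||
          next == '+' || next == '-' || next == 'Z'))
        return -1;
    if (len == 0 || len >= dst_size)
        return -1;
    memcpy(dst, pos, len);
    dst[len] = '\0';
    return 0;
}

/* Copies into a 10-byte stack buffer and reports whether the result equals
   `expected` (1) or the input was rejected or differs (0). */
int frac_field_is(const char *s, const char *expected)
{
    char buf[FRAC_BUF_SIZE];
    return safe_copy_frac(s, buf, sizeof buf) == 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed inputs, not taken from the advisory */
    const char *inputs[] = {
        "12:30:00.5Z",                     /* benign */
        "12:30:00.12345678901234567890",   /* 20-byte field, 10-byte buffer */
        "2007-06-26T12:00:00.5",           /* marker before the field: wraps */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; ++i) {
        char buf[FRAC_BUF_SIZE];
        size_t n = flawed_frac_len(inputs[i]);
        int rc = safe_copy_frac(inputs[i], buf, sizeof buf);
        printf("%-32s flawed len=%zu  safe: %s\n", inputs[i], n,
               rc == 0 ? buf : "rejected");
    }
    return 0;
}
```

Two things to check in any strncpy() call, and the reason Flawfinder flags the function at all: the length argument must be derived from the destination (at most sizeof buf - 1), never from the source, and the destination must be terminated explicitly, because strncpy() adds no NUL when the source fills the buffer. The ignore comment on line 1160 silenced exactly that warning.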
Re: [SC-L] how far we still need to go
On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote: Well after a few attempts to install it on a Mac OS X system I finally dope out that it only seems to install and run as admin. That is, I not only need to install it as admin (that's OK, ordinary users can't write to the /Applications area), but I need to run it as admin. Maddening, isn't it? I maintain that this is a software issue, insofar as how the software is bolted into its operating environment. Many disagree with that point of view, which I can accept, but I believe that to pass this off to the "ops guys" is a bad practice that borders on negligence. Even for those who disagree with me, I still would argue that it's largely under the control of the developer to be able to bolt the code into a safe operating environment -- that promotes the principle of least privilege effectively. One of my customers uses -- and hence, so do I -- VPN software and a software one-time token ("SoftToken") that requires the SoftToken.app software to have read/write access to its folder under /Applications on OS X. The presumption was that it would always be run as root. Well, I've gone out of my way to run my desktop OS X user without privs, which broke SoftToken (it would generate the same token EVERY time it was invoked). I still wouldn't accept running it as root, however, and was able to circumvent the problem by only giving my desktop user read/write to the one data file that SoftToken needed to write to. Still not as good as designing it properly in the first place, but it was an acceptable compromise for me to be able to do what I need to do. FWIW... Cheers, Ken - Kenneth R.
van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Software process improvement produces secure software?
On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote: During our conversation, I made a question to Mr. Hayes similar to this: "Is it possible that only software development process improvements can produce secure software?" The scenario was only based on CMMI without security interference. All that follows is IMHO, of course... I would have to agree with you, Francisco, that process improvements "without security interference" are unlikely to produce significant changes in the security of the software produced. That said, I am a believer in somewhat more rigorous security-based software process. In particular, I think it's worth spending additional time/effort delving into the non-functional aspects of software, from requirements gathering through design as well as during the implementation/coding phases. I think that solutions that focus solely on implementation improvement are not sufficient. To me, a vital component in improving throughout the dev process must focus on process improvement. That is, process improvement based not (necessarily) on CMMI, and _with_ "security interference". :-) But I also don't like to see process for the sake of _process_. I'm fine with intelligently applied ad hoc processes, if that's not too much of a contradiction in terms. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Opera Uses Mozilla Fuzzer Tool To Find 'Highly Severe' Bug -- Browser -- InformationWeek
Greetings SC-Lers, Here's a great success story regarding Mozilla's new open source fuzzer that they just released during the Black Hat conference: http://www.informationweek.com/story/showArticle.jhtml?articleID=201800584&cid=RSSfeed_IWK_News Kudos to the Opera team! Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Fwd: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.
FYI, I saw the following tool release announcement over on bugtraq, and thought it might be of interest to some of you here. I know the terms "PHP" and "security" in the same sentence often are met with laughter here, but what the heck. If the tool helps a few PHP developers write PHP apps that are hardened against SQL injection attacks, then why not. Cheers, Ken van Wyk SC-L Moderator Begin forwarded message: From: Ezequiel Gutesman <[EMAIL PROTECTED]> Date: August 22, 2007 12:26:55 PM EDT To: [EMAIL PROTECTED] Subject: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system. CORE GRASP for PHP is a web-application protection software aimed at detecting and blocking injection vulnerabilities and privacy violations. As mentioned during its presentation at Black Hat USA 2007, GRASP is being released as open source under the Apache 2.0 license and can be obtained from http://gasp.coresecurity.com/. The present implementation protects PHP 5.2.3 against SQL-injection attacks for the MySQL engine, it can be installed with almost the same effort as the PHP engine, both in Unix and Windows systems, and protection is immediate with any PHP web application running in the protected server. CORE GRASP works by enhancing the PHP execution engine (VM) to permit byte-level taint tracking and analysis for all the user-controlled or otherwise untrustable variables of the web application. Tainted bytes are then tracked and their taint marks propagated throughout the web application's runtime. Whenever the web application tries to interact with a DB backend using SQL statements that contain tainted bytes, GRASP analyzes the statement and detects and prevents attacks or abnormal actions. CORE GRASP was developed by CoreLabs, the research unit of Core Security Technologies. At CoreLabs, we plan to improve the tool and include new protections shortly. However, the invitation to collaborate with the project is open.
If you would like to collaborate, please go to the GRASP website and subscribe to our mailing list. Project home: http://grasp.coresecurity.com/ Documentation, presentation and papers: http://grasp.coresecurity.com/index.php?m=doc Download: http://grasp.coresecurity.com/index.php?m=dld - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com
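How byte-level taint tracking catches an injection at the database boundary, as an added example that is not GRASP's code and not part of the announcement above. GRASP does this inside the PHP engine; the stand-alone model here carries one taint mark per byte through concatenation and applies an assumed, simplified policy when the statement is about to go to the DB: tainted bytes may only sit inside a single-quoted literal (without closing it or swallowing a trusted byte through an escape) or form a complete numeric token on their own. The names tstr, sql_taint_violation and check_query are mine, and the queries are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Byte string with one taint mark per byte (1 = derived from user input).
   GRASP keeps such marks inside the PHP engine; this struct models the same
   idea and is an added example, not GRASP code. */
typedef struct { char *bytes; unsigned char *taint; size_t len; } tstr;

static tstr tstr_new(const char *s, int tainted)
{
    tstr t = { malloc(strlen(s) + 1), malloc(strlen(s) + 1), strlen(s) };
    memcpy(t.bytes, s, t.len + 1);
    memset(t.taint, tainted ? 1 : 0, t.len);
    return t;
}

/* Concatenation propagates the marks byte for byte. */
static tstr tstr_concat(const tstr *a, const tstr *b)
{
    size_t n = a->len + b->len;
    tstr t = { malloc(n + 1), malloc(n + 1), n };
    memcpy(t.bytes, a->bytes, a->len);
    memcpy(t.bytes + a->len, b->bytes, b->len + 1);
    memcpy(t.taint, a->taint, a->len);
    memcpy(t.taint + a->len, b->taint, b->len);
    return t;
}

static void tstr_free(tstr *t) { free(t->bytes); free(t->taint); t->len = 0; }
static int is_word(char c) { return isalnum((unsigned char)c) || c == '_'; }

/* Policy applied where the statement reaches the DB (assumed, simplified):
   tainted bytes may only (a) sit inside a single-quoted literal without
   ending it or swallowing a trusted byte via an escape, or (b) form a whole
   numeric token by themselves. Any other tainted byte changed the statement's
   structure. Returns the index of the first offending byte, or -1 if clean. */
int sql_taint_violation(const tstr *q)
{
    int in_str = 0;
    for (size_t i = 0; i < q->len; ++i) {
        char c = q->bytes[i];
        if (in_str) {
            int pair = i + 1 < q->len &&
                       (c == '\\' || (c == '\'' && q->bytes[i + 1] == '\''));
            if (pair) {                       /* backslash or '' escape */
                if (q->taint[i] && !q->taint[i + 1])
                    return (int)i;            /* user byte eats a trusted byte */
                ++i;
                continue;
            }
            if (c == '\'' && q->taint[i])
                return (int)i;                /* user data closed the literal */
            if (c == '\'')
                in_str = 0;
            continue;                         /* data inside a literal is fine */
        }
        if (!q->taint[i]) { in_str = (c == '\''); continue; }
        /* tainted run outside a literal: allowed only as a whole number */
        size_t j = i;
        while (j < q->len && q->taint[j] && isdigit((unsigned char)q->bytes[j]))
            ++j;
        int whole = (i == 0 || !is_word(q->bytes[i - 1])) &&
                    (j == q->len || (!q->taint[j] && !is_word(q->bytes[j])));
        if (j == i || !whole)
            return (int)i;
        i = j - 1;
    }
    return -1;
}

/* prefix + user + suffix with only `user` tainted; -1 clean, else index. */
int check_query(const char *prefix, const char *user, const char *suffix)
{
    tstr p = tstr_new(prefix, 0), u = tstr_new(user, 1), s = tstr_new(suffix, 0);
    tstr pu = tstr_concat(&p, &u), q = tstr_concat(&pu, &s);
    int v = sql_taint_violation(&q);
    tstr_free(&p); tstr_free(&u); tstr_free(&s); tstr_free(&pu); tstr_free(&q);
    return v;
}

int main(void)
{
    /* constructed inputs */
    struct { const char *pre, *user, *suf; } cases[] = {
        { "SELECT * FROM users WHERE name = '", "O''Brien",     "'" },
        { "SELECT * FROM users WHERE name = '", "x' OR '1'='1", "'" },
        { "SELECT * FROM users WHERE id = ",    "1 OR 1=1",     ""  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; ++i) {
        int v = check_query(cases[i].pre, cases[i].user, cases[i].suf);
        printf("%-8s %s%s%s\n", v < 0 ? "ok" : "BLOCKED",
               cases[i].pre, cases[i].user, cases[i].suf);
    }
    return 0;
}
```

The point of the design is that the check never asks whether the application escaped its input; a properly doubled quote arrives as two tainted bytes inside a literal and passes, while a single tainted quote that ends the literal, or a tainted backslash that eats the trusted closing quote, is rejected by position. The cost an engine pays for this is carrying the marks through every string operation, which is why GRASP lives in the VM rather than in a library.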
[SC-L] Fwd: [1st-t] Vancouver 2008 First Conference - Call for Papers
SC-L, I'm forwarding the following Call for Papers (see below) for next year's FIRST conference here. Now, I recognize that FIRST (the Forum of Incident Response and Security Teams) is NOT a software security conference. But, over the past few years, I've started bringing some software security related sessions to the conference, and they've been well received. I'm a big believer in reaching out to other communities, and if ever there were two groups that should be talking and working together more than they currently do (IMHO), it's software developers and information security folks. Disclaimer: I currently sit on FIRST's steering committee, although I have nothing to do with accepting/rejecting conference sessions. That said, if any of you ARE interested in reaching out to FIRST a bit and would like to chat, please drop me a line. Cheers, Ken van Wyk - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com SC-L Moderator

Begin forwarded message: From: Reneaué Railton <[EMAIL PROTECTED]> Date: September 20, 2007 1:20:29 PM EDT To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> Subject: [1st-t] Vancouver 2008 First Conference - Call for Papers

FIRST 20th Annual Conference, June 22nd – 27th, 2008, Hyatt Regency Vancouver, British Columbia, Canada
Crossing Borders: Towards the Globalization of Security

Call for Papers

This is a call for papers and tutorials for the 20th Annual FIRST Conference. This text is also available at: http://www.first.org/conference/2008/papers.html

Overview

The Forum of Incident Response and Security Teams (FIRST, http://www.first.org/) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams from 180 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania.
The annual FIRST conference not only provides a setting for participants to attend tutorials and hear presentations by leading experts in the CSIRT community, it also creates opportunities for networking, collaboration, and sharing technical information. Just as importantly, the conference enables attendees to meet their peers and build confidential relationships across corporate disciplines and geographical boundaries. FIRST conference participants include not only CSIRT staff, but also IT managers, network and system administrators, software and hardware vendors, law enforcement representatives, security solutions providers, telecommunications organizations, ISPs, and general computer and network security personnel.

FIRST conferences cover a broad range of security related topics such as (but not limited to):
* Advanced techniques in security incident prevention, detection and response.
* Latest advances in computer and network security tools.
* Shared views, experiences, and resolutions in the computer security incident response field.

The Conference

The conference is a five-day event, comprised of two days of Tutorials and three days of Plenary Sessions focused on either Business or Technical issues. These include paper presentations, keynote speeches, panel discussions and Birds-of-a-Feather sessions. Features planned for this year's conference include:
* Geek Zone - Presentations with a Hands On Format aimed at smaller, more technical audiences of up to 30 people
* Case Studies - Lessons learned in dealing with real events, from discovery to remediation. Share practical experiences in dealing with cyber incidents along with the tools that proved most valuable.
* SIG (Special Interest Group) meetings
* Beer 'n Gear, where vendors demonstrate their equipment
* Security Challenge

The theme for the 2008 conference is 'Crossing Borders: Towards the Globalization of Security'. The conference language is English.
Call for Papers

The FIRST program committee solicits original contributions for this conference, which are broadly based on the theme of 'Crossing Borders: Towards the Globalization of Security'. All submissions must reflect original work and must adequately document any overlap with previously published or simultaneously submitted papers from any of the authors. If authors have any doubts regarding whether such overlap exists, they should contact the program chairs prior to submission. Papers will be scheduled as part of the Main Conference. Timeslots are available in three lengths:
a) 50 minutes, with 10 minutes question time
b) 40 minutes, with 10 minutes question time
c) 25 minutes, with 5 minutes question time
The program committee is also looking for contributions to the 'Geek Zone Sessions', where presentations may last for up to three hours and which are aimed at a smaller more technical audience of up to 30 people. These presentations are intende
[SC-L] CERT Advances Secure Coding Standards - Desktop Security News Analysis - Dark Reading
Here's some good news from CERT and Fortify. Shortly, CERT will be generating Fortify SCA rules to help automate reviewing C/C++ source code against their secure coding standards. http://www.darkreading.com/document.asp?doc_id=135352&WT.svl=news1_2 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Microsoft Pushes Secure, Quality Code
SC-Lers, Hey, here's some good news out of Microsoft. According to EWeek, "Now for Visual Studio 2008, Microsoft's code analysis team is adding some new features, including Code Metrics, a new tool window "that allows you to not only get an overall view of the health [code-wise] of your application, but also gives you the ability to dig deep to find those unmaintainable and complex hotspots," Somasegar said. For Visual Studio 2008, Code Metrics will ship with five metrics: Cyclomatic Complexity, Depth of Inheritance, Class Coupling, Lines of Code and Maintainability Index, he said. " The full story is here http://www.eweek.com/article2/0,1895,2192515,00.asp Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] IT industry creates secure coding advocacy group
Saw this story via Gunnar's blog (thanks!): http://www.gcn.com/online/vol1_no1/45286-1.html Any thoughts on the new group, which is calling itself SAFEcode? Anyone here involved in its formation and care to share with us what's the driving force behind it? Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] Mainframe Security
On Nov 1, 2007, at 4:16 PM, Johan Peeters wrote: Since so much of the financial services industry is powered by COBOL, I would have thought that someone would have done a thorough study of COBOL's security posture. I certainly have not found one. Anyone else? Just a couple random(ish) observations here... 1) I believe that COBOL is still behind the *vast* majority of financial transactions today. I don't know the %, but I'd bet it to be close to 100%. 2) It's been my experience that COBOL folks (read: "mainframe programmers") tend to frown on the Internet, the web, and such. However, in talking with them, it's often useful to say that they're likely to have to interface with "internet folks" via SOA and other mechanisms, so it's worth their while to understand the security problems that "those guys" face, such as XSS and SQL/XML injection (a handy tip I picked up from Andrew van der Stock -- thanks Andrew!). So what's my point? It's this: I've often found the "mainframe crowd" to be reluctant to even talk about software security because there seems to be a pervasive attitude that it's not their problem. After all, the mainframe architectures they're familiar with have had secure, trustworthy networks and such for decades, right? Well, easing them into a discussion by simply pointing out that they should be aware of the issues that the "internet folks" have to deal with because they *need* to interface with them can help things along. Lastly, I noticed that at least one static code analysis tool (Fortify) now supports COBOL. I'm not yet sure what things they scan for, and I'm *far* from COBOL literate myself, but I figure it's got to be good news re James's point. Cheers, Ken - Kenneth R.
van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
Re: [SC-L] COBOL Exploits
On Nov 2, 2007, at 12:13 AM, Mark Rockman wrote: I'm sure you can write COBOL programs that crash, but it must be hard to make them take control of the operating system. If software exploits were "only" isolated to OS compromise, that'd be just fine. But let's not forget that an application can be thoroughly compromised by an attacker who never leaves the realm of the application -- e.g., providing spoofed credentials to read another user's customer data in a database app. The business logic data access control (authorization) is just one area of an app that transcends implementation language. A poorly designed authorization model can be implemented in pretty much anything, I believe. Let's get past the simple buffer overflow exploit to get OS access. IMHO, it's right to consider mainframe/COBOL apps carefully. Although we likely won't find a buffer overflow "smoking gun", I'll bet we are likely to find examples of bad security logic that can lead to app compromise. Plus, let's face it, modern attacks are moving more and more towards the pure application layer (think XSS, SQL/XML injection, cross-site request forgery, etc.), AND they're increasingly financially motivated. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Fwd: People in glass houses shouldn't brick phones
SC-L, FYI, some of you might find my column this month on eSecurityPlanet to be interesting: http://www.esecurityplanet.com/article.php/3709301 (free, no registration required) In it, I talk about some of the software security lessons to be gleaned from Apple's iPhone bricking debacle. Enjoy... Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading
FYI, there's a provocative article over on Dark Reading today. http://www.darkreading.com/document.asp?doc_id=140184 The article quotes David Rice, who has a book out called "Geekconomics: The Real Cost of Insecure Software". In it, he tried to quantify how much insecure software costs the public and, more controversially, proposes a "vulnerability tax" on software developers. He believes such a tax would result in more secure software. IMHO, if all developers paid the tax, then I can't see it resulting in anything other than more expensive software... Perhaps I'm just missing something, though. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Fwd: SCARE metrics and tool release
Reposted with permission, FYI... Cheers, Ken SC-L Moderator Begin forwarded message: From: Pete Herzog <[EMAIL PROTECTED]> Date: November 30, 2007 10:30:18 AM EST To: [EMAIL PROTECTED] Subject: SCARE metrics and tool release Hi, SCARE, the Source Code Analysis Risk Evaluation tool for measuring security complexity in C source code is now available. The tool is written to support the OpenTC project (opentc.net) as the SCARE methodology project available at: http://www.isecom.org/scare We have done some test cases with the tool already to track trends in Xen and are now working on measuring trends in the Linux Kernel.

USE

The SCARE analysis tool is run against source code. Currently only C code is supported. The output file will contain all operational interactions possible which need controls (the current version does not yet say if and what controls are already there). At the bottom of the list are three numbers: Visibilities, Access, and Trusts. These 3 numbers can be plugged into the RAV Calculation spreadsheet available at isecom.org/ravs. The Delta value is then subtracted from 100 to give the SCARE percentage which indicates the complexity for securing this particular application. The lower the value, the worse the SCARE.

Trends in Xen:

  XEN ver.   Vis   Accesses   Trusts   SCARE   Delta
  3.0.3_0    1     314        28577    58.26   -41.74
  3.0.4_1    1     311        31060    57.79   -42.21
  3.1.0      1     316        33139    57.43   -42.57

As you can see, the security complexity of Xen is getting worse due to the increased numbers of Trusts (reliance on external variables which a user can manipulate as an input). Trust attacks can be tested according to the 4th point of the 4 Point test process in the OSSTMM 3: Intervention - changing resource interactions with the target or between targets. At this stage, the tool cannot yet tell which interactions have controls already or if those controls are applicable however once that is available it will change the RAV but not the SCARE.
The SCARE will also not yet tell you where the bugs are in the code; however, if you are bug hunting, it will extract all the places where user inputs and trusts with user-accessible resources can be found in the code.

We need help! We are looking for people to help us complete the SCARE methodology, add new programming languages to the tool, as well as even making a Windows binary version for those who do not code in Linux. Contact me if you can do this.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - [EMAIL PROTECTED]
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
---
ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.
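As an added illustration of the two ideas in Pete's post (not ISECOM's SCARE tool, and not the RAV calculation, whose formula is not given here): a toy Python scanner that locates the places in C source where user-controllable data enters the program (the "trusts" the post describes), plus a small trend helper that reads the Xen rows quoted above the way the post does. The list of input-bearing C calls is an assumption constructed for the demo, the sample C file is constructed, and the SCARE-from-Delta rule simply reproduces the post's own rows (e.g. 100 - 41.74 = 58.26).

```python
"""Toy locator for user-controllable inputs ("trusts") in C source.

Added example only: this is NOT the ISECOM SCARE tool and does not
implement the OSSTMM RAV calculation. It shows the kind of extraction the
post describes (finding where user-influenced data enters the code) and
how a trend in the resulting numbers would be read.
"""
import re

# Assumed set of C calls whose returned data a user can influence. The real
# SCARE rules are not on the page; this is a constructed approximation.
TRUST_SOURCES = {
    "getenv": "environment variable",
    "gets": "unbounded stdin read",
    "fgets": "stream read",
    "scanf": "formatted stdin read",
    "read": "file-descriptor read",
    "recv": "socket read",
    "recvfrom": "socket read",
}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")   # identifier followed by '('
ARGV_RE = re.compile(r"\bargv\s*\[")             # command-line argument use
COMMENT_RE = re.compile(r"/\*.*?\*/|//.*$")      # single-line comments only


def find_trusts(source):
    """Return (line_number, source_name, description) for each trust found."""
    found = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = COMMENT_RE.sub("", line)
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            if name in TRUST_SOURCES:
                found.append((lineno, name, TRUST_SOURCES[name]))
        if ARGV_RE.search(code):
            found.append((lineno, "argv", "command-line argument"))
    return found


# Constructed sample C program with three user-controllable inputs.
SAMPLE_C = """\
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv) {
    char buf[64];
    const char *home = getenv("HOME");      /* external: environment */
    if (argc > 1) strcpy(buf, argv[1]);     /* external: command line */
    if (fgets(buf, sizeof buf, stdin)) {    /* external: stdin */
        puts(buf);
    }
    return 0;
}
"""

# Xen figures quoted in the post: (version, Visibilities, Accesses, Trusts, Delta).
XEN_TREND = [
    ("3.0.3_0", 1, 314, 28577, -41.74),
    ("3.0.4_1", 1, 311, 31060, -42.21),
    ("3.1.0",   1, 316, 33139, -42.57),
]


def scare_percentage(delta):
    """SCARE as the post's rows show it: 100 minus the magnitude of Delta."""
    return round(100 - abs(delta), 2)


def trend(rows):
    """Compare consecutive releases: a falling SCARE means securing got harder.

    Returns (version, scare, change_in_trusts, verdict) per release.
    """
    out = []
    prev = None
    for version, _vis, _acc, trusts, delta in rows:
        scare = scare_percentage(delta)
        if prev is None:
            verdict, change = "baseline", 0
        else:
            verdict = "worse" if scare < prev[0] else "better or equal"
            change = trusts - prev[1]
        out.append((version, scare, change, verdict))
        prev = (scare, trusts)
    return out


if __name__ == "__main__":
    for lineno, name, desc in find_trusts(SAMPLE_C):
        print(f"line {lineno}: {name} ({desc})")
    for row in trend(XEN_TREND):
        print(row)
```

Run it to list the three input sites in the constructed sample (lines 7, 8 and 9) and to see each Xen release after 3.0.3_0 flagged "worse" as its Trust count grows and its SCARE falls. The scanner deliberately ignores multi-line comments and function definitions, so on real code it over-reports; treat its output as a list of places to review, which is the use the post suggests for the real tool's output.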
Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading
On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote:

> So he's not completely naive, though the history of security metrics and standards - which tend to produce code that satisfies the standards without being any more secure - should certainly give one pause. One could, I suppose, give rebates based on actual field experience: Look at the number of security problems reported per year over a two-year period and give rebates to sellers who have low rates.

Right, so this is where I believe the entire idea would fall apart. I don't think we have adequate metrics today to measure products fairly. Basing the tax on field experience would also be problematic to measure well, although I could see this leading to development organizations getting some sort of actuarial score.

But the real problem with it, as I said, is metrics. Should it be based on (say) defect density per thousand lines of code as reported by (say) 3 independent static code analyzers? What about design weaknesses that go blissfully unnoticed by code scanners? (At least the field experience concept could begin to address these over time, perhaps.)

I do think that software developers who produce bad (security) code should be penalized, but at least for now, I still think the best way of doing this is market pressure. I don't think we're ready for more, on the whole, FWIW. But _consumers_ wield more power than they probably realize in most cases.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Redmond Developer News | Best Defense?
FYI, interesting article on sandboxing of applications, with quotes from a few SC-L regulars. Enjoy!

http://reddevnews.com/features/article.aspx?editorialsid=2386

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Code Testing Tools Could Be Acquisition Targets in '08
New Year's greetings, SC-Lers,

FYI, here's an interesting article about the application security testing space, from eWeek.

http://www.eweek.com/article2/0,1759,2242973,00.asp?kc=EWRSS03119TX1K594

The author sort of compares apples and oranges a bit, IMHO, in comparing recent acquisitions of security testing product firms (e.g., SPI and WatchFire) with potential future acquisitions of source code analysis tool companies, but it's still worth a quick read. The good news in the article is, "The acquisitions, coupled with an increase in the number of providers offering vulnerability assessments, are indicators of a growing emphasis on increasing security in the development process."

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] ENISA issue on Software Security
Greetings all,

FYI, the European Network and Information Security Agency (ENISA) has just published their latest edition of ENISA Quarterly. This edition focuses on the issue of software security. You can download a PDF copy of EQ from:

http://www.enisa.europa.eu/doc/pdf/publications/enisa_quarterly_12_07.pdf

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Open Source Code Contains Security Holes -- Open Source -- InformationWeek
SC-L,

I imagine many of you have seen the results of Coverity's DHS-funded scan of a *bunch* of open source projects:

http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All

The stats are interesting, I suppose. I don't see any prioritization of the defects, but I imagine those were provided to the various open source project leaders.

The question that isn't addressed here, and I'm sure was well outside of the scope of the project, is what each open source project *did* with the vulnerability information BEYOND just fixing the bugs? Did they merely fix the problems and move on? Or, did they use the defects as an opportunity to educate their team members on how to avoid these same sorts of things from creeping back in to the src tree? If they simply treated the vul lists as checklists of things to fix, then I'd expect a similar study in (say) five years to be just as bad as the recent Coverity study.

I think it's important to learn from mistakes, not just fix them and get on with things. I sure hope the open source teams in this study did some of that. If any SC-Lers have insight here, please share.

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
[SC-L] Tech Insight: The Buzz Around Fuzzing - Application and Perimeter Security News Analysis - Dark Reading
FYI, for those who are interested in fuzz testing tools, here's an interesting article URL from Dark Reading.

http://www.darkreading.com/document.asp?doc_id=144773&f_src=darkreading_section_296

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
[SC-L] Michael Howard's Web Log : Introducing SAFECode
FYI, from Michael Howard's blog:

"Today SAFECode, the Software Assurance Forum for Excellence in Code, introduced its first white paper, "Software Assurance: An Overview of Current Industry Best Practices." The organization was founded by Microsoft, Symantec, EMC, SAP and Juniper to advance understanding and practices related to secure development and integrity controls. Our goal is to raise the security bar across the software industry to reduce vulnerabilities."

Complete blog text, along with links to SAFECode and the white paper, can be found here:

http://blogs.msdn.com/michael_howard/archive/2008/02/14/introducing-safecode.aspx

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com