FYI, the folks at SANS have announced the launch of their Software
Security Institute (see http://www.sans-ssi.org/ for details).
Their web site cites the following 6 goals:
* Allow employers to rate their programmers on security skills
so they can be confident that every project has at
FYI, I saw this tool announcement and thought some folks here might
find it useful. It's a free perl-based fuzzing framework written by
Tim Brown. Follow the link to find the download site.
http://seclists.org/fulldisclosure/2007/Mar/0415.html
Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Mod
On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:
Ken, in terms of a previous response to your posting in terms of
getting customers to ask for secure coding practices from vendors,
wouldn't it start with figuring out how they could simply cut-and-paste InfoSec policies into
SC-L,
I'm often asked by folks to compare and contrast some of the various
published software security practices, from Microsoft's SDL and
OWASP's CLASP through Cigital's "Touchpoint" processes. My own view
is that they all offer value and are all worthy of consideration. In
his most re
Greetings SC-Lers,
Sitting here in the DHS Software Assurance forum today, I browsed a
copy of the CrossTalk journal, "The Journal of Defense Software
Engineering". This month's issue is focused on software security,
and there are numerous articles in it that are likely to be of
general
SC-L,
Ok, so we all have various opinions about security patching practices
in software -- mostly bad, I'm confident. But, in today's
environment, patching still seems to be a necessary evil. But for
the most part, mobile devices have been pretty much left out in the
cold. That's start
On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote:
I think some vendors have come around to the economics argument. In
every case, those vendors with extreme reputation exposure have
attempted to move past penetrate and patch. Microsoft, for one, is
trying hard, but (to use my broken leg analog
On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:
unconvinced of what? what fuzzing is useful? or that it's the best
security testing method ever? or you remain unconvinced that fuzzing
in web apps is > fuzzing in os apps?
fuzzing has obvious advantages. that's all anyone should care about.
No,
On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote:
Given the complex manipulations that can work in XSS attacks (see
RSnake's
cheat sheet) as well as directory traversal, combined with the sheer
number of potential inputs in web applications, multiplied by all the
variations in encodings, I
Here's an interesting article from Dark Reading about web fuzzers.
Web fuzzing seems to be gaining some traction these days as a popular
means of testing web apps and web services.
http://www.darkreading.com/document.asp?doc_id=118162&f_src=darkreading_section_296
Any good/bad experience
SC-L,
So my trusty rss aggregator (NewsFire) found an interesting blog for
me this morning, and I thought I'd share it here. The blog is from
Free Software Magazine and it's titled, "The seven sins of
programmers". On the surface, it has nothing whatsoever to do with
software security -
Anyone else here attending the 6th Semi-Annual Software Assurance
Forum in Fairfax, Virginia on 8-9 March? Any interest in an after-event
informal SC-L BoF and beer chat? Let me know and I'll gladly
coordinate.
(We already have several people "signed up" for the SC-L BoF at S3 in
April.
FYI, there's an interesting article on ddj.com about a Symantec's new
"Veracode" binary code analysis service.
http://www.ddj.com/dept/security/196902326
Among other things, the article says, "Veracode clients send a
compiled version of the software they want analyzed over the Internet
and
Ok, last software security news item for today, I promise. :-) This
article (see
http://www.darkreading.com/document.asp?doc_id=115110&WT.svl=news1_1)
is about a couple of new startup companies. One of them in
particular, Veracode, may be of some interest here. The article
says, "Veraco
FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a
35% increase over 2005.
See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/
The article further states, "The greatest factor in the skyrocketing
number of vulnerabilities is that certain types of flaws in community
Greetings SC-L folk,
FYI, there's been a wave of new content added to the DHS-funded
software security portal, Build Security In (home URL is
http://BuildSecurityIn.us-cert.gov). Most recently, a couple of articles
about penetration testing and tools were added (see
https://buildsecurityin
SC-Lers,
The static source code analysis product space is about to get a
little smaller, with Fortify's announcement of its acquisition of
Secure Software.
http://www.eweek.com/article2/0,1895,2085461,00.asp
Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://w
Hi SC-Lers,
As many of you are no doubt aware, this year's S3 conference
(http://www.s-3con.com) is coming up in a couple months. At last year's
conference in La Jolla, we had a small but fun "SC-L BoF" at a nearby
brewpub. Any SC-L folks here care to do the same again at this
year's ev
Interesting article about PHP security:
http://www.securityfocus.com/news/11430
Among other things, NIST's vul database shows, "Web applications
written in PHP likely account for 43 percent of the security issues
found so far in 2006, up from 29 percent in 2005."
Happy reading...
Cheers,
I guess this falls into the "you can lead a horse to water, but you
can't make him drink" category:
http://www.heise-security.co.uk/news/82500
A member of the PHP security team has left in apparent disgust over
the team's security practices.
I doubt that anyone here on SC-L is surprised b
FYI, a friend forwarded me a link to this interesting article by
Shreeraj Shah on Ajax holes,
http://www.net-security.org/article.php?id=956
Since much has been written here on SC-L about relatively safe
programming languages recently, I thought it might be interesting to
look at the othe
Here's a somewhat interesting link to an eweek article that discusses
Apple's use of encryption to protect some of its OS X binaries:
http://www.eweek.com/article2/0,1895,2050875,00.asp
Of course, encrypting binaries isn't anything new, but it's
interesting (IMHO) to see how it's being used
On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote:
I suppose now is as good a time as any to say that everything david
is talking about here is described in great detail in the HOW TO
book that I released last february. If you're reading this list,
you really should read that book. It's call
So here's a lovely statistic for the software community to hang its
hat on:
http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed
Among other things, the article says, "Atlanta-based ISS, which is
being acquired by IBM, predicts there will be a 41 percent increase
in confirmed
FYI, there's an interesting opinion article in Business Week by Coverity's CTO, Ben Chelf (see link below). In it, he discusses the results of their scanning of a significant sampling of both open- and closed-source projects. Chelf compares some special purpose proprietary software security/quality
Wow, it's sure been a quiet few days out here on SC-L. Summer
vacations are over, I suppose...
In any case, I thought that I'd post a link to a new IEEE Security &
Privacy article on training for software security engineers. It was
written by Cigital's John Steven and yours truly, and can
Greetings SC-L,
Check out Peter Coffee's latest column at:
http://www.eweek.com/article2/0,1895,2014207,00.asp
It's a follow-up to Dan Geer's (et al's) now famous monoculture paper, three years after the paper was published. Among other things, Coffee makes some interesting comparisons to the Interne
FYI, here's an interesting article from Dr. Dobb's Journal regarding the use of static analysis tools for scanning for coding bugs:
http://www.ddj.com/dept/security/191901556
Cheers,
Ken
-
Kenneth R. Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Secu
FYI, here's an article about Fortify's pernicious kingdom taxonomy of common coding defects that I thought would be of interest here:
http://www.internetnews.com/dev-news/article.php/3623751
Cheers,
Ken
-
Kenneth R. Van Wyk
KRvW Associates, LLC
http://www.KRvW.com
Greetings SC-Lers,
FYI, here's a link to an article on MySQL security. Nothing huge, just a short list of useful tips, but I figured it could be of interest here.
http://www.builderau.com.au/program/mysql/soa/Six_steps_to_secure_sensitive_data_in_MySQL/0,39028784,39266102,00.htm
Cheers,
Ken
-
Kennet
FYI, I saw an interesting article today on IBM's web site detailing how to (and how NOT to) use encryption within PHP code. Those interested can find the article at:
http://www-128.ibm.com/developerworks/library/os-php-encrypt/index.html?ca=drs-
Cheers,
Ken
Kenneth Van Wyk
KRvW Associates, LLC
http://w
Here's an interesting article from Dark Reading regarding a software attack on the existing Vista beta:
http://www.darkreading.com/document.asp?doc_id=99780&f_src=darkreading_section_296
I noticed, in particular, that the attack is against a design weakness of Vista -- "The attack doesn't use your ty
ubjects.
So, to those that want to continue the thread, be prepared to prove
to me with each message that your message(s) deserves to be approved
for distribution to the list, please.
Cheers,
Ken
Kenneth Van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Greetings SC-Lers,
Here's an interesting article that I stumbled on in Information Week:
http://www.informationweek.com/story/showArticle.jhtml?articleID=190301156&cid=RSSfeed_IWK_Security
The article discusses the results of a security survey, indicating that enterprise software users are quite fed u
th march". Put another way, how does a team hold
onto its good practices (not just security reviews) when they're in
crisis mode? I'm sure that the answer varies a lot by team,
priorities, etc., but I'd welcome any comments, opinions, etc. from
any of you who have been
Greetings SC-L,
I saw an article on Dr. Dobb's (via Slashdot) this morning that made me pause a bit. The article is on "Quick-Kill Project Management" -- full link is here:
http://www.ddj.com/dept/architect/189401902
The article describes a small project team (say 5 developers) who have suddenly had
FYI, I saw the following story out on ZD Net today regarding IBM releasing some free (and some commercial) software security tools.
http://news.zdnet.com/2100-1009_22-6086913.html?tag=zdfd.newsfeed
In particular, "IBM also introduced a tool called Security Workbench Development Environment for Java,
FYI, I just found an article on Ajax security out on Security focus. The article is here:
http://www.securityfocus.com/infocus/1868
The article touches on several key issues regarding Ajax, including the fact that scripting runs client-side and such. It also discusses how Ajax complicates app testi