Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause
ACM SIGCSE will be pushing more information shortly on the K-12 program suggestions. I've heard it will include security.

-Rob

On Tue, Apr 13, 2010 at 9:27 PM, Jeremiah Heller jerem...@inertialbit.net wrote:

An interesting point. If it were not socially unacceptable to perform ethnic cleansing, it would still occur at the levels indicated in those examples. If it were not for the civil rights movement and the eventually widespread acceptance of the idea that discrimination based on superficial properties was bad, there would still be slavery.

Socially, groups clashed (and some still do) over their ideologies, which were used as a basis for logic and perceived sound judgement. However, the more we learn about the universe/world around us, the more we understand how little we know and that any judgement can only be temporary, until more knowledge is gained.

Is it more ideologically sound to feed one's family or to obey a law which would allow them to starve simply due to a lack of other economic stimuli? I'm not speaking from any hard data, but I doubt that many third-world countries have a high local market for security experts, web developers, graphic designers, etc. So what is a poor third-worlder with an old hand-me-down PC and no job to do?

Do security professionals really want to wipe hacking activity from the planet? Sounds like poor job security to me.

The drive for survival seems key. I think that when the survival of many is perceived as threatened, then 'bad hacking' will be addressed on a scale which will contain it to the point that slavery is contained today... after all, don't hackers simply 'enslave' other computers? j/k

Until then it seems that educating people on how these things /work/ is the best strategy. Eventually we will reach the point where firewalls and trojan-hunting are as common as changing your oil and painting a house. First we should probably unravel the electron... and perhaps the biological effects of all of these radio waves bouncing around our tiny globe... Don't get me wrong, I like my microwaves, they give me warm fuzzy feelings :)

On Apr 13, 2010, at 3:14 PM, Carl Vincent wrote:

Social acceptance is a horrible way to enforce change anyway. Japanese internment camps, the Holocaust, the civil rights wars of the American 40's, 50's, and 60's, the American red scare, the gay bashing that goes on to this day. All examples of large groups of people often doing things they don't agree with in order to behave according to socially acceptable tenets. ... Sounds like bad juju in my book -_-

Paul Schmehl wrote:

--On Monday, April 12, 2010 23:51:27 -0500 Matt Parsons mparsons1...@gmail.com wrote:

I have published a blog post on how I think we could potentially stop hackers in the next generation. Please let me know what you think of it or if it has been done before.

Essentially your argument is that education can solve the problem of bad hacking. While I certainly think education can help, I think there will always be an element of society that is irredeemably bad and cannot be gotten rid of (or corrected, if you will) through education. Even societal shunning, which makes bad behavior so socially unacceptable that it must hide in the shadows, does not rid us of those who refuse to behave according to acceptable tenets.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] What is the size of this list?
Hi SC-L,

I'm a lurker. I work for CERT | SEI | CMU and monitor the list in an attempt to keep an ear to the ground. While I'm not a professional programmer, I do have an undergrad and graduate degree in CS, which means I've been trained a little about programming. I'm really interested in two things with this list:

1. How do we teach secure coding from a training perspective? (I develop training scenarios for CERT and I'm in the Workforce Development group, so this is exactly the kind of list that draws my attention.)

2. How to incorporate the concept of secure coding and new techniques/tools to do so. This should be a minor objective through our academic curriculum as well. Just like advanced math skills, we should have advanced secure coding skills for Software Engineers.

Warm Regards,
-Robert Floodeen

On Wed, Aug 19, 2009 at 11:36 AM, Rafael Ruiz rafael.r...@navico.com wrote:

Hi people, I am a lurker (I think). I am an embedded programmer and work at Lowrance (a brand of the Navico company), and I don't think I can provide too much to security because embedded software is closed per se. Or maybe I am wrong; is there a way to grab the source code from electronic equipment? That would be the only concern for embedded programmers like me, but I just like to learn about the things you talk about.

Thank you. Greetings from Mexico.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
Re: [SC-L] CSSLP
Paco,

Does certification belong in the realm of Secure Coding? What is it we are really trying to achieve with a certification?

-Rob

On Mon, Mar 23, 2009 at 4:22 PM, Paco Hope p...@cigital.com wrote:

On 3/21/09 6:43 PM, Jim Manico j...@manico.net wrote:

What really bothers me is that the CSSLP looks appsec operations focused - not developer SDLC focused (or so I've heard). The SANS cert for software security seems to drill a lot more into actual activities a developer should take in order to write secure code and seems somewhat reasonable to me. I think a secure software architecture cert would round out current offerings well.

As a SME for that exam (i.e., one of the guys who makes exam questions and such), you're exactly right. It definitely is skewed towards a holistic, operations-type feel. However, you've misidentified its target. The target of the CSSLP is anyone involved in the software (though perhaps we should say system) development lifecycle. It targets not just developers, but also testers, release managers, test managers, and others who are important to the big picture of getting software out the door. It's not a certified secure developer (i.e., code-slinger). The person who holds the cert should be acquainted with security in more phases of the lifecycle than just one. It does not, however, certify them as a security ninja in any phase.

There was another comment about the CISSP that I found poignant: "It was too damn easy to pass and too damn hard to keep up with the CPE point entry..." Although point entry is tedious, it keeps the cert honest. You can't spend 3 years converting oxygen into CO2 and remain certified. You actually have to do a few things. A CISSP person who has renewed once or twice is quite different from someone who has passed the exam after a cram session. Someone who certified once and lets their certification lapse is indistinguishable from the marginally qualified candidate who crammed, passed, but ultimately couldn't maintain their cert.

To reject certifications altogether is (to me) to endorse a continuation of the wild, wild west attitude towards security. Hire the best gunslinger you can get, and figure out who that is by word of mouth, rumor, and wanted posters at the post office. Like it or not, the citizens of this wild west are going to demand governance by a recognizable authority. Sooner or later these badge-wearing officials will come to town, and the scofflaws will be marginalized. The era of Wild Bill Hickok and Billy the Kid is over. It's only a matter of time before, for better or worse, the law moves in. We need to be on the right side, shaping those laws, not avoiding them.

(Apologies to our international audience for an intensely US-centric metaphor)

Paco
--
Paco Hope, CISSP, CSSLP
Technical Manager, Cigital, Inc
http://www.cigital.com/
+1.703.585.7868
Software Confidence. Achieved.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___