Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

2009-03-19 Thread SC-L Reader Dave Aronson
Jeremy Epstein jeremy.j.epst...@gmail.com wrote:

 I'm pleased to announce the creation of LAMN, the Legion Against Meaningless
 certificatioNs.  If you don't have a CISSP, CISM, MCSE, or EIEIO - and
 you're proud of it - this group is for you.

Heh.  I'm going to be giving a speech today in which I mention PMPs,
CISSPs, MCSEs, MDs, JDs, DDSes, and other assorted CAS -- that's
Certified Alphabet Soup.

-Dave

-- 
Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
| Play: davearonson.net | \/ Ribbon
Specialization is for insects.| Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein | Wife: nasjleti.net| EmailWeb
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] more relevant certifications

2009-03-20 Thread SC-L Reader Dave Aronson
Paco Hope p...@cigital.com wrote:

 just as overly-simplistic as
 someone who disparages all credentials equally.

On that note... my company (BAE Systems) has been pushing for people
to become CISSPs, because in turn the main client (US gov) has been
pushing for contractors to have a bunch of CISSPs on the projects.
But, it seems as though that cert is very heavily loaded down with
things that front-line grunts like me will NEVER use.  I doubt I'll
ever get to decide where a data center is located, let alone the
entire building, nor what kind of fire detection/suppression or
physical security systems it has, and I can probably forget about
dictating HR policy as well.

So, I was considering other certs, that seem much more relevant.  The
main relevant one I've heard of is the GSSP (GIAC Secure Software
Programmer).

1) What do y'all think of that one?

2) It looked to me as though, other than perhaps from buying books,
there is one and only one GSSP practice exam, and it can be taken only
once.  Am I wrong?  Do you know of any others available for free,
preferably to be taken online?

3) Have you heard of any other certs relevant for those of us who
mainly design and implement computer-based systems, which will usually
undergo security scrutiny, and usually have little to no say about all
the other stuff around it?  (Preferably not technology-specific, as
opposed to for example a Secure Java or Secure Web-Apps cert.)
Compare and contrast, as the teachers would say.

Thanks,
Dave

-- 
Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
| Play: davearonson.net | \/ Ribbon
Specialization is for insects.| Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein | Wife: nasjleti.net| EmailWeb


Re: [SC-L] Insecure Java Code Snippets

2009-05-08 Thread SC-L Reader Dave Aronson
ljknews ljkn...@mac.com wrote:
 At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
 Quoting ljknews ljkn...@mac.com:
 At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
 Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
 They can be really hard to figure out,
 And yet people keep choosing those programming languages.
 They offer quite a bit of power in exchange for the danger.
 I would be interested in hearing what they can do that cannot
 be done in Ada.

It's rarely (I won't say never!) a question of what *can't* be done in
language X or Y.  Usually, it's about what's *easier* to do in X or Y.
Sometimes the security tradeoff is worth taking the hard way, but
sometimes the choice is to the point of being at all practical or not.

-Dave, making good progress on the job hunt, thanks in part to people here

-- 
Dave Aronson, software engineer soon to be for hire.
Looking for job (or contract) in Washington DC area.
See http://www.davearonson.com/ for resume - if that
is down see http://mysite.verizon.net/~nosnoraevad/.


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread SC-L Reader Dave Aronson
Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:

 If determination of functional correctness were extended from "must
 operate as specified under expected conditions" to "must operate as
 specified under all conditions", functional correctness would necessarily
 require security, safety, fault tolerance, and all those other good things
 that make software dependable instead of just correct.

A much-too-late entry for the bumper sticker contest we had here a few
years back:

 Works as you wish, under all condish.

(Okay, okay, so maybe that kind of abbreviating is a bit out of
style... by 70 years or so)

-Dave

-- 
Dave Aronson, software engineer or trainer for hire.
Looking for job (or contract) in Washington DC area.
See http://davearonson.com/ for resume & other info.


Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-14 Thread SC-L Reader Dave Aronson
Andreas Saurwein Franci Gonçalves saurw...@gmail.com wrote
(rearranged into correct order):

 2009/10/13 Bobby Miller b.g.mil...@gmail.com

 The obvious difference is parts.  In manufacturing, things are assembled
 from well-known, well-specified, tested parts.  Hmmm

 That's the idea of libraries. Well known, well specified, well tested parts.
 Well, whatever.

Ideally, yes.  However, programmers love to reinvent the wheel.  It's
MUCH easier, both to do and to get away with, in software than in
hardware... and often necessary.

Need a bolt of at least a given length and strength, less than a given
diameter?  There are standard thread sizes, and people make bolts of
most common threadings and lengths, for purchase at reasonable prices,
at places easily found, and you can be fairly certain that any given
one of them will do the job quite well.

Need a function for your program?  If it's as common as a bolt, it's
probably already built into the very language.  If it's nearly as
common, maybe there's a fairly standard library for it... and if
you're very lucky, it's not too buggy or brittle.  Otherwise, it's
probably going to be much cheaper (which is all your management
probably cares about) to just code the damn thing yourself, than to
research who makes such a thing, which ones there are, who says which
one is how reliable, which ones have licensing terms your company
finds palatable, and justifying your choice to management.  Lord help
you if it requires money, because then you have to justify it to a
higher degree, get the beancounters involved, budgetary authority from
possibly multiple layers of manglement, and spend the rest of your
days filling out purchase orders.

If you do wind up coding it yourself, is the company then going to
make that piece of functionality available to the world separately,
whether for profit or open source?  N times out of N+1, for very large
values of N, no way!

Will they at least make it available *internally*, so that *they*
don't have to reinvent the wheel *next* time?  Again, N times out of
N+1, for almost as large values of N, no.

-Dave

-- 
Dave Aronson, software engineer or trainer for hire.
Looking for job (or contract) in Washington DC area.
See http://davearonson.com/ for resume & other info.



Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-17 Thread SC-L Reader Dave Aronson
Chris Wysopal cwyso...@veracode.com wrote:

 In certain cases like aircraft where the economic pain of failure
 is high you get DO-178B, Software Considerations in Airborne Systems and
 Equipment Certification.  For that type of software you might see the
 purchase of highly reliable libraries that have also met that certification.

Good point!  That's like how my former employer (BAE Systems) relied
for sales on those who NEEDED a data guard (or whatever) to be on a
platform that passed high levels of common criteria evaluation.  If it
weren't for that, similar software would have run just fine under
Linux (even without SE) or even Windows.

-Dave

--
Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
-+ Play: davearonson.net | \/ Ribbon
Specialization is for insects. | Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein  | Wife: nasjleti.net| EmailWeb


[SC-L] new job!

2009-10-17 Thread SC-L Reader Dave Aronson
Since the Power that Be let me post my plea for job help, I figured
I'd let y'all know the outcome.

Long story short, I have accepted a position at Comcast, in the
National Engineering and Technical Operations group, in Herndon VA
(possibly moving to Reston VA soonish), starting in probably a week or
two.  I will no longer be in a position related to security, but will
still participate here, and in the broader secure coding community, as
time allows -- and keep trying to spread the gospel.  ;-)

Thanks for all your help,
Dave

-- 
Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
-+ Play: davearonson.net | \/ Ribbon
Specialization is for insects. | Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein  | Wife: nasjleti.net| EmailWeb