Re: [SC-L] Perspectives on Code Scanning

2007-06-07 Thread SC-L Subscriber Dave Aronson
McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED] writes:

  the value of tools in this space are not really targeted at developers
  but should be targeted at executives who care about overall quality and
  security folks who care about risk. While developers are the ones to
  remediate, the accountability for secure coding resides elsewhere.

Sort of.  There are multiple levels of accountability.  As has been said here 
many times: the developers should be held accountable for producing secure 
software, but the management must give them the time and tools to do so, and 
management usually places far higher priority on things like ease of use and 
especially on time to market.

  It would seem to be that tools that developers plug into their IDE should
  be free since the value proposition should reside elsewhere. Many of these
  tools provide audit functionality and allow enterprises to gain a view
  into their portfolio that they previously had zero clue about and this is
  where the value should reside.

Heh.  Yeah, I'd like to see some executive dashboard saying things like whose 
code currently generates the most warnings, especially if those warnings are 
from security analysis tools.  B-)  Of course, most executives won't bother 
looking at something that techy, let alone understand the significance.  B-(

  If there is even an iota of agreement, wouldn't it be in the best interest
  of folks here to get vendors to ignore developer specific licensing and
  instead focus on enterprise concerns?

Unfortunately, that often means that ANY license at all for it will be 
horrendously expensive, so that small shops are totally cut out.

-Dave

-- 
Dave Aronson
Specialization is for insects.  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Best practices for encrypting client-side data

2007-05-09 Thread SC-L Subscriber Dave Aronson
Robin Sheat [mailto:[EMAIL PROTECTED] wonders:

  What I did was take the user's password to create a key

What happens when the user changes his password?  I didn't quite follow it all, 
but it looks to me like that means that all of a user's data has to be 
decrypted and re-encrypted.  You didn't tell us how much data that is, so I'm 
going to ass-u-me that it *could* be a lot.

Perhaps you could base the encryption on more stable data, such as the user 
name combined with when the user joined.  This could be used to encrypt the 
data directly, or, as you proposed, to encrypt the actual key.  How difficult 
would it be for the attacker to figure out whose data something is, and when 
they joined, or whatever else you base your encryption on, AND the fact that 
that's how you encrypt?  If finding that out would be pretty much trivial, 
there goes all your protection, under the above scheme.

Also, just how secure do you need it to be?  Don't waste a thousand-dollar lock 
on a fifty-dollar bicycle.  Is this data actually a tempting target for 
attackers who are clueful and resourceful (in both the senses of clever and 
able to spend a lot)?

-Dave

-- 
Dave Aronson
Specialization is for insects.  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/
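The post above raises the cost of re-encrypting all of a user's data when the password changes, and mentions Robin's alternative of using the password-derived key "to encrypt the actual key". The following is an added example, not code from the original thread, showing that second arrangement (envelope encryption): a random data-encryption key (DEK) protects the bulk data, the password only wraps the DEK, so a password change re-wraps a few dozen bytes and leaves the bulk ciphertext untouched. It uses only the Python standard library; the HMAC-SHA256 counter-mode stream cipher, the PBKDF2 iteration count, the record layout and the sample data are all assumptions made here for illustration, not anything the post specifies.

```python
import hashlib
import hmac
import secrets

# Assumption (not from the post): PBKDF2 work factor for turning the password into a key.
PBKDF2_ITERATIONS = 100_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key (KEK) derived from the user's password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: an illustrative PRF stream cipher that
    stands in for AES so this example needs only the standard library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes):
    """Separate encryption and MAC keys so one key is never used for both purposes."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_user(password: str, data: bytes) -> dict:
    """Envelope encryption: a random DEK protects the data; the password only wraps the DEK."""
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(32)  # never derived from the password or from guessable profile fields
    kek = derive_kek(password, salt)
    return {
        "salt": salt,
        "wrapped_dek": encrypt(kek, dek),  # the only blob that depends on the password
        "data": encrypt(dek, data),        # bulk data, independent of the password
    }


def read_data(record: dict, password: str) -> bytes:
    kek = derive_kek(password, record["salt"])
    dek = decrypt(kek, record["wrapped_dek"])  # raises ValueError on a wrong password
    return decrypt(dek, record["data"])


def change_password(record: dict, old_password: str, new_password: str) -> dict:
    """Re-wrap the DEK under the new password; the bulk ciphertext is reused untouched."""
    dek = decrypt(derive_kek(old_password, record["salt"]), record["wrapped_dek"])
    new_salt = secrets.token_bytes(16)
    return {
        "salt": new_salt,
        "wrapped_dek": encrypt(derive_kek(new_password, new_salt), dek),
        "data": record["data"],
    }


def demo() -> bool:
    """Constructed sample: a password change leaves the bulk ciphertext byte-identical."""
    secret = b"constructed sample user data, repeated to look bulky. " * 2000
    record = create_user("old password", secret)
    bulk_before = record["data"]
    record = change_password(record, "old password", "new password")
    return record["data"] == bulk_before and read_data(record, "new password") == secret


if __name__ == "__main__":
    print("password change left data ciphertext untouched:", demo())
```

Because the DEK is random rather than derived from stable profile fields (user name, join date), knowing whose data a blob is and how the scheme works gives an attacker nothing to guess; the cost of a password change is one PBKDF2 run and one small re-wrap, however large the data. In a production system the HMAC stream cipher would be replaced by an AEAD such as AES-GCM, keeping the same wrap/unwrap structure.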





Re: [SC-L] How big is the market?

2007-04-24 Thread SC-L Subscriber Dave Aronson
McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED] writes:

  I just conducted a super-official study of what my peers are reading by
  walking a total of five aisles within a very large building. Here is a
  list of magazines on folks' desks:
  
  - Infoworld
  - Java Developers Journal
  - Insurance & Technology
  - DMReview
  - Intelligent Enterprise
  - CIO
  - Insurance Networking News

I'd also suggest Software Development, and maybe Information Security.

-Dave

-- 
Dave Aronson
Specialization is for insects.  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/




Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread SC-L Subscriber Dave Aronson
[EMAIL PROTECTED] writes:

 certifications such as CISSP whereby the exams that
 prove you are a security professional talk all about
 physical security and network security but really don't
 address software development in any meaningful way.

Perhaps what is needed is a separate certification.  It would be nice to know 
that someone knows how to write software in a secure manner, but it's not 
necessary that they know all about physical security, firewall rules, etc.  It 
could even be done at multiple levels, like Sun's Java certs, to certify 
knowledge of secure design principles vs. secure *implementation* principles, 
maybe even going onward to principles of building security into the process.  
Something like, say, Certified Secure Programmer, Coder, and Software Engineer, 
respectively.

  Would be intriguing for folks here that blog to discuss ways

...in their blogs?  <rant size=micro>That's not discussion, that's 
pontificating.  It also detracts from discussion, by fracturing it.</rant>  
Discussion is what we're having *here*, so whether someone blogs is irrelevant.

-Dave





Re: [SC-L] Compilers

2006-12-27 Thread SC-L Subscriber Dave Aronson
Tim Hollebeek [mailto:[EMAIL PROTECTED] wonders:

  are shops that insist on warning free compiles really that rare?

Yes.  I've worked for or with many companies over the years, totalling probably 
somewhere in the mid-teens or so.  In all that, there was, to the best of my 
recollection, only ONE that insisted on it, other than my own one man show.  
Add to that, numerous open source apps I've compiled; I haven't kept track of 
how many were warning-free, but it's rare enough that I consider it a pleasant 
surprise.

In several projects, I fixed some nasty bugs (inherited from other people) by 
turning warnings on (they were often totally suppressed!), and fixing the 
things that the warnings were trying to warn me about.  This is of course 
obvious to you and me, and probably to most of this list, but apparently not to 
the vast majority of programmers (even so-called software engineers), let alone 
people in any position of authority to set such policies.  :-(

-Dave

-- 
Dave Aronson
Specialization is for insects.  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/





Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] writes:

 The main thing I wonder is, what do you think? When you have a hot
 demonstration of an exploit, how do you responsibly release it?

This isn't so much about that, in the usual sense. This was, as you say, a 
well-known vulnerability, one screamingly obvious to anybody who bothered to 
think about how to get around the No-Fly List. Bruce Schneier wrote about it on 
his blog long ago, as did many others.

 What role do such demonstrations play in moving software security forward?

It could help dramatically. Not so much because of the demo itself, which will 
of course be ignored by the Powers that Be, but the publicity around it. That 
might possibly eventually make enough of a dent in the public consciousness, to 
wake them up to the fact that what the PTBs have been doing is almost all just 
security THEATER.

However, it depends how much the media gives background. Unfortunately, even a 
brief blurb like this flaw in the No-Fly List concept has been well known for 
several years is unlikely to be aired or printed, since it takes valuable 
time/space away from the latest scandals of skanky socialites and other such 
much more important news. Without this little bit of trivia, the sheeple will 
just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor 
in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag.

-Dave

-- 
Dave Aronson
Specialization is for insects. -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/





[SC-L] bumper sticker slogan for secure software

2006-07-18 Thread SC-L Subscriber Dave Aronson
Paolo Perego [mailto:[EMAIL PROTECTED] writes:

  Software is like Titanic, people claim it was unsinkable. Securing is
  providing it power steering

But power steering wouldn't have saved it.  By the time the iceberg was 
spotted, there was not enough time to turn that large a boat.  Perhaps radar, 
but that doesn't make a very good analogy.  Maybe a thicker tougher hull and 
automatic compartment doors?

-Dave






[SC-L] bumper sticker slogan for secure software

2006-07-17 Thread SC-L Subscriber Dave Aronson
mikeiscool [mailto:[EMAIL PROTECTED] writes:

  The point remains though: trimming this down into a friendly little
  phrase is, IMCO, useless.

One of the common problems in trying to persuade the masses of ANYTHING, be it 
the importance of secure software, the factual or moral correctness of your 
political stances, etc., is how to communicate it so that they will understand 
and receive the message.  You can easily confuse them, bore them, or turn them 
against yourself.  Truly putting it on bumper stickers is likely to be useless, 
but this is a useful exercise in thinking how we could express the concept 
briefly and simply.

Another useful thing would be if all engineers would enroll in Toastmasters, 
but that's another story.  ;-)

-Dave, Governor of Toastmasters Area 63 (District 27)





Re: [SC-L] (no subject)

2006-07-17 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] wrote:

  I wrote a book with viega a few years ago called building secure
  software...

Yes, John gave us all copies.  Didn't bother to get it autographed though.  :-)

  it was not about that company (at all).

It certainly was not about the horribly broken software I spent months banging 
my head against a wall trying to fix  :-(

  P.s. I actually like ivan's quip as reported by crispy.

Me too.  It contains the ideas I was trying to convey, more clearly, but it's 
still too long to fit on a bumper sticker.  :-)

-Dave


