RE: [SC-L] ACL (access control lists) generic design questions

2004-02-26 Thread Shea, Brian A
Would you want to add any ACL ability or attributes for Meta-Data on objects? Or would that ACL be on a different object? -Original Message- From: William Herrera [mailto:[EMAIL PROTECTED] Sent: Thursday, February 26, 2004 12:20 AM To: [EMAIL PROTECTED] Subject: [SC-L] ACL (access control l

RE: [SC-L] How do we improve s/w developer awareness?

2004-12-02 Thread Shea, Brian A
FYI this is part of a notice that went out to financial institutions recently. Complete Financial Institution Letter: http://www.fdic.gov/news/news/financial/2004/fil12104.html Highlights: Management is responsible for ensuring that commercial off-the-shelf (COTS) software packages and vendo

RE: [SC-L] [Fwd: DJB's students release 44 *nix software vulnerability advisories]

2004-12-20 Thread Shea, Brian A
Isn't the base problem residing in this essentially flawed statement: "Widely deployed open source software is commonly believed to contain fewer security vulnerabilities than similar closed source software due to the possibility of unrestricted third party source code auditing." To have fewer bu

Re: [SC-L] "Bumper sticker" definition of secure software

2006-07-17 Thread Shea, Brian A
My slogan: Unsecured Applications = Unsecured Business -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Epstein Sent: Monday, July 17, 2006 8:46 AM To: Secure Coding Mailing List Subject: Re: [SC-L] "Bumper sticker" definition of secure software I

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Shea, Brian A
The right answer is both IMO. You need the thinkers, integrators, and operators to do it right. The term Security Professional at its basic level simply denotes someone who works to make things secure. You can't be secure with only application security any more than you can be secure with only f

Re: [SC-L] Perspectives on Code Scanning

2007-06-07 Thread Shea, Brian A
" And answering that correctly requires input from the customer. Which we (TINW) won't have until customers recognize a need for security and get enough clue to know what they want to be secure against." I can't exactly agree with this as there is a distinction (or should be IMO) between security

Re: [SC-L] Software security video podcast

2007-10-29 Thread Shea, Brian A
IMO (IANAL) this is a position that is increasingly untenable as we move forward, especially in the consumer markets. As a customer I do, in fact, expect software to operate "correctly" (per features and functions promised / contracted) but also "securely" in that it doesn't contain bugs or insecu

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Shea, Brian A
IMO the path to changing the dynamics for secure coding will reside in the market, the courts, and the capacity of the software industry to measure and test itself and to demonstrate the desired properties of security, quality, and suitability for purpose. In today's market we do well in suitabili

Re: [SC-L] Programming language comparison?

2008-02-06 Thread Shea, Brian A
It seems like this exchange is focused on whether bug / flaw classes can be applied to "All" programming languages or not. Isn't the question at hand which languages have the property "Subject to bug / flaw class XXX" (true | false), and not whether you can find one or more class that fits the "Al

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Shea, Brian A
Security is a tradeoff game between risk and cost in my experience. So the "least privilege" question comes down to practical matters like knowing the execution environment, knowing the requirements of the tasks being executed, and knowing where those intersect with the ability of the user or appl