[SC-L] [CFP] Workshop: Who are you?! Adventures in Authentication at SOUPS 2016 - Next week!

2016-06-20 Thread Larry Koved
Title: Who are you?!  Adventures in Authentication

Workshop to be held at the Twelfth Symposium on Usable Privacy and 
Security - SOUPS 2016
When: June 22, 2016
Where: Denver, CO

URL: https://www.usenix.org/conference/soups2016/workshop-who-are-you

Description: 

Authentication, or the act of proving that someone is who they claim to 
be, is a cornerstone of security. As more time is spent using computers, 
authentication is becoming both more common and increasingly important. 
Users must authenticate to prove their identity to maintain a continuous 
presence with a wide variety of computing services. 

The purpose of this workshop is to bring together researchers and 
practitioners to share experiences, concerns, and ideas about known and 
new authentication techniques. We are interested in discussing methods of 
evaluating the impact and usability of various authentication techniques, 
and ideas about novel authentication techniques that are secure, robust 
and usable.

Schedule:

8:30 Intro and welcome 

Session 1: Strengthening Passwords 
8:40 Strengthening Password-based Authentication (Scott Ruoti, 
Jeff Andersen, Kent Seamons; Brigham Young University)
9:00 Standard Metrics and Scenarios for Usable Authentication (Scott 
Ruoti, Kent Seamons; Brigham Young University)
9:20 Recovering High-Value Secrets with SGX and Social Authentication 
(Nathan Malkin, Serge Egelman, David Wagner; University of 
California Berkeley)
9:40 Lessons Learned from Designing and Evaluating Smart Device-based 
Authentication for Visually Impaired Users (Nata Barbosa, Yang 
Wang; Syracuse University)

10:00 Break 

Session 2: The Future of Authentication 
10:30 Who Are You? It Depends (On What You Ask Me!): Context-Dependent 
Dynamic User Authentication (Raghav V. Sampangi, Kirstie Hawkey; Dalhousie 
University)
10:50 Exploring Games for Improved Touchscreen Authentication on Mobile 
Devices (Padmaja Scindia, Jonathan Voris; New York Institute 
of Technology)
11:10 Social Authentication for End-to-End Encryption (Elham 
Vaziripour, Mark O'Neill, Justin Wu, Scott Heidbrink, Kent Seamons, 
Daniel Zappala; Brigham Young University)
11:30 Authentication Feature and Model Selection using Penalty Algorithms 
(Rahul Murmuria, Angelos Stavrou; Kryptowire)
11:50 Who are you now? Fading to multiple personas (Sven Dietrich, Michael 
Brenner, Katharina Krombholz; CUNY John Jay College, Leibniz University 
Hannover, SBA Research )

12:10 Lunch 

Session 3: Mobile Authentication 
13:40 Implications of the Use of Emojis in Mobile Authentication (Lydia 
Kraus, Robert Schmidt, Marcel Walch, Florian 
Schaub, Christopher Krügelstein, Sebastian Möller; Technische Universität 
Berlin, Technische Universität Berlin, Ulm University, Carnegie Mellon 
University, Technische Universität Berlin, Technische Universität Berlin)
14:00 Picking a (Smart)Lock: Locking Relationships on Mobile Devices 
(Elizabeth Stobert, David Barrera; ETH Zürich)
14:20 Advancing the Understanding of Android Unlocking and Usage (Lina 
Qiu, Ildar Muslukhov, Konstantin Beznosov; University of British Columbia)
14:40 Examining Visual-Spatial Paths for Mobile Authentication (David 
Lu, Taehoon Lee, Sauvik Das, Jason Hong; Carnegie Mellon University)

15:00 Break 

Session 4: Cognition and Passwords 
15:30 Measuring the Impact of Alphabet and Culture on Graphical Passwords 
(Adam J. Aviv, Markus Dürmuth, Payas Gupta; United States 
Naval Academy, Ruhr-University Bochum, NYU Abu Dhabi)
15:50 Effect of Cognitive Effort on Password Choice (Thomas Groß, Kovila 
P.L. Coopamootoo, Amina Al-Jabri; Newcastle University)

16:10 Discussion / Workshop Close 


Questions about the workshop should be directed to: 
adventuresinauthenticat...@gmail.com. 

Workshop co-chairs: 
Larry Koved, IBM T. J. Watson Research Center
Elizabeth Stobert, ETH Zürich


Program Committee:
Hala Assal, Carleton University
David Barrera, ETH Zürich
Heather Crawford, Florida Institute of Technology
Markus Duermuth, Ruhr-University Bochum
Alain Forget, Google
Claudio Marforio, ETH Zürich
Blase Ur, Carnegie Mellon University

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Silver Bullet 122: David Nathans

2016-06-07 Thread Gary McGraw
Hi  sc-l,

The latest episode of Silver Bullet features a conversation with David Nathans 
from Siemens Healthcare.  David got his start in security ops, and even wrote a 
book about that.  But he completely understands why product security is 
essential in the modern world and has been moving things in the right direction 
when it comes to medical devices.  

Have a listen: http://bit.ly/SB-nathans  

As always, your feedback is welcome.

gem

http://garymcgraw.com 





[SC-L] [CFP] Workshop CFP: Who are you?! Adventures in Authentication at SOUPS 2016 - 1 week until the submission deadline

2016-05-10 Thread Larry Koved
Title: Who are you?!  Adventures in Authentication

Workshop to be held at the Twelfth Symposium on Usable Privacy and 
Security - SOUPS 2016
When: June 22, 2016
Where: Denver, CO

URL: https://www.usenix.org/conference/soups2016/workshop-who-are-you

Description: 

Authentication, or the act of proving that someone is who they claim to 
be, is a cornerstone of security. As more time is spent using computers, 
authentication is becoming both more common and increasingly important. 
Users must authenticate to prove their identity to maintain a continuous 
presence with a wide variety of computing services. 

Our most common method of authentication continues to be based on the 
assumption of a person using a desktop computer and keyboard, or a person 
authenticating to their mobile phone -- what Bill Buxton has referred to 
as the "missionary position": one user and one computer face-to-face - no 
other position allowed. More recently, mobile devices have opened up new 
possibilities based on a variety of gestures and biometrics.  

There has been an implicit assumption that the effort of authenticating, 
both in terms of elapsed time, user actions, cognitive load and impact on 
a user's primary task, will be amortized over a relatively long lifetime 
of the authenticated session with the system, application or service. As 
computing moves into new environments, including mobile and embedded 
systems, these assumptions may no longer be valid.

In the era of mobile, embedded and ubiquitous computing, the time for each 
interaction with a device, application or service is becoming much 
briefer.  The user’s primary task may be tending to a patient, driving a 
car, operating heavy machinery, or interacting with friends and colleagues 
via mobile apps.  Due to the nature of user interaction in these new 
computing environments, and new threat models, methods of authenticating 
are needed that are both robust, easy to use, and minimize impact on the 
user's primary task.  The time / cost of authentication needs to be 
commensurate with the level of engagement with these kinds of systems and 
applications.

The purpose of this workshop is to bring together researchers and 
practitioners to share experiences, concerns, and ideas about known and 
new authentication techniques. We are interested in discussing methods of 
evaluating the impact and usability of various authentication techniques, 
and ideas about novel authentication techniques that are secure, robust 
and usable.

Target Audience:

Researchers and practitioners interested in the topics outlined below. We 
expect that researchers from both industry and academia will find relevant 
material in the workshop.
Topics of interest for this workshop include:

·Surveys and comparisons of known authentication techniques
·Novel metrics or comparisons of metrics for authentication 
strength 
·Empirical evaluations of authentication techniques, including 
performance, accuracy, and the impact of authentication on a user’s 
primary task
·New authentication techniques that target emerging computing 
environments such as mobile and embedded systems
·Approaches (including protocols) that enable weak authentication 
schemes to be more robust
·Existing authentication techniques applied in new environments or 
usage contexts
·Novel approaches to the design and evaluation of authentication 
systems

The goal of this workshop is to explore these and related topics across 
the broad range of contexts, including enterprise systems, personal 
systems, and especially mobile and embedded systems (such as healthcare, 
automotive and wearable systems).  This workshop provides an informal and 
interdisciplinary setting at the intersection of security, psychological, 
and behavioral science.  Panel discussions may be organized around topics 
of interest where the workshop participants will be given an opportunity 
to give presentations, which may include current or prior work in this 
area, as well as pose new challenges in authentication.

We are soliciting 1-2 page position statements that express the nature of 
your interest in the workshop; these should include the aspects of 
authentication of interest to you, including the topic(s) that you would 
like to discuss during the workshop and panel discussions.  Position 
statements must be in PDF format, preferably using the SOUPS formatting 
template (LaTeX or MS Word).  Submissions should not be blinded. 

Accepted submissions will be posted to the SOUPS workshop web site.  We 
encourage participants to also make their workshop presentations available 
on the web site.  These submissions will not be considered “published” 
works, and as such, should not preclude publication elsewhere.  

Submissions will be via the EasyChair WAY 2016 web site: 
https://easychair.org/conferences/?conf=way2016

Questions about submissions should be directed to: 

[SC-L] c0c0n 2016 | The cy0ps c0n - Call For Papers & Call For Workshops

2016-04-25 Thread c0c0n 2016 - The CyOps Conference

#
c0c0n 2016 | The cy0ps c0n - Call For Papers & Call For Workshops
#

August 18-20, 2016 - Kollam / Quilon (Coulão), India

Buenos días from God's Own Country!

We are extremely delighted to announce the Call for Papers and Call for
Workshops for c0c0n 2016, a 3-day Security and Hacking Conference
(2 day conference and 1 day pre-conference workshop), full of
interesting presentations, talks and of course filled with fun!

The conference topics are divided into four domains as follows:

>> Info Sec - Technical
>> Info Sec - Management
>> Digital Forensics and Investigations
>> Cyber Laws and Governance.

We are expecting conference and workshop submissions on the following
topics, but not limited to:

>> Smart Cities
>> Cloud Security
>> Browser Security
>> Honeypots/Honeynets
>> Offensive forensics
>> Software Testing/Fuzzing
>> Network and Router Hacking
>> WLAN and Bluetooth Security
>> Hacking virtualized environment
>> Lockpicking & physical security
>> National Security & Cyber Warfare
>> Open Source Security Tools
>> Web Application Security & Hacking
>> Exploiting Layer 8/Social Engineering
>> Malware analysis & Reverse Engineering
>> New Vulnerabilities and Exploits/0-days
>> Advanced Penetration testing techniques
>> Antivirus/Firewall/UTM Evasion Techniques
>> IT Auditing/Risk management and IS Management
>> Cyber Forensics, Cyber Crime & Law Enforcement
>> Mobile Application Security-Threats and Exploits
>> Critical Infrastructure & SCADA networks Security


Presentations/topics that haven't been presented before will be preferred.


#
Submission Guidelines:
#

Email your submission to: cfp [at] is-ra [dot]org
Email subject should be: CFP c0c0n 2016 - 
Email Body:

Personal Information:
=

Speaker Name:
Job Role/Handle:
Company/Organization:
Country:
Email ID:
Contact Number:
Speaker Profile: (max 1000 words)

If there is additional speaker please mention it here following the above
format.

Presentation Details:
=
Name/Title of the presentation:
Paper Abstract: (max 3000 words)
Presentation Time Required (20, 30, 50 Minutes)
Is there any demonstration? Yes or No
Are you releasing any new tool? Yes or No
Are you releasing any new exploit? Yes or No
Have you presented the paper before on any other security / technology
conference(s)? Yes or No

Other Needs & Requirements:
===

Do you need any special equipment?
We will be providing 1 LCD projector feed, 2 screens, microphones, wired
and/or wireless Internet.
If you have any other requirement, Please mention it here and the reason.

#
Remember these Dates!
#

CFP Opens: 04 Apr 2016
CFP Closing Date:  15 May 2016
Conference Dates: 19 - 20 Aug 2016
Workshop Dates: 18 Aug 2016

*NOTE:* We do not promote vendor/product oriented submissions; such
submissions will be rejected.

##
Speaker Benefits:
##

>> Complimentary Conference registration.
>> Complimentary Accommodation for 2 nights.
>> Invitation to Day 1 Networking Dinner / Party.
>> Travel Reimbursement (maximum up to the amount mentioned below)
   # International Speaker (outside India) (USD $1000)
   # Speakers from India (INR Rs.6000)
>> Only one speaker will be eligible for the benefits in case there are two
or more speakers for a talk.

Thanks and Regards,

   - c0c0n 2016 Team -




[SC-L] [CFP] Workshop CFP: Who are you?! Adventures in Authentication at SOUPS 2016

2016-04-25 Thread Larry Koved
Title: Who are you?!  Adventures in Authentication

Workshop to be held at the Twelfth Symposium on Usable Privacy and 
Security - SOUPS 2016
When: June 22, 2016
Where: Denver, CO

URL: https://www.usenix.org/conference/soups2016

Description: 

Authentication, or the act of proving that someone is who they claim to 
be, is a cornerstone of security. As more time is spent using computers, 
authentication is becoming both more common and increasingly important. 
Users must authenticate to prove their identity to maintain a continuous 
presence with a wide variety of computing services. 

Our most common method of authentication continues to be based on the 
assumption of a person using a desktop computer and keyboard, or a person 
authenticating to their mobile phone -- what Bill Buxton has referred to 
as the "missionary position": one user and one computer face-to-face - no 
other position allowed. More recently, mobile devices have opened up new 
possibilities based on a variety of gestures and biometrics. 

There has been an implicit assumption that the effort of authenticating, 
both in terms of elapsed time, user actions, cognitive load and impact on 
a user's primary task, will be amortized over a relatively long lifetime 
of the authenticated session with the system, application or service. As 
computing moves into new environments, including mobile and embedded 
systems, these assumptions may no longer be valid.

In the era of mobile, embedded and ubiquitous computing, the time for each 
interaction with a device, application or service is becoming much 
briefer.  The user’s primary task may be tending to a patient, driving a 
car, operating heavy machinery, or interacting with friends and colleagues 
via mobile apps.  Due to the nature of user interaction in these new 
computing environments, and new threat models, methods of authenticating 
are needed that are both robust, easy to use, and minimize impact on the 
user's primary task.  The time / cost of authentication needs to be 
commensurate with the level of engagement with these kinds of systems and 
applications.

The purpose of this workshop is to bring together researchers and 
practitioners to share experiences, concerns, and ideas about known and 
new authentication techniques. We are interested in discussing methods of 
evaluating the impact and usability of various authentication techniques, 
and ideas about novel authentication techniques that are secure, robust 
and usable.

Target Audience:

Researchers and practitioners interested in the topics outlined below. We 
expect that researchers from both industry and academia will find relevant 
material in the workshop.

Topics of interest for this workshop include:

·   Surveys and comparisons of known authentication techniques
·   Novel metrics or comparisons of metrics for authentication 
strength 
·   Empirical evaluations of authentication techniques, including 
performance, accuracy, and the impact of authentication on a user’s 
primary task
·   New authentication techniques that target emerging computing 
environments such as mobile and embedded systems
·   Approaches (including protocols) that enable weak authentication 
schemes to be more robust
·   Existing authentication techniques applied in new environments or 
usage contexts
·   Novel approaches to the design and evaluation of authentication 
systems

The goal of this workshop is to explore these and related topics across 
the broad range of contexts, including enterprise systems, personal 
systems, and especially mobile and embedded systems (such as healthcare, 
automotive and wearable systems).  This workshop provides an informal and 
interdisciplinary setting at the intersection of security, psychological, 
and behavioral science.  Panel discussions may be organized around topics 
of interest where the workshop participants will be given an opportunity 
to give presentations, which may include current or prior work in this 
area, as well as pose new challenges in authentication.

We are soliciting 1-2 page position statements that express the nature of 
your interest in the workshop; these should include the aspects of 
authentication of interest to you, including the topic(s) that you would 
like to discuss during the workshop and panel discussions.  Position 
statements must be in PDF format, preferably using the SOUPS formatting 
template (LaTeX or MS Word).  Submissions should not be blinded. 

Accepted submissions will be posted to the SOUPS workshop web site.  We 
encourage participants to also make their workshop presentations available 
on the web site.  These submissions will not be considered “published” 
works, and as such, should not preclude publication elsewhere. 

Submissions will be via the EasyChair WAY 2016 web site: 
https://easychair.org/conferences/?conf=way2016

Questions about submissions should be directed to: 
adventuresinauthenticat...@gmail.com. 

Workshop co-chairs: 

[SC-L] Silver Bullet celebrates a decade of shows: Gary McGraw

2016-04-01 Thread Gary McGraw
hi sc-l,

Hard to believe, but Silver Bullet has been running for ten years---120 months 
of shows in a row without missing a month.  To celebrate this accomplishment, 
we shot a video for episode 120 out by the Shenandoah river at my house.  And 
we turned the tables on the interview.  Marcus Ranum, inventor of the firewall, 
interviews me.  

We discuss: software security, internet of (crappy) things, the surveillance 
state, advisory board work, toothbrush DDoS, perl, and evolutionary biology.  
Have a look.  I hope you enjoy it.  

http://bit.ly/SB-gem 

Silver Bullet continues to be a blast to do.  Last time we ran stats last 
October, Silver Bullet had over 1.4 million listens with an episode averaging 
almost 14K listeners.

gem

https://www.garymcgraw.com/






[SC-L] [CFP] Workshop CFP: Who are you?! Adventures in Authentication at SOUPS 2016

2016-03-15 Thread Larry Koved
Title: Who are you?!  Adventures in Authentication

Workshop to be held at the Twelfth Symposium on Usable Privacy and 
Security - SOUPS 2016
When: June 22, 2016
Where: Denver, CO

URL: https://www.usenix.org/conference/soups2016

Description: 

Authentication, or the act of proving that someone is who they claim to 
be, is a cornerstone of security. As more time is spent using computers, 
authentication is becoming both more common and increasingly important. 
Users must authenticate to prove their identity to maintain a continuous 
presence with a wide variety of computing services. 

Our most common method of authentication continues to be based on the 
assumption of a person using a desktop computer and keyboard, or a person 
authenticating to their mobile phone -- what Bill Buxton has referred to 
as the "missionary position": one user and one computer face-to-face - no 
other position allowed. More recently, mobile devices have opened up new 
possibilities based on a variety of gestures and biometrics. 

There has been an implicit assumption that the effort of authenticating, 
both in terms of elapsed time, user actions, cognitive load and impact on 
a user's primary task, will be amortized over a relatively long lifetime 
of the authenticated session with the system, application or service. As 
computing moves into new environments, including mobile and embedded 
systems, these assumptions may no longer be valid.

In the era of mobile, embedded and ubiquitous computing, the time for each 
interaction with a device, application or service is becoming much 
briefer.  The user’s primary task may be tending to a patient, driving a 
car, operating heavy machinery, or interacting with friends and colleagues 
via mobile apps.  Due to the nature of user interaction in these new 
computing environments, and new threat models, methods of authenticating 
are needed that are both robust, easy to use, and minimize impact on the 
user's primary task.  The time / cost of authentication needs to be 
commensurate with the level of engagement with these kinds of systems and 
applications.

The purpose of this workshop is to bring together researchers and 
practitioners to share experiences, concerns, and ideas about known and 
new authentication techniques. We are interested in discussing methods of 
evaluating the impact and usability of various authentication techniques, 
and ideas about novel authentication techniques that are secure, robust 
and usable.

Target Audience:

Researchers and practitioners interested in the topics outlined below. We 
expect that researchers from both industry and academia will find relevant 
material in the workshop.

Topics of interest for this workshop include:

·   Surveys and comparisons of known authentication techniques
·   Novel metrics or comparisons of metrics for authentication 
strength 
·   Empirical evaluations of authentication techniques, including 
performance, accuracy, and the impact of authentication on a user’s 
primary task
·   New authentication techniques that target emerging computing 
environments such as mobile and embedded systems
·   Approaches (including protocols) that enable weak authentication 
schemes to be more robust
·   Existing authentication techniques applied in new environments or 
usage contexts
·   Novel approaches to the design and evaluation of authentication 
systems

The goal of this workshop is to explore these and related topics across 
the broad range of contexts, including enterprise systems, personal 
systems, and especially mobile and embedded systems (such as healthcare, 
automotive and wearable systems).  This workshop provides an informal and 
interdisciplinary setting at the intersection of security, psychological, 
and behavioral science.  Panel discussions may be organized around topics 
of interest where the workshop participants will be given an opportunity 
to give presentations, which may include current or prior work in this 
area, as well as pose new challenges in authentication.

We are soliciting 1-2 page position statements that express the nature of 
your interest in the workshop; these should include the aspects of 
authentication of interest to you, including the topic(s) that you would 
like to discuss during the workshop and panel discussions.  Position 
statements must be in PDF format, preferably using the SOUPS formatting 
template (LaTeX or MS Word).  Submissions should not be blinded. 

Accepted submissions will be posted to the SOUPS workshop web site.  We 
encourage participants to also make their workshop presentations available 
on the web site.  These submissions will not be considered “published” 
works, and as such, should not preclude publication elsewhere. 

Submissions will be via the EasyChair WAY 2016 web site: 
https://easychair.org/conferences/?conf=way2016

Questions about submissions should be directed to: 
adventuresinauthenticat...@gmail.com. 

Workshop 

[SC-L] Ruxcon 2016 Call For Presentations

2016-03-15 Thread cfp
Ruxcon 2016 Call For Presentations
Melbourne, Australia, October 22-23
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the first round of Call For 
Presentations for Ruxcon 2016.

This year the conference will take place over the weekend of the 22nd and 23rd 
of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 30th of June, 2016.


.[x]. About Ruxcon .[x]. 

Ruxcon is a premier technical computer security conference in Australia. 
The conference aims to bring together the individual talents of the best and 
brightest security folk in the region, through live presentations, activities 
and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing 
attendees to enjoy themselves whilst networking within the community and 
expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and 
offensive security topics, varying from previously unpublished research to 
required reading for the security community. 


.[x]. Important Dates .[x].

 June 30 - Call For Presentations Close
 October 17-21 - Ruxcon Training
 October 22-23 - Ruxcon Conference


.[x]. Topic Scope .[x].

 Topics of interest include, but are not limited to:

 o Mobile Device Security
 o Virtualization, Hypervisor, and Cloud Security
 o Malware Analysis
 o Reverse Engineering
 o Exploitation Techniques
 o Rootkit Development
 o Code Analysis
 o Forensics and Anti-Forensics
 o Embedded Device Security
 o Web Application Security
 o Network Traffic Analysis
 o Wireless Network Security
 o Cryptography and Cryptanalysis
 o Social Engineering
 o Law Enforcement Activities
 o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)


.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

 1. Presentation title
 2. Detailed summary of your presentation material
 3. Name/Nickname
 4. Mobile phone number
 5. Brief personal biography
 6. Description of any demonstrations involved in the presentation
 7. Information on where the presentation material has or will be presented 
before Ruxcon

 To submit a presentation please use our submission form: https://goo.gl/75WhtZ

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, 
including question time. 
 

.[x]. Contact .[x].

 o Email: presentati...@ruxcon.org.au
 o Twitter: @ruxcon


[SC-L] Silver Bullet 119: Jacob West on the IEEE CSD Wearables report (design review)

2016-02-29 Thread Gary McGraw
hi sc-l,

It’s leap day and RSA week!

We just posted Silver Bullet episode 119 featuring BSIMM co-author and IEEE CSD 
co-founder Jacob West talking about the latest IEEE CSD report.   Architecture 
analysis lags behind other touchpoints when it comes to software security 
practices.  The CSD wearables report is intended to help get developers and 
architects more familiar with just what design analysis means:

http://bit.ly/SB-CSDwearable 

Your feedback on the podcast is welcome.

gem

I have a new website https://www.garymcgraw.com/ (TECH | LIFE | MUSIC)





[SC-L] Mobile Security Technologies (MoST) 2016 - submission deadline extended to Monday Feb 1

2016-02-01 Thread Larry Koved
http://ieee-security.org/TC/SPW2016/MoST/cfp.html

Mobile Security Technologies (MoST) 2016
co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2016) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2016) 
The Fairmont Hotel
San Jose, CA, USA
Thursday May 26, 2016

Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems. 

With the development of new mobile platforms, such as Android and iOS, 
mobile computing has shown exponential growth in popularity in recent 
years. To benefit from the availability of a constantly-growing consumer 
base, new services and applications are being built from the composition 
of existing ones at breakneck speed. This rapid growth has also been 
coupled with new security and privacy concerns and challenges. For 
instance, more and more sensitive content is being collected and shared by 
third-party applications that, if misused, can have serious security and 
privacy repercussions. Consequently, there is a growing need to study and 
address these new challenges.

Topics of Interest Include:
We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The topics of interest include, but are not limited 
to:
Identity and access control for mobile platforms
Mobile app security
Mobile cloud security
Mobile hardware security
Mobile middleware and OS security
Mobile web and advertisement security
Protecting security-critical applications of mobile platforms
Secure application development tools and practices
Security study of mobile ecosystems
Unmanned aerial vehicles (UAVs) security
Wearable and IoT security

Paper Submission Instructions
Papers will be submitted through EasyChair. You may update your paper at 
any time until the submission deadline.
All accepted papers will be published online as part of the IEEE Symposium 
on Security and Privacy Workshops proceedings. Submitted papers must not 
substantially overlap papers that have been published or that are 
simultaneously submitted to a journal or a conference with proceedings. 
Please see the workshop CFP web site (
http://ieee-security.org/TC/SPW2016/MoST/cfp.html) for details.

Important Dates
Paper submission deadline: February 1, 2016 (11:59pm US-PST), extended from 
January 29, 2016
Acceptance notification: March 7, 2016
Camera-ready deadline: March 25, 2016
Workshop day: May 26, 2016

Organizing Committee
Hao Chen (University of California, Davis)
Larry Koved (IBM Research)
Program Chair
Long Lu (Stony Brook University)

Program Committee
David Barrera (ETH Zürich)
Rich Cannings (Google)
Lorenzo Cavallaro (Royal Holloway, University of London)
Hao Chen (UC Davis)
Mihai Christodorescu (Qualcomm Research Silicon Valley)
Jonathan Crussell (Sandia National Laboratories)
Drew Davidson (University of Wisconsin-Madison)
Manuel Egele (Boston University)
Markus Jakobsson (ZapFraud Inc)
Suman Jana (Columbia University)
Larry Koved (IBM TJ Watson Research Center)
David Lie (University of Toronto)
Long Lu (Stony Brook University)
Collin Mulliner (Square, Inc.)
Adwait Nadkarni (NC State University)
Kapil Singh (IBM T.J. Watson Research Center)
Hayawardh Vijayakumar (Samsung Research America)
Tao Wei (Baidu USA)
Yajin Zhou (Qihoo 360)







[SC-L] Silver Bullet: Jack Daniel

2016-02-01 Thread Gary McGraw
hi sc-l,

For the first Silver Bullet of 2016 I have a chat with Jack Daniel, co-founder 
of the Bsides Conferences.  We talk about security communities, the evolution 
of the field, car repair, complex systems, the waning security Renaissance, 
and other matters.  We conclude with a quick pointer to various tiki 
experiences.

http://bit.ly/SB-jackdaniel

Have a listen.  Your feedback on the podcast is always welcome.

gem

company www.cigital.com
book www.swsec.com
twitter @cigitalgem



[SC-L] Mobile Security Technologies (MoST) 2016 - 2 weeks until the submission deadline!

2016-02-01 Thread Larry Koved
http://ieee-security.org/TC/SPW2016/MoST/cfp.html

Mobile Security Technologies (MoST) 2016
co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2016) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2016) 
The Fairmont Hotel
San Jose, CA, USA
Thursday May 26, 2016

Important Dates
Paper submission deadline: January 29, 2016 (11:59pm US-PST)
Acceptance notification: March 7, 2016
Camera-ready deadline: March 25, 2016
Workshop day: May 26, 2016



[SC-L] CFP: Mobile Security Technologies (MoST) 2016 - 2 weeks until the submission deadline!

2016-01-19 Thread Larry Koved
http://ieee-security.org/TC/SPW2016/MoST/cfp.html

Mobile Security Technologies (MoST) 2016
co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2016) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2016) 
The Fairmont Hotel
San Jose, CA, USA
Thursday May 26, 2016

Important Dates
Paper submission deadline: January 29, 2016 (11:59pm US-PST)
Acceptance notification: March 7, 2016
Camera-ready deadline: March 25, 2016
Workshop day: May 26, 2016



[SC-L] CFP: Mobile Security Technologies (MoST) 2016 - corrected dates

2016-01-19 Thread Larry Koved
My apologies.  Here are the correct dates:

Paper submission deadline: January 29, 2016 (11:59pm US-PST)
Acceptance notification: March 7, 2016
Camera-ready deadline: March 25, 2016
Workshop day: May 26, 2016



http://ieee-security.org/TC/SPW2016/MoST/cfp.html



[SC-L] Silver Bullet 117: Jamie Butler

2015-12-26 Thread Gary McGraw
hi sc-l,

The current episode of the Silver Bullet Security Podcast features Jamie 
Butler, CTO of Endgame.  Jamie and I talk rootkits (he wrote the book with Greg 
Hoglund), attack patterns, defense and offense.  Jamie has a long career in 
security (17 years) spanning early days at Fort Meade, through Mandiant, to 
Endgame.

Have a listen: http://bit.ly/SB-butler

And happy holidays from Silver Bullet!

gem

company www.cigital.com
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 116: Doug Maughan

2015-12-01 Thread Gary McGraw
hi sc-l,

Doug Maughan is one of the very good people who somehow works in the federal 
government at DHS (I know).  He has been funding reasonable science in computer 
security since his early DARPA days and even once funded some of our work at 
cigital.  We talk about science, research, tech transfer, the research valley 
of death, and why computer security is so badly broken in the federal 
government.

Have a listen: http://bit.ly/SB-maughan

As always, your comments are welcome.  Thanks for listening.  Pass it on!

gem



[SC-L] CFP: Mobile Security Technologies (MoST) 2016

2015-11-04 Thread Larry Koved
http://ieee-security.org/TC/SPW2016/MoST/cfp.html

Mobile Security Technologies (MoST) 2016
co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE S&P 2016) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2016) 
The Fairmont Hotel
San Jose, CA, USA
Thursday May 26, 2016

Important Dates
Paper submission deadline: January 15, 2016 (11:59pm US-PST)
Acceptance notification: February 21, 2016
Camera-ready deadline: TBD (approx. March 5, 2016)
Workshop day: May 26, 2016
Organizing Committee
Hao Chen (University of California, Davis)
Larry Koved (IBM Research)
Program Chair
Long Lu (Stony Brook University)


[SC-L] Silver Bullet 115: mudge

2015-10-29 Thread Gary McGraw
hi sc-l,

Cigital just posted Silver Bullet 115 which features an interview with mudge 
(a.k.a., Peiter Zatko).

https://www.cigital.com/podcasts/show-115-peiter-mudge-zatko/

We talk l0pht, cult of the dead cow, early security days, testifying before 
Congress, why the government is so confused about security, DARPA, DoD, Google, 
and current doings.  Mudge is one of the original hackers from days gone by who 
took his hobby and turned it into a career. (I have known him since I was ten.)

Have a listen and pass it on.

gem

company www.cigital.com
writings www.cigital.com/gem/writings/
book www.swsec.com
twitter @cigitalgem



[SC-L] BSIMM6

2015-10-19 Thread Gary McGraw
hi sc-l,

Today Cigital published Release 6 of the Building Security In Maturity Model 
(BSIMM).  The BSIMM now represents eight years of bringing science to 
software security.  We have directly measured over 104 companies across 
multiple industries (BSIMM6 covers 78 of them).  BSIMM6 also includes the 
addition of healthcare as one of the well-represented verticals (10 firms or 
more).

Opinion is rife in computer security, and software security as well.  BSIMM6 
provides a set of facts to both counter and ground opinion in reality.  Want to 
know what the ratio of software security professionals to developers is?  The 
BSIMM knows.  BSIMM6 describes the work of 1,084 SSG members working with a 
satellite of 2,111 people to secure the software developed by 287,006 developers.

The BSIMM is a free resource published under the creative commons.  Please use 
it in your own work.  You can download BSIMM6 from the new website 
http://bsimm.com

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com
twitter @cigitalgem




[SC-L] MQ Series and Middleware security

2015-10-08 Thread Gunnar Peterson
As the saying goes, a Unix server goes down and you have a bad weekend. A 
Mainframe goes down and the earth stops rotating on its axis. To the latter 
point, MQ Series and other messaging systems that communicate with Mainframes 
and heritage(*) systems get next to no attention from the security community, 
however they are critical. Here is a chat with T. Rob Wyatt on that subject

http://1raindrop.typepad.com/1_raindrop/2015/10/security-140-chat-with-t-rob-wyatt-on-mq-and-middleware-security.html

-gunnar
http://1raindrop.typepad.com
@oneraindrop

* Heritage is what most people call legacy, but legacy is pejorative and 
heritage more accurately reflects the role of the systems that basically run 
many businesses


[SC-L] SearchSecurity: Seven Myths of Software Security

2015-10-06 Thread Gary McGraw
hi sc-l,

You’ve heard these before I’m sure.  Working on expanding or improving your 
software security initiative?  Here are seven of the most common objections we 
see all the time (and what to say in response).

Please read this article: http://bit.ly/swsec-myths

Hopefully you will all find this useful in getting thinking back on track when 
it comes to software security.

As always, your feedback is welcome.  Let me know what you think!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 114: Peter "Pete" Clay

2015-09-30 Thread Gary McGraw
hi sc-l,

Episode 114 of Silver Bullet was just posted.  This episode features Peter 
“Pete” Clay who has served as a CISO in several firms (Deloitte, Invotas, Qlik) 
and has provided security direction both in the Federal government and the 
private sector.

Have a listen: http://bit.ly/SB-pete

As always, your feedback and your suggestions for future episodes greatly 
appreciated!

gem

company www.cigital.com
writings www.cigital.com/gem/writings/
book www.swsec.com




[SC-L] The FTC and Software Security

2015-09-17 Thread Gary McGraw
hi sc-l,

I just posted some thoughts on the FTC and software security.

Have a look: http://bit.ly/gem-FTC

gem



Re: [SC-L] The FTC and Software Security

2015-09-17 Thread Jeffrey Walton
On Wed, Sep 16, 2015 at 2:58 PM, Gary McGraw  wrote:
> hi sc-l,
>
> I just posted some thoughts on the FTC and software security.
>
> Have a look: http://bit.ly/gem-FTC

+1, well written.

I've kinda ignored the FTC over the years, and focused on the state
laws covering data breaches and notifications (48 states and the
district have them,
http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx).

But breach notification and FTC actions are reactive, and not proactive.

Consumers still need a stick. Too much carrot is making the mules fat
:) Once consumers can take action, then the risks will become real and
companies will start moving towards the defensive security posture
Cigital can help provide.

jeff


[SC-L] Podcast: Threatpost covers software security

2015-09-12 Thread Gary McGraw
hi sc-l,

Yesterday I recorded an episode of Threatpost with Dennis Fisher.  We talk 
about many current topics, including how to scale software security.

Have a listen and pass it on:
https://threatpost.com/gary-mcgraw-on-scalable-software-security-and-medical-device-security/114640/

Topics covered include: BSIMM6, software security growth, the FTC and security, 
security in startups, medical device security, scaling software security, music

gem



Re: [SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-08 Thread Gary McGraw
The URL was apparently scrambled below.  For the SB episode try: 
http://bit.ly/SB-chandu 

gem




On 8/31/15, 12:51 PM, "SC-L on behalf of Gary McGraw" 
 wrote:

>hi sc-l,
>
>The new episode of Silver Bullet features a conversation with Chandu Ketkar. 
>Chandu has 20+ years of experience in software, starting as a developer and 
>working his way to a secure design proponent.  Have a listen:
>http://bit.ly/SB-chandu
>
>We discuss threat modelling, architectural analysis, healthcare security, 
>economics, and what developers think of security (not necessarily in that 
>order).  You can also find out what Chandu’s favorite Indian music is when you 
>listen.
>
>gem
>
>company www.cigital.com
>blog www.cigital.com/justiceleague
>book www.swsec.com
>



Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Goertzel, Karen [USA]
Yes, we seem to abandon security mechanisms that (1) we can actually trust, and 
(2) that Microsoft and Google refuse to build.

===
Karen Mercedes Goertzel, CISSP, CSSLP
Senior Lead Scientist
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"The hardest thing of all is to
find a black cat in a dark room,
especially if there is no cat."
- Confucius



From: Peter G. Neumann [neum...@csl.sri.com]
Sent: 06 September 2015 15:24
To: Goertzel, Karen [USA]
Cc: Alfonso De Gregorio; Johan Peeters; Secure Code Mailing List
Subject: Re: [SC-L] [External] Re: SearchSecurity: Dynamism

Reference monitors were a lovely concept, largely invented for multilevel
security kernels and trusted computing bases, but are almost nonexistent
in that context.  Yes, they'd be lovely to have, but even the NSA folks
seem to have abandoned them...



Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Peter G. Neumann
Reference monitors were a lovely concept, largely invented for multilevel
security kernels and trusted computing bases, but are almost nonexistent
in that context.  Yes, they'd be lovely to have, but even the NSA folks
seem to have abandoned them...


Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Gary McGraw
As far as I know, Microsoft integrated some reference monitoring into their OS 
family under Fred Schneider’s guidance.  They called it “inline reference 
monitoring” and I believe they still use it.

gem




On 9/8/15, 8:49 AM, "SC-L on behalf of Goertzel, Karen [USA]" 
 wrote:

>Yes, we seem to abandon security mechanisms that (1) we can actually trust, 
>and (2) that Microsoft and Google refuse to build.
>
>===
>Karen Mercedes Goertzel, CISSP, CSSLP
>Senior Lead Scientist
>Booz Allen Hamilton
>703.698.7454
>goertzel_ka...@bah.com
>
>"The hardest thing of all is to
>find a black cat in a dark room,
>especially if there is no cat."
>- Confucius
>
>
>
>From: Peter G. Neumann [neum...@csl.sri.com]
>Sent: 06 September 2015 15:24
>To: Goertzel, Karen [USA]
>Cc: Alfonso De Gregorio; Johan Peeters; Secure Code Mailing List
>Subject: Re: [SC-L] [External] Re: SearchSecurity: Dynamism
>
>Reference monitors were a lovely concept, largely invented for multilevel
>security kernels and trusted computing bases, but are almost nonexistent
>in that context.  Yes, they'd be lovely to have, but even the NSA folks
>seem to have abandoned them...
>



Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Goertzel, Karen [USA]
It's been there since Windows NT 4.0, and is used with mandatory integrity 
labels to enforce a mandatory integrity policy so that subjects with a lower 
integrity label cannot access (and, most importantly, cannot modify) objects 
with higher integrity labels. 

It also exists separate from the Windows DAC ACL, which is what seems to govern 
user access to data files. One gets the impression it is intended to be used to 
protect DLL executables against modification by unauthorized processes, which 
is a worthy usage, but doesn't do anything for sensitivity- or privacy-based 
control of information flow.



===
Karen Mercedes Goertzel, CISSP, CSSLP
Senior Lead Scientist
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"The hardest thing of all is to
find a black cat in a dark room,
especially if there is no cat."
- Confucius



From: Gary McGraw [g...@cigital.com]
Sent: 08 September 2015 15:44
To: Goertzel, Karen [USA]; Peter G. Neumann
Cc: Secure Code Mailing List
Subject: Re: [SC-L] [External] Re: SearchSecurity: Dynamism

As far as I know, Microsoft integrated some reference monitoring into their OS 
family under Fred Schneider’s guidance.  They called it “inline reference 
monitoring” and I believe they still use it.

gem




On 9/8/15, 8:49 AM, "SC-L on behalf of Goertzel, Karen [USA]" 
 wrote:

>Yes, we seem to abandon security mechanisms that (1) we can actually trust, 
>and (2) that Microsoft and Google refuse to build.
>
>===
>Karen Mercedes Goertzel, CISSP, CSSLP
>Senior Lead Scientist
>Booz Allen Hamilton
>703.698.7454
>goertzel_ka...@bah.com
>
>"The hardest thing of all is to
>find a black cat in a dark room,
>especially if there is no cat."
>- Confucius
>
>
>
>From: Peter G. Neumann [neum...@csl.sri.com]
>Sent: 06 September 2015 15:24
>To: Goertzel, Karen [USA]
>Cc: Alfonso De Gregorio; Johan Peeters; Secure Code Mailing List
>Subject: Re: [SC-L] [External] Re: SearchSecurity: Dynamism
>
>Reference monitors were a lovely concept, largely invented for multilevel
>security kernels and trusted computing bases, but are almost nonexistent
>in that context.  Yes, they'd be lovely to have, but even the NSA folks
>seem to have abandoned them...
>

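The reference-monitor idea this thread keeps returning to, with the mandatory integrity policy Karen describes above, modelled in Python as an added example; it is not code from the thread, from Windows or from any of the posters. It assumes a Biba-style no-write-up rule only (the full Windows policy is not modelled), and every subject, object, label and ACL entry is constructed sample data. The point it shows is that the integrity check runs separately from the DAC ACL, so an ACL "allow" does not let a lower-integrity subject modify a higher-integrity object, while reads are untouched, which is why such a policy says nothing about sensitivity-based information flow.

```python
# Added illustration, not code from the SC-L thread, from Windows or from any
# poster: a toy reference monitor that checks a discretionary ACL and, separately,
# a mandatory integrity label (no write-up only; the full Windows policy is not
# modelled). All subjects, objects, labels and ACL entries are constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import IntEnum


class Integrity(IntEnum):
    """Ordered integrity labels, lowest to highest."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Subject:
    name: str
    integrity: Integrity


@dataclass
class Obj:
    name: str
    integrity: Integrity
    acl: dict[str, set[str]] = field(default_factory=dict)  # DAC: name -> rights


@dataclass
class Decision:
    allowed: bool
    reason: str  # "ok", "dac" (ACL denies) or "mic" (integrity policy denies)


class ReferenceMonitor:
    """Mediates every access; objects are only ever touched via check()."""

    def __init__(self) -> None:
        self.audit: list[str] = []

    def check(self, subj: Subject, obj: Obj, right: str) -> Decision:
        # 1. Discretionary check: did the owner grant this right to this subject?
        dac_ok = right in obj.acl.get(subj.name, set())
        # 2. Mandatory integrity check (no write-up): a subject may not modify an
        #    object labelled above itself, whatever the ACL says. Reads are not
        #    constrained, because integrity labels are not sensitivity labels.
        mic_ok = right != "write" or subj.integrity >= obj.integrity
        if not dac_ok:
            d = Decision(False, "dac")
        elif not mic_ok:
            d = Decision(False, "mic")
        else:
            d = Decision(True, "ok")
        self.audit.append(f"{subj.name}({subj.integrity.name}) {right} "
                          f"{obj.name}({obj.integrity.name}) -> {d.reason}")
        return d


def build_sample_system():
    """Constructed sample: three subjects and two objects."""
    subjects = {
        "browser": Subject("browser", Integrity.LOW),
        "user": Subject("user", Integrity.MEDIUM),
        "installer": Subject("installer", Integrity.HIGH),
    }
    objects = {
        # A system DLL at HIGH integrity. Its ACL is deliberately permissive so
        # that the integrity label, not the ACL, is what blocks the user's write.
        "system.dll": Obj("system.dll", Integrity.HIGH, {
            "user": {"read", "write"},
            "installer": {"read", "write"},
            "browser": {"read"},
        }),
        # A user's document at MEDIUM integrity. The integrity policy does
        # nothing to stop a LOW-integrity process from reading it.
        "notes.txt": Obj("notes.txt", Integrity.MEDIUM, {
            "user": {"read", "write"},
            "browser": {"read"},
        }),
    }
    return subjects, objects


def run_demo():
    """Runs representative accesses; returns (name -> Decision, audit log)."""
    rm = ReferenceMonitor()
    s, o = build_sample_system()
    results = {
        "user_write_dll": rm.check(s["user"], o["system.dll"], "write"),  # mic
        "installer_write_dll": rm.check(s["installer"], o["system.dll"], "write"),  # ok
        "browser_read_dll": rm.check(s["browser"], o["system.dll"], "read"),  # ok
        "browser_read_notes": rm.check(s["browser"], o["notes.txt"], "read"),  # ok
        "installer_write_notes": rm.check(s["installer"], o["notes.txt"], "write"),  # dac
    }
    return results, rm.audit
```

Printing the audit log from `run_demo()` shows each decision together with which of the two checks denied it.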


Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-08 Thread Alfonso De Gregorio
On Tue, Sep 8, 2015 at 7:44 PM, Gary McGraw  wrote:
> As far as I know, Microsoft integrated some reference monitoring into their 
> OS family under Fred Schneider’s guidance.  They called it “inline reference 
> monitoring” and I believe they still use it.

A related work by Microsoft is BrowserShield, an inline reference
monitor for JavaScript:

  BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
  http://research.microsoft.com/en-us/projects/shield/#browsershield

-- Alfonso



Re: [SC-L] [External] Re: SearchSecurity: Dynamism

2015-09-06 Thread Goertzel, Karen [USA]
Does anyone else remember "reference monitors"?

What an old-fashioned idea. But they'd certainly solve a lot of problems.

===
Karen Mercedes Goertzel, CISSP, CSSLP
Senior Lead Scientist
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

"The hardest thing of all is to
find a black cat in a dark room,
especially if there is no cat."
- Confucius



From: SC-L [sc-l-boun...@securecoding.org] on behalf of Alfonso De Gregorio 
[a...@secyoure.com]
Sent: 28 August 2015 13:02
To: Johan Peeters
Cc: Secure Code Mailing List
Subject: [External]  Re: [SC-L] SearchSecurity: Dynamism

On Thu, Aug 20, 2015 at 8:20 PM, Johan Peeters  wrote:
> nice one, Gary. Finally something positive about agile and DevOps. A
> trick that you may have missed is immutable servers, see Docker and
> friends. They will be a leap forward for server security when they hit
> the mainstream.

Immutable servers are nice -- let's deploy them. Yet, in an execution
environment where code is data and data is code, high assurance
software will also require control-flow integrity in the face of
malicious input. Or, what we would be left with are weird machines
instantiated from disposable images.

-- Alfonso



[SC-L] Silver Bullet 113: Chandu Ketkar

2015-09-06 Thread Gary McGraw
hi sc-l,

The new episode of Silver Bullet features a conversation with Chandu Ketkar. 
Chandu has 20+ years of experience in software, starting as a developer and 
working his way to a secure design proponent.  Have a listen:
http://bit.ly/SB-chandu

We discuss threat modelling, architectural analysis, healthcare security, 
economics, and what developers think of security (not necessarily in that 
order).  You can also find out what Chandu’s favorite Indian music is when you 
listen.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] SearchSecurity: Dynamism

2015-08-30 Thread Alfonso De Gregorio
On Thu, Aug 20, 2015 at 8:20 PM, Johan Peeters y...@johanpeeters.com wrote:
> nice one, Gary. Finally something positive about agile and DevOps. A
> trick that you may have missed is immutable servers, see Docker and
> friends. They will be a leap forward for server security when they hit
> the mainstream.

Immutable servers are nice -- let's deploy them. Yet, in an execution
environment where code is data and data is code, high assurance
software will also require control-flow integrity in the face of
malicious input. Or, what we would be left with are weird machines
instantiated from disposable images.

-- Alfonso


Re: [SC-L] SearchSecurity: Dynamism

2015-08-28 Thread Johan Peeters
nice one, Gary. Finally something positive about agile and DevOps. A
trick that you may have missed is immutable servers, see Docker and
friends. They will be a leap forward for server security when they hit
the mainstream.


[SC-L] SearchSecurity: Dynamism

2015-08-20 Thread Gary McGraw
hi sc-l,

What is the relationship between dynamic languages and dynamic methodologies?  
What is the impact on software security?

This article provides a gentle introduction: http://bit.ly/gem-dynamic

Feedback welcome.  Pass it on.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] Silver Bullet 112: Matthew Green and Steve Bellovin on Crypto Back Doors

2015-07-23 Thread Gary McGraw
hi sc-l,

For the latest episode of Silver Bullet, we spoke to two of the fifteen 
co-authors of the Keys Under Doormats paper describing the technical peril of 
implementing crypto back doors as FBI Director Comey has suggested.  Steve 
Bellovin comes at the problem with years of experience and direct involvement 
in the first crypto wars.  Matthew Green comes to the problem with a solid 
understanding of applied cryptography in real world systems.  Have a listen:

http://bit.ly/SB-crypto-wars

As always, your feedback on SilverBullet is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



Re: [SC-L] Silver Bullet 111: Marcus Ranum

2015-07-16 Thread Gunnar Peterson
In case anyone needs a summer project, I wonder what percentage of issues 
discussed in the 111 shows are still issues today? 

-gunnar 

> On Jul 7, 2015, at 11:45 AM, Kevin W. Wall kevin.w.w...@gmail.com wrote:
>
> Ah, I see...so the dirty trick is that you are finally doing reruns.
> Syndication can't be far behind. ;-)
>
> -kevin
> Sent from my Droid; please excuse typos.
>
> On Jul 7, 2015 12:07 PM, Gary McGraw g...@cigital.com wrote:
> > hi sc-l,
> >
> > Silver Bullet episode 111 is a sneaky one based around a “dirty brilliant
> > trick.”  The episode features Marcus Ranum, inventor of the proxy firewall
> > and all around security guru.  We talk about perimeter security, software
> > security, security progress (or lack of such) and whether hackers are
> > necessary for security.
> >
> > http://bit.ly/sb111-mjr   (or for purists
> > http://www.cigital.com/silver-bullet/show-111/)
> >
> > So what was the trick?  At the end of the episode I revealed that during
> > episode 3 (recorded exactly 9 years before episode 111), I asked Marcus
> > exactly the same set of questions.  Wonder how consistent Marcus is over nine
> > years?  Compare and contrast http://www.cigital.com/silver-bullet/show-003/
> >
> > gem
> >




Re: [SC-L] Silver Bullet 111: Marcus Ranum

2015-07-10 Thread Kevin W. Wall
Ah, I see...so the dirty trick is that you are finally doing reruns.
Syndication can't be far behind. ;-)

-kevin
Sent from my Droid; please excuse typos.
On Jul 7, 2015 12:07 PM, Gary McGraw g...@cigital.com wrote:

> hi sc-l,
>
> Silver Bullet episode 111 is a sneaky one based around a “dirty brilliant
> trick.”  The episode features Marcus Ranum, inventor of the proxy firewall
> and all around security guru.  We talk about perimeter security, software
> security, security progress (or lack of such) and whether hackers are
> necessary for security.
>
> http://bit.ly/sb111-mjr   (or for purists
> http://www.cigital.com/silver-bullet/show-111/)
>
> So what was the trick?  At the end of the episode I revealed that during
> episode 3 (recorded exactly 9 years before episode 111), I asked Marcus
> exactly the same set of questions.  Wonder how consistent Marcus is over
> nine years?  Compare and contrast
> http://www.cigital.com/silver-bullet/show-003/
>
> gem




[SC-L] Ruxcon 2015 Final Call For Presentations

2015-07-07 Thread cfp
Ruxcon 2015 Final Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the first round of Call For 
Presentations for Ruxcon 2015.

This year the conference will take place over the weekend of the 24th and 25th 
of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 15th of September, 2015.


.[x]. About Ruxcon .[x]. 

Ruxcon is a premier technical computer security conference in Australia. 
The conference aims to bring together the individual talents of the best and 
brightest security folk in the region, through live presentations, activities 
and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing 
attendees to enjoy themselves whilst networking within the community and 
expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and 
offensive security topics, varying from previously unpublished research to 
required reading for the security community. 


.[x]. Important Dates .[x].

 September 30 - Final Call For Presentations Close
 October 22-23 - Breakpoint Conference
 October 24-25 - Ruxcon Conference


.[x]. Topic Scope .[x].

 Topics of interest include, but are not limited to:
 o Mobile Device Security
 o Virtualization, Hypervisor, and Cloud Security
 o Malware Analysis
 o Reverse Engineering
 o Exploitation Techniques
 o Rootkit Development
 o Code Analysis
 o Forensics and Anti-Forensics
 o Embedded Device Security
 o Web Application Security
 o Network Traffic Analysis
 o Wireless Network Security
 o Cryptography and Cryptanalysis
 o Social Engineering
 o Law Enforcement Activities
 o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)


.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

 1. Presentation title
 2. Detailed summary of your presentation material
 3. Name/Nickname
 4. Mobile phone number
 5. Brief personal biography
 6. Description of any demonstrations involved in the presentation
 7. Information on where the presentation material has or will be presented 
before Ruxcon

 To submit a presentation please use our submission form: http://goo.gl/WXNBvr

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, 
including question time. 
 

.[x]. Contact .[x].

 o Email: presentati...@ruxcon.org.au
 o Twitter: @ruxcon


[SC-L] Silver Bullet 111: Marcus Ranum

2015-07-07 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 111 is a sneaky one based around a “dirty brilliant 
trick.”  The episode features Marcus Ranum, inventor of the proxy firewall and 
all around security guru.  We talk about perimeter security, software security, 
security progress (or lack of such) and whether hackers are necessary for 
security.

http://bit.ly/sb111-mjr   (or for purists 
http://www.cigital.com/silver-bullet/show-111/)

So what was the trick?  At the end of the episode I revealed that during 
episode 3 (recorded exactly 9 years before episode 111), I asked Marcus exactly 
the same set of questions.  Wonder how consistent Marcus is over nine years?  
Compare and contrast http://www.cigital.com/silver-bullet/show-003/

gem



[SC-L] Silver Bullet 110: Paul Dorey

2015-06-04 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 110 features Paul Dorey.  Paul was one of the original 
CSOs of Europe, ultimately serving as the CSO of BP.  He and I are on an 
Advisory Board together, and most recently, Paul and I did a “fireside chat” at 
the BSIMM Europe Conference.  We talk about the CSO job, software security, and 
a few other things on this episode:

http://bit.ly/SB-dorey

As always, your feedback is welcome.  Please post, tweet, share, email, etc.  
Spread the #swsec meme.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] RSA Antidote: Bart Preneel on Silver Bullet 109

2015-04-27 Thread Gary McGraw
hi sc-l,

Lots of us have RSA Conference goo leaking out of our ears by now.  Yerg.  
Here’s a quick antidote from a serious cryptographer.  Bart Preneel is a 
professor at KU Leuven (founded in 1425).  He is an exceptional 
cryptographer and a huge supporter of software security in Europe.

http://bit.ly/SB-bart

As always, your feedback is welcome.  Two more days of RSA to go.  Please send 
reinforcements.

gem



[SC-L] Ruxcon 2015 Call For Presentations

2015-04-13 Thread cfp
Ruxcon 2015 Call For Presentations
Melbourne, Australia, October 24-25
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the first round of Call For 
Presentations for Ruxcon 2015.

This year the conference will take place over the weekend of the 24th and 25th 
of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 30th of June, 2015.


.[x]. About Ruxcon .[x]. 

Ruxcon is a premier technical computer security conference in Australia. 
The conference aims to bring together the individual talents of the best and 
brightest security folk in the region, through live presentations, activities 
and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing 
attendees to enjoy themselves whilst networking within the community and 
expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and 
offensive security topics, varying from previously unpublished research to 
required reading for the security community. 


.[x]. Important Dates .[x].

 June 30 - Call For Presentations Close
 October 22-23 - Breakpoint Conference
 October 24-25 - Ruxcon Conference


.[x]. Topic Scope .[x].

 Topics of interest include, but are not limited to:
 o Mobile Device Security
 o Virtualization, Hypervisor, and Cloud Security
 o Malware Analysis
 o Reverse Engineering
 o Exploitation Techniques
 o Rootkit Development
 o Code Analysis
 o Forensics and Anti-Forensics
 o Embedded Device Security
 o Web Application Security
 o Network Traffic Analysis
 o Wireless Network Security
 o Cryptography and Cryptanalysis
 o Social Engineering
 o Law Enforcement Activities
 o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)


.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

 1. Presentation title
 2. Detailed summary of your presentation material
 3. Name/Nickname
 4. Mobile phone number
 5. Brief personal biography
 6. Description of any demonstrations involved in the presentation
 7. Information on where the presentation material has or will be presented 
before Ruxcon

 To submit a presentation please use our submission form: http://goo.gl/WXNBvr

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, 
including question time. 
 

.[x]. Contact .[x].

 o Email: presentati...@ruxcon.org.au
 o Twitter: @ruxcon


[SC-L] [searchsecurity] How to structure an SSG

2015-03-31 Thread Gary McGraw
hi sc-l,

During the last BSIMM Conference in Monterey, CA, Caroline Wong ran a 
workshop/session during which all 23 firms present shared their BSIMM 
structures with each other.  The event was organized as a poster session. It was 
a great event.  Caroline and I took the data, crunched it, organized it, and 
wrote it up in an article that was just published by SearchSecurity.

http://bit.ly/gem-SSG

If you’re wondering how to structure a new SSG, or refactor an existing SSG, 
take a look at what we discovered.

As always, your feedback is welcome. Tweet to me about it @cigitalgem.

gem


company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 108: Katie Moussouris

2015-03-31 Thread Gary McGraw
hi sc-l,

Just in time for my Spring Break college tour with Eli, here is Silver Bullet 
episode 108, an interview with HackerOne’s Katie Moussouris.

Katie and I talk about bug bounties, early coding (sadly she was a C64 person 
instead of an Apple ][+ person), SDL, BlueHat, mentors, and more.  Have a listen:
http://bit.ly/SB-katie

And as always, please pass it on through all media (twitter, facebook, 
linkedin, email, and good old fashioned word of mouth).

Your feedback is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



Re: [SC-L] CFP: Mobile Security Technologies (MoST) 2015 - Paper submission deadline extension

2015-02-24 Thread Larry Koved
Submission deadline has been extended to this Friday, February 27.


http://ieee-security.org/TC/SPW2015/MoST/cfp.html

MOBILE SECURITY TECHNOLOGIES (MOST) 2015
Thursday, May 21, 2015
The Fairmont Hotel, San Jose, CA
Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems. (For 
full submission details, see the call for papers.)
Previous MoST Workshop:   2014   2013   2012


[SC-L] CFP: Mobile Security Technologies (MoST) 2015 - Final Call for Papers

2015-02-24 Thread Larry Koved
Submission deadline is this Sunday.


http://ieee-security.org/TC/SPW2015/MoST/cfp.html

MOBILE SECURITY TECHNOLOGIES (MOST) 2015
Thursday, May 21, 2015
The Fairmont Hotel, San Jose, CA
Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems. (For 
full submission details, see the call for papers.)
Previous MoST Workshops: 2014, 2013, 2012

IMPORTANT DATES
Paper submission deadline: February 22, 2015 (11:59pm US-PST)
Acceptance notification: March 22, 2015
Camera-ready deadline: April 8th, 2015
Workshop: May 21st, 2015
For more information, please consult the call for papers
Questions about the program and submissions may be directed to the program 
chair: Jonathan Crussell
Questions about the workshop may be directed to either of the workshop 
chairs: Hao Chen and Larry Koved.

We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2015 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to:
Device hardware
Operating systems
Middleware
Mobile web
Secure and efficient communication
Secure application development tools and practices
Privacy
Vulnerabilities and remediation techniques
Usable security
Identity and access control
Risks in putting trust in the device vs. in the network/cloud
Special applications, such as medical monitoring and records
Mobile advertisement
Secure applications and application markets
Economic impact of security and privacy technologies


WORKSHOP CO-CHAIRS
Hao Chen (University of California, Davis)
Larry Koved (IBM Research)
PROGRAM CHAIR
Jonathan Crussell (Sandia National Laboratories)
PROGRAM COMMITTEE
Adrian Ludwig (Google)
Clint Gibler (NCC Group)
David Wagner (University of California, Berkeley)
Hao Chen (University of California, Davis)
Jonathan Crussell (Sandia National Laboratories)
Kapil Singh (IBM Research)
Kevin Butler (University of Florida)
Larry Koved (IBM Research)
Long Lu (Stony Brook University)
Lorenzo Cavallaro (Royal Holloway, University of London)
Markus Jakobsson (Qualcomm Research Silicon Valley)
Mihai Christodorescu (Qualcomm Research Silicon Valley)
William Enck (North Carolina State University)




[SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
hi sc-l,

I wrote my latest SearchSecurity article based on conversations I have been 
having with a number of CSOs and security execs.  It’s about what happens when 
risk management goes bad.  The biggest failure condition seems to be “ignoring 
the lows” entirely.

Anyway, have a read and pass it on: http://bit.ly/risk-gn-bad

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



Re: [SC-L] [article] When risk management goes bad

2015-02-24 Thread Christian Heinrich
Gary,

On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw g...@cigital.com wrote:
 I wrote my latest SearchSecurity article based on conversations I have been 
 having with a number of CSOs and
 security execs.  It’s about what happens when risk management goes bad.  The 
 biggest failure condition seems
 to be “ignoring the lows” entirely.

High technology risks, such as chained exploits, are low business
risks in the context of ISO 31000 et al.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact



Re: [SC-L] [article] When risk management goes bad

2015-02-24 Thread Gary McGraw
hi christian,

Good point.

A combined risk score based on “SIL” levels is what I was using in my 
article.  The combination risk score takes into account both technology 
risk and business risk.  Using one component or the other alone is folly.

gem




On 2/24/15, 4:13 AM, Christian Heinrich christian.heinr...@cmlh.id.au 
wrote:

Gary,

On Sat, Feb 21, 2015 at 6:13 AM, Gary McGraw g...@cigital.com wrote:
 I wrote my latest SearchSecurity article based on conversations I have 
been having with a number of CSOs and
 security execs.  It’s about what happens when risk management goes bad. 
 The biggest failure condition seems
 to be “ignoring the lows” entirely.

High technology risks, such as chained exploits, are low business
risks in the context of ISO 31000 et al.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact



[SC-L] The Web Platform podcast talks security

2015-02-04 Thread Gary McGraw
hi sc-l,

An entire gaggle of devs and architects interviews me about software security.  
Have a listen.  Pass it on:
http://thewebplatform.libsyn.com/28-securing-your-web-applications

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Superbowl Silver Bullet Security Podcast 106: Steve Katz

2015-02-03 Thread Gary McGraw
hi sc-l,

What’s better than the Superbowl?  Silver Bullet of course!  Hah.  Have a 
listen to episode 106 featuring Steve Katz, widely revered as the world’s first 
CISO.  Steve has served as CISO of citibank/citigroup, JP Morgan, Merrill Lynch, 
and Kaiser Permanente.  (We serve on one Advisory Board together.)

http://www.cigital.com/silver-bullet/show-106/

Steve and I discuss security, business, risk management, software security, and 
more.

As always, your feedback and discussion of the episode are welcome.  (Please 
tweet about the episode if you would.)  And happy Superbowl weekend!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem




[SC-L] CFP: Web 2.0 Security and Privacy Workshop Call for Papers - Final call for papers

2015-01-22 Thread Larry Koved
http://ieee-security.org/TC/SPW2015/W2SP/cfp.html

Dear Colleagues,
  Please consider submitting, and/or forwarding to the appropriate 
groups/personnel the opportunity to submit, to the Web 2.0 Security and 
Privacy Workshop (W2SP), which is held as part of the IEEE Computer Society 
Security and Privacy Workshops, in conjunction with the IEEE Symposium on 
Security and Privacy.
  W2SP has had eight successful years, and the goal of this workshop 
has always been to bring together researchers, practitioners, web 
programmers, policy makers, and others interested in the latest 
understanding and advances in the security and privacy of the web, 
browsers, cloud, mobile and their ecosystem. Areas of interest include, but 
are not limited to:
Analysis of Web, Cloud and Mobile Vulnerabilities
Forensic Analysis of Web, Cloud and Mobile Systems
Security Analysis of Web, Cloud and Mobile Systems
Advances in Penetration Testing
Advances in (SQL/code) Injection Attacks
Trustworthy Cloud-based, Web and Mobile services
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile 
Systems
Security and Privacy as a Service
Usable Security and Privacy
Security and Privacy Solutions for the Web, Cloud and Mobile
Identity Management, Pseudonymity and Anonymity
Security/Privacy Web Services/Feeds/Mashups
Provenance and Governance
Security and Privacy Policy Management for the Web, Cloud and Mobile
Next-Generation Web/Mobile Browser Technology
Security/Privacy Extensions and Plug-ins
Online Privacy and Security frameworks
Advertisement and Affiliate fraud
Studies on Understanding Web/Cloud/Mobile Security and Privacy
Technical Solutions for Security and Privacy legislation
Solutions for connecting the Business, Legal, Technical and Social 
aspects on Web/Cloud/Mobile Security and Privacy.
Technologies merging Economics with Security/Privacy
Innovative Security/Privacy Solutions for Industry Verticals
Formal methods in Security
Important Dates

Paper submission deadline: January 26th, 2015 (11:59pm US-PST)
Workshop acceptance notification date: March 5th, 2015
Camera Ready deadline: March 19th, 2015 (11:59pm US-PST)
Presentation deadline: April 14th, 2015 (11:59pm US-PST)
Workshop date: Thursday May 21, 2015 

For more information please view the Website, Call For Papers and 
don't forget to SUBMIT.

Workshop Co-Chairs
Larry Koved (IBM T.J. Watson Research Center)
Tyrone Grandison (Proficiency Labs)
Program Chairs
Sean Thorpe (University of Technology, Jamaica)
Abigail Goldsteen (IBM Research Haifa) 




[SC-L] CFP: Mobile Security Technologies (MoST) 2015

2015-01-22 Thread Larry Koved
http://ieee-security.org/TC/SPW2015/MoST/cfp.html

MOBILE SECURITY TECHNOLOGIES (MOST) 2015
Thursday, May 21, 2015
The Fairmont Hotel, San Jose, CA
Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems. (For 
full submission details, see the call for papers.)
Previous MoST Workshops: 2014, 2013, 2012

IMPORTANT DATES
Paper submission deadline: February 22, 2015 (11:59pm US-PST)
Acceptance notification: March 22, 2015
Camera-ready deadline: April 8th, 2015
Workshop: May 21st, 2015
For more information, please consult the call for papers
Questions about the program and submissions may be directed to the program 
chair: Jonathan Crussell
Questions about the workshop may be directed to either of the workshop 
chairs: Hao Chen and Larry Koved.

We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2015 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to:
Device hardware
Operating systems
Middleware
Mobile web
Secure and efficient communication
Secure application development tools and practices
Privacy
Vulnerabilities and remediation techniques
Usable security
Identity and access control
Risks in putting trust in the device vs. in the network/cloud
Special applications, such as medical monitoring and records
Mobile advertisement
Secure applications and application markets
Economic impact of security and privacy technologies


WORKSHOP CO-CHAIRS
Hao Chen (University of California, Davis)
Larry Koved (IBM Research)
PROGRAM CHAIR
Jonathan Crussell (Sandia National Laboratories)
PROGRAM COMMITTEE
Adrian Ludwig (Google)
Clint Gibler (NCC Group)
David Wagner (University of California, Berkeley)
Hao Chen (University of California, Davis)
Jonathan Crussell (Sandia National Laboratories)
Kapil Singh (IBM Research)
Kevin Butler (University of Florida)
Larry Koved (IBM Research)
Long Lu (Stony Brook University)
Lorenzo Cavallaro (Royal Holloway, University of London)
Markus Jakobsson (Qualcomm Research Silicon Valley)
Mihai Christodorescu (Qualcomm Research Silicon Valley)
William Enck (North Carolina State University)




[SC-L] Silver Bullet: Whitfield Diffie

2015-01-01 Thread Gary McGraw
hi sc-l,

Merry New Year to you all!!

Episode 105 of Silver Bullet is an interview with Whitfield Diffie.  Whit 
co-invented PKI among other things.  We have an in-depth talk about crypto, 
computation, LISP, AI, quantum key distro, and more.

http://bit.ly/SB-diffie

As always, your feedback on Silver Bullet is welcome.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com





[SC-L] CFP: Mobile Security Technologies (MoST) 2015

2014-11-12 Thread Larry Koved
http://ieee-security.org/TC/SPW2015/MoST/

MOBILE SECURITY TECHNOLOGIES (MOST) 2015
Thursday, May 21, 2015
The Fairmont Hotel, San Jose, CA
Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems. (For 
full submission details, see the call for papers.)
Previous MoST Workshops: 2014, 2013, 2012

IMPORTANT DATES
Coming soon
For more information, please consult the call for papers
Questions about the program and submissions may be directed to the program 
chair: Jonathan Crussell
Questions about the workshop may be directed to either of the workshop 
chairs: Hao Chen and Larry Koved.

We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2015 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to:
Device hardware
Operating systems
Middleware
Mobile web
Secure and efficient communication
Secure application development tools and practices
Privacy
Vulnerabilities and remediation techniques
Usable security
Identity and access control
Risks in putting trust in the device vs. in the network/cloud
Special applications, such as medical monitoring and records
Mobile advertisement
Secure applications and application markets
Economic impact of security and privacy technologies


WORKSHOP CO-CHAIRS
Hao Chen (University of California, Davis)
Larry Koved (IBM Research)
PROGRAM CHAIR
Jonathan Crussell (Sandia National Laboratories)
PROGRAM COMMITTEE
Adrian Ludwig (Google)
Clint Gibler (NCC Group)
David Wagner (University of California, Berkeley)
Hao Chen (University of California, Davis)
Jonathan Crussell (Sandia National Laboratories)
Kapil Singh (IBM Research)
Kevin Butler (University of Florida)
Larry Koved (IBM Research)
Long Lu (Stony Brook University)
Lorenzo Cavallaro (Royal Holloway, University of London)
Markus Jakobsson (Qualcomm Research Silicon Valley)
Mihai Christodorescu (Qualcomm Research Silicon Valley)
William Enck (North Carolina State University)


[SC-L] Silver Bullet: Brian Krebs

2014-10-31 Thread Gary McGraw
hi sc-l,

Silver Bullet episode 103 features Brian Krebs, whose website
http://krebsonsecurity.com is among the leading security reporting sites on
the planet.  Brian was once a reporter for the Washington Post, but he went
solo after being let go (too deep for the dinosaur).  Krebs broke a number
of important stories in 2014, including the Target and Home Depot breaches
(among others). 

In our conversation, we discuss old media vs new media, Russian crime
syndicates, political strategy and cyber security, and why the government is
so far behind in software security.

http://www.cigital.com/silver-bullet/show-103/

As always, your feedback on Silver Bullet is welcome (try tweeting to
@cigitalgem).  Thanks for listening.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com 
twitter @cigitalgem







[SC-L] Silver Bullet 102: Richard Danzig

2014-09-21 Thread Gary McGraw
hi sc-l,

The 102nd monthly episode of the Silver Bullet podcast features a conversation 
with Richard Danzig.  Richard is a very accomplished leader who served as 
Secretary of the Navy (among other powerful positions).  He is currently a 
member of the Board of the Center for a New American Security.  Richard is 
attempting in his recent work to bridge the gap between technologists and 
Washington policy makers when it comes to cybersecurity.

http://www.cigital.com/silver-bullet/show-102/

Our wide-ranging conversation focuses mostly on a recent report Richard 
authored titled “Surviving on a Diet of Poisoned Fruit: Reducing the National 
Security Risks of America’s Cyber Dependencies” 
http://www.cnas.org/surviving-diet-poisoned-fruit which I encourage you all 
to read.  At the end of our conversation we discuss what technologists like 
ourselves can do to improve computer security policy in Washington.

As always, your feedback on the podcast is welcome.

In other news, I hope to see some of you at Appsecusa in Denver this week.  I 
am giving Friday morning’s keynote.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] IEEE Center for Secure Design [searchsecurity and silver bullet]

2014-08-27 Thread Gary McGraw
hi sc-l,

This evening in SF we are officially launching the IEEE Center for Secure Design 
with a small event including security people and press.  Jim DelGrosso and I 
will make a short presentation about the CSD during the launch.

I devoted both of my monthly pieces (Silver Bullet and SearchSecurity) to the 
CSD this month.

Please check out this article and pass it on:
http://bit.ly/CSD-SS  
http://searchsecurity.techtarget.com/opinion/McGraw-on-the-IEEE-Center-for-Secure-Design

Also have a listen to the new Silver Bullet podcast featuring Del, Christoph 
Kern from Google, and Yoshi Kohno from University of Washington where we all 
discuss the CSD:
http://www.cigital.com/silver-bullet/show-101/

Finally, note that the IEEE CSD website and an associated work called “Avoiding 
the Top Ten Software Security Flaws” will be live soon:
http://cybersecurity.ieee.org/center-for-secure-design.html

Make sure to read the CSD document.  It’s good stuff.  Discussion welcome!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Ruxcon 2014 Final Call For Presentations

2014-07-15 Thread cfp
Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
CQ Function Centre

http://www.ruxcon.org.au

The Ruxcon team is pleased to announce the Final Call For Presentations for 
Ruxcon 2014.

This year the conference will take place over the weekend of the 11th and 12th 
of October at the CQ Function Centre, Melbourne, Australia.

The deadline for submissions is the 15th of September, 2014.


.[x]. About Ruxcon .[x]. 

Ruxcon is a premier technical computer security conference in Australia. 
The conference aims to bring together the individual talents of the best and 
brightest security folk in the region, through live presentations, activities 
and demonstrations.

The conference is held over two days in a relaxed atmosphere, allowing 
attendees to enjoy themselves whilst networking within the community and 
expanding their knowledge of security.

Live presentations and activities will cover a full range of defensive and 
offensive security topics, varying from previously unpublished research to 
required reading for the security community. 


.[x]. Important Dates .[x].

 September 15  - Call For Presentations Close
 October   6-7 - Ruxcon/Breakpoint Training
 October   8-9 - Breakpoint Conference
 October 11-12 - Ruxcon Conference


.[x]. Topic Scope .[x].

Topics of interest include, but are not limited to:

 o Mobile Device Security
 o Virtualization, Hypervisor, and Cloud Security
 o Malware Analysis
 o Reverse Engineering
 o Exploitation Techniques
 o Rootkit Development
 o Code Analysis
 o Forensics and Anti-Forensics
 o Embedded Device Security
 o Web Application Security
 o Network Traffic Analysis
 o Wireless Network Security
 o Cryptography and Cryptanalysis
 o Social Engineering
 o Law Enforcement Activities
 o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)


.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

 1. Presentation title
 2. Detailed summary of your presentation material
 3. Name/Nickname
 4. Mobile phone number
 5. Brief personal biography
 6. Description of any demonstrations involved in the presentation
 7. Information on where the presentation material has or will be presented 
before Ruxcon

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, 
including question time. 

If you have any enquiries about submissions, or would like to make a 
submission, please send an email to presentati...@ruxcon.org.au


.[x]. Contact .[x].

 o Email: presentati...@ruxcon.org.au
 o Twitter: @ruxcon


Re: [SC-L] SearchSecurity: Medical Devices and Software Security

2014-07-07 Thread Jeremy Epstein
Agree with you - there's nothing new in the article.  I gave a talk a
couple years ago at a conference on biomedical engineering, and there was
one person in the room (out of a few hundred) who had heard of Therac-25.
(Which I assume is what you were referring to with 1985.)

If the article were instead published in a medical device or biomedical
engineering journal, that would be something different.  But as you say,
putting it in on SearchSecurity is just the echo chamber of security folks.

IMHO, anyone who builds medical devices that use software and hasn't read
about Therac-25 should be considered as unqualified.  (And if that gets
anyone on the list to pull out Google, who didn't recognize the reference
to 1985, so much the better!)





On Sun, Jul 6, 2014 at 1:21 AM, security curmudgeon jeri...@attrition.org
wrote:


 On Mon, 30 Jun 2014, Gary McGraw wrote:

 : Chandu Ketkar and I wrote an article about medical device security based
 : on a talk Chandu gave at Kevin Fu's Archimedes conference in Ann Arbor.
 : In the article, we discuss six categories of security defects that
 : Cigital discovers again and again when analyzing medical devices for our
 : customers.  Have a look and pass it on:
 :
 : http://bit.ly/1pPH56p
 :
 : As always, your feedback is welcome.

 Per your request, my feedback:

 Why do so many security professionals think we need yet another article on
 medical devices that give a high-level overview, that ultimately boils
 down to medical devices are not secure?

 We see these every month or three, and have for a long time. Other than
 medical vendors who are very resistant to the idea that their devices have
 issues, who is this written for? Who exactly outside medical vendors think
 that those devices are secure?

 These articles do nothing.. absolutely nothing, to fix problems. They are
 bandwagon articles jumping on the 'medical security' wave that has some
 attention right now. Everyone writing these articles seems to be
 completely new to the medical arena. Most that write this crap that I have
 talked to can't speak to any of the history of medical disclosures. Names
 like Fu and Halperin are foreign to them, and the importance of 1985 in
 the timeline of medical issues is lost on them. If you find yourself
 Googling any of those, thanks for proving my point.

 This shit is not new. These articles are NOT advancing our field or the
 medical field. Sure, you are getting a slice of attention for the issue,
 but mostly in our echo chamber.

 Finally, your intro. Since 1996 my company has analyzed hundreds of
 systems... Really? Hundreds? You might want to fix that, else you come
 across as complete n00bz in the industry. I've done single engagements
 that involved tens of thousands of machines. Perhaps you want to qualify
 that to mean hundreds of vendors? Hundreds per months/year?

 To illustrate I am not the only one who feels this way:
 https://twitter.com/attritionorg/status/485652525589086209

 1 minute later:
 https://twitter.com/SteveSyfuhs/status/485652988044656640

 Seriously, dare to evolve.

 .b


Re: [SC-L] [External] Re: SearchSecurity: Medical Devices and Software Security

2014-07-07 Thread Goertzel, Karen [USA]
Another big frustration: No-one seems to be making any real headway into the 
problem of actually measuring loss attributable to doing nothing - or, in other 
words, losses cradle to grave from operating insufficiently secure systems. 
People try to measure ROI from security, which is a ridiculous concept 
because it involves trying to measure a negative - i.e., this is how many times 
we DIDN'T lose $n - can't be done - or trying to measure how much competitive 
advantage only being hacked 20 vs. 50 times last year gave us as a company - or 
other such silly pseudo-measurements.

What I really want is:

[1] Ability to measure the aggregate of losses attributable to a single 
degradation or failure in an ICT infrastructure (all layers) - not just 
immediate loss due to downtime or degraded performance, but all the costs 
involved in redirecting resources (i.e., to deal with incident response, 
forensics, restoring from backup, implementing COOP, etc.); implementing 
interim short and long-term workarounds, purchases and man-hours involved in 
achieving total recovery to a sustained acceptable working state (ideally the 
same or better state than pre-loss); investment in preemptive actions, things, 
and extraordinary (not what I was already doing) risk management activities to 
prevent a recurrence; plus all the other things I've probably not thought of 
here that contribute to the WHOLE amount of loss (e.g., reputation loss, 
advertising and PR reputation recovery campaigns, legal fees, fines, 
preparations plus actual expenses involved in testifying in court and/or on 
Capitol Hill, additional tests and audits needed, etc.);

[2] Ability to accurately determine which of my ICT-related losses can be 
attributed, in whole or in part (and, in the latter case, what %) to 
intentional malevolent actions by someone (direct or via supply chain or 
operational subversion or sabotage via malware, etc.) - and which losses can be 
attributed to stupid mistakes by someone.

Once I can get a real grip on actual, complete loss amounts - not just the 
stuff that usually gets measured - I can then see if I really have struck the 
right balance between what I spend on security to avoid/prevent loss, and what 
I'm actually losing - so I can figure out if I need to adjust the equation. 
Also, being able to accurately identify all the someones involved in causing 
each loss - e.g., developers, integrators, users, administrators, etc. - while 
this level of attribution isn't necessary to quantify losses - would enable me 
not only to figure out if I'm spending the right amount, but if I'm spending 
the right amount on the right things. For example, if my losses are mainly down 
to crappy or subverted software, investment in mitigating end-user risk is 
going to be of less value than investment in correcting SDLC deficiencies.

In short, every time I read about a new attempt to measure security, it's 
always either too granular or not granular enough, and I'm not seeing any 
credible efforts to apply analysis across all measurement data to actually 
build a COMPLETE picture not only of the current security situation, but of 
the whole cost of security - what it is, and more importantly, what it should 
be.

===
Karen Mercedes Goertzel, CISSP
Senior Lead Scientist
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

Answers are easy. It's asking the right questions which is hard.
- The Doctor


From: Jeffrey Walton [noloa...@gmail.com]
Sent: 07 July 2014 14:56
To: Goertzel, Karen [USA]
Cc: Secure Code Mailing List
Subject: Re: [SC-L] [External] Re: SearchSecurity: Medical Devices and Software Security

> Ever since I read an article about the challenges of remote laser surgery 
> being done by doctors at the Naval Hospital in Bethesda, MD, via satellite 
> link on wounded soldiers in Iraq, I've been warning for years about the need 
> to apply software assurance principles to the development and testing - and 
> SCRM to the acquisition - of medical devices and their embedded software.

https://en.wikipedia.org/wiki/Therac-25 FTW!

> What I want to know is this: When is someone who can actually make a 
> difference going to FINALLY figure out the real potential hazards of the 
> Internet of Things.

+1. Dr. Geer has already warned about it at
http://www.lawfareblog.com/2014/04/heartbleed-as-metaphor/. Can you
imagine the IoT, with medical devices and avionics packages, running
around with little to no testing and little more than the browser
security model. Clear the cache to erase the evidence!!!

> Manufacturers of the latter need to stop trying so bloody hard to improve 
> products that no longer need improvement.

This is a political problem rooted in software liability laws (or lack
thereof). Too many carrots, not enough sticks.

As it stands, it's cost-effective to do nothing. The risk analysis
equations need to be tipped in favor of the consumer or user. Once it
starts costing 

[SC-L] SearchSecurity: Medical Devices and Software Security

2014-07-03 Thread Gary McGraw
hi sc-l,

Chandu Ketkar and I wrote an article about medical device security based on a 
talk Chandu gave at Kevin Fu’s Archimedes conference in Ann Arbor.  In the 
article, we discuss six categories of security defects that Cigital discovers 
again and again when analyzing medical devices for our customers.  Have a look 
and pass it on:

http://bit.ly/1pPH56p

As always, your feedback is welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Silver Bullet 99: Michael Hicks

2014-07-03 Thread Gary McGraw
hi sc-l,

Silver Bullet Security Podcast number 99 (99 months in a row!!) was just 
posted.  This episode features a programming languages smorgasbord with Michael 
Hicks, professor of CS and security at University of Maryland.  We talk type 
safety, closure, why C is bad, what makes dynamic languages like Javascript 
problematic, and so on.  If you like programming languages talk, you’ll dig 
this episode.

Have a listen: https://www.cigital.com/silver-bullet/show-099/

As always, your feedback on the podcast is welcome.  We’re shooting a video for 
episode 100!!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Silver Bullet 98: Bart Miller

2014-06-05 Thread Gary McGraw
hi sc-l,

Bart Miller, computer science professor from Wisconsin, coined the term fuzz 
testing in 1990.  He also is the PI for the DHS SWAMP---a software assurance 
marketplace of sorts.  Bart knows a ton about software analysis.

In episode 98 of Silver Bullet, we geek out about software security, Heartbleed, 
fuzz testing, fault injection, and instrumenting binary code as it runs.  Have 
a listen: http://www.cigital.com/silver-bullet/show-098/

Your feedback is welcome.  Pass it on!

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Breakpoint 2014 Call For Presentations

2014-05-07 Thread cfp
Breakpoint 2014 Call For Papers
Melbourne, Australia, October 8th-9th
Intercontinental Rialto
http://www.ruxconbreakpoint.com


.[x]. Introduction .[x].

 The Ruxcon team is pleased to announce Call For Papers for Breakpoint 2014.

 Breakpoint showcases the work of expert security researchers from around the
 world on a wide range of topics. This conference is organised by the Ruxcon 
 team and offers a specialised security conference to complement and lead into 
 the larger and more casual Ruxcon weekend conference. 


.[x]. Important Dates .[x].

 May 1 - Call For Presentations Open
 August 30 - Call For Presentations Close
 October 6-7 - Breakpoint Training
 October 8-9 - Breakpoint Conference
 October 11-12 - Ruxcon Conference


.[x]. Topic Scope .[x].

Topics of interest include, but are not limited to:

 o Mobile Device Security
 o Exploitation Techniques
 o Reverse Engineering
 o Vulnerability Discovery
 o Rootkit Development
 o Malware Analysis
 o Code Analysis
 o Virtualisation, Hypervisor Security
 o Cloud Security
 o Embedded Device Security
 o Hardware Security
 o Telecommunications Security
 o Wireless Network Security
 o Web Application Security
 o Law Enforcement Activities
 o Forensics
 o Threat Intelligence


.[x]. Submission Guidelines .[x].

 In order for us to process your submission we will require the following 
 information:

 1. Presentation title
 2. Detailed summary of your presentation material
 3. Name/Nickname
 4. Mobile phone number
 5. Brief personal biography
 6. Description of any demonstrations involved in presentation
 7. Information on where the presentation material has or will be presented 
before Breakpoint

 * Preference will be given to presentations that contain original research 
   that will be first presented at Breakpoint. 
 * As a general guideline, Breakpoint presentations are between 
   45 and 60 minutes, including question time. 

 If you have any questions about submissions, or would like to make a 
 submission, please send an email to submissi...@ruxconbreakpoint.com


.[x]. Speaker Benefits .[x].

 Speakers at Breakpoint will be entitled to the following benefits: 
   

 - A return economy airfare to Melbourne (total cost limit applies)
 - Three nights accommodation at the Intercontinental Rialto
 - Complimentary registration for Breakpoint and Ruxcon conferences
 - Invitation to all Breakpoint and Ruxcon parties

 * All speaker benefits apply to a single speaker per submission. 


.[x]. Contact .[x]. 

 If you have any questions or inquiries, contact us at:

 * Email:   submissi...@ruxconbreakpoint.com
 * Twitter: @ruxconbpx




[SC-L] Silver Bullet 97 + SearchSecurity Heartbleed

2014-05-06 Thread Gary McGraw
hi sc-l,

Heartbleed?   Who cares?  We do.  Real lessons here  http://bit.ly/1lBKDsE

Silver Bullet 97.  Programming languages actually matter.  
http://www.cigital.com/silver-bullet/show-097/

Read. Listen. Share. React.

We want your feedback.

gem



[SC-L] Ruxcon 2014 Call For Papers

2014-05-06 Thread cfp
Ruxcon 2014 Call For Presentations
Melbourne, Australia, October 11th-12th
http://www.ruxcon.org.au


The Ruxcon team is pleased to announce the Call For Presentations for Ruxcon 
2014.

This year the conference will take place over the weekend of the 11th and 12th 
of October at the CQ Function Centre, Melbourne, Australia.


.[x]. About Ruxcon .[x]. 

 Ruxcon brings together the individual talents of the best and brightest security 
 folk in the region, through live presentations, activities, and demonstrations.

 The con is held over two days in a relaxed atmosphere, allowing delegates to enjoy 
 themselves whilst networking within the community and expanding their knowledge.

 Live presentations and activities will cover a full range of defensive 
 and offensive security topics, varying from previously unpublished research 
 to required reading for the security community. 


.[x]. Important Dates .[x].

 May 1st - Call For Presentations Open
 September 30th - Call For Presentations Close
 October 6-7 - Ruxcon/Breakpoint Training
 October 8-9 - Breakpoint Conference
 October 11-12 - Ruxcon Conference


.[x]. Topic Scope .[x].

 Topics of interest include, but are not limited to:

 o Mobile Device Security
 o Virtualization, Hypervisor, and Cloud Security
 o Malware Analysis
 o Reverse Engineering
 o Exploitation Techniques
 o Rootkit Development
 o Code Analysis
 o Forensics and Anti-Forensics
 o Embedded Device Security
 o Web Application Security
 o Network Traffic Analysis
 o Wireless Network Security
 o Cryptography and Cryptanalysis
 o Social Engineering
 o Law Enforcement Activities
 o Telecommunications Security (SS7, 3G/4G, GSM, VOIP, etc)


.[x]. Submission Guidelines .[x].

In order for us to process your submission we require the following information:

 1. Presentation title
 2. Detailed summary of your presentation material
 3. Name/Nickname
 4. Mobile phone number
 5. Brief personal biography
 6. Description of any demonstrations involved in the presentation
 7. Information on where the presentation material has or will be presented 
before Ruxcon

* As a general guideline, Ruxcon presentations are between 45 and 60 minutes, 
  including question time. 
 
 If you have any enquiries about submissions, or would like to make a 
 submission, please send an email to presentati...@ruxcon.org.au


.[x]. Contact .[x].

 o Email: submissi...@ruxcon.org.au
 o Twitter: @ruxcon


[SC-L] CFP: Mobile Security Technologies (MoST) 2014 - Call for Participation - May 17

2014-05-06 Thread Larry Koved
http://mostconf.org/2014/cfp.html 

Mobile Security Technologies (MoST) 2014 

Saturday May 17, 2014

co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE SP 2014) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2014)  

Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems. 

Topics 
We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2014 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to: 
Device hardware 
Operating systems 
Middleware 
Mobile web 
Secure and efficient communication 
Secure application development tools and practices 
Privacy 
Vulnerabilities and remediation techniques 
Usable security 
Identity and access control 
Risks in putting trust in the device vs. in the network/cloud 
Special applications, such as medical monitoring and records 
Mobile advertisement 
Secure applications and application markets 
Economic impact of security and privacy technologies

Paper Submission Instructions 

All accepted papers will be published online in the workshop proceedings. 

Organizing Committee 
Hao Chen, University of California, Davis 
Larry Koved, IBM Research
Program Chair 
Kapil Singh, IBM Research

Program Committee 
Kevin Butler (University of Oregon)
Hao Chen (University of California, Davis)
William Enck (North Carolina State University)
Adrienne Porter Felt (Google)
Rajarshi Gupta (Qualcomm Research Silicon Valley)
Markus Jakobsson (Qualcomm Research Silicon Valley)
Jaeyeon Jung (Microsoft Research)
Larry Koved (IBM Research)
Zhichun Li (NEC Research Labs)
Long Lu (Stony Brook University)
Adrian Ludwig (Google)
David Wagner (University of California, Berkeley)




Re: [SC-L] WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS - Call for Participation - May 18

2014-05-06 Thread Larry Koved
http://w2spconf.com/2014/

WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS 

IMPORTANT DATES 
Workshop date: Sunday, May 18, 2014 


W2SP brings together researchers, practitioners, web programmers, policy 
makers, and others interested in the latest understanding and advances in 
the security and privacy of the web, browsers, cloud, mobile and their 
eco-system. We have had seven years of successful W2SP workshops. This 
year, we will additionally invite selected papers to a special issue of 
the journal. 
W2SP is held in conjunction with the IEEE Symposium on Security and 
Privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel 
in San Jose, California. W2SP will continue to be open-access: all papers 
will be made available on the workshop website, and authors will not need 
to forfeit their copyright. 
We are seeking both short position papers (2–4 pages) and longer papers (a 
maximum of 10 pages). Papers must be formatted for US letter (not A4) size 
paper with margins of at least 3/4 inch on all sides. The text must be 
formatted in a two-column layout, with columns no more than 9 in. high and 
3.375 in. wide. The text must be in Times font, 10-point or larger, with 
12-point or larger line spacing. Authors are encouraged to use the IEEE 
conference proceedings templates. 
The scope of W2SP 2014 includes, but is not limited to: 
Analysis of Web, Cloud and Mobile Vulnerabilities 
Forensic Analysis of Web, Cloud and Mobile Systems 
Security Analysis of Web, Cloud and Mobile Systems 
Advances in Penetration Testing 
Advances in (SQL/code) Injection Attacks 
Trustworthy Cloud-based, Web and Mobile services 
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile 
Systems 
Security and Privacy as a Service 
Usable Security and Privacy 
Security and Privacy Solutions for the Web, Cloud and Mobile 
Identity Management, Pseudonymity and Anonymity 
Security/Privacy Web Services/Feeds/Mashups 
Provenance and Governance 
Security and Privacy Policy Management for the Web, Cloud and Mobile 
Next-Generation Web/Mobile Browser Technology 
Security/Privacy Extensions and Plug-ins 
Online Privacy and Security frameworks 
Advertisement and Affiliate fraud 
Studies on Understanding Web/Cloud/Mobile Security and Privacy 
Technical Solutions for Security and Privacy legislation 
Solutions for connecting the Business, Legal, Technical and Social aspects 
on Web/Cloud/Mobile Security and Privacy. 
Technologies merging Economics with Security/Privacy 
Innovative Security/Privacy Solutions for Industry Verticals
Any questions should be directed to the program chair: 
tgrandi...@proficiencylabs.com. 

WORKSHOP CO-CHAIRS 
Larry Koved (IBM Research) 
Matt Fredrikson (University of Wisconsin - Madison) 
PROGRAM CHAIR 
Tyrone Grandison (Proficiency Labs) 
PROGRAM COMMITTEE 
Aaron Massey (Georgia Institute of Technology) 
Adrienne Porter Felt (Google) 
Aleecia M. McDonald (Center for Internet & Society) 
Alex Smolen (Twitter) 
Alexander Polyakov (ERPScan) 
Amine Cherrai (Amine Cherrai Consulting) 
Anand Prakash (E-Billing Solutions Pvt. Ltd) 
Bhavani Thuraisingham (University of Texas - Dallas) 
Brad Malin (Vanderbilt University) 
Carrie Gates (CA Technologies) 
Christy Philip Matthew (Offcon Info Security) 
Dieter Gollmann (Hamburg University of Technology) 
Elena Ferrari (University of Insubria) 
Gerome Miklau (University of Massachusetts - Amherst) 
Hakan Hacigumus (NEC Labs) 
Ilya Mironov (Microsoft Research) 
James Kettle (Context Information Security) 
Kimberley Hall (Security Advisory & Management Services Ltd) 
Michael Franz (University of California - Irvine) 
Michael Waidner (Technische Universitat Darmstadt) 
Monica Chew (Mozilla) 
Pierangela Samarati (University of Milan) 
Rafae Bhatti (Price Waterhouse Coopers) 
Reginaldo Silva (Ubercomp) 
Rose Gamble (University of Tulsa) 
Sabrina De Capitani di Vimercati (University of Milan) 
Sean Thorpe (University of Technology - Jamaica) 
Sid Stamm (Mozilla) 
Simson Garfinkel (Naval Postgraduate School) 
Szymon Gruszecki 
Varun Bhagwan (Yahoo) 
Vinnie Moscaritolo (Silent Circle)



[SC-L] WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS - Call for Participation

2014-04-15 Thread Larry Koved
http://w2spconf.com/2014/


WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS 

IMPORTANT DATES 

Workshop date: Sunday, May 18, 2014 


W2SP brings together researchers, practitioners, web programmers, policy 
makers, and others interested in the latest understanding and advances in 
the security and privacy of the web, browsers, cloud, mobile and their 
eco-system. We have had seven years of successful W2SP workshops. This 
year, we will additionally invite selected papers to a special issue of 
the journal. 
W2SP is held in conjunction with the IEEE Symposium on Security and 
Privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel 
in San Jose, California. W2SP will continue to be open-access: all papers 
will be made available on the workshop website, and authors will not need 
to forfeit their copyright. 
We are seeking both short position papers (2–4 pages) and longer papers (a 
maximum of 10 pages). Papers must be formatted for US letter (not A4) size 
paper with margins of at least 3/4 inch on all sides. The text must be 
formatted in a two-column layout, with columns no more than 9 in. high and 
3.375 in. wide. The text must be in Times font, 10-point or larger, with 
12-point or larger line spacing. Authors are encouraged to use the IEEE 
conference proceedings templates. 
The scope of W2SP 2014 includes, but is not limited to: 
Analysis of Web, Cloud and Mobile Vulnerabilities 
Forensic Analysis of Web, Cloud and Mobile Systems 
Security Analysis of Web, Cloud and Mobile Systems 
Advances in Penetration Testing 
Advances in (SQL/code) Injection Attacks 
Trustworthy Cloud-based, Web and Mobile services 
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile 
Systems 
Security and Privacy as a Service 
Usable Security and Privacy 
Security and Privacy Solutions for the Web, Cloud and Mobile 
Identity Management, Pseudonymity and Anonymity 
Security/Privacy Web Services/Feeds/Mashups 
Provenance and Governance 
Security and Privacy Policy Management for the Web, Cloud and Mobile 
Next-Generation Web/Mobile Browser Technology 
Security/Privacy Extensions and Plug-ins 
Online Privacy and Security frameworks 
Advertisement and Affiliate fraud 
Studies on Understanding Web/Cloud/Mobile Security and Privacy 
Technical Solutions for Security and Privacy legislation 
Solutions for connecting the Business, Legal, Technical and Social aspects 
on Web/Cloud/Mobile Security and Privacy. 
Technologies merging Economics with Security/Privacy 
Innovative Security/Privacy Solutions for Industry Verticals
Any questions should be directed to the program chair: 
tgrandi...@proficiencylabs.com. 

WORKSHOP CO-CHAIRS 
Larry Koved (IBM Research) 
Matt Fredrikson (University of Wisconsin - Madison) 
PROGRAM CHAIR 
Tyrone Grandison (Proficiency Labs) 
PROGRAM COMMITTEE 
Aaron Massey (Georgia Institute of Technology) 
Adrienne Porter Felt (Google) 
Aleecia M. McDonald (Center for Internet & Society) 
Alex Smolen (Twitter) 
Alexander Polyakov (ERPScan) 
Amine Cherrai (Amine Cherrai Consulting) 
Anand Prakash (E-Billing Solutions Pvt. Ltd) 
Bhavani Thuraisingham (University of Texas - Dallas) 
Brad Malin (Vanderbilt University) 
Carrie Gates (CA Technologies) 
Christy Philip Matthew (Offcon Info Security) 
Dieter Gollmann (Hamburg University of Technology) 
Elena Ferrari (University of Insubria) 
Gerome Miklau (University of Massachusetts - Amherst) 
Hakan Hacigumus (NEC Labs) 
Ilya Mironov (Microsoft Research) 
James Kettle (Context Information Security) 
Kimberley Hall (Security Advisory & Management Services Ltd) 
Michael Franz (University of California - Irvine) 
Michael Waidner (Technische Universitat Darmstadt) 
Monica Chew (Mozilla) 
Pierangela Samarati (University of Milan) 
Rafae Bhatti (Price Waterhouse Coopers) 
Reginaldo Silva (Ubercomp) 
Rose Gamble (University of Tulsa) 
Sabrina De Capitani di Vimercati (University of Milan) 
Sean Thorpe (University of Technology - Jamaica) 
Sid Stamm (Mozilla) 
Simson Garfinkel (Naval Postgraduate School) 
Szymon Gruszecki 
Varun Bhagwan (Yahoo) 
Vinnie Moscaritolo (Silent Circle)


Re: [SC-L] [External] Firewalls, Fairy Dust, and Forensics

2014-04-04 Thread Goertzel, Karen [USA]
The one point that's missing from the article is to remind people: What the 
heck do you think firewalls are made of? Software! So unless a software 
manufacturer has got software security religion, their product is just as 
likely to be broken inside as the things it allegedly protects. 

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

I love humans. Always seeing patterns in things that aren't there.
- The Doctor


From: SC-L [sc-l-boun...@securecoding.org] on behalf of Gary McGraw 
[g...@cigital.com]
Sent: 31 March 2014 18:40
To: Secure Code Mailing List
Subject: [External]  [SC-L] Firewalls, Fairy Dust, and Forensics

hi sc-l,

Ever get discouraged that we have not been making enough progress in software 
security?  Well, we have been making plenty of progress and our field is 
growing fast!   This peppy little article (co-authored with Sammy Migues) 
explains why firewalls, fairy dust, and forensics are not working out for 
computer security.

Oh, and software security is growing at 20% CAGR and now accounts for 10% of 
the computer security market (which is itself growing at 8.9%).  We are in the 
right field, and this mailing list is a major help.

Please read this: 
http://searchsecurity.techtarget.com/opinion/McGraw-Firewalls-fairy-dust-and-forensics-Try-software-security
Then have your SSG members read it.  You do have an SSG, right?

Feel free to post links to twitter, facebook, linkedin, and send it around (by 
pointer).  I would really appreciate that.

Thanks!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



Re: [SC-L] [External] Firewalls, Fairy Dust, and Forensics

2014-04-04 Thread Gary McGraw
hi karen,

Good point, and one that I usually make!  I agree.

gem

On 4/1/14, 9:16 AM, Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:

The one point that's missing from the article is to remind people: What
the heck do you think firewalls are made of? Software! So unless a
software manufacturer has got software security religion, their product
is just as likely to be broken inside as the things it allegedly
protects. 

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com

I love humans. Always seeing patterns in things that aren't there.
- The Doctor


From: SC-L [sc-l-boun...@securecoding.org] on behalf of Gary McGraw
[g...@cigital.com]
Sent: 31 March 2014 18:40
To: Secure Code Mailing List
Subject: [External]  [SC-L] Firewalls, Fairy Dust, and Forensics

hi sc-l,

Ever get discouraged that we have not been making enough progress in
software security?  Well, we have been making plenty of progress and our
field is growing fast!   This peppy little article (co-authored with
Sammy Migues) explains why firewalls, fairy dust, and forensics are not
working out for computer security.

Oh, and software security is growing at 20% CAGR and now accounts for 10%
of the computer security market (which is itself growing at 8.9%).  We
are in the right field, and this mailing list is a major help.

Please read this:
http://searchsecurity.techtarget.com/opinion/McGraw-Firewalls-fairy-dust-and-forensics-Try-software-security
Then have your SSG members read it.  You do have an SSG, right?

Feel free to post links to twitter, facebook, linkedin, and send it
around (by pointer).  I would really appreciate that.

Thanks!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com





[SC-L] Silver Bullet 96: Nate Fick, CEO of Endgame (and combat veteran)

2014-04-04 Thread Gary McGraw
hi sc-l,

Nate Fick is an interesting man.  He has a classics degree from Dartmouth, 
where he is now a Trustee.  He served combat tours in Afghanistan and Iraq, 
resulting in the book “One Bullet Away” and the HBO series “Generation Kill.”  
He served as the CEO of an important new think tank, the Center for New 
American Security.  While he was at CNAS, we wrote this: 
http://www.cigital.com/papers/download/mcgraw-fick-CNAS.pdf  And then he 
transitioned to become CEO of Endgame.  When he did that, I was worried, since 
Endgame was performing services that did not help security at all.  He has 
turned Endgame around completely.

We talk about that, about “cyber war” versus real war, policy people in 
Washington, security hype, and running a startup in the security space.  Have a 
listen, and pass it on: http://www.cigital.com/silver-bullet/show-096/

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com
twitter @cigitalgem



[SC-L] Firewalls, Fairy Dust, and Forensics

2014-04-01 Thread Gary McGraw
hi sc-l,

Ever get discouraged that we have not been making enough progress in software 
security?  Well, we have been making plenty of progress and our field is 
growing fast!   This peppy little article (co-authored with Sammy Migues) 
explains why firewalls, fairy dust, and forensics are not working out for 
computer security.

Oh, and software security is growing at 20% CAGR and now accounts for 10% of 
the computer security market (which is itself growing at 8.9%).  We are in the 
right field, and this mailing list is a major help.

Please read this: 
http://searchsecurity.techtarget.com/opinion/McGraw-Firewalls-fairy-dust-and-forensics-Try-software-security
  Then have your SSG members read it.  You do have an SSG, right?

Feel free to post links to twitter, facebook, linkedin, and send it around (by 
pointer).  I would really appreciate that.

Thanks!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] IEEE Computer article

2014-03-26 Thread Gary McGraw
hi sc-l,

I was asked to write an article for IEEE Computer’s security column this month. 
 It’s about software security.

Security Fatigue? Shift Your Paradigm
http://www.cigital.com/presentations/mco2014030081.pdf (IEEE Computer Society, March 2014)

As always, your feedback is welcome.  You can find many of my writings here: 
http://www.cigital.com/~gem/writings/

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Paul dot com podcast on #swsec at 6pm EST

2014-03-20 Thread Gary McGraw
hi sc-l,

Tonight at 6pm EST I will be participating in a paul dot com webcast and 
talking all things software security.  Please tune in if you can, and spread 
the word!

http://securityweekly.com/watch

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com





[SC-L] CFP: Mobile Security Technologies (MoST) 2014 - Deadline extended to March 10

2014-03-09 Thread Larry Koved
http://mostconf.org/2014/cfp.html 

Mobile Security Technologies (MoST) 2014

co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE SP 2014) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2014) 

Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems.
Topics
We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2014 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to:
Device hardware
Operating systems
Middleware
Mobile web
Secure and efficient communication
Secure application development tools and practices
Privacy
Vulnerabilities and remediation techniques
Usable security
Identity and access control
Risks in putting trust in the device vs. in the network/cloud
Special applications, such as medical monitoring and records
Mobile advertisement
Secure applications and application markets
Economic impact of security and privacy technologies

Paper Submission Instructions

All accepted papers will be published online in the workshop proceedings. 
Important Dates
Paper submission deadline: March 10, 2014 (11:59pm US-PST).
Acceptance notification: March 31, 2014.

Organizing Committee
Hao Chen, University of California, Davis
Larry Koved, IBM Research
Program Chair
Kapil Singh, IBM Research
Program Committee
Kevin Butler (University of Oregon)
Hao Chen (University of California, Davis)
William Enck (North Carolina State University)
Adrienne Porter Felt (Google)
Rajarshi Gupta (Qualcomm Research Silicon Valley)
Markus Jakobsson (Qualcomm Research Silicon Valley)
Jaeyeon Jung (Microsoft Research)
Larry Koved (IBM Research)
Zhichun Li (NEC Research Labs)
Long Lu (Stony Brook University)
Adrian Ludwig (Google)
David Wagner (University of California, Berkeley)


[SC-L] CFP: WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS - Deadline extension to March 5

2014-03-09 Thread Larry Koved
WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS 

IMPORTANT DATES 
Paper submission deadline: March 5, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014 
Workshop paper submission web site: 
https://www.easychair.org/conferences/?conf=w2sp2014 

W2SP brings together researchers, practitioners, web programmers, policy 
makers, and others interested in the latest understanding and advances in 
the security and privacy of the web, browsers, cloud, mobile and their 
eco-system. We have had seven years of successful W2SP workshops. This 
year, we will additionally invite selected papers to a special issue of 
the journal. 
W2SP is held in conjunction with the IEEE Symposium on Security and 
privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel 
in San Jose, California. W2SP will continue to be open-access: all papers 
will be made available on the workshop website, and authors will not need 
to forfeit their copyright. 
We are seeking both short position papers (2–4 pages) and longer papers (a 
maximum of 10 pages). Papers must be formatted for US letter (not A4) size 
paper with margins of at least 3/4 inch on all sides. The text must be 
formatted in a two-column layout, with columns no more than 9 in. high and 
3.375 in. wide. The text must be in Times font, 10-point or larger, with 
12-point or larger line spacing. Authors are encouraged to use the IEEE 
conference proceedings templates. 
The scope of W2SP 2014 includes, but is not limited to: 
Analysis of Web, Cloud and Mobile Vulnerabilities 
Forensic Analysis of Web, Cloud and Mobile Systems 
Security Analysis of Web, Cloud and Mobile Systems 
Advances in Penetration Testing 
Advances in (SQL/code) Injection Attacks 
Trustworthy Cloud-based, Web and Mobile services 
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile 
Systems 
Security and Privacy as a Service 
Usable Security and Privacy 
Security and Privacy Solutions for the Web, Cloud and Mobile 
Identity Management, Pseudonymity and Anonymity 
Security/Privacy Web Services/Feeds/Mashups 
Provenance and Governance 
Security and Privacy Policy Management for the Web, Cloud and Mobile 
Next-Generation Web/Mobile Browser Technology 
Security/Privacy Extensions and Plug-ins 
Online Privacy and Security frameworks 
Advertisement and Affiliate fraud 
Studies on Understanding Web/Cloud/Mobile Security and Privacy 
Technical Solutions for Security and Privacy legislation 
Solutions for connecting the Business, Legal, Technical and Social aspects 
on Web/Cloud/Mobile Security and Privacy. 
Technologies merging Economics with Security/Privacy 
Innovative Security/Privacy Solutions for Industry Verticals
Any questions should be directed to the program chair: 
tgrandi...@proficiencylabs.com. 

WORKSHOP CO-CHAIRS 
Larry Koved (IBM Research) 
Matt Fredrikson (University of Wisconsin - Madison) 
PROGRAM CHAIR 
Tyrone Grandison (Proficiency Labs) 
PROGRAM COMMITTEE 
Aaron Massey (Georgia Institute of Technology) 
Adrienne Porter Felt (Google) 
Aleecia M. McDonald (Center for Internet & Society) 
Alex Smolen (Twitter) 
Alexander Polyakov (ERPScan) 
Amine Cherrai (Amine Cherrai Consulting) 
Anand Prakash (E-Billing Solutions Pvt. Ltd) 
Bhavani Thuraisingham (University of Texas - Dallas) 
Brad Malin (Vanderbilt University) 
Carrie Gates (CA Technologies) 
Christy Philip Matthew (Offcon Info Security) 
Dieter Gollmann (Hamburg University of Technology) 
Elena Ferrari (University of Insubria) 
Gerome Miklau (University of Massachusetts - Amherst) 
Hakan Hacigumus (NEC Labs) 
Ilya Mironov (Microsoft Research) 
James Kettle (Context Information Security) 
Kimberley Hall (Security Advisory & Management Services Ltd) 
Michael Franz (University of California - Irvine) 
Michael Waidner (Technische Universitat Darmstadt) 
Monica Chew (Mozilla) 
Pierangela Samarati (University of Milan) 
Rafae Bhatti (Price Waterhouse Coopers) 
Reginaldo Silva (Ubercomp) 
Rose Gamble (University of Tulsa) 
Sabrina De Capitani di Vimercati (University of Milan) 
Sean Thorpe (University of Technology - Jamaica) 
Sid Stamm (Mozilla) 
Simson Garfinkel (Naval Postgraduate School) 
Szymon Gruszecki 
Varun Bhagwan (Yahoo) 
Vinnie Moscaritolo (Silent Circle)  



[SC-L] Silver Bullet 95: Charlie Miller

2014-02-28 Thread Gary McGraw
hi sc-l,

Greetings from RSA, where the show gets underway today.  I hope to see some 
sc-l readers out here.  (Come see us during the show 
https://www.cigital.com/blog/2014/01/rsa-2014/.)

Episode 95 of silver bullet features a conversation with Charlie Miller, who now 
works at Twitter as a security engineer.  Charlie is well known for his 
spectacular Apple hacks.  Lately, he has turned his attention to cars.  We talk 
about fuzzing, exploit development, and their relationship to software security.

http://www.cigital.com/silver-bullet/show-095/

Have a listen and pass it on.  As always, your feedback is welcome

gem

company www.cigital.com
podcast www.cigital.com/silver-bullet
blog www.cigital.com/justiceleague
book www.swsec.com



[SC-L] Final CFP: WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

2014-02-19 Thread Larry Koved
WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

IMPORTANT DATES
Paper submission deadline: February 26, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014
Workshop paper submission web site: 
https://www.easychair.org/conferences/?conf=w2sp2014

W2SP brings together researchers, practitioners, web programmers, policy 
makers, and others interested in the latest understanding and advances in 
the security and privacy of the web, browsers, cloud, mobile and their 
eco-system. We have had seven years of successful W2SP workshops. This 
year, we will additionally invite selected papers to a special issue of 
the journal.
W2SP is held in conjunction with the IEEE Symposium on Security and 
privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel 
in San Jose, California. W2SP will continue to be open-access: all papers 
will be made available on the workshop website, and authors will not need 
to forfeit their copyright.
We are seeking both short position papers (2–4 pages) and longer papers (a 
maximum of 10 pages). Papers must be formatted for US letter (not A4) size 
paper with margins of at least 3/4 inch on all sides. The text must be 
formatted in a two-column layout, with columns no more than 9 in. high and 
3.375 in. wide. The text must be in Times font, 10-point or larger, with 
12-point or larger line spacing. Authors are encouraged to use the IEEE 
conference proceedings templates.
The scope of W2SP 2014 includes, but is not limited to:
Analysis of Web, Cloud and Mobile Vulnerabilities
Forensic Analysis of Web, Cloud and Mobile Systems
Security Analysis of Web, Cloud and Mobile Systems
Advances in Penetration Testing
Advances in (SQL/code) Injection Attacks
Trustworthy Cloud-based, Web and Mobile services
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile 
Systems
Security and Privacy as a Service
Usable Security and Privacy
Security and Privacy Solutions for the Web, Cloud and Mobile
Identity Management, Pseudonymity and Anonymity
Security/Privacy Web Services/Feeds/Mashups
Provenance and Governance
Security and Privacy Policy Management for the Web, Cloud and Mobile
Next-Generation Web/Mobile Browser Technology
Security/Privacy Extensions and Plug-ins
Online Privacy and Security frameworks
Advertisement and Affiliate fraud
Studies on Understanding Web/Cloud/Mobile Security and Privacy
Technical Solutions for Security and Privacy legislation
Solutions for connecting the Business, Legal, Technical and Social aspects 
on Web/Cloud/Mobile Security and Privacy.
Technologies merging Economics with Security/Privacy
Innovative Security/Privacy Solutions for Industry Verticals
Any questions should be directed to the program chair: 
tgrandi...@proficiencylabs.com.

WORKSHOP CO-CHAIRS
Larry Koved (IBM Research) 
Matt Fredrikson (University of Wisconsin - Madison)
PROGRAM CHAIR
Tyrone Grandison (Proficiency Labs)
PROGRAM COMMITTEE
Aaron Massey (Georgia Institute of Technology) 
Adrienne Porter Felt (Google) 
Aleecia M. McDonald (Center for Internet & Society) 
Alex Smolen (Twitter) 
Alexander Polyakov (ERPScan) 
Amine Cherrai (Amine Cherrai Consulting) 
Anand Prakash (E-Billing Solutions Pvt. Ltd) 
Bhavani Thuraisingham (University of Texas - Dallas) 
Brad Malin (Vanderbilt University) 
Carrie Gates (CA Technologies) 
Christy Philip Matthew (Offcon Info Security) 
Dieter Gollmann (Hamburg University of Technology) 
Elena Ferrari (University of Insubria) 
Gerome Miklau (University of Massachusetts - Amherst) 
Hakan Hacigumus (NEC Labs) 
Ilya Mironov (Microsoft Research) 
James Kettle (Context Information Security) 
Kimberley Hall (Security Advisory & Management Services Ltd) 
Michael Franz (University of California - Irvine) 
Michael Waidner (Technische Universitat Darmstadt) 
Monica Chew (Mozilla) 
Pierangela Samarati (University of Milan) 
Rafae Bhatti (Price Waterhouse Coopers) 
Reginaldo Silva (Ubercomp) 
Rose Gamble (University of Tulsa) 
Sabrina De Capitani di Vimercati (University of Milan) 
Sean Thorpe (University of Technology - Jamaica) 
Sid Stamm (Mozilla) 
Simson Garfinkel (Naval Postgraduate School) 
Szymon Gruszecki 
Varun Bhagwan (Yahoo) 
Vinnie Moscaritolo (Silent Circle)  



[SC-L] CFP: Mobile Security Technologies (MoST) 2014

2014-02-19 Thread Larry Koved
http://mostconf.org/2014/cfp.html 

Mobile Security Technologies (MoST) 2014 

co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE SP 2014) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2014)  

Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems. 
Topics 
We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2014 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to: 
Device hardware 
Operating systems 
Middleware 
Mobile web 
Secure and efficient communication 
Secure application development tools and practices 
Privacy 
Vulnerabilities and remediation techniques 
Usable security 
Identity and access control 
Risks in putting trust in the device vs. in the network/cloud 
Special applications, such as medical monitoring and records 
Mobile advertisement 
Secure applications and application markets 
Economic impact of security and privacy technologies

Paper Submission Instructions 

All accepted papers will be published online in the workshop proceedings. 
Important Dates 
Paper submission deadline: March 3, 2014 (11:59pm US-PST). 
Acceptance notification: March 31, 2014.

Organizing Committee 
Hao Chen, University of California, Davis 
Larry Koved, IBM Research
Program Chair 
Kapil Singh, IBM Research

Program Committee 
Kevin Butler (University of Oregon)
Hao Chen (University of California, Davis)
William Enck (North Carolina State University)
Adrienne Porter Felt (Google)
Rajarshi Gupta (Qualcomm Research Silicon Valley)
Markus Jakobsson
Jaeyeon Jung (Microsoft Research)
Larry Koved (IBM Research)
Zhichun Li (NEC Research Labs)
Long Lu (Stony Brook University)
Adrian Ludwig (Google)
David Wagner (University of California, Berkeley)


[SC-L] FYI: OWASP AppSec Europe 2014 - Call For Papers - submission deadline Mar-21

2014-02-14 Thread Tobias
Hello dear secure coding fellows,

fyi: we just opened the Call for Papers for the upcoming OWASP AppSec
Europe in Cambridge in June 2014.
Closing deadline: March 21st
Please be invited to submit your papers, presentations, research papers
and training proposals.
https://2014.appsec.eu/call-for-training-call-for-papers-january/

Best regards, Tobias



On 13/02/14 18:03, Laura Grau wrote:


 Hello,


 The AppSec Europe 2014
 https://www.owasp.org/index.php/AppSec_Europe_2014#tab=WELCOME Selection
 Committee is accepting papers, presentations and training
 submissions for the OWASP event in Cambridge, June 23rd-26th.


 We invite all practitioners of application security and those who
 work or interact with all facets of application security to submit
 speaker and trainer proposals.


 For more information, read the appropriate document:


   * Call for Presentations
 
 https://www.owasp.org/images/3/30/Call-for-Presentations-v1-1.pdf
   * Call for Training
 https://www.owasp.org/images/6/63/AppSec_Europe_2014_CFT.pdf
   * Call for Papers
 https://www.owasp.org/images/4/4a/AppSec_Europe_2014_CFP.pdf


 All submissions should be sent via EasyChair
 https://www.easychair.org/conferences/?conf=appseceu2014 (Select the
 appropriate track once you have registered.)

 Important Dates:
  CFP/CFT Open: Feb 1st
  CFP/CFT Closes: March 21st
  Acceptance Notification: April 25th
  Conference Schedule Publication: May 16th


 Should you need any further information, please do not hesitate to
 contact me.


 Thank you very much,

 Laura Grau

 Global Conference Manager
 OWASP Foundation
 laura.g...@owasp.org





[SC-L] FYI: OWASP CISO Survey Report 2013 Released

2014-02-14 Thread Tobias
Hello dear secure coding fellows,

just fyi: OWASP just released the OWASP CISO Survey Report 2013 Version
1.0 https://www.owasp.org/index.php/OWASP_CISO_Survey.
Among application security stakeholders, Chief Information Security
Officers (CISOs) are responsible for application security from
governance, compliance and risk perspectives. The OWASP CISO Survey
provides tactical intelligence about security risks and best practices
to help CISOs manage application security programs according to their
own roles, responsibilities, perspectives and needs. It also nicely
complements its sister project, the Application Security Guide For CISOs
https://www.owasp.org/index.php/Application_Security_Guide_For_CISOs.

- Here the link to the Report:
https://www.owasp.org/index.php/OWASP_CISO_Survey
- It can also be downloaded as a PDF
https://www.owasp.org/index.php/File:Owasp-ciso-report-2013-1.0.pdf

*Please share and spread the word!*

Plans are also to build on the lessons learnt and update and extend the
Survey in 2014 - make it better, bigger and more comprehensive. If you
or someone you know would like to help and join the project team, you can join
the project mailing-list here:
https://www.owasp.org/index.php/OWASP_CISO_Survey_Project

If you have any comments, questions or feedback on how we can make it
better for the next version, please feel free to send them to the
project mailing-list (owasp_ciso_sur...@lists.owasp.org) or directly to
the project lead (tobias.gond...@owasp.org).

All the best, Tobias


Tobias Gondrom
OWASP CISO Survey Project Lead
email: tobias.gond...@owasp.org
twitter: @tgondrom





[SC-L] CFP: WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

2014-02-13 Thread Larry Koved
2 weeks until the submission deadline


WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

IMPORTANT DATES
Paper submission deadline: February 26, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014
Workshop paper submission web site: 
https://www.easychair.org/conferences/?conf=w2sp2014

W2SP brings together researchers, practitioners, web programmers, policy 
makers, and others interested in the latest understanding and advances in 
the security and privacy of the web, browsers, cloud, mobile and their 
eco-system. We have had seven years of successful W2SP workshops. This 
year, we will additionally invite selected papers to a special issue of 
the journal.
W2SP is held in conjunction with the IEEE Symposium on Security and 
privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel 
in San Jose, California. W2SP will continue to be open-access: all papers 
will be made available on the workshop website, and authors will not need 
to forfeit their copyright.
We are seeking both short position papers (2–4 pages) and longer papers (a 
maximum of 10 pages). Papers must be formatted for US letter (not A4) size 
paper with margins of at least 3/4 inch on all sides. The text must be 
formatted in a two-column layout, with columns no more than 9 in. high and 
3.375 in. wide. The text must be in Times font, 10-point or larger, with 
12-point or larger line spacing. Authors are encouraged to use the IEEE 
conference proceedings templates.
The scope of W2SP 2014 includes, but is not limited to:
Analysis of Web, Cloud and Mobile Vulnerabilities
Forensic Analysis of Web, Cloud and Mobile Systems
Security Analysis of Web, Cloud and Mobile Systems
Advances in Penetration Testing
Advances in (SQL/code) Injection Attacks
Trustworthy Cloud-based, Web and Mobile services
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile 
Systems
Security and Privacy as a Service
Usable Security and Privacy
Security and Privacy Solutions for the Web, Cloud and Mobile
Identity Management, Pseudonymity and Anonymity
Security/Privacy Web Services/Feeds/Mashups
Provenance and Governance
Security and Privacy Policy Management for the Web, Cloud and Mobile
Next-Generation Web/Mobile Browser Technology
Security/Privacy Extensions and Plug-ins
Online Privacy and Security frameworks
Advertisement and Affiliate fraud
Studies on Understanding Web/Cloud/Mobile Security and Privacy
Technical Solutions for Security and Privacy legislation
Solutions for connecting the Business, Legal, Technical and Social aspects 
on Web/Cloud/Mobile Security and Privacy.
Technologies merging Economics with Security/Privacy
Innovative Security/Privacy Solutions for Industry Verticals
Any questions should be directed to the program chair: 
tgrandi...@proficiencylabs.com.

WORKSHOP CO-CHAIRS
Larry Koved (IBM Research) 
Matt Fredrikson (University of Wisconsin - Madison)
PROGRAM CHAIR
Tyrone Grandison (Proficiency Labs)
PROGRAM COMMITTEE
Aaron Massey (Georgia Institute of Technology) 
Adrienne Porter Felt (Google) 
Aleecia M. McDonald (Center for Internet & Society) 
Alex Smolen (Twitter) 
Alexander Polyakov (ERPScan) 
Amine Cherrai (Amine Cherrai Consulting) 
Anand Prakash (E-Billing Solutions Pvt. Ltd) 
Bhavani Thuraisingham (University of Texas - Dallas) 
Brad Malin (Vanderbilt University) 
Carrie Gates (CA Technologies) 
Christy Philip Matthew (Offcon Info Security) 
Dieter Gollmann (Hamburg University of Technology) 
Elena Ferrari (University of Insubria) 
Gerome Miklau (University of Massachusetts - Amherst) 
Hakan Hacigumus (NEC Labs) 
Ilya Mironov (Microsoft Research) 
James Kettle (Context Information Security) 
Kimberley Hall (Security Advisory & Management Services Ltd) 
Michael Franz (University of California - Irvine) 
Michael Waidner (Technische Universitat Darmstadt) 
Monica Chew (Mozilla) 
Pierangela Samarati (University of Milan) 
Rafae Bhatti (Price Waterhouse Coopers) 
Reginaldo Silva (Ubercomp) 
Rose Gamble (University of Tulsa) 
Sabrina De Capitani di Vimercati (University of Milan) 
Sean Thorpe (University of Technology - Jamaica) 
Sid Stamm (Mozilla) 
Simson Garfinkel (Naval Postgraduate School) 
Szymon Gruszecki 
Varun Bhagwan (Yahoo) 
Vinnie Moscaritolo (Silent Circle)  



[SC-L] IR/Application Security

2014-02-10 Thread Tom Brennan - OWASP
In this episode Karl Sigler sits down with Grayson Lenik, a forensic expert 
for Trustwave SpiderLabs. We talk about Point-of-Sale malware, including common 
web application security attack vectors as well as remediation steps to help 
protect businesses using POS systems. 

http://blog.spiderlabs.com/2014/01/spiderlabs-radio-january-23-2014.html

Enjoy!



[SC-L] Cfp: IEEE SP Workshop on Cyber Crime 2014

2014-02-08 Thread wmazurczyk
Dear Colleagues,
Please consider submitting papers to IWCC (International Workshop on Cyber 
Crime) 2014 which is part of the IEEE CS Security & Privacy Workshops 
(SPW 2014), an event of the IEEE CS Technical Committee on Security and Privacy 
and like last year will be co-located with IEEE S&P 2014 in the Fairmont 
Hotel, San Jose, CA, USA, May 17-18, 2014.
 
CALL FOR PAPERS - deadline in 6 days!
 
Submission page: https://www.easychair.org/conferences/?conf=iwcc2014
 
The extended versions of high-quality papers selected from the workshop will be 
published in a special issue of the EURASIP Journal on Information Security, 
Springer (confirmed!)
 
IWCC 2014 is part of the IEEE CS Security & Privacy Workshops (SPW 2014), 
an event of the IEEE CS Technical Committee on Security and Privacy. 
IWCC 2014 website: http://stegano.net/IWCC2014/
 
IMPORTANT DATES
 
February 10, 2014: Regular & Short Paper Submission
March 17, 2014: Notification Date
April, 2014: Camera-Ready & Early Registration Deadline
 
Today's world's societies are becoming more and more dependent on open networks 
such as the Internet - where commercial activities, business transactions and 
government services are realized. This has led to the fast development of new 
cyber threats and numerous information security issues which are exploited by 
cyber criminals. The inability to provide trusted secure services in 
contemporary computer network technologies has a tremendous socio-economic 
impact on global enterprises as well as individuals.
 
Moreover, the frequently occurring international frauds impose the necessity to 
conduct the investigation of facts spanning across multiple international 
borders. Such examination is often subject to different jurisdictions and legal 
systems. A good illustration of the above being the Internet, which has made it 
easier to perpetrate traditional crimes. It has acted as an alternate avenue 
for the criminals to conduct their activities, and launch attacks with relative 
anonymity. The increased complexity of the communications and the networking 
infrastructure is making investigation of the crimes difficult. Traces of 
illegal digital activities are often buried in large volumes of data, which are 
hard to inspect with the aim of detecting offences and collecting evidence. 
Nowadays, the digital crime scene functions like any other network, with 
dedicated administrators functioning as the first responders.
 
This poses new challenges for law enforcement policies and forces the computer 
societies to utilize digital forensics to combat the increasing number of 
cybercrimes. Forensic professionals must be fully prepared in order to be able 
to provide court admissible evidence. To make these goals achievable, forensic 
techniques should keep pace with new technologies.

The aim of this workshop is to bring together the research accomplishments 
provided by the researchers from academia and the industry. The other goal is 
to show the latest research results in the field of digital forensics and to 
present the development of tools and techniques which assist the investigation 
process of potentially illegal cyber activity. We encourage prospective authors 
to submit related distinguished research papers on the subject of both: 
theoretical approaches and practical case reviews.

The workshop will be accessible to both non-experts interested in learning 
about this area and experts interested in hearing about new research and 
approaches.
 
Topics of interest include, but are not limited to:
 
• Cyber crimes: evolution, new trends and detection
• Cyber crime related investigations
• Computer and network forensics
• Digital forensics tools and applications
• Digital forensics case studies and best practices
• Privacy issues in digital forensics
• Network traffic analysis, traceback and attribution
• Incident response, investigation and evidence handling
• Integrity of digital evidence and live investigations
• Identification, authentication and collection of digital evidence
• Anti-forensic techniques and methods
• Watermarking and intellectual property theft
• Social networking forensics
• Steganography/steganalysis and covert/subliminal channels
• Network anomalies detection
• Novel applications of information hiding in networks
• Political and business issues related to digital forensics and 
anti-forensic techniques
 
SUBMISSIONS AND REGISTRATION
 
Authors are invited to submit Regular Papers (maximum 8 pages) or Short Papers 
(maximum 4 pages) via EasyChair. Papers accepted by the workshop will be 
published in the Conference Proceedings published by IEEE Computer Society 
Press.
 
Papers must be formatted for US letter (not A4) size paper with margins of at 
least 3/4 inch on all sides. The text must be formatted in a two-column layout, 
with columns no more than 9 in. high and 3.375 in. 

[SC-L] CFP: Mobile Security Technologies (MoST) 2014 - March 3 submission deadline

2014-02-08 Thread Larry Koved
http://mostconf.org/2014/cfp.html 

Mobile Security Technologies (MoST) 2014

co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE SP 2014) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2014) 

Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems.
Topics
We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2014 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to:
Device hardware
Operating systems
Middleware
Mobile web
Secure and efficient communication
Secure application development tools and practices
Privacy
Vulnerabilities and remediation techniques
Usable security
Identity and access control
Risks in putting trust in the device vs. in the network/cloud
Special applications, such as medical monitoring and records
Mobile advertisement
Secure applications and application markets
Economic impact of security and privacy technologies

Paper Submission Instructions

All accepted papers will be published online in the workshop proceedings. 
Important Dates
Paper submission deadline: March 3, 2014 (11:59pm US-PST).
Acceptance notification: March 31, 2014.

Organizing Committee
Hao Chen, University of California, Davis
Larry Koved, IBM Research
Program Chair
Kapil Singh, IBM Research

Program Committee
Kevin Butler (University of Oregon)
Hao Chen (University of California, Davis)
William Enck (North Carolina State University)
Adrienne Porter Felt (Google)
Rajarshi Gupta (Qualcomm Research Silicon Valley)
Markus Jakobsson
Jaeyeon Jung (Microsoft Research)
Larry Koved (IBM Research)
Zhichun Li (NEC Research Labs)
Long Lu (Stony Brook University)
Adrian Ludwig (Google)
David Wagner (University of California, Berkeley)


[SC-L] CFP: WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS - February 26 submission deadline

2014-02-08 Thread Larry Koved
WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

IMPORTANT DATES
Paper submission deadline: February 26, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014
Workshop paper submission web site: 
https://www.easychair.org/conferences/?conf=w2sp2014

W2SP brings together researchers, practitioners, web programmers, policy 
makers, and others interested in the latest understanding and advances in 
the security and privacy of the web, browsers, cloud, mobile and their 
eco-system. We have had seven years of successful W2SP workshops. This 
year, we will additionally invite selected papers to a special issue of 
the journal.
W2SP is held in conjunction with the IEEE Symposium on Security and 
privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel 
in San Jose, California. W2SP will continue to be open-access: all papers 
will be made available on the workshop website, and authors will not need 
to forfeit their copyright.
We are seeking both short position papers (2–4 pages) and longer papers (a 
maximum of 10 pages). Papers must be formatted for US letter (not A4) size 
paper with margins of at least 3/4 inch on all sides. The text must be 
formatted in a two-column layout, with columns no more than 9 in. high and 
3.375 in. wide. The text must be in Times font, 10-point or larger, with 
12-point or larger line spacing. Authors are encouraged to use the IEEE 
conference proceedings templates.
The scope of W2SP 2014 includes, but is not limited to:
Analysis of Web, Cloud and Mobile Vulnerabilities
Forensic Analysis of Web, Cloud and Mobile Systems
Security Analysis of Web, Cloud and Mobile Systems
Advances in Penetration Testing
Advances in (SQL/code) Injection Attacks
Trustworthy Cloud-based, Web and Mobile services
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile 
Systems
Security and Privacy as a Service
Usable Security and Privacy
Security and Privacy Solutions for the Web, Cloud and Mobile
Identity Management, Pseudonymity and Anonymity
Security/Privacy Web Services/Feeds/Mashups
Provenance and Governance
Security and Privacy Policy Management for the Web, Cloud and Mobile
Next-Generation Web/Mobile Browser Technology
Security/Privacy Extensions and Plug-ins
Online Privacy and Security frameworks
Advertisement and Affiliate fraud
Studies on Understanding Web/Cloud/Mobile Security and Privacy
Technical Solutions for Security and Privacy legislation
Solutions for connecting the Business, Legal, Technical and Social aspects 
on Web/Cloud/Mobile Security and Privacy.
Technologies merging Economics with Security/Privacy
Innovative Security/Privacy Solutions for Industry Verticals
Any questions should be directed to the program chair: 
tgrandi...@proficiencylabs.com.

WORKSHOP CO-CHAIRS
Larry Koved (IBM Research) 
Matt Fredrikson (University of Wisconsin - Madison)
PROGRAM CHAIR
Tyrone Grandison (Proficiency Labs)
PROGRAM COMMITTEE
Aaron Massey (Georgia Institute of Technology) 
Adrienne Porter Felt (Google) 
Aleecia M. McDonald (Center for Internet & Society) 
Alex Smolen (Twitter) 
Alexander Polyakov (ERPScan) 
Amine Cherrai (Amine Cherrai Consulting) 
Anand Prakash (E-Billing Solutions Pvt. Ltd) 
Bhavani Thuraisingham (University of Texas - Dallas) 
Brad Malin (Vanderbilt University) 
Carrie Gates (CA Technologies) 
Christy Philip Matthew (Offcon Info Security) 
Dieter Gollmann (Hamburg University of Technology) 
Elena Ferrari (University of Insubria) 
Gerome Miklau (University of Massachusetts - Amherst) 
Hakan Hacigumus (NEC Labs) 
Ilya Mironov (Microsoft Research) 
James Kettle (Context Information Security) 
Kimberley Hall (Security Advisory & Management Services Ltd) 
Michael Franz (University of California - Irvine) 
Michael Waidner (Technische Universitat Darmstadt) 
Monica Chew (Mozilla) 
Pierangela Samarati (University of Milan) 
Rafae Bhatti (Price Waterhouse Coopers) 
Reginaldo Silva (Ubercomp) 
Rose Gamble (University of Tulsa) 
Sabrina De Capitani di Vimercati (University of Milan) 
Sean Thorpe (University of Technology - Jamaica) 
Sid Stamm (Mozilla) 
Simson Garfinkel (Naval Postgraduate School) 
Szymon Gruszecki 
Varun Bhagwan (Yahoo) 
Vinnie Moscaritolo (Silent Circle)  



[SC-L] Silver Bullet 94: Ming Chow (Tufts)

2014-02-03 Thread Gary McGraw
hi sc-l,

Episode 94 (in a row) of Silver Bullet features a conversation with Ming Chow, 
a developer who got interested in security and accidentally became a software 
security guy teaching at Tufts.  We talk about that.  We talk about exploiting 
online games (and using that as a teaching mechanism).  And mostly we wonder 
how to get real developers more interested in software security.  Have a listen:

http://www.cigital.com/silver-bullet/show-094/

As always, your feedback is welcome.

gem

company http://www.cigital.com
blog http://www.cigital.com/justiceleague
book http://www.swsec.com



[SC-L] SearchSecurity: Scaling Automated Code Review

2014-01-29 Thread Gary McGraw
hi sc-l,

The latest monthly SearchSecurity article was co-authored with Jim Routh, CSO of 
Aetna.  What Jim is doing for his fifth (!!) software security initiative is 
very interesting.  So interesting that we decided to write about it.

In particular pay attention to Jim's use of a light weight IDE-based static 
analysis tool.  This is important for two reasons: 1) because it runs on all 
dev desktops (and thus scales) and 2) because it finds problems in real time as 
they are being typed in. FIXING security problems found in this way is easier 
than it is in the situation when results arrive a week after they are typed in, 
when the dev is on a new sprint.

Scaling Automated Code Review: http://bit.ly/1iIcAPB

Here is a long URL version:
http://searchsecurity.techtarget.com/opinion/McGraw-Software-insecurity-and-scaling-automated-code-review

As always, your feedback is welcome.  Pass it on!

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com




[SC-L] CFP: Mobile Security Technologies (MoST) 2014

2014-01-27 Thread Larry Koved
http://mostconf.org/2014/cfp.html 

Mobile Security Technologies (MoST) 2014

co-located with 
The 34th IEEE Symposium on Security and Privacy (IEEE SP 2014) 
an event of
The IEEE Computer Society's Security and Privacy Workshops (SPW 2014) 

Mobile Security Technologies (MoST) brings together researchers, 
practitioners, policy makers, and hardware and software developers of 
mobile systems to explore the latest understanding and advances in the 
security and privacy for mobile devices, applications, and systems.
Topics
We are seeking both short position papers (2-4 pages) and longer papers (a 
maximum of 10 pages). The scope of MoST 2014 includes, but is not limited 
to, security and privacy specifically for mobile devices and services 
related to:
Device hardware
Operating systems
Middleware
Mobile web
Secure and efficient communication
Secure application development tools and practices
Privacy
Vulnerabilities and remediation techniques
Usable security
Identity and access control
Risks in putting trust in the device vs. in the network/cloud
Special applications, such as medical monitoring and records
Mobile advertisement
Secure applications and application markets
Economic impact of security and privacy technologies

Paper Submission Instructions

All accepted papers will be published online in the workshop proceedings. 
Important Dates
Paper submission deadline: March 3, 2014 (11:59pm US-PST).
Acceptance notification: March 31, 2014.

Organizing Committee
Hao Chen, University of California, Davis
Larry Koved, IBM Research
Program Chair
Kapil Singh, IBM Research


[SC-L] CFP: WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

2014-01-27 Thread Larry Koved
WEB 2.0 SECURITY AND PRIVACY 2014 WORKSHOP CALL FOR PAPERS

IMPORTANT DATES
Paper submission deadline: February 26, 2014 (11:59pm US-PST)
Workshop acceptance notification date: March 29, 2014
Workshop date: Sunday, May 18, 2014
Workshop paper submission web site: 
https://www.easychair.org/conferences/?conf=w2sp2014

W2SP brings together researchers, practitioners, web programmers, policy 
makers, and others interested in the latest understanding and advances in 
the security and privacy of the web, browsers, cloud, mobile and their 
eco-system. We have had seven years of successful W2SP workshops. This 
year, we will additionally invite selected papers to a special issue of 
the journal.
W2SP is held in conjunction with the IEEE Symposium on Security and 
privacy, which will take place from May 18-21, 2014, at the Fairmont Hotel 
in San Jose, California. W2SP will continue to be open-access: all papers 
will be made available on the workshop website, and authors will not need 
to forfeit their copyright.
We are seeking both short position papers (2–4 pages) and longer papers (a 
maximum of 10 pages). Papers must be formatted for US letter (not A4) size 
paper with margins of at least 3/4 inch on all sides. The text must be 
formatted in a two-column layout, with columns no more than 9 in. high and 
3.375 in. wide. The text must be in Times font, 10-point or larger, with 
12-point or larger line spacing. Authors are encouraged to use the IEEE 
conference proceedings templates.
The scope of W2SP 2014 includes, but is not limited to:
Analysis of Web, Cloud and Mobile Vulnerabilities
Forensic Analysis of Web, Cloud and Mobile Systems
Security Analysis of Web, Cloud and Mobile Systems
Advances in Penetration Testing
Advances in (SQL/code) Injection Attacks
Trustworthy Cloud-based, Web and Mobile services
Privacy and Reputation in Web (e.g. Social Networks), Cloud, Mobile 
Systems
Security and Privacy as a Service
Usable Security and Privacy
Security and Privacy Solutions for the Web, Cloud and Mobile
Identity Management, Pseudonymity and Anonymity
Security/Privacy Web Services/Feeds/Mashups
Provenance and Governance
Security and Privacy Policy Management for the Web, Cloud and Mobile
Next-Generation Web/Mobile Browser Technology
Security/Privacy Extensions and Plug-ins
Online Privacy and Security frameworks
Advertisement and Affiliate fraud
Studies on Understanding Web/Cloud/Mobile Security and Privacy
Technical Solutions for Security and Privacy legislation
Solutions for connecting the Business, Legal, Technical and Social aspects 
on Web/Cloud/Mobile Security and Privacy.
Technologies merging Economics with Security/Privacy
Innovative Security/Privacy Solutions for Industry Verticals
Any questions should be directed to the program chair: 
tgrandi...@proficiencylabs.com.

WORKSHOP CO-CHAIRS
Larry Koved (IBM Research) 
Matt Fredrikson (University of Wisconsin - Madison)
PROGRAM CHAIR
Tyrone Grandison (Proficiency Labs)
PROGRAM COMMITTEE
Aaron Massey (Georgia Institute of Technology) 
Adrienne Porter Felt (Google) 
Aleecia M. McDonald (Center for Internet & Society) 
Alex Smolen (Twitter) 
Alexander Polyakov (ERPScan) 
Amine Cherrai (Amine Cherrai Consulting) 
Anand Prakash (E-Billing Solutions Pvt. Ltd) 
Bhavani Thuraisingham (University of Texas - Dallas) 
Brad Malin (Vanderbilt University) 
Carrie Gates (CA Technologies) 
Christy Philip Matthew (Offcon Info Security) 
Dieter Gollmann (Hamburg University of Technology) 
Elena Ferrari (University of Insubria) 
Gerome Miklau (University of Massachusetts - Amherst) 
Hakan Hacigumus (NEC Labs) 
Ilya Mironov (Microsoft Research) 
James Kettle (Context Information Security) 
Kimberley Hall (Security Advisory & Management Services Ltd) 
Michael Franz (University of California - Irvine) 
Michael Waidner (Technische Universitat Darmstadt) 
Monica Chew (Mozilla) 
Pierangela Samarati (University of Milan) 
Rafae Bhatti (Price Waterhouse Coopers) 
Reginaldo Silva (Ubercomp) 
Rose Gamble (University of Tulsa) 
Sabrina De Capitani di Vimercati (University of Milan) 
Sean Thorpe (University of Technology - Jamaica) 
Sid Stamm (Mozilla) 
Simson Garfinkel (Naval Postgraduate School) 
Szymon Gruszecki 
Varun Bhagwan (Yahoo) 
Vinnie Moscaritolo (Silent Circle)  



Re: [SC-L] BSIMM-V Article in Application Development Times

2014-01-22 Thread Stephen de Vries

For anyone interested in this topic and working in appsec and/or dev, there’s a 
survey by the trusted software alliance which touches on some of these 
questions here: https://www.surveymonkey.com/s/Developers_and_AppSec 




> On Jan 7, 2014, at 8:07 PM, Christian Heinrich 
> christian.heinr...@cmlh.id.au wrote:
> 
> Stephen,
> 
> On Sat, Jan 4, 2014 at 8:12 PM, Stephen de Vries
> step...@continuumsecurity.net wrote:
> > Leaving the definition of agile aside for the moment, doesn’t the fact that 
> > the BSIMM measures organisation wide activities but not individual dev teams 
> > mean that we could be drawing inaccurate conclusions from the data?  E.g.  if 
> > an organisation says it is doing Arch reviews, code reviews and sec testing, 
> > it doesn’t necessarily mean that every team is doing all of those activities, 
> > so it may give the BSIMM reader a false impression of the use of those 
> > activities in the real world.
> > 
> > In addition to knowing which activities are practiced organisation wide, it 
> > would also be valuable to know which activities work well on a per-team or 
> > per-project basis.
> 
> My reading of the Roles section of BSIMM-V.pdf is that the people
> interviewed for the BSIMM sample are:
> 1. Executive Leadership (or CISO, VP of Risk, CSO, etc)
> 2. Everyone else within the Software Security Group (SSG)
> 
> What you are asking to be included is what is referred to as the
> Satellite within BSIMM-V.pdf and I believe this may also require the
> inclusion of http://cmmiinstitute.com/cmmi-solutions/cmmi-for-development/
> too (why not :) ).
> 
> The issue with this is that it would invalidate the statistics from
> the prior five BSIMM releases due to the inclusion of new questions,
> and in addition these new statistics were not gathered over time
> either, hence the improvements measured over time within BSIMM would be
> invalid too due to the new dataset.
> 
> Furthermore, Gary, Sammy and Brian have limited time to interview all
> 67 BSIMM participating firms.
> 
> However, I would be interested to know the BSIMM Advisory Board's (i.e.
> http://bsimm.com/community/) view on this and whether it would be
> possible to undertake this additional sampling within their own BSIMM
> participating firm to determine if additional value would be
> gained for BSIMM. However, I suspect that an objective measurement
> would be too hard to quantify due to internal politics of each BSIMM
> participating firm but I could be wrong.
> 




Re: [SC-L] BSIMM-V Article in Application Development Times

2014-01-08 Thread Christian Heinrich
Stephen,

On Sat, Jan 4, 2014 at 8:12 PM, Stephen de Vries
step...@continuumsecurity.net wrote:
> Leaving the definition of agile aside for the moment, doesn’t the fact that 
> the BSIMM measures organisation wide activities but not individual dev teams 
> mean that we could be drawing inaccurate conclusions from the data?  E.g.  if 
> an organisation says it is doing Arch reviews, code reviews and sec testing, 
> it doesn’t necessarily mean that every team is doing all of those activities, 
> so it may give the BSIMM reader a false impression of the use of those 
> activities in the real world.
>
> In addition to knowing which activities are practiced organisation wide, it 
> would also be valuable to know which activities work well on a per-team or 
> per-project basis.

My reading of the Roles section of BSIMM-V.pdf is that the people
interviewed for the BSIMM sample are:
1. Executive Leadership (or CISO, VP of Risk, CSO, etc)
2. Everyone else within the Software Security Group (SSG)

What you are asking to be included is what is referred to as the
Satellite within BSIMM-V.pdf and I believe this may also require the
inclusion of http://cmmiinstitute.com/cmmi-solutions/cmmi-for-development/
too (why not :) ).

The issue with this is that it would invalidate the statistics from
the prior five BSIMM releases due to the inclusion of new questions,
and in addition these new statistics were not gathered over time
either, hence the improvements measured over time within BSIMM would be
invalid too due to the new dataset.

Furthermore, Gary, Sammy and Brian have limited time to interview all
67 BSIMM participating firms.

However, I would be interested to know the BSIMM Advisory Board's (i.e.
http://bsimm.com/community/) view on this and whether it would be
possible to undertake this additional sampling within their own BSIMM
participating firm to determine if additional value would be
gained for BSIMM. However, I suspect that an objective measurement
would be too hard to quantify due to internal politics of each BSIMM
participating firm but I could be wrong.


-- 
Regards,
Christian Heinrich

http://cmlh.id.au/contact



Re: [SC-L] BSIMM-V Article in Application Development Times

2014-01-07 Thread Stephen de Vries

Hi Sammy, Antti,

On 20 Dec 2013, at 17:29, Sammy Migues smig...@cigital.com wrote:

> Also, in nearly all cases, it would be very hard to characterize an entire 
> firm or even an entire business unit in larger firms as Agile or not. Many 
> larger firms use Agile for only a small percentage of projects 


Leaving the definition of agile aside for the moment, doesn’t the fact that the 
BSIMM measures organisation wide activities but not individual dev teams mean 
that we could be drawing inaccurate conclusions from the data?  E.g.  if an 
organisation says it is doing Arch reviews, code reviews and sec testing, it 
doesn’t necessarily mean that every team is doing all of those activities, so 
it may give the BSIMM reader a false impression of the use of those activities 
in the real world.

In addition to knowing which activities are practiced organisation wide, it 
would also be valuable to know which activities work well on a per-team or 
per-project basis.

On 17 Dec 2013, at 22:01, Antti Vähä-Sipilä a...@iki.fi wrote:
 
> Moreover, I think this sort of split would be largely arbitrary. Especially 
> for large companies, it's often not straightforward to classify them as agile 
> or non-agile. Many companies also have mixed-mode dev shops with waterfall 
> product management bolted on top of an agile dev team, or an agile dev team 
> throwing code over the wall to a traditional ops team, or a mix of agile and 
> non-agile teams working side by side. 

Agree that the split between agile and not-agile would be arbitrary at the 
organisation wide level.  But deciding on an arbitrary line, or better yet an 
arbitrary scale of agility on a per-project level shouldn’t be too difficult.  
If we need to start somewhere, then I think borrowing from devops couldn’t 
hurt, where they measure agility by:
- frequency of code deployments
- lead time from code deploy to running in production

> In addition, I don't think you can measure agility through purely measuring 
> cadence. The point of being agile is to be able to respond to change, and not 
> all companies _need_ to be reinventing their product daily like a budding 
> startup with an existential crisis. Although continuous integration would 
> probably help the majority of companies, on the product management (i.e., 
> backlog management) side, it depends on your customers and industry whether 
> more is indeed better.

With the BSIMM’s objective of just describing activities it wouldn’t be 
necessary to promote agile or agile security practices.  But it would be 
interesting to know that if an organisation happens to have chosen agile or 
continuous delivery as their software dev methodology, then how are they 
integrating security into that process?  The burning questions I have regarding 
agile and continuous delivery and security are:
- What mixture of the BSIMM activities work well in a continuous delivery style 
environment?
- As you move from less-agile to more-agile, which activities tend to fall away 
and which are more emphasised?
- How are the security specialist and time heavy activities like attack models, 
sec arch review and pentesting performed when new code is pushed to production 
daily?
 
The BSIMM seems to be the only place where this type of data exists or could be 
captured, so it would be nice to be able to extract this data from it, or include 
these types of questions in future versions.  The devops survey(*) is another 
potential, but as yet they don’t capture security specific activities.


* 
http://itrevolution.com/the-science-behind-the-2013-puppet-labs-devops-survey-of-practice/


regards,
Stephen

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Cfp: IEEE SP 2014 workshop: International Workshop on Cyber Crime (IWCC 2014)

2014-01-07 Thread wmazurczyk
Dear Colleagues,
Please consider submitting papers to IWCC 2014 (International Workshop on Cyber 
Crime) which is part of the IEEE CS Security & Privacy Workshops (SPW 2014), 
an event of the IEEE CS Technical Committee on Security and Privacy and like 
last year will be co-located with IEEE SP 2014 at the Fairmont Hotel, San 
Jose, CA, USA, May 17-18, 2014.

CALL FOR PAPERS

IWCC 2014 is part of the IEEE CS Security & Privacy Workshops (SPW 2014), an 
event of the IEEE CS Technical Committee on Security and Privacy.

IWCC 2014 website: http://stegano.net/IWCC2014/

Today's societies are becoming more and more dependent on open networks 
such as the Internet, where commercial activities, business transactions and 
government services are realized. This has led to the fast development of new 
cyber threats and numerous information security issues which are exploited by 
cyber criminals. The inability to provide trusted secure services in 
contemporary computer network technologies has a tremendous socio-economic 
impact on global enterprises as well as individuals.

Moreover, the frequently occurring international frauds impose the necessity to 
conduct the investigation of facts spanning across multiple international 
borders. Such examination is often subject to different jurisdictions and legal 
systems. A good illustration of the above is the Internet, which has made it 
easier to perpetrate traditional crimes. It has acted as an alternate avenue 
for the criminals to conduct their activities, and launch attacks with relative 
anonymity. The increased complexity of the communications and the networking 
infrastructure is making investigation of the crimes difficult. Traces of 
illegal digital activities are often buried in large volumes of data, which are 
hard to inspect with the aim of detecting offences and collecting evidence. 
Nowadays, the digital crime scene functions like any other network, with 
dedicated administrators functioning as the first responders.

This poses new challenges for law enforcement policies and forces the computer 
societies to utilize digital forensics to combat the increasing number of 
cybercrimes. Forensic professionals must be fully prepared in order to be able 
to provide court admissible evidence. To make these goals achievable, forensic 
techniques should keep pace with new technologies.
The aim of this workshop is to bring together the research accomplishments 
provided by the researchers from academia and the industry. The other goal is 
to show the latest research results in the field of digital forensics and to 
present the development of tools and techniques which assist the investigation 
process of potentially illegal cyber activity. We encourage prospective authors 
to submit related distinguished research papers on the subject of both: 
theoretical approaches and practical case reviews.

The workshop will be accessible to both non-experts interested in learning 
about this area and experts interested in hearing about new research and 
approaches.

Topics of interest include, but are not limited to:

• Cyber crimes: evolution, new trends and detection
• Cyber crime related investigations
• Computer and network forensics
• Digital forensics tools and applications
• Digital forensics case studies and best practices
• Privacy issues in digital forensics
• Network traffic analysis, traceback and attribution
• Incident response, investigation and evidence handling
• Integrity of digital evidence and live investigations
• Identification, authentication and collection of digital evidence
• Anti-forensic techniques and methods
• Watermarking and intellectual property theft
• Social networking forensics
• Steganography/steganalysis and covert/subliminal channels
• Network anomalies detection
• Novel applications of information hiding in networks
• Political and business issues related to digital forensics and anti-forensic techniques

SUBMISSIONS AND REGISTRATION

Authors are invited to submit Regular Papers (maximum 8 pages) or Short Papers 
(maximum 4 pages) via EasyChair. Papers accepted by the workshop will be 
published in the Conference Proceedings published by IEEE Computer Society 
Press.

Papers must be formatted for US letter (not A4) size paper with margins of at 
least 3/4 inch on all sides. The text must be formatted in a two-column layout, 
with columns no more than 9 in. high and 3.375 in. wide. The text must be in 
Times font, 10-point or larger, with 12-point or larger line spacing. Authors 
are encouraged to use the IEEE conference proceedings templates found here. 
Failure to adhere to the page limit and formatting requirements will be grounds 
for rejection.

The following is a URL link to the Author's Final Paper Formatting and 
Submission Instructions Webpage (Online Author Kit) for 2014 

[SC-L] SearchSecurity: Scaling Architectural Risk Analysis

2013-12-26 Thread Gary McGraw
hi sc-l,

Following on the heels of our SearchSecurity article on Architectural Risk 
Analysis (probably the most difficult touchpoint in software security), Jim 
DelGrosso and I write about how to scale ARA.

http://bit.ly/19Jmk7f  (or 
http://searchsecurity.techtarget.com/opinion/McGraw-Software-insecurity-and-scaling-architecture-risk-analysis)

Merry new year to you all.   We welcome your feedback.

gem


