Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread AK
Hi everyone,

Assuming that "are we missing DEP and assorted userland exploit
mitigations for the web" is not a rhetorical question: indeed, assorted
technologies based on randomized instruction sets have been researched,
and I have seen PoC solutions circa 2004 (SQLi) and more recently for
XSS. [1] is a nice starting point, as I am in somewhat of a hurry to
locate the papers/PoCs now.

Obviously, if that was a rhetorical question, :)

[1] http://www.cs.columbia.edu/~angelos/cv.html
On 03/26/2011 09:12 PM, Arian J. Evans wrote:
> [SNIP]
> And why is that? Are we missing DEP and SEHOP and such for the web?
>
> Or is the web, the browser, and userland malware just where the easy
> money is, so the attackers focus there?
>
> ---
> Arian Evans
> Software Security Realism

-- 
-- thanasisk
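As an added illustration of the SQL-side randomized-instruction-set idea mentioned above (example code written for this archive page, not from the thread or from the Columbia papers it points to): a toy proxy tags every SQL keyword in developer-written templates with a secret suffix, so a keyword that reaches the proxy untagged can only have come from untrusted input and the query is rejected. The keyword subset, the digit-only tag format and the `safe_lookup` helper are assumptions for the demo; the checker scans string literals too, so a legitimate value containing a keyword word is also rejected (fail-closed).

```python
import re
import secrets

# Subset of SQL keywords the toy proxy recognises (constructed for this example).
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION",
            "INSERT", "UPDATE", "DELETE", "DROP", "VALUES", "INTO"}

# Bare (untagged) words; a tagged keyword such as SELECT4242 does not match
# because there is no word boundary between the letters and the tag digits.
WORD = re.compile(r"\b[A-Za-z_]+\b")


class RandomizedSql:
    """SQLrand-style keyword randomisation: trusted SQL has every keyword
    suffixed with a secret tag; at the proxy, a keyword WITHOUT the tag can
    only have come from untrusted input, so the whole query is rejected."""

    def __init__(self, tag=None):
        # Per-process secret; a fixed tag may be passed in for testing.
        self.tag = tag if tag is not None else f"{secrets.randbelow(10**9):09d}"

    def randomize(self, template):
        """Tag keywords in developer-authored SQL. Run BEFORE user data is spliced in."""
        return re.sub(r"\b([A-Za-z_]+)\b",
                      lambda m: m.group(1) + self.tag
                      if m.group(1).upper() in KEYWORDS else m.group(1),
                      template)

    def derandomize(self, query):
        """Strip the tags and return plain SQL, or raise if an untagged keyword appears."""
        bare = [w for w in WORD.findall(query) if w.upper() in KEYWORDS]
        if bare:
            raise ValueError(f"untagged SQL keyword(s) {bare}: possible injection")
        tagged = re.compile(r"\b([A-Za-z_]+)" + re.escape(self.tag) + r"\b")
        return tagged.sub(lambda m: m.group(1) if m.group(1).upper() in KEYWORDS
                          else m.group(0), query)


def safe_lookup(proxy, username):
    """Return the de-randomised lookup query, or None if the proxy rejects it.
    String splicing is deliberate here: it is the vulnerable pattern the proxy
    is meant to catch. The template is randomised first and the untrusted
    username spliced in afterwards, so keywords in the username never get the tag."""
    template = proxy.randomize("SELECT id FROM users WHERE name = ?")
    try:
        return proxy.derandomize(template.replace("?", "'" + username + "'"))
    except ValueError:
        return None
```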

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] SC-L Digest, Vol 6, Issue 56

2010-03-20 Thread AK

> As soon as a non-developer creates code, they are no longer a
> non-developer.  By definition, they are now a developer!
>
> Of course, they may completely lack any kind of knowledge about security.
> Just like most developers, I should add.  I expect this problem to *increase*
> over time.



For the case that one is creating a product/service, I will have to
rephrase a bit.

Substitute non-developer with person who lacks all but the most basic
notions of software engineering. So, technically, yeah, they are
developers, but probably they are not good developers and will run into a
multitude of problems, one of which will be security.


However, by non-developers I meant people who write code as a
one-off (e.g. a security consultant writes some quick and dirty code
to fuzz something, or someone writing a script for home use). Even if
the security knowledge is there, since security is not a required
property, it just will not be in the resultant code, as the code is
supposed to be used a few times and then thrown away (or hopefully
rewritten :-) )
> That may be true in some places.  But all too often real knowledge and
> expertise is rare.  Many System Admins, esp. in the Windows world, do not
> understand the underlying technology at all.  They only know how to
> point-and-click based on recipes created by others (e.g., local instructions
> or whatever Google tells them).  All too often we *train* while ignoring
> *education*.
>
> When they have to program at all, these kinds of people perform cargo cult
> programming (see http://en.wikipedia.org/wiki/Cargo_cult_programming ).

If an organization hires (or outsources to) point-n-click admins (which,
I'll hazard a guess, on average will cost less than the admins who
have invested time sharpening their saw), the organization will most
likely have operational problems, which are not limited to security,
even before the admins type shebang, IMHO.


Re: [SC-L] market for training CISSPs how to code (Matt, Parsons)

2010-03-18 Thread AK
Hi all,

We are drifting a bit away from my question, but here is a forked question:

Who says so, in the context of web applications? I can see it (somewhat) from a 
desktop application perspective, but how is this relevant in web apps?

Cheers!

> Date: Wed, 17 Mar 2010 20:17:05 -0500
> From: ljknews ljkn...@mac.com
> To: sc-l@securecoding.org
> Subject: Re: [SC-L] market for training CISSPs how to code (Matt
> Parsons)
> Message-ID: p05200f26c7c72f5b9...@[146.115.107.213]
> Content-Type: text/plain; charset=us-ascii
>
> At 7:27 PM +0200 3/17/10, AK wrote:
>
>> Regarding training non-developers to write secure code, what are the
>> circumstances that a non-developer would create code that would
>> *require* security? I am assuming that system administrators know the
>> basics of their trade and scripting language of choice so security there
>> is taken care of
>
> Scripting languages should not be used for security-sensitive
> programs.



Re: [SC-L] market for training CISSPs how to code (Matt Parsons)

2010-03-17 Thread AK
Hi,

Regarding training non-developers to write secure code, what are the
circumstances that a non-developer would create code that would
*require* security? I am assuming that system administrators know the
basics of their trade and scripting language of choice, so security there
is taken care of, BUT I fail to see other scenarios where code that would
be used more than a one-off is developed by non-programmers.
Additional insight would be much appreciated :)




> Message: 1
> Date: Tue, 16 Mar 2010 21:37:03 -0500
> From: Matt Parsons mparsons1...@gmail.com
> To: owaspdal...@utdallas.edu
> [snipped] I have been a programmer and a security analyst for a few years now.
> When I first started developers told me I didn't know how to code good enough and
> CISSP's told me I didn't have enough security experience.  Has anyone had
> any success training CISSP's and non programmers how to write code securely
> and train developers how to become CISSP's and learn how to penetration
> test?  If not does everyone think that there would be a market for such
> training?
