Re: [SC-L] [External] Re: SearchSecurity: Dynamism
On Tue, Sep 8, 2015 at 7:44 PM, Gary McGraw wrote:
> As far as I know, Microsoft integrated some reference monitoring into their
> OS family under Fred Schneider’s guidance. They called it “inline reference
> monitoring” and I believe they still use it.

A related work by Microsoft is BrowserShield, an inline reference monitor for JavaScript:

BrowserShield: Vulnerability-Driven Filtering of Dynamic HTML
http://research.microsoft.com/en-us/projects/shield/#browsershield

-- Alfonso

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] SearchSecurity: Dynamism
On Thu, Aug 20, 2015 at 8:20 PM, Johan Peeters wrote:
> nice one, Gary. Finally something positive about agile and DevOps. A
> trick that you may have missed is immutable servers, see Docker and
> friends. They will be a leap forward for server security when they hit
> the mainstream.

Immutable servers are nice -- let's deploy them. Yet, in an execution environment where code is data and data is code, high assurance software will also require control-flow integrity in the face of malicious input. Or, what we would be left with are weird machines instantiated from disposable images.

-- Alfonso
[SC-L] Aedificatoria: Layered Weak Links
Greetings SC-L,

I've recently kicked off Aedificatoria, a column on security architectures and architecting security. Articles - sometimes op-ed - will be aimed at addressing:

- our working landscape (with its tools, objects, technologies, processes, and challenges);
- the architecture, as the set of theoretical and practical knowledge driving our activities;
- ourselves and the human element.

Without further ado, the first victim of the column is Defense in Depth and its relationship with survivability and mission assurance:

Layered Weak Links - The Ability to Refresh Attack Cost is Key to Mission Success, but Seldom Available:
http://plaintext.crypto.lo.gy/article/437/aedificatoria-layered-weak-links

As always, I very much welcome your feedback and, if you feel inclined, your guest posts. It is your contributions which will make Aedificatoria an edifying space.

Ciao,
alfonso

--
Alfonso De Gregorio
BeeWise, Security Event Futures - http://beewise.org/
Software Security's Futures Plural http://plaintext.crypto.lo.gy/ssfp