Colleagues,
In 2012, OWASP is holding the Global AppSec AsiaPac Conference in Sydney, Australia!
OWASP Asia Pacific is the foremost Application Security conference for the
region, and brings together the community in a central meeting for 4 days to
discuss and present on recent and current Applicati
Hi James,
You're absolutely correct - trying to come up with countermeasures for
730+ issues is crazy. It's much better to have valid controls for the
minimum number of things that must be done right, and if they are,
then hey presto, attacks using one or more of those 730+ vulnerability
The OWASP materials are fairly language neutral. The closest document
to your current requirements is the Developer Guide.
I am also developing a coding standard for OWASP with a likely
deliverable date next year. I am looking for volunteers to help with
it, so if you want a document that ex
mmunity.
I'm glad that Oracle is now drinking the kool aid and treating
security as a fundamental software engineering requirement. It's about
time.
thanks,
Andrew van der Stock
Lead Author, OWASP Guide to Writing Secure Applications and OWASP Top 10
ng some APIs
> for java developers to actually do things like output encoding,
> where Java/J2EE is about 4 years behind the rest of the world.
thanks,
Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10
Secure Coding mailing list
In my experience of reviewing COBOL and mainframes in general, it's
worthwhile to evaluate doing bad things to the business logic. The
designers are literal in their translation of the business
requirements to specifications, and never think of the mis-use cases.
Mainframe coders aren't pai
see Fortify tackle the mainframe
with their SCA products. It's really late and delayed, but better late
than never. I know a bunch of sites that could use that tool if it
works even 1% as well as the marketing is likely to make out.
thanks,
Andrew van der Stock
Executive Director, OWASP
P
e important stuff.
>>
>> -Original Message-
>> From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
>> Sent: Monday, March 19, 2007 2:50 PM
>> To: McGovern, James F (HTSC, IT)
>> Cc: SC-L
>> Subject: Re: [SC-L] How is secure coding sold within
There are two major methods:
1. Opportunity cost / competitive advantage (the Microsoft model)
2. Recovery cost reductions (the model used by most financial institutions)
Generally, opportunity cost is where an organization can further its goals
by a secure business foundation. This requires the
NB: I am not speaking on behalf of my employer and this is my
personal opinion.
Banks in general do not use smart cards as they suffer from the same
issue as two-factor non-transaction-signing fobs - they are somewhat
trivial to trick users into giving up a credential. Connected keys
are
Actually, it is a myth.
For every non-trivial system, there are business pressures on
resourcing, deadlines, and acceptable quality (pick any two). Once a
business has set their taste for risk, it makes no sense to spend say
$10m on security controls on a product and delay it for six months
Best for older cars...
"My other car is a bit more secure"
Best for Volvos (or pick another high safety brand):
"I wish my finance systems were as safe as this car"
"Honk if you want secure software"
"Who has your data? Ask for secure software next time"
thanks,
Andrew
OWASP is pleased to announce the immediate availability of the OWASP
PHP Top 5. The OWASP Top 5 is an education piece which provides up to
date advice to PHP developers, hosters, and other PHP users. The PHP
Top 5 is produced by the OWASP PHP Project.
The PHP Top 5 is based upon attack freq
Dinis,
Sandboxing prevents a machine from having bad system() and buffer
overflows causing system compromise. Sure that's bad enough. However,
sandboxing does not prevent:
* all types of cross-site scripting
* SQL injection
* Command injection via SQL injection (xp_cmdshell and similar Orac
that is an issue.
-- Michael
On 3/29/06, Andrew van der Stock <[EMAIL PROTECTED]> wrote:
This is not quite true.
Java does not prevent integer overflows (it will not throw an
exception). So you still have to be careful about array indexes.
Andrew
This is not quite true.
Java does not prevent integer overflows (it will not throw an
exception). So you still have to be careful about array indexes.
Andrew
On 29/03/2006, at 12:49 PM, [EMAIL PROTECTED] wrote:
No, a browser written in Java would not have buffer overflow/stack
issues. the
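To illustrate the point Andrew makes in the message above, here is an added example; it is not code from the original thread, and the class and method names (IntOverflowDemo, inRangeWrapping, inRangeSafe, bucketAbs, bucketSafe) are hypothetical. It shows an int range check that wrapping arithmetic silently defeats, the exception the JVM raises only once the array itself is touched, and the Math.abs(Integer.MIN_VALUE) bucket-index bug, each beside a checked form that either rearranges the arithmetic or uses Math.addExact to make the overflow visible.

```java
import java.util.Arrays;

/*
 * Added example, not part of the original message. Java int arithmetic
 * wraps silently: no exception is thrown at the addition, only later at
 * the array access, so a range check built on the wrapped value passes.
 */
public class IntOverflowDemo {

    // Broken range check: start + count wraps negative for a large count,
    // so "end <= buf.length" is true and the absurd request is accepted.
    static boolean inRangeWrapping(byte[] buf, int start, int count) {
        int end = start + count;                 // wraps, no exception
        return start >= 0 && count >= 0 && end <= buf.length;
    }

    // Correct range check: rearranged so no intermediate can overflow
    // (buf.length - start cannot wrap once start >= 0 is known).
    static boolean inRangeSafe(byte[] buf, int start, int count) {
        return start >= 0 && count >= 0 && count <= buf.length - start;
    }

    // Classic bucket-index bug: Math.abs(Integer.MIN_VALUE) is still
    // Integer.MIN_VALUE, so for a table whose size does not divide 2^31
    // the index is negative and the array access throws.
    static int bucketAbs(int hash, int buckets) {
        return Math.abs(hash) % buckets;
    }

    // Correct: clear the sign bit (or use Math.floorMod) so the result
    // is always in [0, buckets).
    static int bucketSafe(int hash, int buckets) {
        return (hash & 0x7fffffff) % buckets;
    }

    public static void main(String[] args) {
        byte[] buf = new byte[64];
        int start = 10;
        int count = Integer.MAX_VALUE;  // e.g. a length field read from the wire

        // 10 + Integer.MAX_VALUE wraps to a negative int: the wrapping check
        // accepts the request, the rearranged check rejects it.
        System.out.println("wrapping check accepts: " + inRangeWrapping(buf, start, count)); // true
        System.out.println("safe check accepts:     " + inRangeSafe(buf, start, count));     // false

        // What the JVM does protect is the array access itself: the copy
        // fails with an exception rather than reading past the buffer.
        try {
            byte[] out = new byte[16];
            System.arraycopy(buf, start, out, 0, count);
        } catch (IndexOutOfBoundsException e) {
            System.out.println("arraycopy rejected the wrapped length: " + e.getMessage());
        }

        // Math.addExact turns the silent wrap into an ArithmeticException
        // at the point of the arithmetic, where it can be handled cleanly.
        try {
            Math.addExact(start, count);
        } catch (ArithmeticException e) {
            System.out.println("addExact: " + e.getMessage());  // "integer overflow"
        }

        // Table size 7 (not a power of two) so MIN_VALUE % 7 == -2 is visible;
        // any hashCode() may legitimately return Integer.MIN_VALUE.
        int[] table = new int[7];
        int hash = Integer.MIN_VALUE;
        System.out.println("safe bucket: " + bucketSafe(hash, table.length)); // 0
        try {
            table[bucketAbs(hash, table.length)]++;
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("Math.abs bucket threw: " + e.getMessage());
        }
        System.out.println(Arrays.toString(table));
    }
}
```

The practical lesson is the one in the message: the JVM's array bounds check stops the overflow from becoming memory corruption, but it does not stop the wrapped value from passing your own validation, so the failure surfaces later as an uncaught exception (a denial-of-service or a confusing stack trace) rather than as a clean rejection. Validate lengths and offsets with non-wrapping comparisons or the exact-arithmetic methods in java.lang.Math.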
Yes! :)
I am speaking at the OWASP EU conference in Belgium (I hope people
speak English 'cos my French is now quite appalling) at the end of
May, and I have a paper submission for O'Reilly's OSCON in early
July. I am still mulling over whether to submit a proposal to
BlackHat as although
From: Andrew van der Stock <[EMAIL PROTECTED]>
Date: 7 March 2006 2:54:36 AM
To: kentaro.arai at
Subject: Security problems with Ajax
Kentaro,
In short, yes! :)
I am researching and writing a new chapter on Ajax security for the
OWASP Guide which will be out as soon as it's been properl