Re: [SC-L] informIT: Modern Malware

2011-03-23 Thread Andy Steingruebl
On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw g...@cigital.com wrote: hi sc-l, The tie between malware (think zeus and stuxnet) and broken software of the sort we work hard on fixing is difficult for some parts of the market to fathom.  I think it's simple: software riddled with bugs and

Re: [SC-L] informIT: Modern Malware

2011-03-23 Thread Andy Steingruebl
On Wed, Mar 23, 2011 at 8:14 AM, Gary McGraw g...@cigital.com wrote: I agree that clueless users who click on whatever pops up lead to many infections even when software is in reasonable shape, but I don't see that as a reason not to build better software.  Presumably, you guys at paypal

Re: [SC-L] Checklist Manifesto applicability to software security

2010-01-07 Thread Andy Steingruebl
a checklist to examine their code, and others not. Might be interesting to see exactly what types of checklist items really result in a reduction in bugs... -- Andy Steingruebl stein...@gmail.com ___ Secure Coding mailing list (SC-L) SC-L

Re: [SC-L] Genotypes and Phenotypes

2009-10-18 Thread Andy Steingruebl
. Is the complexity and expression of it really the key piece here? Or is it general resilience against failure, complexity spread out so that the common enemies (transcription errors in one place) aren't fatal. The system is designed against different threat models. -- Andy Steingruebl stein

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-25 Thread Andy Steingruebl
. And, even learning the basics of what an algorithm is is tricky, much less learning defensive programming, etc. So, yes, it is an advanced concept for the majority of beginning programmers. -- Andy Steingruebl stein...@gmail.com

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Andy Steingruebl
On Wed, Aug 19, 2009 at 2:15 PM, Neil Matatall nmata...@uci.edu wrote: Inspired by the What is the size of this list? discussion, I decided I won't be a lurker :) A question prompted by http://michael-coates.blogspot.com/2009/04/universities-web-app-security.html and the OWASP podcast

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-25 Thread Andy Steingruebl
class objects and I think you'll see what I mean. http://en.wikipedia.org/wiki/Lambda_calculus gem (supposedly still on vacation, but it is a rainy day) http://www.cigital.com/~gem http://www.cigital.com/%7Egem On 3/24/09 2:50 PM, Andy Steingruebl stein...@gmail.com wrote: On Mon, Mar 23

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-25 Thread Andy Steingruebl
On Wed, Mar 25, 2009 at 10:18 AM, ljknews ljkn...@mac.com wrote: Worry about enforcement by the hardware architecture after you have squeezed out all errors that can be addressed by software techniques. Larry, Given the focus we've seen from Microsoft and protecting developers from

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-24 Thread Andy Steingruebl
problem here isn't just type safety. Just like in the HTML example. The core problem is that the language/format mixes code and data with no way to differentiate between them. Or is my brain working too slowly today? -- Andy Steingruebl stein...@gmail.com

Re: [SC-L] Security in QA is more than exploits

2009-02-05 Thread Andy Steingruebl
in the same way that if you have mostly junior programmers who are lucky to get their code to compile you're probably not going to have a lot of luck training them on formal proofs, rigorous design, etc. -- Andy Steingruebl stein...@gmail.com

Re: [SC-L] Security in QA is more than exploits

2009-02-05 Thread Andy Steingruebl
QA cycle. -- Andy Steingruebl stein...@gmail.com

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Andy Steingruebl
On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson [EMAIL PROTECTED]wrote: but actually the main point of my post and the one i would like to hear people's thoughts on - is to say that attempting to apply principle of least privilege in the real world often leads to drilling dry wells. i am

Re: [SC-L] No general-purpose computer, or everything under surveillance?

2008-05-13 Thread Andy Steingruebl
controls. These pollution controls often inhibit your max speed, acceleration, etc. They are really hard to, or impossible to disable. They also make our environment cleaner. Which is the right analogy for the personal computer? -- Andy Steingruebl [EMAIL PROTECTED

Re: [SC-L] Microsoft's message at RSA

2008-05-09 Thread Andy Steingruebl
with developers, its whether its going to fly with the public at large. Are people (and their proxies - Governments) going to finally demand a change in the rules/game? -- Andy Steingruebl [EMAIL PROTECTED]

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Andy Steingruebl
to the development conference organizer? -- Andy Steingruebl [EMAIL PROTECTED]

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Andy Steingruebl
for our evangelizing... Thoughts? -- Andy Steingruebl [EMAIL PROTECTED]

Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Andy Steingruebl
Netegrity originally for the wrong reasons, but they picked it and in implementing it correctly did themselves a huge service. Just one data point on leading with a tool that focused more on architecture and design than it did on finding defects. -- Andy Steingruebl [EMAIL PROTECTED

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-29 Thread Andy Steingruebl
approach on this issue. We'd want to know a lot more about how the economics work out on a small scale before applying it to all software. -- Andy Steingruebl [EMAIL PROTECTED]

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-29 Thread Andy Steingruebl
On Nov 29, 2007 6:07 PM, Blue Boar [EMAIL PROTECTED] wrote: Andy Steingruebl wrote: I like contractual approaches to this problem myself. People buying large quantities of software (large enterprises, governments) should get contracts with vendors that specify money-back for each patch