Re: [SC-L] More on Cyber War

2010-06-18 Thread Dave Aronson
Don't forget about the millionaire cyber-terrorist, osama:/bin/login.  ;-)

-- 
Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
-+ Play: davearonson.net | \/ Ribbon
Specialization is for insects. | Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein  | Wife: nasjleti.net| EmailWeb
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Dave Aronson
Mike Boberski mike.bober...@gmail.com wrote:

> A toolkit example that comes to mind, to keep this email short: the
> highly-matrixed environment (and actually also the smaller environment, now
> that I think about it) where developers fly on and off projects.

I don't quite grok what you're saying here.  The syntax looks like
you're saying that matrix management is a tool or toolkit, which
doesn't make sense to me.  Your next paragraph:

> Toolkits that enforce coding standards, and that are treated like any other
> module of the application in terms of care and feeding, are the only things
> that give security a fighting chance in environments like those.

seems more like you're saying it's an environment conducive to bad
security.  Now that I can agree with, and would extend it to quality
in general.

A typical large-company matrix management environment seems very
conducive instead to an attitude of "who gives a flying fig, all I
have to do is make it work well enough to get the customer to sign
off."  A given worker is unlikely to ever work on that same project
again, so the usual "write it well so that you can read it well later"
doesn't apply, and there's little to no other reward to write it well
to be nice to the next poor sod who has to read it.  All the more so
in the typical Beltway Bandit (DC-speak for government contractors,
especially defense) environment, where they'll probably be laid off in
a few years anyway, so they won't be pestered by colleagues with
questions,

As for the tools, again absolutely agreed, though I'd place less
emphasis on some of the pickier aspects of coding standards (like do
block-opening braces get their own line, and do you put a space before
the opening paren of a function call's argument list), and more on any
automagically detectable security (or other types of quality) flaws.
A couple years ago I was on a project where I was trying desperately
to get the company to buy some kind of static analyzer, so we could
use it as part of our CM process and have Subversion automagically
reject changesets that introduced flaggable flaws.  I did at least
manage to set up the makefiles so that it would warn if any module had
no unit tests, and fail to build if any unit tests failed.

On the other claw, I still don't grok what you mean by "treated like
any other module of the application".  Maybe it's just a matter of
preferred phrasing, but "like any other *aspect*" is closer to at
least my own thoughts on it.  IOW, they usually ask "does it do the
job right" (verification) and maybe "does it do the right job"
(validation), but should also ask (for security) "does it Do The Right
Thing (whatever that may be) in the face of all foreseeable types of
attacks", and (for quality) "diDTRT(wtmb)itfoafto *errors* (including
those forced by an attack!)" and "is it maintainable".

-Dave

-- 
Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
-+ Play: davearonson.net | \/ Ribbon
Specialization is for insects. | Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein  | Wife: nasjleti.net| EmailWeb


Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-17 Thread SC-L Reader Dave Aronson
Chris Wysopal cwyso...@veracode.com wrote:

> In certain cases like aircraft where the economic pain of failure
> is high you get DO-178B, Software Considerations in Airborne Systems and
> Equipment Certification.  For that type of software you might see the
> purchase of highly reliable libraries that have also met that certification.

Good point!  That's like how my former employer (BAE Systems) relied
for sales on those who NEEDED a data guard (or whatever) to be on a
platform that passed high levels of common criteria evaluation.  If it
weren't for that, similar software would have run just fine under
Linux (even without SE) or even Windows.

-Dave

--
Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
-+ Play: davearonson.net | \/ Ribbon
Specialization is for insects. | Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein  | Wife: nasjleti.net| EmailWeb


[SC-L] new job!

2009-10-17 Thread SC-L Reader Dave Aronson
Since the Powers that Be let me post my plea for job help, I figured
I'd let y'all know the outcome.

Long story short, I have accepted a position at Comcast, in the
National Engineering and Technical Operations group, in Herndon VA
(possibly moving to Reston VA soonish), starting in probably a week or
two.  I will no longer be in a position related to security, but will
still participate here, and in the broader secure coding community, as
time allows -- and keep trying to spread the gospel.  ;-)

Thanks for all your help,
Dave

-- 
Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
-+ Play: davearonson.net | \/ Ribbon
Specialization is for insects. | Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein  | Wife: nasjleti.net| EmailWeb


Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-14 Thread SC-L Reader Dave Aronson
Andreas Saurwein Franci Gonçalves saurw...@gmail.com wrote
(rearranged into correct order):

> 2009/10/13 Bobby Miller b.g.mil...@gmail.com
>
>> The obvious difference is parts.  In manufacturing, things are assembled
>> from well-known, well-specified, tested parts.  Hmmm
>
> That's the idea of libraries. Well known, well specified, well tested parts.
> Well, whatever.

Ideally, yes.  However, programmers love to reinvent the wheel.  It's
MUCH easier, both to do and to get away with, in software than in
hardware... and often necessary.

Need a bolt of at least a given length and strength, less than a given
diameter?  There are standard thread sizes, and people make bolts of
most common threadings and lengths, for purchase at reasonable prices,
at places easily found, and you can be fairly certain that any given
one of them will do the job quite well.

Need a function for your program?  If it's as common as a bolt, it's
probably already built into the very language.  If it's nearly as
common, maybe there's a fairly standard library for it... and if
you're very lucky, it's not too buggy or brittle.  Otherwise, it's
probably going to be much cheaper (which is all your management
probably cares about) to just code the damn thing yourself, than to
research who makes such a thing, which ones there are, who says which
one is how reliable, which ones have licensing terms your company
finds palatable, and justifying your choice to management.  Lord help
you if it requires money, because then you have to justify it to a
higher degree, get the beancounters involved, budgetary authority from
possibly multiple layers of manglement, and spend the rest of your
days filling out purchase orders.

If you do wind up coding it yourself, is the company then going to
make that piece of functionality available to the world separately,
whether for profit or open source?  N times out of N+1, for very large
values of N, no way!

Will they at least make it available *internally*, so that *they*
don't have to reinvent the wheel *next* time?  Again, N times out of
N+1, for almost as large values of N, no.

-Dave

-- 
Dave Aronson, software engineer or trainer for hire.
Looking for job (or contract) in Washington DC area.
See http://davearonson.com/ for resume & other info.



Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread SC-L Reader Dave Aronson
Goertzel, Karen [USA]goertzel_ka...@bah.com wrote:

> If determination of functional correctness were extended from must
> operate as specified under expected conditions to must operate as
> specified under all conditions, functional correctness would necessarily
> require security, safety, fault tolerance, and all those other good things
> that make software dependable instead of just correct.

A much-too-late entry for the bumper sticker contest we had here a few
years back:

 Works as you wish, under all condish.

(Okay, okay, so maybe that kind of abbreviating is a bit out of
style... by 70 years or so)

-Dave

-- 
Dave Aronson, software engineer or trainer for hire.
Looking for job (or contract) in Washington DC area.
See http://davearonson.com/ for resume & other info.


Re: [SC-L] Insecure Java Code Snippets

2009-05-08 Thread SC-L Reader Dave Aronson
ljknews ljkn...@mac.com wrote:

> At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
>> Quoting ljknews ljkn...@mac.com:
>>> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>>>> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code.
>>>> They can be really hard to figure out,
>>> And yet people keep choosing those programming languages.
>> They offer quite a bit of power in exchange for the danger.
> I would be interested in hearing what they can do that cannot
> be done in Ada.

It's rarely (I won't say never!) a question of what *can't* be done in
language X or Y.  Usually, it's about what's *easier* to do in X or Y.
Sometimes the security tradeoff is worth taking the hard way, but
sometimes the choice is to the point of being at all practical or not.

-Dave, making good progress on the job hunt, thanks in part to people here

-- 
Dave Aronson, software engineer soon to be for hire.
Looking for job (or contract) in Washington DC area.
See http://www.davearonson.com/ for resume - if that
is down see http://mysite.verizon.net/~nosnoraevad/.


[SC-L] more relevant certifications

2009-03-20 Thread SC-L Reader Dave Aronson
Paco Hope p...@cigital.com wrote:

> just as overly-simplistic as
> someone who disparages all credentials equally.

On that note... my company (BAE Systems) has been pushing for people
to become CISSPs, because in turn the main client (US gov) has been
pushing for contractors to have a bunch of CISSPs on the projects.
But, it seems as though that cert is very heavily loaded down with
things that front-line grunts like me will NEVER use.  I doubt I'll
ever get to decide where a data center is located, let alone the
entire building, nor what kind of fire detection/suppression or
physical security systems it has, and I can probably forget about
dictating HR policy as well.

So, I was considering other certs, that seem much more relevant.  The
main relevant one I've heard of is the GSSP (GIAC Secure Software
Programmer).

1) What do y'all think of that one?

2) It looked to me as though, other than perhaps from buying books,
there is one and only one GSSP practice exam, and it can be taken only
once.  Am I wrong?  Do you know of any others available for free,
preferably to be taken online?

3) Have you heard of any other certs relevant for those of us who
mainly design and implement computer-based systems, which will usually
undergo security scrutiny, and usually have little to no say about all
the other stuff around it?  (Preferably not technology-specific, as
opposed to for example a Secure Java or Secure Web-Apps cert.)
Compare and contrast, as the teachers would say.

Thanks,
Dave

-- 
Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
| Play: davearonson.net | \/ Ribbon
Specialization is for insects.| Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein | Wife: nasjleti.net| EmailWeb


Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

2009-03-19 Thread SC-L Reader Dave Aronson
Jeremy Epstein jeremy.j.epst...@gmail.com wrote:

> I'm pleased to announce the creation of LAMN, the Legion Against Meaningless
> certificatioNs.  If you don't have a CISSP, CISM, MCSE, or EIEIO - and
> you're proud of it - this group is for you.

Heh.  I'm going to be giving a speech today in which I mention PMPs,
CISSPs, MCSEs, MDs, JDs, DDSes, and other assorted CAS -- that's
Certified Alphabet Soup.

-Dave

-- 
Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII
| Play: davearonson.net | \/ Ribbon
Specialization is for insects.| Life: dare2xl.com | /\ Campaign
-Robert A. Heinlein | Wife: nasjleti.net| EmailWeb


Re: [SC-L] Perspectives on Code Scanning

2007-06-07 Thread SC-L Subscriber Dave Aronson
McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED] writes:

> the value of tools in this space are not really targeted at developers
> but should be targeted at executives who care about overall quality and
> security folks who care about risk. While developers are the ones to
> remediate, the accountability for secure coding resides elsewhere.

Sort of.  There are multiple levels of accountability.  As has been said here 
many times: the developers should be held accountable for producing secure 
software, but the management must give them the time and tools to do so, and 
management usually places far higher priority on things like ease of use and 
especially on time to market.

> It would seem to be that tools that developers plug into their IDE should
> be free since the value proposition should reside elsewhere. Many of these
> tools provide audit functionality and allow enterprises to gain a view
> into their portfolio that they previously had zero clue about and this is
> where the value should reside.

Heh.  Yeah, I'd like to see some executive dashboard saying things like "whose
code currently generates the most warnings", especially if those warnings are
from security analysis tools.  B-)  Of course, most executives won't bother
looking at something that techy, let alone understand the significance.  B-(

> If there is even an iota of agreement, wouldn't it be in the best interest
> of folks here to get vendors to ignore developer specific licensing and
> instead focus on enterprise concerns?

Unfortunately, that often means that ANY license at all for it will be 
horrendously expensive, so that small shops are totally cut out.

-Dave

-- 
Dave Aronson
Specialization is for insects.  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/





Re: [SC-L] Best practices for encrypting client-side data

2007-05-09 Thread SC-L Subscriber Dave Aronson
Robin Sheat [mailto:[EMAIL PROTECTED] wonders:

> What I did was take the user's password to create a key

What happens when the user changes his password?  I didn't quite follow it all, 
but it looks to me like that means that all of a user's data has to be 
decrypted and re-encrypted.  You didn't tell us how much data that is, so I'm 
going to ass-u-me that it *could* be a lot.

Perhaps you could base the encryption on more stable data, such as the user 
name combined with when the user joined.  This could be used to encrypt the 
data directly, or, as you proposed, to encrypt the actual key.  How difficult 
would it be for the attacker to figure out whose data something is, and when 
they joined, or whatever else you base your encryption on, AND the fact that 
that's how you encrypt?  If finding that out would be pretty much trivial, 
there goes all your protection, under the above scheme.

Also, just how secure do you need it to be?  Don't waste a thousand-dollar lock 
on a fifty-dollar bicycle.  Is this data actually a tempting target for 
attackers who are clueful and resourceful (in both the senses of clever and 
able to spend a lot)?

-Dave

-- 
Dave Aronson
Specialization is for insects.  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/
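The arrangement discussed in this message (using the password to encrypt the actual key rather than the data), as an added Go example that is not part of the original thread: a random data-encryption key is wrapped under a key derived from the password, so a password change re-wraps that one key and leaves every record exactly as it was. AES-256-GCM for both layers, the PBKDF2-HMAC-SHA256 derivation written inline, the 100,000-iteration work factor, and the sample record and passwords are all assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vault is what rests on disk: a salt plus the random data-encryption key (DEK)
// wrapped under the password-derived key-encryption key (KEK); records live under the DEK.
type Vault struct {
	Salt       []byte
	WrappedDEK []byte // nonce || AES-256-GCM ciphertext of the DEK
}

const kdfIterations = 100_000 // PBKDF2 work factor; a constructed choice for this example

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, inline to stay stdlib-only.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index INT(1)
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// must panics on error: a failing CSPRNG or cipher setup is nothing to continue past.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal returns nonce || AES-256-GCM ciphertext under a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; a wrong key or a tampered blob fails the GCM tag check.
func unseal(key, blob []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// NewVault generates a random DEK and wraps it under the initial password.
func NewVault(password string) *Vault {
	salt := randomBytes(16)
	kek := pbkdf2SHA256([]byte(password), salt, kdfIterations)
	return &Vault{Salt: salt, WrappedDEK: seal(kek, randomBytes(32))}
}

// Unlock recovers the DEK; a wrong password surfaces as a GCM authentication error.
func (v *Vault) Unlock(password string) ([]byte, error) {
	return unseal(pbkdf2SHA256([]byte(password), v.Salt, kdfIterations), v.WrappedDEK)
}

// ChangePassword re-wraps the same DEK under a new salt and KEK; data under the DEK is untouched.
func (v *Vault) ChangePassword(oldPw, newPw string) error {
	dek, err := v.Unlock(oldPw)
	if err != nil {
		return err
	}
	salt := randomBytes(16)
	v.Salt, v.WrappedDEK = salt, seal(pbkdf2SHA256([]byte(newPw), salt, kdfIterations), dek)
	return nil
}

func main() {
	v := NewVault("old-password")
	record := seal(must(v.Unlock("old-password")), []byte("constructed sample record"))
	if err := v.ChangePassword("old-password", "new-password"); err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", must(unseal(must(v.Unlock("new-password")), record))) // constructed sample record
}
```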





Re: [SC-L] How big is the market?

2007-04-24 Thread SC-L Subscriber Dave Aronson
McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED] writes:

> I just conducted a super-official study of what my peers are reading by
> walking a total of five aisles within a very large building. Here are a
> list of magazines on folks desk:
>
> - Infoworld
> - Java Developers Journal
> - Insurance & Technology
> - DMReview
> - Intelligent Enterprise
> - CIO
> - Insurance Networking News

I'd also suggest Software Development, and maybe Information Security.

-Dave

-- 
Dave Aronson
Specialization is for insects.  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/




Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread SC-L Subscriber Dave Aronson
[EMAIL PROTECTED] writes:

> certifications such as CISSP whereby the exams that
> prove you are a security professional talk all about
> physical security and network security but really don't
> address software development in any meaningful way.

Perhaps what is needed is a separate certification.  It would be nice to know 
that someone knows how to write software in a secure manner, but it's not 
necessary that they know all about physical security, firewall rules, etc.  It 
could even be done at multiple levels, like Sun's Java certs, to certify 
knowledge of secure design principles vs. secure *implementation* principles, 
maybe even going onward to principles of building security into the process.  
Something like, say, Certified Secure Programmer, Coder, and Software Engineer, 
respectively.

> Would be intriguing for folks here that blog to discuss ways

...in their blogs?  <rant size=micro>That's not discussion, that's
pontificating.  It also detracts from discussion, by fracturing it.</rant>
Discussion is what we're having *here*, so whether someone blogs is irrelevant.

-Dave





Re: [SC-L] Compilers

2006-12-27 Thread SC-L Subscriber Dave Aronson
Tim Hollebeek [mailto:[EMAIL PROTECTED] wonders:

> are shops that insist on warning free compiles really that rare?

Yes.  I've worked for or with many companies over the years, totalling probably 
somewhere in the mid-teens or so.  In all that, there was, to the best of my 
recollection, only ONE that insisted on it, other than my own one man show.  
Add to that, numerous open source apps I've compiled; I haven't kept track of 
how many were warning-free, but it's rare enough that I consider it a pleasant 
surprise.

In several projects, I fixed some nasty bugs (inherited from other people) by 
turning warnings on (they were often totally suppressed!), and fixing the 
things that the warnings were trying to warn me about.  This is of course 
obvious to you and me, and probably to most of this list, but apparently not to 
the vast majority of programmers (even so-called software engineers), let alone 
people in any position of authority to set such policies.  :-(

-Dave

-- 
Dave Aronson
Specialization is for insects.  -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/





Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] writes:

> The main thing I wonder is, what do you think? When you have a hot
> demonstration of an exploit, how do you responsibly release it?

This isn't so much about that, in the usual sense. This was, as you say, a 
well-known vulnerability, one screamingly obvious to anybody who bothered to 
think about how to get around the No-Fly List. Bruce Schneier wrote about it on 
his blog long ago, as did many others.

> What role do such demonstrations play in moving software security forward?

It could help dramatically. Not so much because of the demo itself, which will 
of course be ignored by the Powers that Be, but the publicity around it. That 
might possibly eventually make enough of a dent in the public consciousness, to 
wake them up to the fact that what the PTBs have been doing is almost all just 
security THEATER.

However, it depends how much the media gives background. Unfortunately, even a
brief blurb like "this flaw in the No-Fly List concept has been well known for
several years" is unlikely to be aired or printed, since it takes valuable
time/space away from the latest scandals of skanky socialites and other such
much more important news. Without this little bit of trivia, the sheeple will 
just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor 
in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag.

-Dave

-- 
Dave Aronson
Specialization is for insects. -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/





Re: [SC-L] Coding with errors in mind - a solution?

2006-08-30 Thread Dave Aronson
William L. Anderson wrote:

> Years ago I had to write a Fortran
> program as part of a job interview. The program problem was quite
> simple, and I wrote one that checked for as many errors as I could think
> of. My interviewer wanted to know what took me so long. I didn't get an
> offer.

Years ago (probably not as many), I had to write a C program for a job 
interview.  I also had it test for practically every error I could think 
of, mainly input format errors.  I did get the offer, but I was told 
that the company placed such a premium on performance (it was telephony 
stuff) that I should not be quite so thorough on the error checking.
Silly me, I had thought that they would also value reliability.

> My 2 cents is that people are not really willing to pay for software
> with the kinds of qualities that we talk about in this list (which is
> about more than security).

Well, *most* people anyway.  The avionics, medical, and suchlike fields 
are quite another story.

> Bill Anderson

Is this perchance the Bill Anderson who was my great grandboss until 
he left BAE for Cryptek?

-- 
Dave Aronson
http://www.davearonson.com/
Specialization is for insects. -Heinlein


[SC-L] bumper sticker slogan for secure software

2006-07-18 Thread SC-L Subscriber Dave Aronson
Paolo Perego [mailto:[EMAIL PROTECTED] writes:

> Software is like Titanic, people claim it was unsinkable. Securing is
> providing it power steering

But power steering wouldn't have saved it.  By the time the iceberg was 
spotted, there was not enough time to turn that large a boat.  Perhaps radar, 
but that doesn't make a very good analogy.  Maybe a thicker tougher hull and 
automatic compartment doors?

-Dave






[SC-L] bumper sticker slogan for secure software

2006-07-17 Thread SC-L Subscriber Dave Aronson
mikeiscool [mailto:[EMAIL PROTECTED] writes:

> The point remains though: trimming this down into a friendly little
> phrase is, IMCO, useless.

One of the common problems in trying to persuade the masses of ANYTHING, be it 
the importance of secure software, the factual or moral correctness of your 
political stances, etc., is how to communicate it so that they will understand 
and receive the message.  You can easily confuse them, bore them, or turn them 
against yourself.  Truly putting it on bumper stickers is likely to be useless, 
but this is a useful exercise in thinking how we could express the concept 
briefly and simply.

Another useful thing would be if all engineers would enroll in Toastmasters, 
but that's another story.  ;-)

-Dave, Governor of Toastmasters Area 63 (District 27)





Re: [SC-L] (no subject)

2006-07-17 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] wrote:

> I wrote a book with viega a few years ago called building secure
> software...

Yes, John gave us all copies.  Didn't bother to get it autographed though.  :-)

> it was not about that company (at all).

It certainly was not about the horribly broken software I spent months banging
my head against a wall trying to fix.  :-(

> P.s. I actually like ivan's quip as reported by crispy.

Me too.  It contains the ideas I was trying to convey, more clearly, but it's 
still too long to fit on a bumper sticker.  :-)

-Dave





Re: [SC-L] Spot the bug

2005-07-21 Thread Dave Aronson
Christopher Canova [EMAIL PROTECTED] wrote:

> It seems to me that they may be shifting from a
> Deploy-first-ask-questions-later tactic to a
> Code-it-right-before-its-out-the-door.

They always did "code it right before it's out the door".  It's just a
question of where you put the comma.  ;-

-Dave




Re: [SC-L] Credentials for Application use

2005-05-13 Thread Dave Aronson
Gizmo [EMAIL PROTECTED] wrote:

> the efficacy of the encryption is of some question.
> Basically, it keeps honest people honest.

Sounds a little better than I thought, but I'd still be worried about the 
owner name leaking into less honest hands.

> 1)  The app is architected around the Btrieve DB, which uses a
> proprietary API.  We can argue the merits of that until the cows come
> home, but it probably isn't relevant to this list.

Right, though come to think of it, the whole question is borderline 
off-topic, seeing as this is *Secure* Coding, not *Security* 
Coding.  :-)


Re: [SC-L] Credentials for Application use

2005-05-12 Thread Dave Aronson
Gizmo [EMAIL PROTECTED] wrote:

> I have a similar situation in one of my applications.  The
> customer wishes to secure the database.  Since we use a Btrieve
> database, the only way to do
> this is by setting an owner name on the DB, and then
> encrypting using the owner name as the password.

That sure doesn't sound secure to me!  Does BTrieve make it easy, 
difficult, or impossible to see what users own what dbs?  Does it make 
it easy/diff/imposs to see what users exist?  Does it have well-defined 
syntax rules for the usernames, and maybe even a fairly short maximum 
length?  Unless the names can be very long (as in, at least a few dozen 
chars), with very little restriction on content (as in, case sensitive, 
and including spaces and punctuation), and BT makes it *impossible* to 
see what users exist, let alone own what, then the entire security 
there is basically nothing more than one incredibly weak password.

> However, once the DB is secured, you can't
> access it unless you have the owner name, and giving out the
> owner name to everyone who uses the app to access the DB pretty much
> defeats the whole purpose of the exercise.

Looks like BTrieve security is pretty much useless, except possibly for 
giving a tiny bit of protection to transmission of the entire db.

  The only way I can see to deal with this is something
  similar to what I've done in my app:

You probably don't need to get that fancy.  The first question that both 
I and my wife thought of is, why not migrate to something with more 
useful security than BT?  B-)

But seriously, that brings up the very first question usually asked when 
developing a security strategy.  Exactly what threat(s) are you trying 
to secure it *against*?  Who will be doing what, how, maybe why, 
possibly even when and (from) where?

  and the registry.

...which means you're running Windows, which means security isn't really 
much of a priority after all.  B-)/2

-Dave




Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Dave Aronson
Crispin Cowan [EMAIL PROTECTED] wrote:

  ISPs could also position a non-restricted account as an expert
  account and charge extra for it.

That already happens in many cases, except they call it a "business 
class" account.  The only one I've heard called some kind of "expert" 
account is that Speakeasy has packages with different sets of extras for 
the same price, such as SysAdmin (access to their rpmfind mirror), Gamer 
(access to gaming servers), and one I forget the name of (access to 
music servers).  All of the above allow you to run your own servers.

-Dave




Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-11 Thread Dave Aronson

Dave Paris [EMAIL PROTECTED] wrote:

  The builder and the programmer are synonymous.
 
  The builder is neither the architect, nor the engineer for the
  structure.  If the architect and engineer included security for the
  structure and the builder failed to build to specification, then the
  builder is at fault.
 
  The programmer is neither the application architect nor the system
  engineer.

This is often not true, even on some things that stretch a single
programmer's productivity to the limits (which makes it even worse).

Programmers work within the specs they are given.  That can (NOT SHOULD!)
be anything from "use this language on this platform to implement this
algorithm in this style", to "we need something that will help us
accomplish this goal".  The latter cries out for a requirements analyst
to delve into it MUCH further, before an architect, let alone a
programmer, is allowed anywhere NEAR it!  However, sometimes that's all
you get, from a customer who is then NOT reasonably easily available to
refine his needs any further, relayed via a manager who is clueless
enough not to realize that refinement is needed, to a programmer who is
afraid to say so lest he get sacked for insubordination, and will also
have to architect it.

If this has not happened at your company, you work for a company with far
more clue about software development than, I would guess, easily 90% of
the companies that do it.

-Dave



OT re Cliff Stoll (was Re: [SC-L] Top security papers)

2004-08-11 Thread Dave Aronson
Nash [EMAIL PROTECTED] wrote:

  _Cuckoo's_Egg_, Clifford Stall.
 
  http://www.amazon.com/exec/obidos/tg/detail/-/0671726889/102-7543362-2026532?v=glance
 
  [Ed. That's Cliff Stoll, not Stall.  Great book, though -- IMHO! 
  KRvW]

For more on what Cliff's been up to lately, see:

  http://www.kleinbottle.com/

I got one several years ago.

-- 
David J. Aronson, Contract Software Engineer in Washington DC area
Resume and other information online at: http://destined.to/program

[Ed. Yes, this is WAY off topic...  Let's make this the last of 
the sub-thread, ok?  KRvW]


Re: [SC-L] Programming languages -- the third rail of secure coding

2004-07-20 Thread Dave Aronson
Michael S Hines [EMAIL PROTECTED] wrote:

  I've been compiling a list of programming languages...

You missed FORTRAN, ICON, REXX, SNOBOL, and the assorted OS-based shell 
scripting languages (bash/csh/ksh/etc., VMS DCL, DOS .bat, etc.).  I've 
heard of JOVIAL, which I *think* is a programming language used almost 
exclusively in the US military.  Since a few companies make things that 
translate it into code, you might consider UML as well.  Then there are 
a gazillion languages for particular commercial packages -- you got 
Oracle's PL/SQL, but there are also dBase/Clipper, FrEd (Framework 
Editor, from an old integrated office suite), Lotus 1-2-3 macros, and 
many more.

Also, depending on your definition of programming language (versus 
markup language and a few other types), you might have a few extras as 
well.

-- 
David J. Aronson, Contract Software Engineer in Washington DC area
Resume and other information online at: http://destined.to/program




Re: [SC-L] Missing the point?

2004-04-20 Thread Dave Aronson
On Tue April 20 2004 12:34, Michael A. Davis wrote:

  It is not the source code that is the
  problem -- it is the developer.

The proof of the developer's grokking of secure coding, is in the code.

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
http://www.securesoftware.com is HIRING developers/auditors! 


Re: [SC-L] User Education Tool?

2004-03-04 Thread Dave Aronson
On Thu March 4 2004 10:17, Andreas Saurwein wrote:

  Now, doing something really flashy like creating a virus-like
  application as follows:
  * it is sent as zipped attachment
  * when opened, it brings a huge, clear message, that the user would
  now have been infected with a virus. A short, understandable message
  explaining why and how to avoid it would be appropriate.
  * it asks the user for permission to forward itself to the user's
  contacts, to help spread the education.
 
  Would that still classify as virus? Or would that pass as something
  else? Would a measure like this be of any success? What other
  measure could reach the critical user groups?

Those of us who receive viri, or bounce-reports alleging that we sent 
one, are in the address books of lusers who open viri.  Don't subject us 
to more of this $#!^ than we already are.  Remove the "may I spam your 
friends" aspect, asking them instead to manually forward it to any of 
their friends that they think could use the education, and it might be 
tolerable.

Either way (especially if the manual forwarding is done with the help of 
pulling up the contact list), you can bet some jackass will attach a 
malicious payload, probably triggered right *after* you spread it.  So 
much for being able to treat it as innocent.

Find a way to substitute, for the whole mess, an arm coming out of the 
computer and bitchslapping the idiot silly while calling his attention 
to how incredibly stupid he has just been, and you've got something.  
B-)

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
WE'RE HIRING developers, auditors, and VP of Prof. Services.