Re: [SC-L] More on Cyber War
Don't forget about the millionaire cyber-terrorist, osama:/bin/login. ;-)

-- 
Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | Play: davearonson.net | Life: dare2xl.com | Wife: nasjleti.net
"Specialization is for insects." -Robert A. Heinlein | ASCII Ribbon Campaign
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] InformIT: You need an SSG
Mike Boberski mike.bober...@gmail.com wrote:

> A toolkit example that comes to mind, to keep this email short: the highly-matrixed environment (and actually also the smaller environment, now that I think about it) where developers fly on and off projects.

I don't quite grok what you're saying here. The syntax looks like you're saying that matrix management is a tool or toolkit, which doesn't make sense to me. Your next paragraph:

> Toolkits that enforce coding standards, and that are treated like any other module of the application in terms of care and feeding, are the only things that give security a fighting chance in environments like those.

seems more like you're saying it's an environment conducive to bad security. Now that I can agree with, and would extend it to quality in general. A typical large-company matrix management environment seems very conducive instead to an attitude of "who gives a flying fig, all I have to do is make it work well enough to get the customer to sign off." A given worker is unlikely to ever work on that same project again, so the usual "write it well so that you can read it well later" doesn't apply, and there's little to no other reward to write it well to be nice to the next poor sod who has to read it. All the more so in the typical Beltway Bandit (DC-speak for government contractors, especially defense) environment, where they'll probably be laid off in a few years anyway, so they won't be pestered by colleagues with questions.

As for the tools, again absolutely agreed, though I'd place less emphasis on some of the pickier aspects of coding standards (like "do block-opening braces get their own line" and "do you put a space before the opening paren of a function call's argument list"), and more on any automagically detectable security (or other types of quality) flaws.

A couple of years ago I was on a project where I was trying desperately to get the company to buy some kind of static analyzer, so we could use it as part of our CM process and have Subversion automagically reject changesets that introduced flaggable flaws. I did at least manage to set up the makefiles so that it would warn if any module had no unit tests, and fail to build if any unit tests failed.

On the other claw, I still don't grok what you mean by "treated like any other module of the application". Maybe it's just a matter of preferred phrasing, but "like any other *aspect*" is closer to at least my own thoughts on it. IOW, they usually ask "does it do the job right" (verification) and maybe "does it do the right job" (validation), but should also ask (for security) "does it Do The Right Thing (whatever that may be) in the face of all foreseeable types of attacks", and (for quality) "diDTRT(wtmb)itfoafto *errors* (including those forced by an attack!)" and "is it maintainable".

-Dave
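The changeset gate Dave describes above, as an added example that is not part of the original post or any list member's code: a Go program of the kind a Subversion pre-commit hook could call. It takes a unified diff and the repository's file list, flags banned C calls only on lines the changeset introduces, and flags any touched C module that has no unit test file. The banned-call list, the test/test_<module>.c naming convention and the sample diff are all constructed assumptions standing in for a real static analyzer's ruleset and a real repository.

```go
package main

import (
	"fmt"
	"os"
	"path"
	"regexp"
	"sort"
	"strings"
)

// Finding is one reason the hook would refuse the changeset; Line is empty for a missing-test finding.
type Finding struct{ File, Line, Rule string }

// bannedCalls stands in for a real analyzer's ruleset (an assumption of this example).
var bannedCalls = regexp.MustCompile(`\b(gets|strcpy|strcat|sprintf|system)\s*\(`)

// addedLinesByFile walks a unified diff and returns, per touched file, only the lines the
// changeset introduces, so a commit is judged on the flaws it adds, not ones it inherits.
func addedLinesByFile(diff string) map[string][]string {
	added := map[string][]string{}
	current := ""
	for _, raw := range strings.Split(diff, "\n") {
		switch {
		case strings.HasPrefix(raw, "+++ "):
			current = strings.TrimPrefix(raw, "+++ ")
			if i := strings.IndexAny(current, "\t("); i >= 0 { // svn: "path\t(working copy)"
				current = current[:i]
			}
			current = strings.TrimPrefix(current, "b/") // git: "b/path"
		case strings.HasPrefix(raw, "+") && current != "":
			added[current] = append(added[current], raw[1:])
		}
	}
	return added
}

// Gate applies two checks: no banned call on an introduced line, and a unit test file for
// every C module touched. repoFiles is the repository's file list after the change (a real
// hook would get it from `svnlook tree`); the test/test_<module>.c layout is assumed.
func Gate(diff string, repoFiles []string) []Finding {
	have := map[string]bool{}
	for _, f := range repoFiles {
		have[f] = true
	}
	added := addedLinesByFile(diff)
	files := make([]string, 0, len(added))
	for f := range added {
		files = append(files, f)
	}
	sort.Strings(files) // map order is random; a report should not be
	var findings []Finding
	for _, file := range files {
		for _, l := range added[file] {
			if m := bannedCalls.FindStringSubmatch(l); m != nil {
				findings = append(findings, Finding{file, strings.TrimSpace(l), "banned call " + m[1] + "()"})
			}
		}
		if strings.HasSuffix(file, ".c") && !strings.HasPrefix(file, "test/") {
			want := "test/test_" + strings.TrimSuffix(path.Base(file), ".c") + ".c"
			if !have[want] {
				findings = append(findings, Finding{file, "", "no unit test file " + want})
			}
		}
	}
	return findings
}

// sampleDiff is a constructed git-style diff: src/net.c introduces two banned calls and
// has no test file; src/util.c adds only an include and does have one.
const sampleDiff = `--- a/src/net.c
+++ b/src/net.c
@@ -10,5 +10,7 @@
 int read_name(int fd, char *out, size_t n)
 {
-    char buf[64];
+    char buf[64];
+    strcpy(buf, "name=");
+    gets(buf + 5);
     return recv(fd, out, n, 0);
 }
--- a/src/util.c
+++ b/src/util.c
@@ -1,1 +1,2 @@
+#include <string.h>
 size_t safe_len(const char *s, size_t max) { return strnlen(s, max); }
`

func main() {
	findings := Gate(sampleDiff, []string{"src/net.c", "src/util.c", "test/test_util.c"})
	for _, f := range findings {
		fmt.Printf("REJECT %s: %s  %s\n", f.File, f.Rule, f.Line)
	}
	if len(findings) > 0 {
		os.Exit(1) // a non-zero exit is how a pre-commit hook refuses the commit
	}
}
```

A real hook would obtain the diff with `svnlook diff` and the file list with `svnlook tree`, and only the exit status matters to Subversion. The build-time checks Dave mentions (warn on a module with no tests, fail if any test fails) belong in the makefile, since a commit hook is the wrong place to run a test suite.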
Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)
Chris Wysopal cwyso...@veracode.com wrote:

> In certain cases like aircraft where the economic pain of failure is high you get DO-178B, "Software Considerations in Airborne Systems and Equipment Certification". For that type of software you might see the purchase of highly reliable libraries that have also met that certification.

Good point! That's like how my former employer (BAE Systems) relied for sales on those who NEEDED a data guard (or whatever) to be on a platform that passed high levels of Common Criteria evaluation. If it weren't for that, similar software would have run just fine under Linux (even without SE) or even Windows.

-Dave
[SC-L] new job!
Since the Powers that Be let me post my plea for job help, I figured I'd let y'all know the outcome. Long story short, I have accepted a position at Comcast, in the National Engineering and Technical Operations group, in Herndon VA (possibly moving to Reston VA soonish), starting in probably a week or two. I will no longer be in a position related to security, but will still participate here, and in the broader secure coding community, as time allows -- and keep trying to spread the gospel. ;-)

Thanks for all your help,
Dave
Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)
Andreas Saurwein Franci Gonçalves saurw...@gmail.com wrote (rearranged into correct order):

> 2009/10/13 Bobby Miller b.g.mil...@gmail.com
>> The obvious difference is parts. In manufacturing, things are assembled from well-known, well-specified, tested parts.
> Hmmm. That's the idea of libraries. Well known, well specified, well tested parts. Well, whatever.

Ideally, yes. However, programmers love to reinvent the wheel. It's MUCH easier, both to do and to get away with, in software than in hardware... and often necessary.

Need a bolt of at least a given length and strength, less than a given diameter? There are standard thread sizes, and people make bolts of most common threadings and lengths, for purchase at reasonable prices, at places easily found, and you can be fairly certain that any given one of them will do the job quite well.

Need a function for your program? If it's as common as a bolt, it's probably already built into the very language. If it's nearly as common, maybe there's a fairly standard library for it... and if you're very lucky, it's not too buggy or brittle. Otherwise, it's probably going to be much cheaper (which is all your management probably cares about) to just code the damn thing yourself, than to research who makes such a thing, which ones there are, who says which one is how reliable, which ones have licensing terms your company finds palatable, and justifying your choice to management. Lord help you if it requires money, because then you have to justify it to a higher degree, get the beancounters involved, budgetary authority from possibly multiple layers of manglement, and spend the rest of your days filling out purchase orders.

If you do wind up coding it yourself, is the company then going to make that piece of functionality available to the world separately, whether for profit or open source? N times out of N+1, for very large values of N, no way! Will they at least make it available *internally*, so that *they* don't have to reinvent the wheel *next* time? Again, N times out of N+1, for almost as large values of N, no.

-Dave
-- 
Dave Aronson, software engineer or trainer for hire. Looking for job (or contract) in Washington DC area. See http://davearonson.com/ for resume and other info.
Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?
Goertzel, Karen [USA] goertzel_ka...@bah.com wrote:

> If determination of functional correctness were extended from "must operate as specified under expected conditions" to "must operate as specified under all conditions", functional correctness would necessarily require security, safety, fault tolerance, and all those other good things that make software dependable instead of just correct.

A much-too-late entry for the bumper sticker contest we had here a few years back: "Works as you wish, under all condish." (Okay, okay, so maybe that kind of abbreviating is a bit out of style... by 70 years or so.)

-Dave
Re: [SC-L] Insecure Java Code Snippets
ljknews ljkn...@mac.com wrote:

> At 12:47 PM -0500 5/7/09, Brad Andrews wrote:
>> Quoting ljknews ljkn...@mac.com:
>>> At 5:49 PM -0500 5/6/09, Brad Andrews wrote:
>>>> Try a few of the PC-Lint bugs, if you ever wrote C/C++ code. They can be really hard to figure out,
>>> And yet people keep choosing those programming languages.
>> They offer quite a bit of power in exchange for the danger.
> I would be interested in hearing what they can do that cannot be done in Ada.

It's rarely (I won't say never!) a question of what *can't* be done in language X or Y. Usually, it's about what's *easier* to do in X or Y. Sometimes the security tradeoff is worth taking the hard way, but sometimes the choice is to the point of being at all practical or not.

-Dave, making good progress on the job hunt, thanks in part to people here
-- 
Dave Aronson, software engineer soon to be for hire. Looking for job (or contract) in Washington DC area. See http://www.davearonson.com/ for resume - if that is down see http://mysite.verizon.net/~nosnoraevad/.
[SC-L] more relevant certifications
Paco Hope p...@cigital.com wrote:

> ...just as overly-simplistic as someone who disparages all credentials equally.

On that note... my company (BAE Systems) has been pushing for people to become CISSPs, because in turn the main client (US gov) has been pushing for contractors to have a bunch of CISSPs on the projects. But, it seems as though that cert is very heavily loaded down with things that front-line grunts like me will NEVER use. I doubt I'll ever get to decide where a data center is located, let alone the entire building, nor what kind of fire detection/suppression or physical security systems it has, and I can probably forget about dictating HR policy as well.

So, I was considering other certs, that seem much more relevant. The main relevant one I've heard of is the GSSP (GIAC Secure Software Programmer).

1) What do y'all think of that one?

2) It looked to me as though, other than perhaps from buying books, there is one and only one GSSP practice exam, and it can be taken only once. Am I wrong? Do you know of any others available for free, preferably to be taken online?

3) Have you heard of any other certs relevant for those of us who mainly design and implement computer-based systems, which will usually undergo security scrutiny, and usually have little to no say about all the other stuff around it? (Preferably not technology-specific, as opposed to for example a Secure Java or Secure Web-Apps cert.) Compare and contrast, as the teachers would say.

Thanks,
Dave
-- 
Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | Play: davearonson.net | Life: dare2xl.com | Wife: nasjleti.net
"Specialization is for insects." -Robert A. Heinlein | ASCII Ribbon Campaign
Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs
Jeremy Epstein jeremy.j.epst...@gmail.com wrote:

> I'm pleased to announce the creation of LAMN, the Legion Against Meaningless certificatioNs. If you don't have a CISSP, CISM, MCSE, or EIEIO - and you're proud of it - this group is for you.

Heh. I'm going to be giving a speech today in which I mention PMPs, CISSPs, MCSEs, MDs, JDs, DDSes, and other assorted CAS -- that's Certified Alphabet Soup.

-Dave
Re: [SC-L] Perspectives on Code Scanning
McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED] writes:

> the value of tools in this space are not really targeted at developers but should be targeted at executives who care about overall quality and security folks who care about risk. While developers are the ones to remediate, the accountability for secure coding resides elsewhere.

Sort of. There are multiple levels of accountability. As has been said here many times: the developers should be held accountable for producing secure software, but the management must give them the time and tools to do so, and management usually places far higher priority on things like ease of use and especially on time to market.

> It would seem to be that tools that developers plug into their IDE should be free since the value proposition should reside elsewhere. Many of these tools provide audit functionality and allow enterprises to gain a view into their portfolio that they previously had zero clue about and this is where the value should reside.

Heh. Yeah, I'd like to see some executive dashboard saying things like whose code currently generates the most warnings, especially if those warnings are from security analysis tools. B-) Of course, most executives won't bother looking at something that techy, let alone understand the significance. B-(

> If there is even an iota of agreement, wouldn't it be in the best interest of folks here to get vendors to ignore developer specific licensing and instead focus on enterprise concerns?

Unfortunately, that often means that ANY license at all for it will be horrendously expensive, so that small shops are totally cut out.

-Dave
-- 
Dave Aronson
"Specialization is for insects." -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/
Re: [SC-L] Best practices for encrypting client-side data
Robin Sheat [mailto:[EMAIL PROTECTED] wonders:

> What I did was take the user's password to create a key

What happens when the user changes his password? I didn't quite follow it all, but it looks to me like that means that all of a user's data has to be decrypted and re-encrypted. You didn't tell us how much data that is, so I'm going to ass-u-me that it *could* be a lot.

Perhaps you could base the encryption on more stable data, such as the user name combined with when the user joined. This could be used to encrypt the data directly, or, as you proposed, to encrypt the actual key.

How difficult would it be for the attacker to figure out whose data something is, and when they joined, or whatever else you base your encryption on, AND the fact that that's how you encrypt? If finding that out would be pretty much trivial, there goes all your protection, under the above scheme.

Also, just how secure do you need it to be? Don't waste a thousand-dollar lock on a fifty-dollar bicycle. Is this data actually a tempting target for attackers who are clueful and resourceful (in both the senses of clever and able to spend a lot)?

-Dave
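The key-wrapping alternative this exchange is circling (Robin's option of encrypting the actual key), as an added example that is not code from the original post or from anyone on the list: a random data encryption key (DEK) protects the records, and only that key is wrapped under a password-derived key (KEK), so a password change rewraps 32 bytes instead of decrypting and re-encrypting every record. The Go code is written against the standard library only; the hand-written PBKDF2 routine, the iteration count, the AAD labels and the Vault layout are this example's own assumptions, not anything from the thread.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vault sits beside the user's data: a KDF salt plus the DEK wrapped under the KEK. No plaintext secret.
type Vault struct {
	Salt       []byte
	WrappedDEK []byte
}

const kdfIterations = 100000                                   // assumed work factor; tune to the deployment
var wrapAAD, recordAAD = []byte("dek-wrap"), []byte("record") // domain separation between the two uses

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written out so only stdlib is needed.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): first and only output block
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // no entropy source is not something to limp past
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil { panic(err) } // a bad key length is a programming error, not a runtime condition
	g, _ := cipher.NewGCM(block)
	return g
}

// gcmSeal/gcmOpen: AES-256-GCM with a random 96-bit nonce prefixed to the ciphertext.
func gcmSeal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// WrapDEK derives a KEK from the password and a fresh salt, then wraps the DEK under it.
func WrapDEK(password string, dek []byte) Vault {
	salt := randomBytes(16)
	kek := pbkdf2SHA256([]byte(password), salt, kdfIterations)
	return Vault{Salt: salt, WrappedDEK: gcmSeal(kek, dek, wrapAAD)}
}

// Unlock recovers the DEK; a wrong password fails the GCM tag check rather than yielding garbage.
func (v *Vault) Unlock(password string) ([]byte, error) {
	kek := pbkdf2SHA256([]byte(password), v.Salt, kdfIterations)
	return gcmOpen(kek, v.WrappedDEK, wrapAAD)
}

// ChangePassword rewraps the same DEK; records encrypted under it are untouched, which is the whole point.
func (v *Vault) ChangePassword(oldPW, newPW string) error {
	dek, err := v.Unlock(oldPW)
	if err != nil { return err }
	*v = WrapDEK(newPW, dek)
	return nil
}

func EncryptRecord(dek, plaintext []byte) []byte       { return gcmSeal(dek, plaintext, recordAAD) }
func DecryptRecord(dek, sealed []byte) ([]byte, error) { return gcmOpen(dek, sealed, recordAAD) }

func main() {
	dek := randomBytes(32)
	v := WrapDEK("hunter2", dek)
	rec := EncryptRecord(dek, []byte("client-side secret"))
	_ = v.ChangePassword("hunter2", "correct horse battery staple")
	dek, _ = v.Unlock("correct horse battery staple")
	pt, err := DecryptRecord(dek, rec)
	fmt.Printf("after password change: %q err=%v\n", pt, err)
}
```

Wrong password, tampered record and truncated record all fail on the GCM tag or the length check. Note what the indirection does not solve: the wrapped DEK is still only as strong as the password plus the KDF work factor, which is Dave's "thousand-dollar lock" question in another form.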
Re: [SC-L] How big is the market?
McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED] writes:

> I just conducted a super-official study of what my peers are reading by walking a total of five aisles within a very large building. Here are a list of magazines on folks desk:
> - Infoworld
> - Java Developers Journal
> - Insurance Technology
> - DMReview
> - Intelligent Enterprise
> - CIO
> - Insurance Networking News

I'd also suggest Software Development, and maybe Information Security.

-Dave
Re: [SC-L] What defines an InfoSec Professional?
[EMAIL PROTECTED] writes:

> certifications such as CISSP whereby the exams that prove you are a security professional talk all about physical security and network security but really don't address software development in any meaningful way.

Perhaps what is needed is a separate certification. It would be nice to know that someone knows how to write software in a secure manner, but it's not necessary that they know all about physical security, firewall rules, etc. It could even be done at multiple levels, like Sun's Java certs, to certify knowledge of secure design principles vs. secure *implementation* principles, maybe even going onward to principles of building security into the process. Something like, say, Certified Secure Programmer, Coder, and Software Engineer, respectively.

> Would be intriguing for folks here that blog to discuss ways

...in their blogs? <rant size="micro">That's not discussion, that's pontificating. It also detracts from discussion, by fracturing it.</rant> Discussion is what we're having *here*, so whether someone blogs is irrelevant.

-Dave
Re: [SC-L] Compilers
Tim Hollebeek [mailto:[EMAIL PROTECTED] wonders:

> are shops that insist on warning free compiles really that rare?

Yes. I've worked for or with many companies over the years, totalling probably somewhere in the mid-teens or so. In all that, there was, to the best of my recollection, only ONE that insisted on it, other than my own one man show. Add to that, numerous open source apps I've compiled; I haven't kept track of how many were warning-free, but it's rare enough that I consider it a pleasant surprise.

In several projects, I fixed some nasty bugs (inherited from other people) by turning warnings on (they were often totally suppressed!), and fixing the things that the warnings were trying to warn me about. This is of course obvious to you and me, and probably to most of this list, but apparently not to the vast majority of programmers (even so-called software engineers), let alone people in any position of authority to set such policies. :-(

-Dave
Re: [SC-L] On exploits, hubris, and software security
Gary McGraw [mailto:[EMAIL PROTECTED] writes:

> The main thing I wonder is, what do you think? When you have a hot demonstration of an exploit, how do you responsibly release it?

This isn't so much about that, in the usual sense. This was, as you say, a well-known vulnerability, one screamingly obvious to anybody who bothered to think about how to get around the No-Fly List. Bruce Schneier wrote about it on his blog long ago, as did many others.

> What role do such demonstrations play in moving software security forward?

It could help dramatically. Not so much because of the demo itself, which will of course be ignored by the Powers that Be, but the publicity around it. That might possibly eventually make enough of a dent in the public consciousness, to wake them up to the fact that what the PTBs have been doing is almost all just security THEATER.

However, it depends how much the media gives background. Unfortunately, even a brief blurb like "this flaw in the No-Fly List concept has been well known for several years" is unlikely to be aired or printed, since it takes valuable time/space away from the latest scandals of skanky socialites and other such much more important news. Without this little bit of trivia, the sheeple will just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag.

-Dave
Re: [SC-L] Coding with errors in mind - a solution?
William L. Anderson wrote:

> Years ago I had to write a Fortran program as part of a job interview. The program problem was quite simple, and I wrote one that checked for as many errors as I could think of. My interviewer wanted to know what took me so long. I didn't get an offer.

Years ago (probably not as many), I had to write a C program for a job interview. I also had it test for practically every error I could think of, mainly input format errors. I did get the offer, but I was told that the company placed such a premium on performance (it was telephony stuff) that I should not be quite so thorough on the error checking. Silly me, I had thought that they would also value reliability.

> My 2 cents is that people are not really willing to pay for software with the kinds of qualities that we talk about in this list (which is about more than security).

Well, *most* people anyway. The avionics, medical, and suchlike fields are quite another story.

> Bill Anderson

Is this perchance the Bill Anderson who was my great grandboss until he left BAE for Cryptek?

-- 
Dave Aronson
http://www.davearonson.com/
"Specialization is for insects." -Heinlein
[SC-L] bumper sticker slogan for secure software
Paolo Perego [mailto:[EMAIL PROTECTED] writes:

> Software is like Titanic, people claim it was unsinkable. Securing is providing it power steering

But power steering wouldn't have saved it. By the time the iceberg was spotted, there was not enough time to turn that large a boat. Perhaps radar, but that doesn't make a very good analogy. Maybe a thicker, tougher hull and automatic compartment doors?

-Dave
[SC-L] bumper sticker slogan for secure software
mikeiscool [mailto:[EMAIL PROTECTED] writes:

> The point remains though: trimming this down into a friendly little phrase is, IMCO, useless.

One of the common problems in trying to persuade the masses of ANYTHING, be it the importance of secure software, the factual or moral correctness of your political stances, etc., is how to communicate it so that they will understand and receive the message. You can easily confuse them, bore them, or turn them against yourself. Truly putting it on bumper stickers is likely to be useless, but this is a useful exercise in thinking how we could express the concept briefly and simply.

Another useful thing would be if all engineers would enroll in Toastmasters, but that's another story. ;-)

-Dave, Governor of Toastmasters Area 63 (District 27)
Re: [SC-L] (no subject)
Gary McGraw [mailto:[EMAIL PROTECTED] wrote:

> I wrote a book with viega a few years ago called building secure software...

Yes, John gave us all copies. Didn't bother to get it autographed though. :-)

> it was not about that company (at all).

It certainly was not about the horribly broken software I spent months banging my head against a wall trying to fix. :-(

> P.s. I actually like ivan's quip as reported by crispy.

Me too. It contains the ideas I was trying to convey, more clearly, but it's still too long to fit on a bumper sticker. :-)

-Dave
Re: [SC-L] Spot the bug
Christopher Canova [EMAIL PROTECTED] wrote:

> It seems to me that they may be shifting from a "Deploy-first-ask-questions-later" tactic to a "Code-it-right-before-it's-out-the-door."

They always did "code it right before it's out the door". It's just a question of where you put the comma. ;-)

-Dave
Re: [SC-L] Credentials for Application use
Gizmo [EMAIL PROTECTED] wrote:

> the efficacy of the encryption is of some question. Basically, it keeps honest people honest.

Sounds a little better than I thought, but I'd still be worried about the owner name leaking into less honest hands.

> 1) The app is architected around the Btrieve DB, which uses a proprietary API. We can argue the merits of that until the cows come home, but it probably isn't relevant to this list.

Right, though come to think of it, the whole question is borderline off-topic, seeing as this is *Secure* Coding, not *Security* Coding. :-)
Re: [SC-L] Credentials for Application use
Gizmo [EMAIL PROTECTED] wrote:

> I have a similar situation in one of my applications. The customer wishes to secure the database. Since we use a Btrieve database, the only way to do this is by setting an owner name on the DB, and then encrypting using the owner name as the password.

That sure doesn't sound secure to me! Does BTrieve make it easy, difficult, or impossible to see what users own what dbs? Does it make it easy/diff/imposs to see what users exist? Does it have well-defined syntax rules for the usernames, and maybe even a fairly short maximum length? Unless the names can be very long (as in, at least a few dozen chars), with very little restriction on content (as in, case sensitive, and including spaces and punctuation), and BT makes it *impossible* to see what users exist, let alone own what, then the entire security there is basically nothing more than one incredibly weak password.

> However, once the DB is secured, you can't access it unless you have the owner name, and giving out the owner name to everyone who uses the app to access the DB pretty much defeats the whole purpose of the exercise.

Looks like BTrieve security is pretty much useless, except possibly for giving a tiny bit of protection to transmission of the entire db.

> The only way I can see to deal with this is something similar to what I've done in my app:

You probably don't need to get that fancy. The first question that both I and my wife thought of is, why not migrate to something with more useful security than BT? B-)

But seriously, that brings up the very first question usually asked when developing a security strategy. Exactly what threat(s) are you trying to secure it *against*? Who will be doing what, how, maybe why, possibly even when and (from) where?

> and the registry.

...which means you're running Windows, which means security isn't really much of a priority after all. B-)/2

-Dave
Re: [SC-L] Why Software Will Continue to Be Vulnerable
Crispin Cowan [EMAIL PROTECTED] wrote:

> ISPs could also position a non-restricted account as an "expert" account and charge extra for it.

That already happens in many cases, except they call it a "business class" account. The only one I've heard called some kind of expert account is that Speakeasy has packages with different sets of extras for the same price, such as SysAdmin (access to their rpmfind mirror), Gamer (access to gaming servers), and one I forget the name of (access to music servers). All of the above allow you to run your own swervers.

-Dave
Re: [SC-L] Re: Application Insecurity --- Who is at Fault?
Dave Paris [EMAIL PROTECTED] wrote:

> The builder and the programmer are synonymous. The builder is neither the architect, nor the engineer for the structure. If the architect and engineer included security for the structure and the builder failed to build to specification, then the builder is at fault. The programmer is neither the application architect nor the system engineer.

This is often not true, even on some things that stretch a single programmer's productivity to the limits (which makes it even worse).

> Programmers work within the specs they are given.

That can (NOT SHOULD!) be anything from "use this language on this platform to implement this algorithm in this style" to "we need something that will help us accomplish this goal." The latter cries out for a requirements analyst to delve into it MUCH further, before an architect, let alone a programmer, is allowed anywhere NEAR it! However, sometimes that's all you get, from a customer who is then NOT reasonably easily available to refine his needs any further, relayed via a manager who is clueless enough not to realize that refinement is needed, to a programmer who is afraid to say so lest he get sacked for insubordination, and will also have to architect it.

If this has not happened at your company, you work for a company with far more clue about software development than, I would guess, easily 90% of the companies that do it.

-Dave
OT re Cliff Stoll (was Re: [SC-L] Top security papers)
Nash [EMAIL PROTECTED] wrote:

> _Cuckoo's_Egg_, Clifford Stall.
> http://www.amazon.com/exec/obidos/tg/detail/-/0671726889/102-7543362-2026532?v=glance
>
> [Ed. That's Cliff Stoll, not Stall. Great book, though -- IMHO! KRvW]

For more on what Cliff's been up to lately, see: http://www.kleinbottle.com/

I got one several years ago.

-- 
David J. Aronson, Contract Software Engineer in Washington DC area
Resume and other information online at: http://destined.to/program

[Ed. Yes, this is WAY off topic... Let's make this the last of the sub-thread, ok? KRvW]
Re: [SC-L] Programming languages -- the third rail of secure coding
Michael S Hines [EMAIL PROTECTED] wrote:

> I've been compiling a list of programming languages..

You missed FORTRAN, ICON, REXX, SNOBOL, and the assorted OS-based shell scripting languages (bash/csh/ksh/etc., VMS DCL, DOS .bat, etc.). I've heard of JOVIAL, which I *think* is a programming language used almost exclusively in the US military. Since a few companies make things that translate it into code, you might consider UML as well. Then there are a gazillion languages for particular commercial packages -- you got Oracle's PL/SQL, but there are also dBase/Clipper, FrEd (Framework Editor, from an old integrated office suite), Lotus 1-2-3 macros, and many more. Also, depending on your definition of programming language (versus markup language and a few other types), you might have a few extras as well.

-- 
David J. Aronson, Contract Software Engineer in Washington DC area
Resume and other information online at: http://destined.to/program
Re: [SC-L] Missing the point?
On Tue April 20 2004 12:34, Michael A. Davis wrote:

> It is not the source code that is the problem -- it is the developer.

The proof of the developer's grokking of secure coding is in the code.

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
http://www.securesoftware.com is HIRING developers/auditors!
Re: [SC-L] User Education Tool?
On Thu March 4 2004 10:17, Andreas Saurwein wrote:

> Now, doing something really flashy like creating a virus-like application as follows:
> * it is sent as a zipped attachment
> * when opened, it brings up a huge, clear message that the user would now have been infected with a virus. A short, understandable message explaining why and how to avoid it would be appropriate.
> * it asks the user for permission to forward itself to the user's contacts, to help spread the education.
>
> Would that still classify as a virus? Or would that pass as something else? Would a measure like this be of any success? What other measure could reach the critical user groups?

Those of us who receive viri, or bounce-reports alleging that we sent one, are in the address books of lusers who open viri. Don't subject us to more of this $#!^ than we already are.

Remove the "may I spam your friends" aspect, asking them instead to manually forward it to any of their friends that they think could use the education, and it might be tolerable. Either way (especially if the manual forwarding is done with the help of pulling up the contact list), you can bet some jackass will attach a malicious payload, probably triggered right *after* you spread it. So much for being able to treat it as innocent.

Find a way to substitute, for the whole mess, an arm coming out of the computer and bitchslapping the idiot silly while calling his attention to how incredibly stupid he has just been, and you've got something. B-)

-- 
Dave Aronson, Senior Software Engineer, Secure Software Inc.
Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org
(Opinions above NOT those of securesw.com unless so stated!)
WE'RE HIRING developers, auditors, and VP of Prof. Services.