Re: [SC-L] OWASP Podcast 95 is live!

2013-07-02 Thread Jim Manico
http://www.secappdev.org/handouts/2012/Dan%20J.%20Bernstein/worst%20practices.pdf -- Jim Manico @Manicode (808) 652-3805 On Jul 1, 2013, at 8:55 PM, Jeffrey Walton noloa...@gmail.com wrote: Hi Jim, Do you know if there is a slide deck available with the talk? It sounds like there is, but Dr

[SC-L] OWASP Podcast 95 is live!

2013-07-01 Thread Jim Manico
is a very sharp and controversial character. I hope you enjoy. Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3 RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml Thanks for listening! Aloha, Jim Manico OWASP Board Member @Manicode

[SC-L] 2013 OWASP Mobile Top 10 Call For Data

2013-05-21 Thread Jim Manico
...@lists.owasp.org). Thank you! Regards, Jim Manico OWASP Board Member and Volunteer @Manicode ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available

[SC-L] OWASP Podcast 93

2012-10-02 Thread Jim Manico
Herlea for curating this and future SecAppDev.org presentations. Thanks for listening. - Jim Manico OWASP Volunteer j...@owasp.org @manicode

[SC-L] OWASP Podcasts 2011

2011-03-19 Thread Jim Manico
show from Brian Chess prior to HP's purchase of Fortify. Brian talked about how software security issues are no longer just about business risk - it's now life and death. http://www.owasp.org/download/jmanico/owasp_podcast_81.mp3 I hope you enjoy. Feedback is always appreciated. Regards, Jim

Re: [SC-L] Java DOS

2011-02-13 Thread Jim Manico
will see in ESAPI 2.0 rc12 within a week or 2, but the credit goes to Adobe for being on top of this (and to Williams for pointing this out to me). http://blogs.adobe.com/asset/2011/02/year-of-the-snail.html I'm impressed, team Adobe! -Jim Manico http://manico.net On Feb 12, 2011, at 10:13

Re: [SC-L] InformIT: comparing static analysis tools

2011-02-04 Thread Jim Manico
Hello Chris, Thanks for replying! I think the reaction from my boss was not so much knee-jerk, but a reasonable concern. The risk of persisting intellectual property on a cloud service is real. And that risk differs depending on your business (as well as many other factors). I'm eager to see

Re: [SC-L] InformIT: comparing static analysis tools

2011-02-03 Thread Jim Manico
Hey Gary, Nice article. A brief note, Ounce is dead. The product was renamed IBM Rational AppScan Source Edition after IBM's acquisition of Ounce. Small matter but for what it's worth, Jim hi sc-l, John Steven and I recently collaborated on an article for informIT. The article is called

Re: [SC-L] InformIT: comparing static analysis tools

2011-02-03 Thread Jim Manico
. How do you work around them? -Jim Manico http://manico.net On Feb 3, 2011, at 1:54 PM, Chris Wysopal cwyso...@veracode.com wrote: Nice article. In the 5 years Veracode has been selling static analysis services we have seen the market mature. In the beginning, organizations were down

[SC-L] OWASP CSRFGuard

2010-10-29 Thread Jim Manico
potential modifications CSRFGuard users have had to make in order to implement it successfully for their website. I'd also like to hear of any success stories of using CSRFGuard out of the box. Any feedback regarding this matter is greatly appreciated. Thanks kindly + Aloha, Jim Manico

Re: [SC-L] [Esapi-dev] OWASP CSRFGuard

2010-10-29 Thread Jim Manico
My gut feel here is that we gain a lot more by merging the work done here into ESAPI. I agree 100%, I'm glad you said it first. J - Jim From: Chris Schmidt [mailto:chrisisb...@gmail.com] Sent: Friday, October 29, 2010 8:36 PM To: Jim Manico; esapi-...@lists.owasp.org; SC-L

Re: [SC-L] Java: the next platform-independent target

2010-10-21 Thread Jim Manico
security framework like Spring Security or (wait for it) ESAPI. But client-side Java? Flash? There are a few large organizations who have banned both from their clients and they are more secure for it. -Jim Manico http://manico.net On Oct 21, 2010, at 10:58 PM, Steven M. Christey co

Re: [SC-L] Classification/Enumeration of Software Defect Mitigations

2010-10-21 Thread Jim Manico
and good security design principles that help devs build secure apps from day 1. And Steve, you only see me pop up when I have a criticism. But as I said when we went hiking on Kauai, I think you and team are doing outstanding work and I'm thankful for all of your efforts. Regards, -Jim

Re: [SC-L] [WEB SECURITY] SATE?

2010-06-09 Thread Jim Manico
in SATE 2008). Vadim From: Jim Manico [...@manico.net] Sent: Thursday, May 27, 2010 5:31 PM To: 'Webappsec Group' Subject: [WEB SECURITY] SATE? I feel that NIST made a few errors in the first 2 SATE studies. After the second round of SATE, the results

Re: [SC-L] SATE

2010-05-28 Thread Jim Manico
-- Jim Manico OWASP Podcast Host/Producer OWASP ESAPI Project Manager http://www.manico.net

[SC-L] Top Ten OWASP Podcast Series

2010-04-19 Thread Jim Manico
: Did someone say slow down? I missed that as I was running by... ;) Thanks for listening! -- Jim Manico OWASP Podcast Host/Producer OWASP ESAPI Project Manager http://www.manico.net

[SC-L] OWASP Podcast Series update

2010-04-14 Thread Jim Manico
is a non-commercial podcast released under the Creative Commons/ShareAlike license. Thanks for listening! -- Jim Manico OWASP Podcast Host/Producer OWASP ESAPI Project Manager http://www.manico.net

[SC-L] OWASP ESAPI 2.0 rc6 released!

2010-03-30 Thread Jim Manico
changelog.txt at the root of the zip file for more information. Mahalo Nui Loa, -- Jim Manico OWASP Podcast Host/Producer OWASP ESAPI Project Manager http://www.manico.net

[SC-L] OWASP Podcast Series

2010-02-05 Thread Jim Manico
, Jim Manico, Andrew van der Stock, Ben Tomhave and Jeff Williams http://www.owasp.org/download/jmanico/owasp_podcast_59.mp3 #58 Interview with Ron Gula http://www.owasp.org/download/jmanico/owasp_podcast_58.mp3 I hope you enjoy. -- Jim Manico OWASP Podcast Host/Producer OWASP ESAPI Project

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Jim Manico
Why are we holding up the statistics from Google, Adobe and Microsoft ( http://www.bsi-mm.com/participate/ ) in BSIMM? These companies are examples of recent epic security failure. Probably the most financially damaging infosec attack, ever. Microsoft let a plain-vanilla 0-day slip through

[SC-L] ESAPI 1.4.4 released!

2010-01-31 Thread Jim Manico
://en.wikipedia.org/wiki/Mahalo /to all of the many developers and users who have contributed to the ESAPI project in some way. Warm Regards, -- Jim Manico OWASP Podcast Host/Producer OWASP ESAPI Project Manager http://www.manico.net

[SC-L] ESAPI for JavaScript!

2010-01-18 Thread Jim Manico
and encouraged directly to the project's author at chrisisb...@gmail.com ! Other ESAPI resources: OWASP ESAPI Developer http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API Check out OWASP ESAPI for Java http://code.google.com/p/owasp-esapi-java/ Thanks all. -- Jim Manico OWASP

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-08 Thread Jim Manico
://www.cigital.com/justiceleague Papers: http://www.cigital.com/papers/jsteven http://www.cigital.com Software Confidence. Achieved. On Jan 7, 2010, at 10:56 AM, Jim Manico wrote: John, You do not need OWASP ESAPI to secure an app. But you need an ESAPI for your organization in order to build secure Apps

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-07 Thread Jim Manico
build secure apps. Jim Manico On Jan 6, 2010, at 6:20 PM, John Steven jste...@cigital.com wrote: All, With due respect to those who work on ESAPI, Jim included, ESAPI is not the only way to make a secure app even remotely possible. And I believe that underneath their own pride in what

Re: [SC-L] Functional Correctness

2009-08-22 Thread Jim Manico
We are approaching huge industry-wide application security critical mass for the first time. Now is the time to strike. If all we teach is input validation+canonicalization, query parameterization, and output encoding, we stop xss and sqli via education Jim Manico On Aug 21, 2009, at 11

Re: [SC-L] IBM Acquires Ounce Labs, Inc.

2009-07-28 Thread Jim Manico
A quick note, in the Java world (obfuscation aside), the source and binary are really the same thing. The fact that Fortify analyzes source and Veracode analyzes class files is a fairly minor detail. Jim Manico On Jul 28, 2009, at 7:40 AM, Arian J. Evans arian.ev...@anachronic.com wrote

Re: [SC-L] Security Architecture Cheat Sheet - Lenny Zeltser

2009-06-20 Thread Jim Manico
Very nice work. Since this is written under the Creative Commons 3 license, I put a copy (with attribution to Lenny) on OWASP.org at http://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet in case anyone wishes to collaborate on this guide. - Jim - Original Message - From:

[SC-L] OWASP Podcast #23 - Dr. Boaz Gelbord

2009-06-02 Thread Jim Manico
. Thanks for listening, I hope you enjoy. Regards, Jim Manico Aspect Security/OWASP Podcast Host RSS: http://www.owasp.org/download/jmanico/podcast.xml iTunes: http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012

[SC-L] OWASP Podcast #22

2009-05-22 Thread Jim Manico
Security. I hope you enjoy! Aloha from Kauai, Jim Manico OWASP Podcast Series Host

[SC-L] OWASP Podcast Update

2009-05-13 Thread Jim Manico
vulns in the AV vendor space http://www.owasp.org/download/jmanico/owasp_podcast_20.mp3 Thanks kindly for listening! Jim Manico OWASP Podcast Series Host podc...@owasp.org Archives: https://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows RSS Feed: http://www.owasp.org/download/jmanico

[SC-L] OWASP Podcast 17

2009-04-23 Thread Jim Manico
://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012 Thanks for listening, - Jim Manico

[SC-L] OWASP Podcast 15

2009-04-06 Thread Jim Manico
I had the pleasure of interviewing Dr. Brian Chess from Fortify Software for OWASP Podcast 15. Brian talked about BSIMM and more - demonstrated a lot of class as always. Have a listen! Direct Link: http://www.owasp.org/download/jmanico/owasp_podcast_15.mp3 To stay connected to the OWASP Podcast

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-22 Thread Jim Manico
and the software security initiative. Perhaps we suffer from the looking for the keys under the streetlight problem. gem On 3/19/09 2:31 PM, Jim Manico j...@manico.net wrote: The top N lists we observed among the 9 were BUG lists only. So that means that in general at least half of the defects

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-19 Thread Jim Manico
The top N lists we observed among the 9 were BUG lists only. So that means that in general at least half of the defects were not being identified on the most wanted list using that BSIMM set of activities. This sounds very problematic to me. There are many standard software bugs that are

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-19 Thread Jim Manico
concerns me. Will you elaborate, please? - Jim - Original Message - From: Gary McGraw g...@cigital.com To: Jim Manico j...@manico.net; Steven M. Christey co...@linus.mitre.org Cc: Sammy Migues smig...@cigital.com; Dustin Sullivan dustin.sulli...@informit.com; Secure Code Mailing List

Re: [SC-L] Rigged podcasts can leak your iTunes username/password |Zero Day | ZDNet.com

2009-03-12 Thread Jim Manico
On the topics of Podcast, I'm very pleased to announce the release of the non-rigged live release of OWASP Podcast #12, an Interview with Ryan C. Barnett. Ryan Barnett talks about the OWASP ModSecurity core ruleset project and WAF technology in general. Ryan has such incredible experience in

[SC-L] OWASP Podcast #6

2009-02-05 Thread Jim Manico
Hello SC-L I just pushed OWASP Podcast #6 live at http://www.owasp.org/index.php/Podcast_6 - an OWASP Roundtable with Brian Holyfield, Marcin Wielgoszewski, Andre Gironda and myself, Jim Manico. Our focus was WAFs. Thanks and I hope you enjoy, Jim Manico

Re: [SC-L] Some Interesting Topics arising from the SANS/CWE Top 25

2009-01-15 Thread Jim Manico
I'd like to offer a different view for your consideration, which is that /*input validation and output encoding actually don't have anything to do with security*/. Those techniques are essential software building. I'm really confused with this statement - and almost feel it's dangerous.

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Jim Manico
-- Jim Manico, Senior Application Security Engineer [EMAIL PROTECTED] | [EMAIL PROTECTED] (301) 604-4882 (work) (808) 652-3805 (cell) Aspect Security™ Securing your

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Jim Manico
-- Jim Manico, Senior Application Security Engineer [EMAIL PROTECTED

Re: [SC-L] Secure Coding Standards

2008-09-28 Thread Jim Manico
-- Jim Manico, Senior Application Security Engineer [EMAIL PROTECTED] | [EMAIL PROTECTED] (301) 604-4882 (work) (808

Re: [SC-L] Survey

2008-08-26 Thread Jim Manico
attempts to do. http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/ I rest my case. Stephen On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote: There are plenty of sites that are perfectly x/html valid

Re: [SC-L] Survey

2008-08-26 Thread Jim Manico
AM -1000 8/26/08, Jim Manico wrote: How does xHTML help stop access control vulnerabilities? Authorization issues? CSRF problems? It is indicative of the caliber of the people who built the site. My immediate interest is that validation combats browser crashes. I am

Re: [SC-L] Lateral SQL injection paper

2008-04-28 Thread Jim Manico
Anyone else have a take on this new attack method? If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. In Java (for Insert/Update/etc) just use PreparedStatement + variable binding. There are similar constructs in all languages. Although the

Re: [SC-L] InformIT: budgeting for software security

2008-04-12 Thread Jim Manico
in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments. -- Jim Manico, Senior Application Security Engineer [EMAIL PROTECTED] | [EMAIL PROTECTED] (301) 604-4882 (work) (808) 652-3805 (cell) Aspect Security™ Securing your

Re: [SC-L] Secure Coding Books

2008-03-07 Thread Jim Manico
How to break web software is one of the best web security coder-centric books I have read. It's concise and useful. Sent from my iPhone On Mar 7, 2008, at 7:45 AM, Lawson, David L [EMAIL PROTECTED] wrote: I've read several secure coding books in the past, and was wondering if anyone has

Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Jim Manico
-- Best Regards, Jim Manico [EMAIL PROTECTED