http://www.secappdev.org/handouts/2012/Dan%20J.%20Bernstein/worst%20practices.pdf
--
Jim Manico
@Manicode
(808) 652-3805
On Jul 1, 2013, at 8:55 PM, Jeffrey Walton noloa...@gmail.com wrote:
Hi Jim,
Do you know if there is a slide deck available with the talk? It
sounds like there is, but Dr
is a very sharp and controversial character. I hope you enjoy.
Direct download: https://www.owasp.org/download/jmanico/owasp_podcast_95.mp3
RSS Feed: https://www.owasp.org/download/jmanico/podcast.xml
Thanks for listening!
Aloha,
Jim Manico
OWASP Board Member
@Manicode
...@lists.owasp.org).
Thank you!
Regards,
Jim Manico
OWASP Board Member and Volunteer
@Manicode
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available
Herlea for curating this and future
SecAppDev.org presentations.
Thanks for listening.
- Jim Manico
OWASP Volunteer
j...@owasp.org
@manicode
show from Brian Chess prior to HP's
purchase of Fortify. Brian talked about how software security issues are
no longer just about business risk - it's now life and death.
http://www.owasp.org/download/jmanico/owasp_podcast_81.mp3
I hope you enjoy. Feedback is always appreciated.
Regards,
Jim
will see in ESAPI 2.0 rc12 within a week or 2, but the
credit goes to Adobe for being on top of this (and to Williams for
pointing this out to me).
http://blogs.adobe.com/asset/2011/02/year-of-the-snail.html
I'm impressed, team Adobe!
-Jim Manico
http://manico.net
On Feb 12, 2011, at 10:13
Hello Chris,
Thanks for replying!
I think the reaction from my boss was not so much knee-jerk, but a
reasonable concern. The risk of persisting intellectual property on a
cloud service is real. And that risk differs depending on your business
(as well as many other factors). I'm eager to see
Hey Gary,
Nice article. A brief note, Ounce is dead. The product was renamed
IBM Rational AppScan Source Edition after IBM's acquisition of Ounce.
Small matter but for what it's worth,
Jim
hi sc-l,
John Steven and I recently collaborated on an article for informIT. The
article is called
. How do you work around them?
-Jim Manico
http://manico.net
On Feb 3, 2011, at 1:54 PM, Chris Wysopal cwyso...@veracode.com wrote:
Nice article. In the 5 years Veracode has been selling static analysis
services we have seen the market mature. In the beginning, organizations
were down
potential modifications CSRFGuard users have had to
make in order to implement it successfully for their website. I'd also like
to hear of any success stories of using CSRFGuard out of the box.
Any feedback regarding this matter is greatly appreciated.
Thanks kindly + Aloha,
Jim Manico
My gut feel here is that we gain a lot more by merging the work done here
into ESAPI.
I agree 100%, I'm glad you said it first. :)
- Jim
From: Chris Schmidt [mailto:chrisisb...@gmail.com]
Sent: Friday, October 29, 2010 8:36 PM
To: Jim Manico; esapi-...@lists.owasp.org; SC-L
security framework like Spring Security or (wait for it) ESAPI. But client-side
Java? Flash? There are a few large organizations who have banned both from
their clients and they are more secure for it.
-Jim Manico
http://manico.net
On Oct 21, 2010, at 10:58 PM, Steven M. Christey co
and good
security design principles that help devs build secure apps from day 1.
And Steve, you only see me pop up when I have a criticism. But as I said when
we went hiking on Kauai, I think you and team are doing outstanding work and
I'm thankful for all of your efforts.
Regards,
-Jim
in SATE 2008).
Vadim
From: Jim Manico [...@manico.net]
Sent: Thursday, May 27, 2010 5:31 PM
To: 'Webappsec Group'
Subject: [WEB SECURITY] SATE?
I feel that NIST made a few errors in the first 2 SATE studies.
After the second round of SATE, the results
community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
: Did someone say slow down ? I missed that as I was running by... ;)
Thanks for listening!
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
is non-commercial podcast released under the
Creative Commons/ShareAlike license.
Thanks for listening!
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
changelog.txt at the root of the zip file for more information.
Mahalo Nui Loa,
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
, Jim Manico,
Andrew van der Stock, Ben Tomhave and Jeff Williams
http://www.owasp.org/download/jmanico/owasp_podcast_59.mp3
#58 Interview with Ron Gula
http://www.owasp.org/download/jmanico/owasp_podcast_58.mp3
I hope you enjoy.
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project
Why are we holding up the statistics from Google, Adobe and Microsoft (
http://www.bsi-mm.com/participate/ ) in BSIMM?
These companies are examples of recent epic security failure. Probably
the most financially damaging infosec attack, ever. Microsoft let a
plain-vanilla 0-day slip through
://en.wikipedia.org/wiki/Mahalo to
all of the many developers and users who have contributed to the ESAPI
project in some way.
Warm Regards,
--
Jim Manico
OWASP Podcast Host/Producer
OWASP ESAPI Project Manager
http://www.manico.net
and encouraged directly to
the project's author at chrisisb...@gmail.com !
Other ESAPI resources:
OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/
Thanks all.
--
Jim Manico
OWASP
://www.cigital.com/justiceleague
Papers: http://www.cigital.com/papers/jsteven
http://www.cigital.com
Software Confidence. Achieved.
On Jan 7, 2010, at 10:56 AM, Jim Manico wrote:
John,
You do not need OWASP ESAPI to secure an app. But you need an ESAPI
for your organization in order to build secure Apps
build secure apps.
Jim Manico
On Jan 6, 2010, at 6:20 PM, John Steven jste...@cigital.com wrote:
All,
With due respect to those who work on ESAPI, Jim included, ESAPI is
not the only way to make a secure app even remotely possible. And
I believe that underneath their own pride in what
We are approaching huge industry-wide application security critical
mass for the first time. Now is the time to strike. If all we teach is
input validation+canonicalization, query parameterization, and output
encoding, we stop xss and sqli via education
Jim Manico
On Aug 21, 2009, at 11
A quick note, in the Java world (obfuscation aside), the source and
binary are really the same thing. The fact that Fortify analyzes
source and Veracode analyzes class files is a fairly minor detail.
Jim Manico
On Jul 28, 2009, at 7:40 AM, Arian J. Evans arian.ev...@anachronic.com
wrote
Very nice work.
Since this is written under the Creative Commons 3 license, I put a copy
(with attribution to Lenny) on OWASP.org at
http://www.owasp.org/index.php/Security_Architecture_Cheat_Sheet in case
anyone wishes to collaborate on this guide.
- Jim
- Original Message -
From:
.
Thanks for listening, I hope you enjoy.
Regards,
Jim Manico
Aspect Security/OWASP Podcast Host
RSS: http://www.owasp.org/download/jmanico/podcast.xml
iTunes:
http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
Security. I hope you enjoy!
Aloha from Kauai,
Jim Manico
OWASP Podcast Series Host
vulns in the AV vendor space
http://www.owasp.org/download/jmanico/owasp_podcast_20.mp3
Thanks kindly for listening!
Jim Manico
OWASP Podcast Series Host
podc...@owasp.org
Archives: https://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows
RSS Feed: http://www.owasp.org/download/jmanico
://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=300769012
Thanks for listening,
- Jim Manico
I had the pleasure of interviewing Dr. Brian Chess from Fortify Software for OWASP
Podcast 15. Brian talked about BSIMM and more - demonstrated a lot of class as
always. Have a listen!
Direct Link: http://www.owasp.org/download/jmanico/owasp_podcast_15.mp3
To stay connected to the OWASP Podcast
and the
software security initiative. Perhaps we suffer from the looking
for the keys under the streetlight problem.
gem
On 3/19/09 2:31 PM, Jim Manico j...@manico.net wrote:
The top N lists we observed among the 9 were BUG lists only. So that
means that in general at least half of the defects were not being
identified on the most wanted list using that BSIMM set of activities.
This sounds very problematic to me. There are many standard software bugs
that are
concerns me. Will you elaborate, please?
- Jim
- Original Message -
From: Gary McGraw g...@cigital.com
To: Jim Manico j...@manico.net; Steven M. Christey
co...@linus.mitre.org
Cc: Sammy Migues smig...@cigital.com; Dustin Sullivan
dustin.sulli...@informit.com; Secure Code Mailing List
On the topic of podcasts, I'm very pleased to announce the release of the
non-rigged live release of OWASP Podcast #12, an Interview with Ryan C.
Barnett.
Ryan Barnett talks about the OWASP ModSecurity core ruleset project and WAF
technology in general. Ryan has such incredible experience in
Hello SC-L
I just pushed OWASP Podcast #6 live at
http://www.owasp.org/index.php/Podcast_6 - an OWASP Roundtable with
Brian Holyfield, Marcin Wielgoszewski, Andre Gironda and myself, Jim
Manico. Our focus was WAFs.
Thanks and I hope you enjoy,
Jim Manico
)
as a free, non-commercial service to the software security community.
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your
://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808
attempts to
do.
http://www.tssci-security.com/archives/2008/06/27/week-of-war-on-wafs-day-5-final-thoughts/
I rest my case.
Stephen
On Mon, Aug 25, 2008 at 7:05 AM, Jim Manico [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED] wrote:
There are plenty of sites that are perfectly x/html valid
AM -1000 8/26/08, Jim Manico wrote:
How does xHTML help stop access control vulnerabilities?
Authorization issues? CSRF problems?
It is indicative of the caliber of the people who built
the site.
My immediate interest is that validation combats browser crashes.
I am
Anyone else have a take on this new attack method?
If I use Parameterized queries w/ binding of all variables, I'm 100%
immune to SQL Injection.
In Java (for Insert/Update/etc) just use PreparedStatement + variable
binding.
There are similar constructs in all languages.
Although the
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
--
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your
How to break web software is one of the best web security coder-
centric books I have read. It's concise and useful.
Sent from my iPhone
On Mar 7, 2008, at 7:45 AM, Lawson, David L
[EMAIL PROTECTED] wrote:
I've read several secure coding books in the past, and was wondering
if
anyone has
--
Best Regards,
Jim Manico
[EMAIL PROTECTED