[SC-L] SecAppDev hits the road

2013-05-22 Thread Kenneth R. van Wyk
is available for Early Bird registration until June 15th. Alumni, public servants, and independents receive a 50% discount. I hope that we will be able to welcome you or your colleagues to our course. Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us

[SC-L] ANNOUNCING: #MobAppSecTri Scholarship Program

2013-03-18 Thread Kenneth R. van Wyk
), point them in our direction for a chance to get a free seat. See http://mobappsectriathlon.blogspot.com/2013/03/announcing-mobappsectri-scholarship.html for details. Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at: @KRvW or @KRvW_Associates

[SC-L] Fwd: [Owasp-igoat-project] OWASP iGoat version 2.0 RELEASED!!!

2013-02-26 Thread Kenneth R. van Wyk
Greetings SC-L, For all of you who are interested in mobile app sec (or interested in learning more about it), we released OWASP iGoat version 2.0 today. See the details in our announcement below. Cheers, Ken van Wyk Begin forwarded message: From: Kenneth R. van Wyk k...@krvw.com Subject

[SC-L] Apple Employees Hacked By Visiting iPhoneDevSDK - Mac Rumors

2013-02-20 Thread Kenneth R. van Wyk
Here is an interesting twist to the recent Apple hack. I hope no SC-Lers are using iphonedevsdk! http://www.macrumors.com/2013/02/19/apple-employees-hacked-by-visiting-iphonedevsk/ Cheers, Ken van Wyk KRvW Associates, LLC ___ Secure Coding

[SC-L] ANNOUNCING: MobAppSecTri Scholarship Program

2012-09-18 Thread Kenneth R. van Wyk
Hey SC-Lers, We're giving away to a few deserving Mobile App Developers a small number of FREE tickets to our Mobile App Sec Triathlon. If you know any deserving students / interns, point them in our direction for a chance to get a free seat. See

[SC-L] OWASP Cheat Sheet for iOS Developers

2012-09-11 Thread Kenneth R. van Wyk
-- participation on it. Like all OWASP docs, it's open source, so find things you want to add/improve and join in. Either way, I hope you find it useful. Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at: @KRvW or @KRvW_Associates

[SC-L] Mobile app security blog, FYI

2012-09-07 Thread Kenneth R. van Wyk
+ users may submit comments as well, which we welcome. Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at: @KRvW_Associates

[SC-L] OWASP Cheat Sheet for iOS App Developers

2012-07-18 Thread Kenneth R. van Wyk
Title: OWASP Cheat Sheet -- iOS App Developers Author: Kenneth R. van Wyk Source: OWASP - the Open Web Application Security Project Date Published: 2012-07-17 Excerpt: This document is written for iOS app developers and is intended to provide a set of basic pointers to vital aspects

[SC-L] Test

2012-03-11 Thread Kenneth R. van Wyk
Foo Cheers, Ken

[SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Kenneth R. van Wyk
Stories about this (below) X bug and the DHS-sponsored project that found it have been floating around the net all week. This story caught my eye, though: http://www.net-security.org/secworld.php?id=3994 The author claims, This flaw, caused by something as seemingly harmless as a missing

Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Kenneth R. van Wyk
On Thursday 04 May 2006 12:40, Gadi Evron wrote: Hmm, I think this was fixed in earlier X versions. Not impossible, but the article clearly indicated that it's in 6.9.0 and 7.0.0, which are the most current in general circulation, I believe. But, some bugs are so important that they deserved

[SC-L] AJAX: Is your application secure enough?

2006-04-05 Thread Kenneth R. van Wyk
to the game, I can't help but think that there's tons of room for major security mistakes to be made, if only due to the complexity of knowing what's going on at each tier of the app all the time. Cheers, Ken -- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com

[SC-L] Software security efforts at DTCC

2006-03-29 Thread Kenneth R. van Wyk
find encouraging is hearing about companies that are bringing their security and software development efforts together. YMMV... Cheers, Ken -- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com

[SC-L] CFP -- HICSS 2007

2006-03-15 Thread Kenneth R. van Wyk
of Hawaii. The CFP can be found below. Cheers, Ken van Wyk -- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com == HICSS-40: Call for Papers Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack Hawaii

[SC-L] ZDNET: LAMP lights the way in open-source security

2006-03-07 Thread Kenneth R. van Wyk
, Ken -- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com

[SC-L] AJAX security paper

2006-02-15 Thread Kenneth R. van Wyk
FYI, here's a pointer to a just-published paper on AJAX security. Hope you find it useful, particularly in light of AJAX's quick rise in popularity. http://www.it-observer.com/articles/1062/ajax_security/ Cheers, Ken -- Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com

[SC-L] Book review: Essential PHP Security

2006-02-13 Thread Kenneth R. van Wyk
I know that a lot of the folks on this list would consider the words PHP Security to be an oxymoron. That said, there's a book out on the subject, and it's been reviewed on /. The review can be found at: http://books.slashdot.org/books/06/02/13/1426220.shtml Cheers, Ken van Wyk P.S. It was

[SC-L] Administrative: whitelisting on SC-L

2006-02-02 Thread Kenneth R. van Wyk
Hi SC-L folks: I don't mean to intrude in the bug and flaw debate, but I do want to make sure that you're all aware of the whitelisting that I'm doing on the list these days, since I switched the list management from Majordomo to Mailman. Specifically, in order to cut down on spam, I have

Re: [SC-L] Managing the insider threat through code obfuscation

2005-12-15 Thread Kenneth R. van Wyk
On Thursday 15 December 2005 09:26, Jose Nazario wrote: if the person can develop exploits against the holes in the code, what makes you think they can't fire up a runtime debugger and trace the code execution and discover the same things? Nothing makes me think that at all; in fact, I was

Re: [SC-L] Countering Trusting Trust through Diverse Double-Compiling

2005-12-14 Thread Kenneth R. van Wyk
On Wednesday 14 December 2005 16:40, David A. Wheeler wrote: I've written a paper on an approach to counter this attack. See: Countering Trusting Trust through Diverse Double-Compiling http://www.acsa-admin.org/2005/abstracts/47.html Thanks for sharing it here, David. Here's the

[SC-L] Missing URL -- ZDNet: Attackers switching to applications, media players

2005-11-22 Thread Kenneth R. van Wyk
Sorry, I neglected to include the URL for the story that I cited. It can be found at: http://news.zdnet.com/2100-1009_22-593.html?tag=zdfd.newsfeed Cheers, Ken

[SC-L] Slashdot | Developing Securely In Windows

2005-11-21 Thread Kenneth R. van Wyk
FYI, there's a review (by Jim Holmes) of Keith Brown's book, The .NET Developer's Guide to Windows Security available out on Slashdot at: http://books.slashdot.org/books/05/11/21/1442228.shtml The review summary reads, Terrific coverage of how to go about securely developing .NET software.

[SC-L] Administrative: SC-L changes

2005-11-18 Thread Kenneth R. van Wyk
Greetings all, FYI, I have moved the securecoding.org site and SC-L mailing list over to a different host. The new host should be quite a bit faster, as it's used by a much (!) smaller number of domains than the old one. More importantly, at least for SC-L, is that I've changed the mailing list

[SC-L] Fwd from CIO Update: Why is application security so elusive?

2005-09-18 Thread Kenneth R. van Wyk
FYI, there's a column in CIO Update by Ed Adams exploring some of the reasons why secure software is so hard to find. Unlikely to be anything new to SC-L readers, but it could be worth a quick read in any case. In particular, his recommendations (to his presumably mostly CIO audience) are

[SC-L] SC-L changes

2005-09-09 Thread Kenneth R. van Wyk
Greetings SC-L folks, Although it's been particularly quiet here recently, I've also been moving the list over to a new system, which has caused some additional outages. (Read: tree fell in the forest and no one heard it.) In any case, the new system should be fully functional in the next

[SC-L] Wall Street Journal article on Software Security and upcoming events

2005-07-19 Thread Kenneth R. van Wyk
Hi all, FYI, a couple of interesting things going on in the software security space that those here on SC-L might appreciate: - Good article/interview in yesterday's Wall Street Journal on the topic of Software Security. The interview is with Gary McGraw, and I'm sure that no one here will

[SC-L] ANNOUNCING: 2nd US OWASP AppSec Conference - Oct 11-12 - Near DC

2005-06-17 Thread Kenneth R. van Wyk
[Ed. Crossposted, as I thought that it was relevant here as well. KRvW] Originally From: Dave Wichers [EMAIL PROTECTED] Dear Colleague, OWASP is proud to announce its second annual U.S. Application Security Conference. This year's conference will be held October 11-12 at the NIST campus in

[SC-L] Secure programming with the OpenSSL API, Part 2: Secure handshake

2005-05-11 Thread Kenneth R. van Wyk
FYI, there's a new(ish) article by Kenneth Ballard out on IBM's developerWorks site, on the topic of secure use of OpenSSL. It's actually part 2 in a series, but there's a pointer there to part 1 also. The abstract follows, along with the URL to the full article: Securing the handshake

[SC-L] Tech News on ZDNet -- OS makers: Security is job No. 1

2005-05-10 Thread Kenneth R. van Wyk
FYI, somewhat interesting story today on ZDNet (see http://news.zdnet.com/2100-1009_22-5697133.html?tag=st.prev) about operating system makers paying more attention to security. Note the differing (public) statements by Microsoft and Apple... Being fundamentally a glass half full sort of

[SC-L] Fwd: Novell Adds Security Company to Its Linux Mix

2005-05-10 Thread Kenneth R. van Wyk
FYI, interesting move today in the software security space -- Novell announces its acquisition of Immunix. Story at http://www.eweek.com/article2/0,1759,1814599,00.asp Cheers, Ken van Wyk -- KRvW Associates, LLC http://www.KRvW.com

[SC-L] Mobile phone OS security changing?

2005-04-06 Thread Kenneth R. van Wyk
Greetings, I noticed an interesting article about a mobile phone virus affecting Symbian-based phones out on Slashdot today. It's an interesting read: http://it.slashdot.org/it/05/04/06/0049209.shtml?tid=220tid=100tid=193tid=137 What particularly caught my attention was the sentence, Will

[SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Kenneth R. van Wyk
Greetings++, Another interesting article this morning, this time from eSecurityPlanet. (Full disclosure: I'm one of their columnists.) The article, by Melissa Bleasdale and available at http://www.esecurityplanet.com/trends/article.php/3495431, is on the general state of application

Re: [SC-L] Mobile phone OS security changing?

2005-04-06 Thread Kenneth R. van Wyk
On Wednesday 06 April 2005 09:26, Michael Silk wrote: The last thing I want is my mobile phone updating itself. I imagine that sort of operation would take up battery power, and possibly cause other interruptions ... (can you be on a call and have it update itself?) I vividly remember a lot

[SC-L] eSecurityPlanet article on Fortify source code scanner

2004-11-22 Thread Kenneth R. van Wyk
FYI, interesting article on eSecurityPlanet regarding Fortify's commercial source code scanning tool -- see the full text at http://www.esecurityplanet.com/patches/article.php/3439021 Among other things, the article says, In addition to new language support for C# -- the software already

[SC-L] How do we improve s/w developer awareness?

2004-11-11 Thread Kenneth R. van Wyk
Greetings, In my business travels, I spend quite a bit of time talking with Software Developers as well as IT Security folks. One significant difference that I've found is that the IT Security folks, by and large, tend to pay a lot of attention to software vulnerability and attack information

Re: [SC-L] Open Source failure analysis tool released for Linux

2004-10-15 Thread Kenneth R. van Wyk
ljknews wrote: At 8:23 AM -0400 10/15/04, Kenneth R. van Wyk wrote: I believe that we don't do enough to analyze and learn from software failures. I believe the industry as a whole does plenty to analyze software failures, particularly considering how little is done to avoid those errors. Added

[SC-L] eWeek: App Developers Need to Redouble Security Efforts

2004-09-30 Thread Kenneth R. van Wyk
FYI, there's an interesting article in eWeek today -- see http://www.eweek.com/article2/0,1759,1663716,00.asp -- regarding a recent Gartner study on software security. Among other things, it says, Gartner predicts that if 50 percent of software vulnerabilities were removed prior to production

[SC-L] ComputerWorld interview with Theo de Raadt on Software Security

2004-09-10 Thread Kenneth R. van Wyk
FYI, ComputerWorld is running an interesting interview with Theo de Raadt, on the state of software security, and OpenBSD in particular. See http://www.computerworld.com.au/index.php/id;1498222899;fp;16;fpid;0 for the complete text. Cheers, Ken van Wyk -- KRvW Associates, LLC

[SC-L] eSecurityPlanet column on Software Security

2004-09-07 Thread Kenneth R. van Wyk
Greetings all, Wow, it sure has been quiet here for a couple weeks. Perhaps it's just those late summer (or winter, for you southern hemispherians) vacations... In any event, just an FYI here. My September eSecurityPlanet column hit the streets today (see

[SC-L] Grass roots secure coding efforts

2004-08-23 Thread Kenneth R. van Wyk
Greetings all, One of the things that I hear most from software developers when I deliver secure coding tutorials and such is that they're likely to be unable to do things like detailed threat modeling, risk analyses, etc. The reason most often cited is that they're under tight deadlines and

[SC-L] Programming languages -- the third rail of secure coding

2004-07-19 Thread Kenneth R. van Wyk
Greetings, It appears as though we may well have discovered software security's third rail over the last couple of weeks in the discussions regarding programming language choices. I don't mean to fan those flames by any means, trust me. However, I noticed several announcements for PHP

Re: [SC-L] Protecting users from their own actions

2004-07-07 Thread Kenneth R. van Wyk
Wall, Kevin wrote: Isn't this something that users probably shouldn't be given a choice on? Normally I would think that corporate security policy dictate keeping the AV software / signatures up-to-date as well as dictating the (personal) firewall configurations. Some centrally administered

[SC-L] Protecting users from their own actions

2004-07-06 Thread Kenneth R. van Wyk
Hi All, FYI... This topic has come up here a few times, so I thought that I'd send a pointer to my July eSecurityPlanet column (http://www.esecurityplanet.com/views/article.php/3377201 - free, no registration required). In the column, I take the seemingly unpopular view --at least in this

Re: [SC-L] ACM Queue article and security education

2004-06-30 Thread Kenneth R. van Wyk
James Walden wrote: I'd like to open a discussion based on this quote from Marcus Ranum's ACM Queue article entitled Security: The root of the problem: Thanks. I also read Marcus's article with interest. Caveat: clearly, I have a biased outlook, since software security training is one of the

[SC-L] SPI, Ounce Labs Target Poorly Written Code

2004-06-28 Thread Kenneth R. van Wyk
FYI, a couple of announcements from SPI Dynamics and Ounce Labs hit eWeek.com today -- see http://www.eweek.com/article2/0,1759,1617901,00.asp for the full text. According to the article, SPI Dynamics has released its SecureObjects product, which is a series of (presumably) securely written

[SC-L] LinuxWorld | Secure coding attracts interest, investment

2004-05-26 Thread Kenneth R. van Wyk
Greetings all, FYI, it looks like we're at the beginning of a new wave of software security tools. There's a few commercial products beginning to hit the market that take static src code scanning to a new level. See the link below for a LinuxWorld article that briefly (!) describes @stake's

[SC-L] Microsoft threat modeling tool available for free

2004-05-26 Thread Kenneth R. van Wyk
Greetings, Almost missed this one while I was out of the office for a couple days... Microsoft have announced the free availability of a threat modeling tool by Frank Swiderski, who is also writing a soon-to-be released book on threat modeling. Details on the tool (warning: requires .NET

[SC-L] Interesting article on minimizing privileges

2004-05-26 Thread Kenneth R. van Wyk
Anyone looking for a great introduction to putting the principle of least privilege into action, check out David Wheeler's article at: http://www-106.ibm.com/developerworks/linux/library/l-sppriv.html?ca=dgr-lnxw04Privileges It cites one of my favorite examples of least privilege, Wietse

[SC-L] Andy Tanenbaum on Linux's origins and security

2004-05-20 Thread Kenneth R. van Wyk
Andy Tanenbaum, the author of the MINIX operating system, recently posted an opinion piece on the origins of Linux. It's a fascinating albeit somewhat lengthy read -- see http://www.cs.vu.nl/~ast/brown/ for the full text. At the very end of the document, he talks about the security of a

[SC-L] MIT study on software development processes

2004-04-30 Thread Kenneth R. van Wyk
Hi all, I just saw a Slashdot story (http://developers.slashdot.org/article.pl?sid=04/04/30/1421223mode=threadtid=126tid=156tid=185) announcing an MIT study on software development processes used around the world. The report itself can be found at

Re: [SC-L] Yoran on the state of software security

2004-04-20 Thread Kenneth R. van Wyk
Greetings all, I was asked to clarify what I posted yesterday re Amit Yoran's recent public statements on the topic of software security. On Tuesday 20 April 2004 03:27, an SC-L reader wrote: Ken, could you clarify a little please? Happy to, see below. I detect a slightly snide tone that

[SC-L] Anyone looked at security features of D programming language?

2004-04-19 Thread Kenneth R. van Wyk
Hi all, I just saw an interesting article about a programming language that's under development called D. (See full article at http://www.osnews.com/story.php?news_id=6761) The description of the language is, D is a (relatively) new addition to the C family of programming languages,

Re: [SC-L] Computerworld op/ed on vulnerability patch cycle

2004-04-14 Thread Kenneth R. van Wyk
Alexander Antonov wrote: I believe the issue of automatic updates was already discussed on other security-related lists. Yes, I agree, but that's not what I was commenting on specifically. Certainly, we've seen automatic patches for a few years now. (And for many systems, e.g., desktop users,

[SC-L] Administrivia Request: Aloha, the moderator is back

2004-03-27 Thread Kenneth R. van Wyk
Aloha all, Just got back from a couple of weeks of sun and golf in Hawaii with my wife and, although I was checking email daily (thanks to T-Mobile unlimited GPRS data), it's been pretty quiet here on SC-L. In any case, though, I'm back now and open for business, FYI. And here's a bit of

[SC-L] Humor: Secure coding in the comics (Foxtrot)

2004-03-04 Thread Kenneth R. van Wyk
Those of us that are lucky (?) enough to get the FoxTrot comic strip (http://www.foxtrot.com) may have noticed that yesterday's and today's strips were discussing a software security topic. The author, Bill Amend, addresses the issue of the recent leak of some Microsoft source code. Check it