[SC-L] SecAppDev hits the road

2013-05-22 Thread Kenneth R. van Wyk
Greetings SC-L subscribers,

I suspect many of you have heard of SecAppDev (http://secappdev.org) over the 
years. It's a non-profit training event that has hitherto been held in Leuven, 
Belgium for 1 week each Feb/Mar. Well, we're excited to say that this year 
we've added a second event: SecAppDev Dublin!

Yes, SecAppDev will be hitting the road for its first foray outside of Belgium. 
For one week in July (15th-19th), we'll be making Dublin, Ireland our home. 
Just like the events in Belgium, we've lined up a great curriculum and faculty, 
to give each delegate a look at myriad aspects of developing secure 
applications. It's a pretty intense week-long immersion into the topics, for 
sure.

Registration is now open. The course is organized by secappdev.org, a 
non-profit organization that aims to broaden security
awareness in the development community and advance secure software engineering 
practices. The course is a joint initiative with Dublin City University, 
Trinity College Dublin, KU Leuven and Solvay Brussels School of Economics and
Management.

SecAppDev Dublin is the first edition of our widely acclaimed courses to be run 
in Ireland. Our previous 9 courses took place in Belgium and were attended by 
an international audience from a broad range of industries including financial 
services, telecom, consumer electronics and media. We pride ourselves on our 
world-class faculty, which, for SecAppDev Dublin, includes

+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned Leuven crypto lab.
+ Ken van Wyk, co-founder of the US CERT Coordination Center and widely  
acclaimed author and lecturer.
+ Prof. dr. Dan Wallach, head of Rice University's computer security lab.
+ Prof. dr. Mike Scott, previously the head of DCU's School of Computing, now  
Chief Cryptographer at Certivox.

When we ran our first annual course in 2005, emphasis was on awareness and 
security basics, but as the field matured and a thriving security training 
market developed, we felt it was not appropriate to compete as a non-profit 
organization. Our focus has hence shifted to providing a platform for 
leading-edge and experimental material from thought leaders in academia and 
industry. We look toward academics to provide research results that are ready 
to break into the mainstream and attract people with an industrial background 
to try out new content and formats.

The course takes place from July 15th to 19th at the Science Gallery, Trinity 
College, Dublin.

For more information visit the web site: http://secappdev.org.

Seating is limited, so do not delay registering to avoid disappointment. 
Registration is on a first-come, first-served basis.  A 25% discount is 
available for Early Bird registration until June 15th. Alumni, public servants, 
and independents receive a 50% discount.  I hope that we will be able to 
welcome you or your colleagues to our course.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: @KRvW or @KRvW_Associates





signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] ANNOUNCING: #MobAppSecTri Scholarship Program

2013-03-18 Thread Kenneth R. van Wyk
Hey SC-Lers,

Gunnar Peterson (@OneRaindrop) and I (@KRvW) are once again giving away to a 
few deserving Mobile App Developers a small number of FREE tickets to our next 
Mobile App Sec Triathlon. If you know any deserving students / interns 
(especially in the greater New York City region), point them in our direction 
for a chance to get a free seat.

See 
http://mobappsectriathlon.blogspot.com/2013/03/announcing-mobappsectri-scholarship.html
 for details.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: @KRvW or @KRvW_Associates





[SC-L] Fwd: [Owasp-igoat-project] OWASP iGoat version 2.0 RELEASED!!!

2013-02-26 Thread Kenneth R. van Wyk
Greetings SC-L,

For all of you who are interested in mobile app sec (or interested in learning 
more about it), we released OWASP iGoat version 2.0 today. See the details in 
our announcement below.

Cheers,

Ken van Wyk

Begin forwarded message:

 From: Kenneth R. van Wyk k...@krvw.com
 Subject: [Owasp-igoat-project] OWASP iGoat version 2.0 RELEASED!!!
 Date: February 26, 2013 2:48:48 PM EST
 To: owasp-igoat-proj...@lists.owasp.org 
 owasp-igoat-proj...@lists.owasp.org
 
 OWASP iGoat Project:
 
 Thanks to iGoat lead developer, Sean Eidemiller, it gives me great pleasure 
 to announce the immediate release of OWASP iGoat version 2.0! See the project 
 web site at: 
 
 https://www.owasp.org/index.php/OWASP_iGoat_Project
 
 for more information, or go directly to the source repository to download at:
 
 http://code.google.com/p/owasp-igoat/
 
 
 The OWASP iGoat tool is a stand-alone iOS app (distributed solely in source 
 code) designed to introduce iOS developers to many of the security pitfalls 
 that plague poorly-written apps. Like its namesake, OWASP's WebGoat tool, 
 iGoat is intended to teach software developers about these issues by stepping 
 them through a series of exercises, each of which focuses on a single aspect 
 of iOS security.
 
 OWASP iGoat is an ideal tool to use in a classroom setting to teach iOS 
 developers (and technically minded IT Security staff with at least some 
 exposure to object oriented programming).
 
 Exercises include many typical problem issues (and their solutions) including:
 - Securing sensitive data in transit
 - Securing sensitive data at rest
 - Securely connecting to back-end authentication services
 - Side channel data leakage (e.g., system screen shots, cut-and-paste, and 
 keystroke logging via the autocorrection feature)
 - Making use of the system keychain to store small amounts of consumer-grade 
 sensitive data
 
 
 New to version 2.0:
 
 - iGoat is now a true Universal app, so it builds and runs on iPhones, iPod 
 Touches, as well as iPads. Full screen views are supported on all of these 
 devices. (It also runs on the iPhone simulator included with XCode, of course 
 -- which is ideal for a classroom environment.)
 
 - A few behind the scenes improvements were made to the iGoat platform 
 itself, making it easier to work with and develop new exercises. These 
 include:
   o Storyboards for main screen navigation.
   o ARC support for object memory management.
 
 - General code clean-ups.
 
 
 Requirements:
 
 To build and run iGoat, you'll need a Mac running OS X (real or virtual 
 machine), with XCode installed. iGoat was built for Mountain Lion, but should 
 run fine on any OS X newer than Snow Leopard. We recommend the latest XCode 
 and built iGoat using XCode version 4.6. Similarly, iGoat was built on iOS 
 6.1, but should be backwards compatible with at least version 5.x. 
 
 
 We invite the OWASP community to download and try iGoat, and we welcome your 
 suggestions for improvements. We're always looking for willing participants 
 to contribute to the project as well!
 
 Cheers,
 
 Ken van Wyk
 OWASP iGoat Project Leader
 
 
 
 ___
 Owasp-igoat-project mailing list
 owasp-igoat-proj...@lists.owasp.org
 https://lists.owasp.org/mailman/listinfo/owasp-igoat-project





[SC-L] Apple Employees Hacked By Visiting iPhoneDevSDK - Mac Rumors

2013-02-20 Thread Kenneth R. van Wyk
Here is an interesting twist to the recent Apple hack. I hope no SC-Lers are 
using iphonedevsdk!

http://www.macrumors.com/2013/02/19/apple-employees-hacked-by-visiting-iphonedevsk/


Cheers,

Ken van Wyk
KRvW Associates, LLC





[SC-L] ANNOUNCING: MobAppSecTri Scholarship Program

2012-09-18 Thread Kenneth R. van Wyk
Hey SC-Lers,

We're giving away to a few deserving Mobile App Developers a small number of 
FREE tickets to our Mobile App Sec Triathlon. If you know any deserving 
students / interns, point them in our direction for a chance to get a free seat.

See 
http://mobappsectriathlon.blogspot.com/2012/09/announcing-mobappsectri-scholarship.html
 for details.

Cheers,

Ken van Wyk






[SC-L] OWASP Cheat Sheet for iOS Developers

2012-09-11 Thread Kenneth R. van Wyk
Hi SC-L,

Hey, it dawned on me that I never posted a pointer to the OWASP iOS Developer 
Cheat Sheet that was published a couple months ago.

https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet

As the initial author of the cheat sheet, I'd sure love to get feedback and -- 
better yet -- participation on it. Like all OWASP docs, it's open source, so 
find things you want to add/improve and join in.

Either way, I hope you find it useful.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: @KRvW or @KRvW_Associates





[SC-L] Mobile app security blog, FYI

2012-09-07 Thread Kenneth R. van Wyk
Greetings SC-L,

FYI, Gunnar Peterson (@OneRaindrop) and I (@KRvW) launched a blog last month on 
the topic of mobile app security. The blog can be found at 
http://mobappsectriathlon.blogspot.com

Full disclosure: On the blog, you will see advertisements for the 
MobAppSecTriathlon event that Gunnar and I are running in November, but the 
blog is free and we hope you'll find the topics we post on to be interesting 
and thought provoking. Even if you have no interest in joining us for the 
Triathlon event, we hope you'll stop by and check out the blog. Registered and 
authenticated Google+ users may submit comments as well, which we welcome.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: @KRvW_Associates





[SC-L] OWASP Cheat Sheet for iOS App Developers

2012-07-18 Thread Kenneth R. van Wyk
Title: OWASP Cheat Sheet -- iOS App Developers
Author:  Kenneth R. van Wyk
Source: OWASP - the Open Web Application Security Project
Date Published: 2012-07-17

Excerpt:

This document is written for iOS app developers and is intended to provide a 
set of basic pointers to vital aspects of developing secure apps for Apple's 
iOS operating system. It follows the OWASP Mobile Top 10 Risks list.

Full article at: https://www.owasp.org/index.php/IOS_Developer_Cheat_Sheet


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Join us for our 2012 Mobile App Sec Triathlon: www.mobileappsectriathlon.com





[SC-L] Test

2012-03-11 Thread Kenneth R. van Wyk
Foo

Cheers,

Ken



[SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Kenneth R. van Wyk
Stories about this (below) X bug and the DHS-sponsored project that found it 
have been floating around the net all week.  This story caught my eye, 
though:

http://www.net-security.org/secworld.php?id=3994

The author claims, "This flaw, caused by something as seemingly harmless as a 
missing closing parenthesis, allowed local users to execute code with root 
privileges, giving them the ability to overwrite system files or initiate 
denial of service attacks."

So, it sounds like a single byte change in the entire X src tree could fix a 
bug that could give an attacker complete control of a system.  Lovely...

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com




Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-04 Thread Kenneth R. van Wyk
On Thursday 04 May 2006 12:40, Gadi Evron wrote:
> Hmm, I think this was fixed in earlier X versions.

Not impossible, but the article clearly indicated that it's in 6.9.0 and 
7.0.0, which are the most current in general circulation, I believe.

But, some bugs are so important that they deserve to be fixed more than once.  
It sure wouldn't be the first time that a bug found its way back into a src 
tree.

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com




[SC-L] AJAX: Is your application secure enough?

2006-04-05 Thread Kenneth R. van Wyk
Another interesting paper passing through slashdot today is "AJAX: Is your 
application secure enough?"  You can find it at
http://www.darknet.org.uk/2006/04/ajax-is-your-application-secure-enough/

Looks to me like an interesting read, fwiw.  Much as I like the interactiveness 
that AJAX brings to the game, I can't help but think that there's tons of room 
for major security mistakes to be made, if only due to the complexity of 
knowing what's going on at each tier of the app all the time.

Cheers,

Ken
-- 
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com




[SC-L] Software security efforts at DTCC

2006-03-29 Thread Kenneth R. van Wyk
FYI, some more mainstream coverage of software security issues.  This article --
http://www.securitypipeline.com/183702555;jsessionid=SF0AM1XSETTOEQSNDBECKICCJUMEKJVN
-- describes some software security process improvements under way at the 
Depository Trust and Clearing Company (DTCC).

What I find encouraging is hearing about companies that are bringing their 
security and software development efforts together.  YMMV...

Cheers,

Ken
-- 
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com




[SC-L] CFP -- HICSS 2007

2006-03-15 Thread Kenneth R. van Wyk
Greetings SC-L subscribers:

FYI, a Call for Participation for the Hawaii International Conference on System 
Sciences (HICSS) Secure Software Architecture, Design, Implementation and 
Assurance (SSADIA) Minitrack is out.  The conference takes place 3-6 January 
2007 in Waikoloa on the Big Island of Hawaii.

The CFP can be found below.

Cheers,

Ken van Wyk
-- 
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

==
HICSS-40: Call for Papers

Secure Software Architecture, Design, Implementation and Assurance (SSADIA) Minitrack
Hawaii International Conference on System Sciences
Waikoloa, Big Island, Hawaii, January 3-6, 2007

Call For Participation
The Secure Software Architecture, Design, Implementation and Assurance 
minitrack focuses on the research and automation required to develop secure 
software systems that do not compromise other system properties such as 
performance or reliability. Current security engineering methods are 
demonstrably inadequate, as software vulnerabilities are currently being 
discovered at the rate of over 4,000 per year. These vulnerabilities are caused 
by software designs and implementations that do not adequately protect systems 
and by development practices that do not focus sufficiently on eliminating 
implementation defects that result in security flaws. An opportunity exists for 
systematic improvement that can lead to secure software architectures, designs, 
and implementations.

The following topics are appropriate topics for research papers:
- Static analysis tools and techniques for detecting security flaws and software 
vulnerabilities in source or binary code
- Dynamic analysis tools for detecting security flaws and software 
vulnerabilities in source or binary code
- Model checking tools for detecting security flaws and software 
vulnerabilities in software systems
- Software architectures and designs for securing against denial-of-service 
attacks and other software exploits
- Coding practices for improved security and secure library implementations
- Computational security engineering
- Other tools and techniques for reducing or eliminating vulnerabilities during 
development and maintenance

Co-Chairs
Sven Dietrich, CERT
Daniel Plakosh, CERT/CC
Robert C. Seacord, CERT/CC

Address email to the minitrack chairs to [EMAIL PROTECTED]

Program Committee
Julia Allen, SEI/CMU
Hal Burch, CERT/CC
Brian Chess, Fortify Software
Bob Fleck, Secure Software
Michael Howard, Microsoft
Derek M. Jones, Knowledge Software Ltd
Alan Krassowski, Symantec
Fred Long, University of Wales, Aberystwyth
Tom Longstaff,  CERT
Robert Martin, MITRE
Leon Moonen, Delft University of Technology
James W. Moore, MITRE
Samuel Redwine, James Madison University
David Riley, University of Wisconsin - La Crosse
John Steven, Cigital
Carol Woody, CERT
Kenneth R. van Wyk, KRvW Associates, LLC

Paper Review And Proceedings Publication
HICSS conferences are devoted to the most relevant advances in the information, 
computer, and system sciences, and encompass developments in both theory and 
practice. Accepted papers may be theoretical, conceptual, tutorial, or 
descriptive in nature. Submissions must not have been previously published. 
Submissions undergo a double-blind peer referee process. Those selected for 
presentation at the conference will be published in the HICSS-40 conference 
proceedings.

Instructions For Paper Submission
HICSS papers must contain original material not previously published nor 
currently submitted elsewhere.
It is recommended that authors contact the Minitrack Chair(s) by email for 
guidance regarding appropriate content.
HICSS will conduct double-blind reviews of each submitted paper.
Submit full paper according to detailed author instructions to be found on the 
HICSS web site (http://www.hicss.hawaii.edu/hicss_40/apahome40.htm) by May 1.
The preferred format for paper submission is PDF.

Important 2006 Dates
June 15, 2006 - Authors may contact Minitrack Chairs for guidance and 
indication of appropriate content at any time before June 15.
August 15, 2006 - Deadline to submit full papers. All papers will be submitted 
in double column publication format and limited to 10 pages including diagrams 
and references. Papers undergo a double-blind review.
September 15, 2006 - Authors receive notification regarding paper acceptances 
through the review system, not from the Minitrack Chairs. Acceptance may be 
conditional; revisions may be requested before final acceptance of paper. 
Attendance by at least one author and presentation of the paper at the 
conference is a requirement of acceptance.
September 16, 2006 - Authors submit final version of papers following author 
instructions posted on this site. At least one author of each paper must 
register by this date with specific plans to attend the conference to present 
the paper. Early registration fee applies until this date.
September 17, 2006 - General registration

[SC-L] ZDNET: LAMP lights the way in open-source security

2006-03-07 Thread Kenneth R. van Wyk
Interesting article out on ZDNet today:

http://www.zdnetasia.com/news/security/0,39044215,39315781,00.htm

The article refers to the US government sponsored study being done by Stanford 
University, Symantec, and Coverity.  It says, "The so-called LAMP stack of 
open-source software has a lower bug density--the number of bugs per thousand 
lines of code--than a baseline of 32 open-source projects analyzed, Coverity, a 
maker of code analysis tools, announced Monday."

This surprised me quite a bit, especially given LAMP's popular reliance on 
scripting languages PHP, Perl, and/or Python.  Still, the article doesn't 
discuss any of the root causes of the claimed security strengths in LAMP-based 
code.  Perhaps it's because the scripting languages tend to make things less 
complex for the coders (as opposed to more complex higher level languages like 
Java and C#/.NET)?  Opinions?

Cheers,

Ken
-- 
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com




[SC-L] AJAX security paper

2006-02-15 Thread Kenneth R. van Wyk
FYI, here's a pointer to a just-published paper on AJAX security.  Hope you 
find it useful, particularly in light of AJAX's quick rise in popularity.

http://www.it-observer.com/articles/1062/ajax_security/

Cheers,

Ken
-- 
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com




[SC-L] Book review: Essential PHP Security

2006-02-13 Thread Kenneth R. van Wyk
I know that a lot of the folks on this list would consider the words "PHP 
Security" to be an oxymoron.  That said, there's a book out on the subject, 
and it's been reviewed on /.  The review can be found at:

http://books.slashdot.org/books/06/02/13/1426220.shtml

Cheers,

Ken van Wyk

P.S. It was nice to see a few SC-L folks at S3 in San Diego last week.
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Administrative: whitelisting on SC-L

2006-02-02 Thread Kenneth R. van Wyk
Hi SC-L folks:

I don't mean to intrude in the bug and flaw debate, but I do want to make 
sure that you're all aware of the whitelisting that I'm doing on the list 
these days, since I switched the list management from Majordomo to Mailman.  

Specifically, in order to cut down on spam, I have Mailman set to drop any 
posting sent from _any_ address that is not explicitly subscribed to the 
list.  That means, for example, if you subscribe via an email exploder or 
alias at your site, that your submissions get automatically /dev/nulled.

The solution, for anyone that wants to post and is subscribed similarly to the 
above scenario, is to subscribe your personal address and set it to NOT 
receive SC-L postings.  That way, your mail alias/exploder will continue to 
function as you set it up, AND you'll be able to post.

Since I get ZERO notification when messages (mostly spam) are dropped by the 
whitelist, I have no way of knowing who is in this situation.  So, if you 
want the ability to post, drop me a note and I'll be happy to set you up with 
a no-mail subscription.  (Don't worry, you won't/shouldn't get duplicates.)

Cheers,

Ken van Wyk
SC-L Moderator


Re: [SC-L] Managing the insider threat through code obfuscation

2005-12-15 Thread Kenneth R. van Wyk
On Thursday 15 December 2005 09:26, Jose Nazario wrote:
> if the person can develop exploits against the holes in the code, what
> makes you think they can't fire up a runtime debugger and trace the code
> execution and discover the same things?

Nothing makes me think that at all; in fact, I was quite skeptical of the 
various product claims, which is why I wanted to hear about others' 
experience with them.

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Countering Trusting Trust through Diverse Double-Compiling

2005-12-14 Thread Kenneth R. van Wyk
On Wednesday 14 December 2005 16:40, David A. Wheeler wrote:
> I've written a paper on an approach to counter this attack. See:
>   Countering Trusting Trust through Diverse Double-Compiling
>   http://www.acsa-admin.org/2005/abstracts/47.html

Thanks for sharing it here, David.

> Here's the abstract:
> ... Simply recompile the purported source code twice: once with a second
> (trusted) compiler, and again using the result of the first compilation.
> If the result is bit-for-bit identical with the untrusted
> binary, then the source code accurately represents the binary. ...

This reminded me of an old class of PC viruses (circa 1992) that evaded 
detection by file scanners by hooking the MS-DOS file read interrupt and 
returning the original, uninfected version of infected files whenever a 
program opened up an infected file for reading.  It tricked a lot of file 
scanners at the time.  If I'm not mistaken, it was the DIR-II family of 
viruses.  I'm sure that you've taken that sort of evasive action into 
account, but I thought that I'd mention it here for the SC-L folks.

Heck, by today's rather loose definitions of what a rootkit is, perhaps the 
DIR-II family was the first malware to feature rootkit-like stealth 
techniques.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com
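The diverse double-compiling check in the abstract quoted above, as an added toy simulation that is not part of this thread or of Wheeler's paper: the compilers are Python functions standing in for real toolchains, the keyword table and the code-generation names are constructed, and the `trojaned` flag is a stand-in for a self-propagating compiler backdoor of the trusting-trust kind. Beyond the abstract itself, it shows why recompiling the compiler from source with the suspect compiler proves nothing, and why the first compilation with the trusted compiler is not expected to match, only the second.

```python
"""Toy model of Diverse Double-Compiling (DDC).

Added illustration, not code from the paper or from the SC-L thread.  The
compilers are Python functions standing in for real toolchains, the keyword
table and code-generation names are constructed, and the 'trojaned' flag is
a stand-in for a self-propagating compiler backdoor (the trusting-trust
attack).  Equality of the frozen dataclasses plays the role of the
bit-for-bit comparison of real binaries.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class CompilerSource:
    """What the source code says the compiler should do."""
    table: Dict[str, str]   # keyword -> opcode it should emit
    codegen: str            # code-generation style it should implement


@dataclass(frozen=True)
class CompilerBinary:
    """A compiled compiler.  Two fields come from its source and two from the
    compiler that produced it; a real binary mixes both in the same way."""
    table: Tuple[Tuple[str, str], ...]  # from the source it was built from
    implements: str                     # codegen style its source specifies
    emitted_with: str                   # codegen style of the compiler that built it
    trojaned: bool                      # constructed flag: backdoor present?


def compile_compiler(compiler: CompilerBinary, source: CompilerSource) -> CompilerBinary:
    """Compile compiler source with a given compiler binary.

    A trojaned compiler re-inserts the trojan into every compiler it builds,
    even from perfectly clean source; that self-propagation is the point of
    the trusting-trust attack and the reason recompiling from source with
    the suspect compiler settles nothing.
    """
    return CompilerBinary(
        table=tuple(sorted(source.table.items())),
        implements=source.codegen,
        emitted_with=compiler.implements,
        trojaned=compiler.trojaned,
    )


def self_recompile_check(source: CompilerSource, untrusted: CompilerBinary) -> bool:
    """Naive check: rebuild the compiler from its source using itself and
    compare.  Passes for a clean compiler AND for a self-propagating trojan."""
    return compile_compiler(untrusted, source) == untrusted


def ddc_check(trusted: CompilerBinary, source: CompilerSource,
              untrusted: CompilerBinary) -> bool:
    """Diverse double-compiling, as in the quoted abstract.

    Stage 1 compiles the source with an independent trusted compiler; it
    behaves as the source says but carries the trusted compiler's codegen, so
    it is NOT expected to match the untrusted binary.  Stage 2 compiles the
    source again with stage 1; now both behaviour and codegen come from the
    source, so stage 2 must be identical to the untrusted binary if that
    binary really is what the source describes.
    """
    stage1 = compile_compiler(trusted, source)
    stage2 = compile_compiler(stage1, source)
    return stage2 == untrusted


# Constructed sample data.
SOURCE = CompilerSource(table={"add": "01", "sub": "02", "halt": "ff"}, codegen="hex")

# An independent compiler with a different code generator: the "diverse" one.
TRUSTED = CompilerBinary(table=(("add", "1"), ("halt", "377"), ("sub", "2")),
                         implements="octal", emitted_with="octal", trojaned=False)

# The distributed binary as it should be...
CLEAN_BINARY = CompilerBinary(table=(("add", "01"), ("halt", "ff"), ("sub", "02")),
                              implements="hex", emitted_with="hex", trojaned=False)

# ...and a version that behaves identically on ordinary programs but carries the trojan.
TROJANED_BINARY = CompilerBinary(table=CLEAN_BINARY.table, implements="hex",
                                 emitted_with="hex", trojaned=True)


if __name__ == "__main__":
    print("self-recompile, trojaned binary:", self_recompile_check(SOURCE, TROJANED_BINARY))  # True: undetected
    print("DDC, clean binary              :", ddc_check(TRUSTED, SOURCE, CLEAN_BINARY))        # True: verified
    print("DDC, trojaned binary           :", ddc_check(TRUSTED, SOURCE, TROJANED_BINARY))     # False: caught
    print("stage 1 alone matches clean?   :", compile_compiler(TRUSTED, SOURCE) == CLEAN_BINARY)  # False
```

The model assumes what DDC itself requires: compilation is deterministic, so equal inputs give bit-identical outputs. With a non-reproducible build the final comparison is meaningless, and in practice that, rather than finding a second trusted compiler, is usually the hard part.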


[SC-L] Missing URL -- ZDNet: Attackers switching to applications, media players

2005-11-22 Thread Kenneth R. van Wyk
Sorry, I neglected to include the URL for the story that I cited.  It can be 
found at:

http://news.zdnet.com/2100-1009_22-593.html?tag=zdfd.newsfeed

Cheers,

Ken




[SC-L] Slashdot | Developing Securely In Windows

2005-11-21 Thread Kenneth R. van Wyk
FYI, there's a review (by Jim Holmes) of Keith Brown's book, "The .NET 
Developer's Guide to Windows Security" available out on Slashdot at:

http://books.slashdot.org/books/05/11/21/1442228.shtml

The review summary reads, "Terrific coverage of how to go about securely 
developing .NET software."

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Administrative: SC-L changes

2005-11-18 Thread Kenneth R. van Wyk
Greetings all,

FYI, I have moved the securecoding.org site and SC-L mailing list over to a
different host.  The new host should be quite a bit faster, as it's used by a
much (!) smaller number of domains than the old one.

More importantly, at least for SC-L, is that I've changed the mailing list
manager from Majordomo to Mailman.  That means that the user interface for
subscribing, unsubscribing, digest vs. normal, etc., is now completely
different.  Additionally, Mailman automatically handles archiving of the
list, so the list traffic (from now on) will be nicely archived for easy
viewing and such.

For any and all subscription changes, just point your browsers to
http://www.securecoding.org/list/ and you'll see a link to the Mailman page.
For those so inclined, it should now be easier for you to change between
digest and non-digest format for the list.  Mailman makes that quite easy for
users.  Please try to follow the instructions on the Mailman page.  If that
doesn't work, contact me and I'll be happy to make the change for you.

Lastly, I did a bit of testing of Mailman before doing the cutover, but I'm by
no means a Mailman expert (yet).  I _hope_ that all goes smoothly, but I ask
you all to be patient if there are any unexpected burps and such.

Thanks for your patience.

Cheers,

Ken van Wyk
---
KRvW Associates, LLC
http://www.KRvW.com




[SC-L] Fwd from CIO Update: Why is application security so elusive?

2005-09-18 Thread Kenneth R. van Wyk
FYI, there's a column in CIO Update by Ed Adams exploring some of the reasons 
why secure software is so hard to find.  Unlikely to be anything new to SC-L 
readers, but it could be worth a quick read in any case.  In particular, his 
recommendations (to his presumably mostly CIO audience) are quite different 
than what you might expect to find, say, here on SC-L.  In any case, you can 
find the article at: http://www.cioupdate.com/trends/article.php/3548306

(Full disclosure: CIO Update is run by Jupiter Media, who also owns the site 
(eSecurityPlanet.com) where I'm a monthly columnist.)

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] SC-L changes

2005-09-09 Thread Kenneth R. van Wyk
Greetings SC-L folks,

Although it's been particularly quiet here recently, I've also been moving the 
list over to a new system, which has caused some additional outages.  
(Read: tree fell in the forest and no one heard it.)  In any case, the new 
system should be fully functional in the next day or two, so on the off 
chance that anyone does post anything, please bear with me while I get things 
up and running.  I'll probably send out one or two tests to ensure that 
things are flowing.  Sorry for any inconvenience...

Cheers,

Ken van Wyk
SC-L moderator


[SC-L] Wall Street Journal article on Software Security and upcoming events

2005-07-19 Thread Kenneth R. van Wyk
Hi all,

FYI, a couple of interesting things going on in the software security space 
that those here on SC-L might appreciate:

- Good article/interview in yesterday's Wall Street Journal on the topic of 
Software Security.  The interview is with Gary McGraw, and I'm sure that no 
one here will be too surprised by the content.  It's just great to see that 
kind of visibility and attention being given to Software Security.  Check it 
out (registration/subscription required) at 
http://online.wsj.com/article/0,,SB112128453130584810,00-search.html?KEYWORDS=cigital&COLLECTION=wsjie/archive
(Or just find a paper copy -- you know, the kind that our grandparents used to 
read. ;-)

- A couple of upcoming, fairly mainstream IT Security conferences both have 
numerous Software Security sessions on their agendas (including, for full 
disclosure, my own sessions at each).  I'm referring to CSI's upcoming 32nd 
annual conference (14-16 November in Washington, DC) and SANS's Silicon 
Valley event (24-30 September in San Jose, CA).  Here too, it's encouraging 
to me to see software security sessions prominently on the programs of these 
traditionally IT Security focused events.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] ANNOUNCING: 2nd US OWASP AppSec Conference - Oct 11-12 - Near DC

2005-06-17 Thread Kenneth R. van Wyk
[Ed. Crossposted, as I thought that it was relevant here as well.  KRvW]

Originally From: Dave Wichers [EMAIL PROTECTED]

Dear Colleague,

OWASP is proud to announce its second annual U.S. Application Security 
Conference. This year's conference will be held October 11-12 at the NIST 
campus in Gaithersburg, Maryland near Washington, DC. This location was 
chosen in order to encourage government, industry, and academia to get 
together and talk about the pressing problems we all face in application 
security today. Our first conference last year in NY had almost 150 
attendees. We are expecting to have almost double that at this year's 
conference. NIST's auditorium can hold 700 people so we have plenty of room 
this year. Let's fill it up!

A few firsts for our 2nd US conference:
- Sponsorship: This conference is being sponsored by the National Institute 
of Standards and Technology (NIST)
- Significant Government Participation: Representatives of various government 
agencies, including NIST and the Department of Homeland Security (DHS) will 
be speakers at the conference
- Training: A 1-day training course on the Fundamentals of Web Application 
Security is being offered the day prior to the conference
- It's not being held on a weekend :-)

Full details on the conference are available on the OWASP website at 
http://www.owasp.org/conferences/appsec2005dc.html

This year's speakers include:

- Joe Jarzombek - Director of Software Assurance at the Department of 
Homeland Security
- Ron Ross - FISMA Project Lead - NIST
- Jeff Williams - OWASP Chair and CEO Aspect Security
- Jack Danahy - CEO Ounce Labs
- Paul Black - SAMATE Project Lead and OWASP Conference Sponsor - NIST
- Diniz Cruz - OWASP .NET Project Lead
- Arian Evans - OWASP Tools Project Lead - FishNet Security
- Jeremy Poteet - Author of Canning SPAM - CSO appDefense

OWASP's AppSec conferences are dedicated to real-world application security 
issues and solutions. You'll learn all aspects of application security, 
including people, process, and technology perspectives.

You'll hear presentations on topics like:

  - DHS plans for Software Assurance
  - Status of the Federal Information Security Management Act (FISMA) 
Project
  - A Business Case for Software Assurance
  - Attacking Web Services
  - .NET Security
  - Software Assurance Metrics
  - A Survey of Application Security Tools
  - Details on the new OWASP Guide v2
  - Details on the OWASP .NET Project
  - Defending a High Profile Political Web Site
  - How to Select an Application Security Assessment Vendor

The exact agenda is still being developed and will be posted to the site as 
soon as possible.

REGISTRATION DETAILS: As a non-profit charitable organization, and with 
NIST's sponsorship, OWASP has been able to keep the cost to $300 per seat if 
you are able to register prior to Sept. 10, 2005. The cost to government 
employees is only $250 prior to Sept. 10th.

Registration information is available at: 
http://www.owasp.org/docroot/owasp/Registration/index.jsp

PLEASE NOTE THAT ALL TICKETS ARE NON REFUNDABLE TO REDUCE ADMINISTRATION
COSTS

FOUNDATIONS OF APPLICATION SECURITY COURSE - Oct 10: OWASP has arranged to 
have a one-day hands on Web Application Security training course the day 
prior to the conference. This one day class will be held at the nearby 
Holiday Inn and is only $600 for conference attendees. Registration for this 
course can be done via the conference registration page.

More details on this training course are available at: 
http://www.owasp.org/conferences/appsec2005dc/training.html

EVENING SOCIAL EVENT - Oct 11: An optional dinner event is being held at the 
Holiday Inn Gaithersburg, which is the same location where the training is 
to be held on the 10th, and where discounted rooms are being made available 
to all conference attendees (see Accommodations below).

This event involves a dinner at the hotel from 7-9 PM, followed by drinks at 
O'Malley's Irish Pub right in the hotel or out by the hotel's indoor pool 
adjacent to the pub. We hope to see all of you there as this is a great 
chance to mingle and meet many members of the OWASP community.

ACCOMMODATIONS: Information about local accommodations, including reduced-rate 
rooms at the nearby Holiday Inn, is available at:
http://www.owasp.org/conferences/appsec2005dc/accommodations.html

If you know others that would be interested in attending the 2nd annual US 
OWASP conference, please forward them this email and let them know about 
this opportunity.

Please contact me with any questions. Looking forward to seeing you all 
there!

Thanks, Dave

Dave Wichers, OWASP Conferences Chair
The OWASP Foundation
http://www.owasp.org 


[SC-L] Secure programming with the OpenSSL API, Part 2: Secure handshake

2005-05-11 Thread Kenneth R. van Wyk
FYI, there's a new(ish) article by Kenneth Ballard out on IBM's developerWorks 
site, on the topic of secure use of OpenSSL.  It's actually part 2 in a 
series, but there's a pointer there to part 1 also.  The abstract follows, 
along with the URL to the full article:

"Securing the handshake during a Secure Sockets Layer (SSL) session is vital, 
since almost all of the security involving the connection is set up inside 
the handshake. Learn how to secure the SSL handshake against a man in the 
middle (MITM) attack -- in which the intruding party masquerades as another, 
trusted source. This article also introduces the concept of digital 
certificates and how the OpenSSL API handles them."

http://www-128.ibm.com/developerworks/linux/library/l-openssl2.html?ca=dgr-lnxw02SecureHandshake


Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Tech News on ZDNet -- OS makers: Security is job No. 1

2005-05-10 Thread Kenneth R. van Wyk
FYI, somewhat interesting story today on ZDNet (see 
http://news.zdnet.com/2100-1009_22-5697133.html?tag=st.prev) about operating 
system makers paying more attention to security.  Note the differing (public) 
statements by Microsoft and Apple...

Being fundamentally a glass half full sort of person, I think that it's 
refreshing to hear that OS vendors are making their products' security a 
higher priority than it's typically been in the past.  There's also an 
implicit message here regarding a proactive software security posture vs. 
"firewall and IDS it" after the product is released.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Fwd: Novell Adds Security Company to Its Linux Mix

2005-05-10 Thread Kenneth R. van Wyk
FYI, interesting move today in the software security space -- Novell announces 
its acquisition of Immunix.  Story at 
http://www.eweek.com/article2/0,1759,1814599,00.asp

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Mobile phone OS security changing?

2005-04-06 Thread Kenneth R. van Wyk
Greetings,

I noticed an interesting article about a mobile phone virus affecting 
Symbian-based phones out on Slashdot today.  It's an interesting read:

http://it.slashdot.org/it/05/04/06/0049209.shtml?tid=220&tid=100&tid=193&tid=137

What particularly caught my attention was the sentence, "Will mobile OS 
companies, like desktop OS makers, have to start an automatic update system, 
or will the OS creators have to start making their software secure?"  Apart 
from the author implying that this is an "or" situation, it's something that 
many of us have been saying for a very long time.  (See my/Mark Graff's 
related op-ed from over a year ago at: 
http://www.securecoding.org/authors/oped/feb132004.php)

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Application Insecurity --- Who is at Fault?

2005-04-06 Thread Kenneth R. van Wyk
Greetings++,

Another interesting article this morning, this time from eSecurityPlanet.  
(Full disclosure: I'm one of their columnists.)  The article, by Melissa 
Bleasdale and available at 
http://www.esecurityplanet.com/trends/article.php/3495431, is on the general 
state of application security in today's market.  Not a whole lot of new 
material there for SC-L readers, but it's still nice to see the software 
security message getting out to more and more people.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Mobile phone OS security changing?

2005-04-06 Thread Kenneth R. van Wyk
On Wednesday 06 April 2005 09:26, Michael Silk wrote:
> The last thing I want is my mobile phone updating itself. I imagine
> that sort of operation would take up battery power, and possibly cause
> other interruptions ... (can you be on a call and have it update
> itself?)

I vividly remember a lot of similar arguments a few years ago when desktop PCs 
started doing automatic updates of OS and app software.  Now, though, my 
laptop gets its updates when it's connected and when I'm not busy doing other 
things.

My main point, though, is that the status quo is unacceptable in my opinion.  
If a nasty vulnerability is found in most of today's mobile phone software, 
the repair process -- take the phone to the provider/vendor and have them 
burn new firmware -- just won't cut it.  For that matter, a lot of PDAs are 
in the same boat.

Sure, we'd all prefer better software in those devices to begin with, but as 
long as there are bugs and flaws, the users of these devices need a better 
way of getting the problems fixed.

> Personally, I would prefer a phone that doesn't connect to the
> internet at all rather than a so called 'secure' phone.

For the most part, those days are over.

> From reading the article it seems like the application asks to be
> installed, (is that correct?) so it doesn't seem like that big of a
> problem [unless phones start to get into the 'trusted'/'non-trusted'
> application area..]

Fortunately, no one would ever think of removing that query from the worm
or circumventing the mechanism in the OS, so that it copies itself without 
notice in the future.  ;-\

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] eSecurityPlanet article on Fortify source code scanner

2004-11-22 Thread Kenneth R. van Wyk
FYI, interesting article on eSecurityPlanet regarding Fortify's commercial 
source code scanning tool -- see the full text at 
http://www.esecurityplanet.com/patches/article.php/3439021

Among other things, the article says, "In addition to new language support for 
C# -- the software already supports C, C++, PL/SQL, Java Server Pages (JSP) 
and Java -- Fortify has added four new analyzers, a rules manager and an 
audit manager to prioritize the level of software flaws."

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] How do we improve s/w developer awareness?

2004-11-11 Thread Kenneth R. van Wyk
Greetings,

In my business travels, I spend quite a bit of time talking with Software 
Developers as well as IT Security folks.  One significant difference that I've 
found is that the IT Security folks, by and large, tend to pay a lot of 
attention to software vulnerability and attack information while most of the 
Dev folks that I talk to are blissfully unaware of the likes of 
Full-Disclosure, Bugtraq, PHRACK, etc.  I haven't collected any real stats, 
but it seems to me to be at least a 90/10% and 10/90% difference.  (Yes, I 
know that this is a gross generalization and there are no doubt significant 
exceptions, but...)

I believe that this presents a significant hurdle to getting Dev folks to care 
about Software Security issues.  Books like Gary McGraw's Exploiting Software 
do a great job at explaining how software can be broken, which is a great 
first step, but it's only a first step.

Am I alone in this opinion or have others noticed the same sort of thing?  
It's going to be a long, slow battle, in my opinion.

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Open Source failure analysis tool released for Linux

2004-10-15 Thread Kenneth R. van Wyk
ljknews wrote:
> At 8:23 AM -0400 10/15/04, Kenneth R. van Wyk wrote:
>> I believe that we don't do enough to analyze and learn from software failures.  
> I believe the industry as a whole does plenty to analyze software
> failures, particularly considering how little is done to avoid
> those errors.  Added analysis in the face of near-zero remediation
> would be useless.
> How many times do we see buffer overflow as the cause, yet even on
> this mailing list people still defend the use of languages that not
> only permit but actually promote such errors.
Well, I did say "...analyze AND learn"  :-)
Seriously, though, there's plenty of data on the symptoms of failures -- 
advisories, securitytracker.com, etc., but not enough on the causes in 
my opinion.

And, to exacerbate the problems, in every software security tutorial 
that I do, I ask the students how many of them read information from 
places like bugtraq, full-disclosure, phrack, and such.  Among the 
software developers, _maybe_ 5% of them say that they do.  Admittedly, 
the percentage is better among the IT Security folks that I talk to, but 
they're not generally the ones that are writing the software.  Of 
course, that's not a scientific survey or anything, but I sure get the 
feeling that very few software dev folks spend any/much time analyzing 
failures.

Cheers,
Ken


[SC-L] eWeek: App Developers Need to Redouble Security Efforts

2004-09-30 Thread Kenneth R. van Wyk
FYI, there's an interesting article in eWeek today -- see 
http://www.eweek.com/article2/0,1759,1663716,00.asp -- regarding a recent 
Gartner study on software security.  Among other things, it says, "Gartner 
predicts that if 50 percent of software vulnerabilities were removed prior to 
production use for purchased and internally developed software, enterprise 
configuration management costs and incident response costs each would be 
reduced by 75 percent."   Enjoy...

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] ComputerWorld interview with Theo de Raadt on Software Security

2004-09-10 Thread Kenneth R. van Wyk
FYI, ComputerWorld is running an interesting interview with Theo de Raadt, on 
the state of software security, and OpenBSD in particular.  See 
http://www.computerworld.com.au/index.php/id;1498222899;fp;16;fpid;0 for the 
complete text.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] eSecurityPlanet column on Software Security

2004-09-07 Thread Kenneth R. van Wyk
Greetings all,

Wow, it sure has been quiet here for a couple weeks.  Perhaps it's just those 
late summer (or winter, for you southern hemispherians) vacations...

In any event, just an FYI here.  My September eSecurityPlanet column hit the 
streets today (see http://www.esecurityplanet.com/views/article.php/3404191) 
if you're interested.  It's on the topic of Software Security.  I should 
point out that it's primarily written for an IT Security audience.  It's slow 
progress convincing them that Software Security is more than running a pen 
test against an application a week before it goes live in the data center...

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Grass roots secure coding efforts

2004-08-23 Thread Kenneth R. van Wyk
Greetings all,

One of the things that I hear most from software developers when I deliver 
secure coding tutorials and such is that they're likely to be unable to do 
things like detailed threat modeling, risk analyses, etc.  The reason most 
often cited is that they're under tight deadlines and there's not enough time 
in the schedule for such activities.  

Of course, to really expect any sort of culture shift, there would need to be 
top-level support for adopting secure coding practices.  That said, I often 
spend some time brainstorming lists of things that the students can consider 
trying by themselves as soon as they are back in their offices.  I'm talking 
about grass roots sorts of activities that won't break the bank (or 
schedule) here.

Some of the things that the students have suggested include the following:

- Informal peer review of code modules
- Incorporation of (usually free) static code review tools in the code reviews
- Setting up an information sharing site/portal/drive internally for 
developers to load useful links, tools, experiences, etc.
- and so on

Most often, the students agree that these sorts of things are the types of 
simple first steps that they could reasonably expect to take.  Anyone here 
have other suggestions on other first steps that developers might consider, 
even in the absence of top-level embracing of a more secure development 
methodology?

(No, I'm not suggesting that a simple list like this be any sort of substitute 
for a more in-depth program, but it's a starting point for developers to 
experiment with in trying to improve the security of their software dev 
practices.)

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Programming languages -- the third rail of secure coding

2004-07-19 Thread Kenneth R. van Wyk
Greetings,

It appears as though we may well have discovered software security's third 
rail over the last couple of weeks in the discussions regarding programming 
language choices.  I don't mean to fan those flames by any means, trust me.  
However, I noticed several announcements for PHP version 5 (see 
http://www.zend.com/ for the official announcement and press release) over 
the weekend.  PHP has long been the whipping boy of secure programming, and 
version 5 appears to add a great deal of new functionality to this popular 
language.  Secure or not, there's a lot of PHP users and coders out there, 
and this added complexity certainly enhances its "trinity of trouble" profile 
(with respect to Gary McGraw's Exploiting Software).

Along those lines, there's a good article at 
http://otn.oracle.com/pub/articles/hull_asp.html that compares PHP5 against 
ASP.NET, including the security features of each.

Happy reading...

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Protecting users from their own actions

2004-07-07 Thread Kenneth R. van Wyk
Wall, Kevin wrote:
> Isn't this something that users probably shouldn't be given a choice
> on? Normally I would think that corporate security policy dictates
> keeping the AV software / signatures up-to-date as well as dictating
> the (personal) firewall configurations. Some centrally administered
> software should do these things...
I agree that central administration works best in today's corporate 
environments, but I was referring also to the more general desktop 
environments as well, right down to the home and SOHO users that 
have to install and/or update their own.

Aside from that issue, though, the primary point that I wanted to get 
across is that there are substantial limitations to what we can 
accomplish through user education.  I believe that our 
software -- from enterprise app servers through desktop emailers 
and browsers -- needs to do better at protecting users, even 
when they make decisions that we would think to be unwise.

Cheers,
Ken van Wyk


[SC-L] Protecting users from their own actions

2004-07-06 Thread Kenneth R. van Wyk
Hi All,

FYI...  This topic has come up here a few times, so I thought that I'd send a 
pointer to my July eSecurityPlanet column 
(http://www.esecurityplanet.com/views/article.php/3377201 - free, no registration 
required).  In the column, I take the seemingly unpopular view --at least in 
this group -- that we can't count on things like user awareness training to 
prevent users from doing things like clicking on unsafe email attachments.  I
also make a plug for better software security across the industry.

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] ACM Queue article and security education

2004-06-30 Thread Kenneth R. van Wyk
James Walden wrote:
> I'd like to open a discussion based on this quote from Marcus Ranum's 
> ACM Queue article entitled "Security: The root of the problem":
Thanks.  I also read Marcus's article with interest.  Caveat: clearly, I 
have a biased outlook, since software security training is one of the 
things that I do for a living.

Overall, I like and agree with much of what Marcus said in the article.  
I don't, however, believe that we can count on completely putting 
security below the radar for developers.  Having strong languages, 
compilers, and run-time environments that actively look out for and 
prevent common problems like buffer overruns are worthy goals, to be 
sure, but counting solely on them presumes that there are no security 
problems at the design, integration, or operations stages of the 
lifecycle.  Even if the run-time environment that Marcus advocates is 
_perfect_ in its protection, these other issues are still problematic 
and require the developers and operations staff to understand the problems.

> From my perspective, security education is only beginning to climb an 
> initial upward curve.  While classes in security topics are becoming 
> more common in undergraduate computer science course catalogs, their 
> presence is far from universal.  I don't know of any university that 
> requires such a class for an undergraduate CS degree; if any such 
> programs exist, they're not common.
I agree with you on this, certainly.  My nephew is a senior in an 
undergrad CS curriculum and his university has yet to discuss security 
in any of his course work, to my knowledge. 

> While there are non-university classes and workshops that teach 
> software security, I doubt that a majority of developers have attended 
> even one such class.  Software security has to be integrated into the 
> CS curriculum before we can expect a majority of developers to have 
> the appropriate skills, and then there will still be the issue of 
> applying them under deadline pressure.
Yup, but in the belt and suspenders approach that I like to advocate, 
I'd like to see software security in our undergrad curricula as well as 
professional training that helps developers understand the security 
touch points throughout the development process -- not just during the 
implementation phase.

Cheers,
Ken van Wyk
http://www.KRvW.com


[SC-L] SPI, Ounce Labs Target Poorly Written Code

2004-06-28 Thread Kenneth R. van Wyk
FYI, a couple of announcements from SPI Dynamics and Ounce Labs hit eWeek.com 
today -- see http://www.eweek.com/article2/0,1759,1617901,00.asp for the full 
text.

According to the article, SPI Dynamics has released its SecureObjects 
product, which is a series of (presumably) securely written objects that 
developers can make use of for performing various security-related tasks 
(e.g., input validation) in their code.  The article quotes SPI Dynamics' CTO 
as saying, "It doesn't require developers to learn about security," which 
strikes me as being a rather bold statement.

Meanwhile, Ounce Labs has put out a new version of its Prexis source code 
scanner.   It currently scans C and C++, but the article says that a Java 
version will be available in July.

Reports of user experiences with these tools would be appreciated here.

Cheers,

Ken

P.S. Anyone interested in seeing a bit of Budapest can check out some of the 
shots I took while I was there at http://www.vanwyk.org/ken/galleries.php

-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] LinuxWorld | Secure coding attracts interest, investment

2004-05-26 Thread Kenneth R. van Wyk
Greetings all,

FYI, it looks like we're at the beginning of a new wave of software security 
tools.  There's a few commercial products beginning to hit the market that 
take static src code scanning to a new level.  See the link below for a 
LinuxWorld article that briefly (!) describes @stake's new SmartRisk Analyzer 
tool in addition to Fortify's Source Code Analysis suite.  These appear to 
pick up where current static analysis tools (e.g., ITS4, Flawfinder) leave 
off.

Anyone here willing/able to share some _user_ level experiences with any of 
these tools?  It'll be interesting to hear how they hold up in real software 
development environments.

http://www.linuxworld.com.au/nindex.php/id;1780700095;fp;2;fpid;1

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Microsoft threat modeling tool available for free

2004-05-26 Thread Kenneth R. van Wyk
Greetings,

Almost missed this one while I was out of the office for a couple days...  
Microsoft have announced the free availability of a threat modeling tool by 
Frank Swiderski, who is also writing a soon-to-be released book on threat 
modeling.  Details on the tool (warning: requires .NET framework to be 
installed) as well as the book are available at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=62830f95-0e61-4f87-88a6-e7c663444ac1&displaylang=en

Has anyone here tested the tool yet?  Opinions?  I'm a firm believer that not 
enough effort is paid to the threat analysis process during the design phase, 
so any tool that makes that easier should be a good thing -- even if it 
doesn't run on my Debian/Sarge desktop system.  :-)

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Interesting article on minimizing privileges

2004-05-26 Thread Kenneth R. van Wyk
Anyone looking for a great introduction to putting the principle of least 
privilege into action, check out David Wheeler's article at:

http://www-106.ibm.com/developerworks/linux/library/l-sppriv.html?ca=dgr-lnxw04Privileges

It cites one of my favorite examples of least privilege, Wietse Venema's 
Postfix program.  Great stuff, check it out.

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com
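The step that most often goes wrong when a daemon tries to follow the article's advice is the privilege drop itself: calling setuid() before setgid(), forgetting the supplementary group list, or never checking that root cannot be regained. The following is an added example in C, not code from Wheeler's article or from Postfix; the function name drop_privileges and the demonstration target (the invoking user's own ids) are assumptions made for illustration.

```c
/* Added example: permanently drop root privileges in the correct order and
 * verify that the drop actually stuck.  Not taken from Wheeler's article or
 * from Postfix; function name and demo target are illustrative choices. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop permanently to uid/gid.  Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups first (only root may clear them),
 * then the primary gid, then the uid.  setuid() must come last, because
 * once the effective uid is non-zero the other two calls are refused. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Supplementary groups are not touched by setgid(); clear them
         * explicitly or the process keeps e.g. group "wheel" access. */
        if (setgroups(0, NULL) != 0)
            return -1;
    }
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* The drop must be irreversible.  If we can still become root, the
     * saved set-user-id was left at 0 and the drop is only cosmetic. */
    if (uid != 0 && setuid(0) == 0)
        return -1;

    /* Confirm real and effective ids both moved to the requested values. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

int main(void)
{
    /* Demo target: the invoking user's own real ids.  When started as a
     * normal user this is a no-op drop, but every check above still runs;
     * when started as root, substitute the service account's ids here. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now running as uid=%u gid=%u\n",
           (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Real services should resolve the target account with getpwnam() and drop before opening anything that does not need root, keeping only the already-bound listening socket; the verification branch is what turns a silent partial drop into a hard failure at startup rather than a surprise during an incident.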


[SC-L] Andy Tanenbaum on Linux's origins and security

2004-05-20 Thread Kenneth R. van Wyk
Andy Tanenbaum, the author of the MINIX operating system, recently posted an 
opinion piece on the origins of Linux.  It's a fascinating albeit somewhat 
lengthy read -- see http://www.cs.vu.nl/~ast/brown/ for the full text.  

At the very end of the document, he talks about the security of a microkernel 
system like (his own) MINIX vs. that of a monolithic kernel like Linux.  He 
writes, "With all the security problems Windows has now, it is increasingly 
obvious to everyone that tiny microkernels, like that of MINIX, are a better 
base for operating systems than huge monolithic systems. Linux has been the 
victim of fewer attacks than Windows because (1) it actually is more secure, 
but also (2) most attackers think hitting Windows offers a bigger bang for 
the buck so Windows simply gets attacked more. As I did 20 years ago, I still 
fervently believe that the only way to make software secure, reliable, and 
fast is to make it small. Fight Features."

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] MIT study on software development processes

2004-04-30 Thread Kenneth R. van Wyk
Hi all,

I just saw a Slashdot story 
(http://developers.slashdot.org/article.pl?sid=04/04/30/1421223&mode=thread&tid=126&tid=156&tid=185)
announcing an MIT study on software development processes used around the 
world.  The report itself can be found at 
http://ebusiness.mit.edu/research/papers/178_Cusumano_Intl_Comp.pdf

I haven't read through the whole thing, but the slashdot entry indicates that 
the study found some interesting things, in particular the low use of 
specification documents in the design cycle.  Although it doesn't seem to 
address security per se, I thought that SC-L readers might find it an 
interesting read nonetheless.

Cheers,

Ken
-- 
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Yoran on the state of software security

2004-04-20 Thread Kenneth R. van Wyk
Greetings all,

I was asked to clarify what I posted yesterday re Amit Yoran's recent public 
statements on the topic of software security.

On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
> Ken, could you clarify a little please?

Happy to, see below.

> I detect a slightly snide tone that suggests that you disagree with the
> assertion that it is inexplicable to produce software that suffers from
> buffer overruns.  Is that really your position?  If so, why?

Heavens no!  Sorry for the ambiguity.  Indeed, the issue of buffer overruns is 
probably the principal one that convinced me to co-author Secure Coding with 
Mark Graff.  I'd like to see them become the polio of the tech world.

What I was trying to make light about in my note is whether Yoran got that 
notion from my statement in my TechTV interview -- that we have to focus more 
of our attention at improving software security.  That was where the "me 
neither..." came from, because I have no delusions that he would have caught 
my segment on the show -- or that it would have influenced him in any way 
even if he had.

> Of course there are lots of other security issues (not least social
> engineering ones) but in what way is security /harmed/ by disciplined
> programming in appropriate languages supported by appropriate tools?  Our
> experience is that such rigorous software engineering approaches result in
> more robust and secure product and a significant cost saving over less
> rigorous approaches.

Yes, I fully concur.  I found it encouraging that Yoran is raising software 
security as a major issue also.  I do wish that he'd used other examples than 
only buffer overruns, but it's a good step in the right direction.  I'm 
particularly big on improving the design phase, long before any line of code
(overrun or not) has been written.

Does that help clarify my point?

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Anyone looked at security features of D programming language?

2004-04-19 Thread Kenneth R. van Wyk
Hi all,

I just saw an interesting article about a programming language that's under 
development called D.  (See full article at 
http://www.osnews.com/story.php?news_id=6761)  The description of the 
language is, "D is a (relatively) new addition to the C family of programming 
languages, intended as a successor to C++ but also incorporating ideas and 
improvements from other C-like languages such as Java and C#. It is an 
object-oriented, garbage-collected, systems programming language that is 
compiled to executable rather than bytecode. The specification and reference 
compiler are currently at version 0.82, and are expected to reach 1.0 within 
the year. The reference compiler runs on both Windows and Linux x86, and the 
frontend is Open-Sourced. A port of the frontend to GCC is underway and 
already functional on Linux x86 and Mac OS X."

Has anyone here looked into the security strengths/weaknesses of D?  Care to 
discuss or summarize for the rest of us?  Does it inherit the problems of C 
while trying to improve on C++ et al?

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Computerworld op/ed on vulnerability patch cycle

2004-04-14 Thread Kenneth R. van Wyk
Alexander Antonov wrote:
> I believe the issue of automatic updates was already discussed on other security-related lists.
Yes, I agree, but that's not what I was commenting on specifically.  
Certainly, we've seen automatic patches for a few years now.  (And for 
many systems, e.g., desktop users, I believe that they're a good thing, 
in general.)

The column, however, advocates _slowing down_ the patch and distribution 
process so that all (subscribed) users of the product get the patch and 
install it more-or-less simultaneously.  In my view, that doesn't do 
much, if anything, to make matters better.  If anything, it punishes 
those that promptly install (after appropriate testing, no doubt) 
patches because it forces them to wait for the stragglers to catch up.

That said, I certainly agree with the column's notion that the current 
patching process that most product vendors use is not meeting our needs.

Cheers,

Ken van Wyk
http://www.KRvW.com


[SC-L] Administrivia Request: Aloha, the moderator is back

2004-03-27 Thread Kenneth R. van Wyk
Aloha all,

Just got back from a couple of weeks of sun and golf in Hawaii with my wife 
and, although I was checking email daily (thanks to T-Mobile unlimited GPRS 
data), it's been pretty quiet here on SC-L.  In any case, though, I'm back now and 
open for business, FYI.

And here's a bit of food for thought...  I've been invited to be on an 
upcoming TechTV segment on the topic of computer viruses.  I'm not sure how 
much leeway I'll have in steering the discussions, but if appropriate, I'd 
sure like to slip in a good word for software security as a vital topic that 
isn't being adequately addressed presently.  I'd love to hear suggestions 
from this group as to what _the_ key message is that you think I should try 
to get across to the viewers.  Responses on or offline would be most 
appreciated.

Mahalo,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Humor: Secure coding in the comics (Foxtrot)

2004-03-04 Thread Kenneth R. van Wyk
Those of us that are lucky (?) enough to get the FoxTrot comic strip 
(http://www.foxtrot.com) may have noticed that yesterday's and today's strips 
were discussing a software security topic.  The author, Bill Amend, addresses 
the issue of the recent leak of some Microsoft source code.  Check it out at:

http://www.ucomics.com/foxtrot/2004/03/03/
and
http://www.ucomics.com/foxtrot/2004/03/04/

...well *I* thought it was funny.  YMMV   ;-)

Cheers,

Ken van Wyk
-- 
KRvW Associates, LLC
http://www.KRvW.com