[SC-L] OWASP iGoat 1.2 released

2012-03-30 Thread Kenneth Van Wyk
Greetings SC-L folks,

I thought some of you might find our project announcement (below) interesting. 
If you're an iOS developer or know any iOS developers, I'd like to encourage 
you to check out the OWASP iGoat project. It's modeled after its namesake, 
WebGoat, and is intended to be a tool for iOS developers to learn about the 
major security pitfalls when developing on iOS.


FYI, we released iGoat version 1.2 yesterday. The primary change over 1.1 is 
the addition of a new keychain exercise, contributed by a newcomer to the team, 
Mansi Sheth.

Thanks Mansi and Sean for pulling this together.

It's great to see some external participation on the project, of course. We'd 
love to see more -- any time!

Cheers,

Ken van Wyk
iGoat Project Leader



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] ANNOUNCEMENT: SecAppDev 2012, Leuven, Belgium

2011-12-22 Thread Kenneth Van Wyk
We are pleased to announce SecAppDev 2012, an intensive one-week
course in secure application development. The course is organized by
secappdev.org, a non-profit organization that aims to broaden security
awareness in the development community and advance secure software
engineering practices. The course is a joint initiative with K.U.
Leuven and Solvay Brussels School of Economics and Management.

SecAppDev 2012 is the 8th edition of our widely acclaimed course, 
attended by an international audience from a broad range of industries
including financial services, telecom, consumer electronics and media
and taught by leading software security experts including

+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
+ Ken van Wyk, co-founder of the CERT Coordination Center and widely
  acclaimed author and lecturer.
+ Dr. Steven Murdoch of the University of Cambridge Computer 
  Laboratory's security group, well known for his research in
  anonymity and banking system security.
+ Jim Manico, founder, producer and host of the OWASP Podcast Series.

When we ran our first annual course in 2005, emphasis was on awareness
and security basics, but as the field matured and a thriving security
training market developed, we felt it was not appropriate to compete
as a non-profit organization. Our focus has hence shifted to providing
a platform for leading-edge and experimental material from thought
leaders in academia and industry. We look toward academics to provide
research results that are ready to break into the mainstream and 
attract people with an industrial background to try out new content
and formats.

We cover a wide range of facets of secure software engineering
including

+ threat modeling
+ architecture
+ design
+ coding
+ testing
+ cryptography
+ web applications
+ mobile applications
+ economic/business aspects

The course takes place from March 5th to 9th in the Irish College,
Leuven, Belgium.

For more information visit the web site: http://secappdev.org.

Places are limited, so do not delay registering to avoid 
disappointment. Registration is on a first-come, first-served basis.
A 25% discount is available for Early Bird registration until January
15th. Public servants and independents receive a 50% discount.

I hope that we will be able to welcome you or your colleagues to our
course.

Cheers,

Ken van Wyk (and the rest of the SecAppDev organizers)


P.S. I apologize if you have already received this announcement via
another channel. If you do not wish to receive future secappdev.org
announcements, please unsubscribe by replying to this email.

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Announcing the first Mobile App Sec Triathlon, 2-4 Nov 2011, San Jose, CA

2011-08-29 Thread Kenneth Van Wyk
Greetings SC-L,

I'll keep this announcement real short...

Gunnar Peterson and I are teaming up to present our Mobile App Sec Triathlon -- 
3 days of training, heavily laden with hands-on exercises -- to San Jose, 
California on 2-4 November 2011. Details available at: 
http://mobileappsectriathlon.com, or email us for more info.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

We're on Facebook now at: http://facebook.com/KRvW.Associates



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] ANNOUNCING: OWASP iGoat initial public release, version 1.0

2011-06-16 Thread Kenneth Van Wyk
Greetings all.

Yesterday, we put out the first public release of the OWASP iGoat project. This 
message is a brief description and call for participants in the project.


Background

The iGoat tool is a learning tool, primarily meant for iOS developers (but also 
useful to IT security practitioners, security architects, and others who simply 
want to learn about iOS security). It takes its name and inspiration from the 
venerable OWASP WebGoat tool. 

Like WebGoat, iGoat users explore a number of security weaknesses in iOS by 
exploiting them first. Then, once each weakness has been explored, the iGoat 
user must implement a remediation to protect against each weakness and validate 
that the remediation was successful--similar to the WebGoat Developer Edition.

Hints and other background information are provided, right down to commented 
solutions in the source code, so that developers can use iGoat as a self-study 
learning tool to explore and understand iOS weaknesses and how to avoid them.

Further, the iGoat platform was specifically designed and built to be as easily 
extensible as possible, so that new exercises can be easily built and 
integrated over time.

iGoat was sponsored and initially developed by KRvW Associates, LLC 
(www.krvw.com), and is being released under GPLv3 licensing to the community.



Status

With the first public release, we've included several initial exercises and 
exercise categories. These include such well known topics as SQL Injection, 
secure communications, etc. We plan to further integrate another handful of 
exercises in the short term, as well as make several improvements to the user 
interface.

In the short term, we'll also be adding more documentation in the form of HOWTO 
documents that will cover how to install and use iGoat, as well as how to add 
new exercises to it.

No doubt, further improvements will quickly surface as the community starts 
using the tool...


Project Site

iGoat can be found at: https://www.owasp.org/index.php/OWASP_iGoat_Project

All releases and source code are on Google Code. See the project home page 
above for further details.



Call for Participation

The iGoat team would like to invite anyone interested to participate and 
contribute to iGoat's further development. Please contact the project leader, 
Ken van Wyk (k...@krvw.com) if you wish to contribute to the project.



Mailing List

An open, unmoderated forum has been set up for the iGoat project. To subscribe, 
see https://lists.owasp.org/mailman/listinfo/owasp-igoat-project



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] OPINION column re mobile security

2011-06-01 Thread Kenneth Van Wyk
Greetings SC-L,

It occurred to me that I neglected to send a pointer here to my latest 
Computerworld column. The general topic is mobile device security, but more to 
the point, it's about trying to do (security) things differently in the mobile 
world, so we don't have to re-live all our mistakes of the past. Let's at least 
find some _new_ mistakes... ;-)

http://www.computerworld.com/s/article/9216996/Kenneth_van_Wyk_Mobile_security_isn_t_going_to_just_happen

Cheers,

Ken van Wyk
SC-L Moderator




smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] SC-L Administrative FAQ

2011-03-23 Thread Kenneth Van Wyk
Greetings SC-L Subscribers,

I'm in an airport lounge on the other side of the planet (from my home), and I 
thought I'd take a few moments to jot down some answers to SC-L administrative 
issues that come up from time to time here on SC-L. I hope you find them 
helpful.

I try to keep the administrative traffic here to a bare minimum, so you don't 
often hear from me. But I do moderate and approve every single posting that 
goes to the list, so I'm always actively involved here. And I deal with quite a 
fair share of administrative issues. So, I thought it would be worth taking a 
few minutes and recording some of the things that people ask me from time to 
time.

Your feedback is always appreciated. Please contact me at ken _at_ krvw.com if 
you have any questions or issues re SC-L.

Cheers,

Ken van Wyk
SC-L Moderator

===

SC-L Administrative FAQ



Q: What is SC-L?

A: SC-L is a moderated mailing list whose mission is to further the state of 
the practice of developing secure software, by providing a free and open, 
objectively moderated, forum for the discussion of issues related to secure 
coding practices throughout a software development lifecycle process (including 
architecture, requirements and specifications, design, implementation, 
deployment, and operations). 

---

Q: Who runs SC-L?

A: I do. I'm Ken van Wyk, and I run the list as a free, non-commercial service 
to the software security community. If you have questions/issues, you can 
contact me at ken _at_ krvw.com.



Q: How do I subscribe to the list?

A: The URL for the Mailman interface to subscribe or unsubscribe is 
http://www.krvw.com/mailman/listinfo/sc-l



Q: What sort of things are allowed and not allowed on SC-L?

A: Basically, my primary rule is civility. You can agree or disagree with 
others to your heart's content, but keep a civil tone and you're likely to have 
your submissions approved. For more details on what I allow and don't allow on 
the list, see the list charter at: http://www.securecoding.org/list/charter.php



Q: How about job postings?

A: So long as they're tasteful and not shotgunned to the list frequently, I'm 
happy to accept the occasional job posting from people within the software 
security community.



Q: Announcements about conferences and training events?

A: Similar to my policy re job postings, I'll accept them if they're not overly 
commercial and if they're occasional. This goes for commercial as well as 
non-commercial events.



Q: Advertisements?

A: No. I do not accept advertisements on SC-L. There are more than plenty 
places on the net to advertise your products and services; just not here.



Q: The moderator has rejected my posting, and I believe the decision was 
unfair. What is my recourse?

A: Well, this isn't a democracy... But, if you feel your submission should have 
been approved, email me and state your case. I'm a reasonable man and I'm 
willing to hear you out -- and admit when I'm wrong.



Q: There seems to be a LOT of traffic from a small vocal minority here. What's 
up with that?

A: The group is what the group makes of it. If you want to see more diverse 
traffic here, post it. I'm don't take a position on who may and may not submit 
to the list. If you're subscribed and your posting conforms to my guidelines, 
then I'll most likely approve your posting.



Q: I'm a subscriber to SC-L, and I submitted a message to the list, but it 
never showed up and I never got any notification. Did the moderator ignore me? 
Why?

A: Perhaps you submitted your email using an email address that isn't itself 
subscribed? To reduce the spams that show up in my inbox, I have configured 
SC-L to discard (without notification) any submissions from email addresses 
that are not subscribed to the list. So, if you subscribed from (say) your 
personal address but are posting from your work address, your submission would 
get discarded.



Q: But I use multiple email addresses regularly. What can I do so I can submit 
from any of them without getting duplicate copies of SC-L in all my inboxes?

A: That's easy to do. Just contact me off-list (ken _at_ krvw.com) and tell me 
which of your email addresses you want to submit from. I can subscribe them 
to the list but have them not get duplicate copies of the list traffic. No 
problem.






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW 

[SC-L] CERT/CC Blog: Announcing the CERT Basic Fuzzing Framework 2.0

2011-03-01 Thread Kenneth Van Wyk
FYI, new version of Basic Fuzzing Framework released by CERT/CC.

http://www.cert.org/blogs/certcc/2011/02/cert_basic_fuzzing_framework_b.html



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] New Safecode doc released

2011-02-08 Thread Kenneth Van Wyk
Greets all.  FYI:

SAFECode has released, “Fundamental Practices for Secure Software Development 
2nd Edition: A Guide to the Most Effective Secure Development Practices in Use 
Today.” The report is intended to help others in the industry initiate or 
improve their own software security programs and encourage the industry-wide 
adoption of fundamental secure development methods. 

Doc can be found at: 
http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf
 
Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] ISO/IEC 27034 application security guideline

2010-10-21 Thread Kenneth Van Wyk
Greetings SC-L folks,

I don't participate in standards bodies, so I'm not very familiar with their 
inner workings and such.  However, a colleague has pointed me to an ISO 
standard under development that will describe an application security 
development process.

I visited the site (http://www.iso27001security.com/html/27034.html) and didn't 
find much in the way of documentation, other than a list of really ambitious 
plans for the future.

So my question here is this: anyone here involved in this standards effort?  If 
so, would you mind sharing with us a high level overview of where they are in 
their efforts and when the world is likely to start seeing output from the 
effort?

Much appreciated.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Apple's iOS app review guidelines

2010-09-09 Thread Kenneth Van Wyk
Greetings SC-L,

I read the news this morning with a lot of hope -- that Apple has finally 
published their app review guidelines for iOS app developers.  But then I read 
the document.

For starters, I did a quick grep for: security, secure, crypt, safe.  Nothing.  
Nada.

The document is essentially a big long black list of what things not to do.  
There seems to be nothing in the way of prescriptive guidance on what TO do.

Not inspiring...  :-\  I was really hoping Apple would take this opportunity to 
include some actionable security guidance, but that wasn't the case.  Of 
course, they did say that they don't want any more Fart apps...  Great.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Building Real Software: Has Static Analysis reached its limits?

2010-08-20 Thread Kenneth Van Wyk
FYI, nice write-up on the Fortify acquisition as well as the static code 
analysis space here:

http://swreflections.blogspot.com/2010/08/has-static-analysis-reached-its-limits.html



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Computerworld: Opinion - Making apps secure is hard work

2010-08-12 Thread Kenneth Van Wyk
I figured this was relevant here, so here's a link to my August column for 
Computerworld.

Excerpt:

'What's that you say? All the app vetting you've been doing to date consists 
only of verifying that the apps play by the rules? That is, that they use only 
published APIs and such? Well, then, you really have your work cut out for you, 
because that's not all that your customers expect.'

To read the complete article see:
http://www.computerworld.com/s/article/9180579/Making_apps_safe_is_hard_work?taxonomyId=17


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


Re: [SC-L] Static code review for iPhone developers?

2010-07-29 Thread Kenneth Van Wyk
On Jul 29, 2010, at 10:41 AM, Kenneth Van Wyk wrote:
 Anyone know of any static code analysis tools that can scan an iPhone app 
 package?  Something that integrates with the Xcode SDK and can at the very 
 least scan through all of the Objective C in the src tree is what I'm looking 
 for.  Any SCA product vendors currently doing this?  Please contact me on or 
 off list.

Thanks to all who responded.  Great suggestions.

Most focused on the (now) built-in Clang analysis engine (and front-end for 
LLVM ) that Dan Cornell cited here.  
(http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html)

Clang looks like a useful starting point, as it looks for all sorts of common 
mistakes found in the C family, including C++ and Objective C.  Memory leaks, 
uninitialized variables, type mismatches, and that sort of thing should be 
pretty easy to spot using Clang.

I'm hoping also for something that goes beyond that.  How about analysis of 
static code for use of secure network connections, session management (for 
client-server apps), protection of sensitive data (at rest and in transit), and 
that sort of thing.  These are relatively language-agnostic needs, but would be 
extremely useful in a static analysis tool, IMHO.

I'll bet the folks who coded the Citi banking app could have made good use of 
something like that...  :-\

In any case, thanks again for all the responses.  Speaks volumes for the 
quality of folks we have here in the SC-L community.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates




smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Vulnerability Analysis Blog: CERT Basic Fuzzing Framework

2010-05-28 Thread Kenneth Van Wyk
New fuzzing framework released from the folks up at CMU, FYI.

https://www.cert.org/blogs/vuls/2010/05/cert_basic_fuzzing_framework.html 


Aloha,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Web Application Exploits and Defenses

2010-05-05 Thread Kenneth Van Wyk
The folks at Google have released some web app training, along with a 
vulnerable web app sandbox to play in.  The tool is called Jarlsberg.  Anyone 
here take a look at it yet, and have an opinion about it?

The description (see below) sounds kinda sorta like OWASP's WebGoat, except 
that the vulnerable app itself is written in Python.  Oh, and the app is 
available on the web, as well as in source code (under Creative Commons).

http://jarlsberg.appspot.com/ 

There's also an instructor's guide available at:

http://code.google.com/edu/submissions/jarlsberg/Jarlsberg_Instructor_Guide.pdf


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] The International Secure Systems Development Conference

2010-03-29 Thread Kenneth Van Wyk
I saw this event announcement today and thought some SC-L folks might find it 
of interest, FYI.

The International Secure Systems Development Conference addresses the key 
issues around designing-in security for standard and web-based software and 
systems, both in terms of developing new applications securely and also in 
adding security to legacy applications. The aim of the event is to help change 
the balance away from a repeated and ever more costly focus on securing ever 
more insecure infrastructures, to one which focuses on the creation of 
inherently secure systems through the introduction of verifiable, secure 
development methodologies and coherent security architectures.

http://www.issdconference.com/ 


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Thread is dead -- Re: BSIMM update (informIT)

2010-02-04 Thread Kenneth Van Wyk
OK, so this thread has heated up substantially and is on the verge of flare-up. 
 So, I'm declaring the thread to be dead and expunging the extant queue.

If anyone has any civil and value-added points to add, feel free to submit 
them, of course.  As always, I encourage free and open debate here, so long as 
it remains civil and on topic.

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Kenneth Van Wyk
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote:
 Among other things, David and I discussed the difference between descriptive 
 models like BSIMM and prescriptive models which purport to tell you what you 
 should do. 

Thought I'd chime in on this a bit, FWIW...  From my perspective, I welcome 
BSIMM and I welcome SAMM.  I don't see it in the least as a one or the other 
debate.

A decade(ish) since the first texts on various aspects of software security 
started appearing, it's great to have a BSIMM that surveys some of the largest 
software groups on the planet to see what they're doing.  What actually works.  
That's fabulously useful.  On the other hand, it is possible that ten thousand 
lemmings can be wrong.  Following the herd isn't always what's best.

SAMM, by contrast, was written by some bright, motivated folks, and provides us 
all with a set of targets to aspire to.  Some will work, and some won't, 
without a doubt.

To me, both models are useful as guide posts to help a software group--an SSG 
if you will--decide what practices will work best in their enterprise.

But as useful as both SAMM and BSIMM are, I think we're all fooling ourselves 
if we consider these to be standards or even maturity models.  Any other 
engineering discipline on the planet would laugh us all out of the room by the 
mere suggestion.  There's value to them, don't get me wrong.  But we're still 
in the larval mode of building an engineering discipline here folks.  After 
all, as a species, we didn't start (successfully) building bridges in a decade.

For now, my suggestion is to read up, try things that seem reasonable, and 
build a set of practices that work for _you_.  

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] FT.com / UK - 'Year 2010' software glitch hits German bank cards

2010-01-06 Thread Kenneth Van Wyk
Greetings SC-L,

There have been several reports in the last few days of various devices being 
hit with a so-called year 2010 software glitch.  Several bank ATMs, mobile 
devices, etc., have reportedly been hit.  Below is a link to one such story.

My question for SC-L is: anyone here aware of the actual underlying software 
problems willing to share?  Source examples would be most appreciated.

http://www.ft.com/cms/s/0/00da0e24-fa63-11de-beed-00144feab49a.html?nclick_check=1
 


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-05 Thread Kenneth Van Wyk
Happy new year SC-Lers.

FYI, interesting blog post on some of the new security features in Java EE 6, 
by Ramesh Nagappan.  Worth reading for all you Java folk, IMHO.

http://www.coresecuritypatterns.com/blogs/?p=1622 


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-13 Thread Kenneth Van Wyk
On Nov 10, 2009, at 6:27 AM, Kenneth Van Wyk wrote:
 In any case, I'm not sure of the lay of the land at the conference site, but 
 I'm betting there's a bar in or near the site.  Let's plan on meeting up 
 there immediately following the day's sessions on Thursday.  As soon as I can 
 pinpoint the actual bar name/location, I'll post it here.

OK, so I did fail at getting the word out--sorry.  However, it was nice to see 
at least a few SC-Lers notice the sponsored cocktail hour on the conference 
agenda.  Great to meet some of you face to face.  And thanks to Cenzic for 
hosting the cocktail hour, by the way.

For those of you who weren't there, if you work with web apps at all, you 
really ought to put OWASP on your radar.  Great community of people, and these 
events are a fabulous time to chat with some of the brightest software security 
people on the planet.  Thanks, OWASP!

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Microsoft releases security guidelines for Agile - agile, Microsoft, security, software development - CIO

2009-11-10 Thread Kenneth Van Wyk
Hey, now you agile folks can't any longer feel left out by the various  
security development processes that bypass you:


http://www.cio.com.au/article/325501/microsoft_releases_security_guidelines_agile?eid=-1050

On a somewhat related note, a client of mine referred to their process  
recently as scrummerfall...  That certainly drew a few laughs.



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from  
CAcert. If you're unable to verify the signature, try getting their  
root CA certificate at http://www.cacert.org -- for free.)




smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-10 Thread Kenneth Van Wyk

On Nov 9, 2009, at 9:27 AM, Benjamin Tomhave wrote:
Just a quick note, for those coming into DC for AppSec DC, rumor has  
it

that a social gathering is brewing for Thurs PM. Let's hope so as I'd
love to put faces with names! :) If I hear details, I'll be sure to  
pass

along (feel free to ping me or reply with the 411)


Well, I got a few responses to my note about meeting up there  
(although I doubt I'd ever use the word tweetup except in the  
context of saying I wouldn't use it...).  :-)


In any case, I'm not sure of the lay of the land at the conference  
site, but I'm betting there's a bar in or near the site.  Let's plan  
on meeting up there immediately following the day's sessions on  
Thursday.  As soon as I can pinpoint the actual bar name/location,  
I'll post it here.


Hope to see some SC-L folks there.

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Another WAF in town

2009-09-24 Thread Kenneth Van Wyk

FYI, some activity in the open source WAF space:

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220100630

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Unicode Security : Microsoft releases BinScope and MiniFuzz to the public

2009-09-17 Thread Kenneth Van Wyk
FYI, a couple of interesting developments in the software security  
tool space:


http://www.lookout.net/2009/09/16/microsoft-releases-binscope-and-minifuzz-to-the-public/

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
SC-L Moderator



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Kenneth Van Wyk

On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote:

Exploits are FUN.


I agree, at least to a point.  Whenever I work exploits into my  
workshops, the results are right on the mark.  So long as the exploits  
are balanced with just the right amount of remediations, it works great.


The key is to hook the students with the exploits, and then sprinkle  
in a now here's how to do it _right_ discussion while they're still  
paying attention.  ;-)


And FWIW, I've found OWASP's WebGoat to be phenomenally effective at  
doing just that.  There are other similar tools out there as well, but  
the point is to give the class a safe sandbox to play in.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from  
CAcert. If you're unable to verify the signature, try getting their  
root CA certificate at http://www.cacert.org -- for free.)





smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What is the size of this list?

2009-08-19 Thread Kenneth Van Wyk

On Aug 18, 2009, at 2:21 PM, Arian J. Evans wrote:
Jeremiah Grossman and I were both pondering the size of the SCL  
recently.

Is the list size public?


It's not public per se, but only in the sense that the number isn't  
directly available--unless you ask for it.


The list has pretty consistently hovered around 1000 subscribers since  
pretty shortly after I launched it in late 2003.



I am curious why I don't see many new names on SC-L. Lots of lurkers?


We do seem to have a high percentage of lurkers, but I always like to  
encourage newcomers as well as new active participants.  I do my best  
to keep my moderating light, and I welcome all perspectives and  
opinions on the topics we discuss here.


My primary moderating criteria are ensuring submissions are relevant  
to the list charter and keep a civil tone.  Beyond that, everyone on  
the list is largely free to say/discuss whatever suits.


Plain and simple: the list is what the members make of it.


btw// SCL has always been a great place for academic and
progressive-minded folks to talk about state of the art, and future
ideas for secure coding. I have always recommended it to developers
looking for new places to learn as a best and brightest haunt. So
thanks for running it guys,


Thanks.  I've consistently found over the years that efforts like this  
are worth the effort in a myriad of ways, and it's something that I  
gladly take on.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Source or Binary

2009-07-29 Thread Kenneth Van Wyk

On Jul 29, 2009, at 4:17 PM, Brad Andrews wrote:
Realizing that java binaries hold a lot more is a mental shift  
that probably must be actively kept in mind.  Those with only Java  
experience may think it is obvious, but how many developers did not  
start with Java and have not purged this concept from their mind.


Fair enough, but understand too that a Java class file (like those in  
a typical jar file, which is just a fancy word for ZIP format) can be  
trivially decompiled into quite legible Java source.  Numerous open  
source Java decompilers (e.g., Jode, Jad) exist that make this  
extremely easy.


And FWIW, that's exactly how the Etisalat Blackberry software update  
was analyzed and proven to contain spyware last week.


Note that, there are many options to distributing these trivially  
decompiled class files...


Cheers,

Ken van Wyk




smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Usability News - Why Security and Usability don't go hand in hand

2009-06-03 Thread Kenneth Van Wyk

FYI, a short but interesting read on usability vs. security in software.

http://www.usabilitynews.com/news/article5692.asp


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from  
CAcert. If you're unable to verify the signature, try getting their  
root CA certificate at http://www.cacert.org -- for free.)








smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Application Security Starts in the Development Lifecycle

2009-04-28 Thread Kenneth Van Wyk
FYI, some eWeek coverage of application security and how it is being  
taken more seriously in the enterprise these days.  No big surprises  
for long-time SC-L folks, but still an interesting read from a fairly  
mainstream IT Security outlet.


http://www.eweek.com/c/a/Security/Application-Security-Starts-in-the-Development-Lifecycle-792076/?kc=rss


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] SAMM 1.0 Released! | OpenSAMM

2009-03-25 Thread Kenneth Van Wyk

Good news today from the Software Assurance Maturity Model (SAMM) group.

http://www.opensamm.org/2009/03/samm-10-released/

Their release says:

The Beta release has been out for quite a while now (since August  
2008) and lots of organizations and individuals have provided  
excellent feedback to help improve the model. I’ve heard lots of  
stories from people using SAMM (some are consulting firms, and some  
are development organizations) and that feedback has been some of the  
most valuable. This release marks the official 1.0 version of SAMM and  
there’s a few new pieces added:


* Executive summary and introduction to the model
* Improved details on applying the model to solve problems
* Assessment worksheets for evaluating existing programs
* Roadmaps for financial services and government organizations
* Improvements and refinements to the model (I’ll cover changes  
individually in separate posts)


Many thanks to the individual reviewers and the organizations that  
have volunteered time to help improve SAMM. I look forward to more  
active participants as we push forward with some of the future  
development plans for SAMM.




Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com

2009-03-12 Thread Kenneth Van Wyk

Hello SC-Lers,

I saw this blog and thought it may be of interest here:

http://blogs.zdnet.com/security/?p=2861

According to the blog, there's a design issue (read: flaw) in iTunes  
that can allow a maliciously formed podcast to cause a user to get  
prompted for a username/password -- to iTunes itself.  That dialog box  
can then be hijacked and the victim's credentials stolen.


What made it interesting to me was a couple things: first, the cited  
advisory from Apple (http://support.apple.com/kb/HT3487) clearly says  
it's a design issue.  Tells me we're not likely to see a real fix for  
a while, IMHO.  Indeed, Apple's initial fix to this design issue is,  
This update addresses the issue by clarifying the origin of the  
authentication request in the dialog.  That doesn't sound like much  
of a fix at all, and I'd expect a lot of users will still fall for the  
dialog box ruse.  Sigh...


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Reality Check: EMC Eric Baize

2009-03-03 Thread Kenneth Van Wyk


On Mar 3, 2009, at 10:11 AM, Gary McGraw wrote:
Our fearless leader Ken gave a nice presentation on software  
security methodologies yesterday at secappdev.  I wonder what he  
says about the Touchpoints when I'm not in the room?!



Thanks for the kind words.  What I say about the Touchpoints,  
Microsoft's SDL, or OWASP's CLASP remains the same whether you're in  
the room or not.  They all offer good points and bad points.  I tend  
to favor a hybrid approach that works well for me, which is what I  
always recommend to my customers.


More importantly, though, I am eager to update the message with what  
the companies who participated in the BSIMM are actually doing in  
practice.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Web Applications: Achilles' Heel Of Corporate Security -- Security -- InformationWeek

2009-02-03 Thread Kenneth Van Wyk
No big surprises for SC-L readers, I'm sure, but it's still an  
interesting read:


http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=213000162


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] OWASP interviews McGraw (oh my)

2009-01-26 Thread Kenneth Van Wyk


On Jan 26, 2009, at 12:58 PM, Gary McGraw wrote:
OWASP just posted an interview with me as part of their budding  
podcast series.


Looking forward to it, thanks.  I've been quite impressed with their  
first couple podcasts.  Packed with useful info.  After hearing the  
second one, I grabbed their LiveCD image, which I've found to be  
extremely useful.


Just about anyone using the OWASP tools could benefit from the livecd,  
in my opinion.  Just having a read-to-fly WebGoat/WebScarab is worth  
the effort all by itself.  Great stuff!



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] InternetNews Realtime IT News - New York Plans Application Security Program

2009-01-14 Thread Kenneth Van Wyk
Now here's an interesting development in the software security space.   
Seems that New York State is going to start requiring contracted  
application developers to conform with a minimum set of practices (as  
covered in the SANS Application Security Procurement Language, http://www.sans.org/appseccontract/) 
.


http://www.internetnews.com/dev-news/article.php/3796091

IMHO, putting things like this into contract language is a good  
thing.  Even if the SANS list isn't the right one for everyone, it's a  
starting point.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-12 Thread Kenneth Van Wyk
FYI, a top 25 programming errors list from the folks at SANS has been  
released.  See the following for details:


http://www.sans.org/top25errors/


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] top 10 software security surprises

2008-12-17 Thread Kenneth Van Wyk

On Dec 16, 2008, at 1:25 PM, Gary McGraw wrote:
Using the software security framework introduced in October (A  
Software Security Framework: Working Towards a Realistic Maturity  
Model http://www.informit.com/articles/article.aspx?p=1271382), we  
interviewed nine executives running top software security programs  
in order to gather real data from real programs.


Wow, this is great stuff.  Kudos to Gary, Sammy, and Brian.

I have a couple comments/observations on some of your conclusions:

- You obviously wrote the top-10 list in C, since it went from 9 to  
0.  :-)


- Not only are there are no magic software security metrics, bad  
metrics actually hurt.  This is an excellent point.  I think it's  
also worth noting that it's important to carefully consider what  
metrics make sense for an organization _as early as possible_ in the  
life of their software security efforts.  Trying to retro-engineer  
some metrics into a program after the fact is not a fun thing.


- Secure-by-default frameworks can be very helpful, especially if  
they are presented as middleware classes (but watch out for an over  
focus on security stuff).   Yes yes yes!  I've found significantly  
more traction to prescriptive guidance vs. a don't do this list of  
bad practices.  Plus, it inherently supports a mindset of positive  
validation instead of negative.  It's important to look for common  
mistakes, but if you really want your devs to follow, give them clear  
coding guidelines with annotated descriptions of how to follow them.   
Efforts like OWASP's ESAPI are indeed a great starting point here for  
plugging in things like strong positive input validation and such.


- Web application firewalls are not in wide use, especially not as  
Web application firewalls.   I can't say I'm much surprised by this  
one.  Even with PCI-DSS driving people to WAFs (or do external  
independent code reviews), I just don't often see them often.  But you  
go on to say, But even these two didn't use them to block application  
attacks; they used them to monitor Web applications and gather data  
about attacks.--but you don't come back to this point.  One serious  
benefit to WAFs can be enhancing the ability to do monitoring,  
especially of legacy apps.  Adding one network choke point WAF can  
quickly add an app-level monitoring capability that few organizations  
considered when rolling the apps out in the first place.


- Though software security often seems to fit an audit role rather  
naturally, many successful programs evangelize (and provide software  
security resources) rather than audit even in regulated industries   
This one too is very encouraging to see.


- Architecture analysis is just as hard as we thought, and maybe  
harder. And this one is very discouraging.  I've seen good results in  
doing architectural risk analyses, but the ones that produce useful  
results tend to be the more ad hoc ones -- and NOT the ones that  
follow rigorous processes.


- All nine programs we talked to have in-house training curricula,  
and training is considered the most important software security  
practice in the two most mature software security initiatives we  
interviewed.   That explains the quarter-million miles in my United  
account this year alone.  :-) Ugh.


- Though all of the organizations we talked to do some kind of  
penetration testing, the role of penetration testing in all nine  
practices is diminishing over time.   Hallelujah!



Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Fwd: ESSoS'09: Call for Participation

2008-12-11 Thread Kenneth Van Wyk

FYI, see Call for Participation below.

Cheers,

Ken van Wyk

Begin forwarded message:


From: Bart De Win [EMAIL PROTECTED]
Date: December 9, 2008 8:22:14 AM EST
To: [EMAIL PROTECTED]
Subject: ESSoS'09: Call for Participation

CALL FOR PARTICIPATION

International Symposium on
 Engineering Secure Software and Systems (ESSoS'09)
  In collaboration with ACM SIGSAC/SIGSOFT and IEEE TCSE

http://distrinet.cs.kuleuven.be/events/essos2009/
   February 04-06, 2009Leuven, Belgium

You are cordially invited to attend ESSoS, a conference-level event  
that
provides a unique research and practitioners' view on the state of  
the art

in secure software engineering. There are many good reasons for you to
participate (and ditto arguments to convince your supervisor or  
boss). The

program includes invited talks by two renowned researchers, as well as
technical papers on a variety of topics ranging from program
transformation to testing and assurance. Being the first edition in a
future series, this is the time to join this growing community, meet  
new
people and interact with peers. As an industry representative, you  
might

be especially interested in the tutorials, which address current
challenges and best practices in secure software construction. And  
last
but not least, the symposium takes place in Leuven, a very enjoyable  
and

historic city with a strong tradition in beer brewing.

The program consists of three days, one day of tutorials and two  
days of

technical program, including among others:
 * Invited talks:
   - Elaborating Security Requirements by Analysis of Malicious
Anti-Models
   (Axel van Lamsweerde, Université Catholique de Louvain)
   - Automating Software Testing Using Program Analysis
   (Wolfram Schulte, Microsoft Research)

 * Tutorials:
   - Security by Construction
   (Rod Champan, Praxis)
   - Risk Management in Practice: Model Based Security Risk Analysis  
with

the CORAS Method
   (Heidi Dahl and Mass Lund, SINTEF)
   - Inside the Biggest of the OWASP Top-10 Issues
   (Kenneth R. van Wyk, KRvW Associates)
   - Security: Philosophy, Patterns and Practices
   (Munawar Hafiz, University of Illinois at Urbana-Champaign)

 * Technical program:
   - a list of accepted papers is available at
 http://distrinet.cs.kuleuven.be/events/essos2009/papers

EARLY REGISTRATION DEADLINE: January 6, 2009

We're looking forward to meeting you all there !

Bart De Win (General Chair)
Fabio Massacci and Samuel Redwine (PC co-Chairs)




smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Opportunity at DTCC

2008-11-25 Thread Kenneth Van Wyk

Greetings SC-L,

I've been asked to allow a job posting here on SC-L.  It certainly  
doesn't violate anything I've written in the group's charter (http://www.securecoding.org/list/charter.php 
), but then again, we've generally not used SC-L for job listings.   
And then again++, with the economy such as it is, perhaps this sort of  
thing is a good community service.


So, below is the job listing I was asked to post.  If anyone here on  
SC-L has strong feelings for or against future job postings here,  
please let me know.  I'm always happy to take your opinions into  
consideration!


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com

===

The Depository Trust and Clearing Corporation (DTCC) is the premier  
global
financial institution responsible for clearing and settling many types  
of

financial transactions between banks and brokerage firms for the United
States and many foreign markets.  These include stock, bond, fixed  
income,

government, mortgage, and insurance transactions.

DTCC has an exciting position in Application Security based in Tampa,
Florida.  The position is responsible for leading a highly successful  
and
innovative Application Security Program across the DTCC enterprise.   
This

includes driving security in our SDLC, as well as ensuring products and
services procured are also built with security in mind.  The successful
candidate will find the challenges of our leading edge environment, to  
be

very stimulating.

We are looking for a candidate that has knowledge of SDLC's, Java, C++,
and secure coding practices.  The successful candidate will be able to
interface and speak to programmers in our Development organization about
secure programming, as well as be able to present to senior leadership
including the CIO, CTO, and CDO.  The successful candidate will also
understand the value of KPIs to determine what new controls might be
needed, and to lead the implementation of these.  In addition to the
technical skills above, thought leadership, communication , and
relationship management skills are critical qualities of the successful
candidate.

Qualified candidates should contact Mike Longo, Director (HR) at
[EMAIL PROTECTED]

==






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] (fwd) informIT: A Software Security Framework

2008-10-16 Thread Kenneth Van Wyk

Greetings SC-L,

I thought I'd chime in on this, as it very closely relates to my  
current book project.


On Oct 15, 2008, at 8:31 AM, Gary McGraw (via Kenneth Van Wyk) wrote:
Brian Chess and I have been working hard on a software security  
framework that we are using in a scientific study of many of the top  
software security initiatives.


Great work, guys.  In some areas, I think it's probably overly  
simplistic, as some of the practices span more than one domain.   
(Notably, penetration testing can and should be part of a security  
testing regimen as well as a deployment testing regimen, IMHO.)  But  
it's a great starting point for going out and gathering real world  
data on what's being done in the field.  More importantly, it's useful  
at defining what practices should be assessed for a maturity model.


 Our plan of action is to interview the people running the top ten  
large-scale software security initiatives over the next few weeks  
and then build a maturity model with the resulting data.



Our discipline stands to gain significantly from having a maturity  
model in place, if for no other reason than to help dev organizations  
set goals and objectives in their software security efforts.


Pravir et al at OWASP have done a great job at getting one started  
over there.  I also love the idea of using real world data as an  
initial set of measurements for each maturity level, especially for  
early version(s) of a maturity model.  I think that goes a long way to  
helping development organizations realistically know what to aspire  
to--and how to get there--for each maturity level.


In time, however, I'd sure like to see the maturity model advance  
beyond that and set the bars higher than just what's currently being  
done in practice, and define what *should* be done.  That said,  
starting with a solid framework of practices to measure for each  
maturity level is the right way to do things.


IMHO, it'll probably be a few years before these efforts bear  
significant fruit in terms of advancing what is being practiced in the  
field, but we've got to start somewhere.  Kudos.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] (fwd) informIT: A Software Security Framework

2008-10-15 Thread Kenneth Van Wyk
[Posted on behalf of Gary McGraw, who is without comms right now but  
wanted this to go out today. KRvW]


hi sc-l,

Brian Chess and I have been working hard on a software security  
framework that we are using in a scientific study of many of the top  
software security initiatives.  Our plan of action is to interview the  
people running the top ten large-scale software security initiatives  
over the next few weeks and then build a maturity model with the  
resulting data.


That's right, we're actually using real data from real software  
security programs.


Brian and I co-authored my informIT column this month, which just so  
happens to be about the software security framework.  Please check it  
out, we're interested to know what you think!


http://www.informit.com/articles/article.aspx?p=1271382

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com





smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] AdaCore - Home GNAT Pro The Tokeneer Project

2008-10-08 Thread Kenneth Van Wyk

http://www.adacore.com/home/gnatpro/tokeneer/

Excerpt:

Project Summary

In order to demonstrate that developing highly secure systems to the  
level of rigor required by the higher assurance levels of the Common  
Criteria is possible, the NSA (National Security Agency) asked Praxis  
High Integrity Systems to undertake a research project to develop part  
of an existing secure system (the Tokeneer System) in accordance with  
Praxis’ Correctness by Construction development process.


This development and research work has now been made available by the  
NSA to the software development and security communities in an effort  
to prove that it is possible to develop secure systems rigorously in a  
cost effective manner.



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Survey thread killer

2008-08-26 Thread Kenneth Van Wyk

Hi SC-Lers,

With these last 2 messages, let's kill off the survey thread, please.   
I allowed it to continue on--probably longer than I should have-- 
because there seemed to be valid and interesting points being made on  
both sides of the debate.  But that seems to have run its course, so  
let's please let it die out.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-06-30 Thread Kenneth Van Wyk
Happy PCI-DSS 6.6 day, everyone.  (Wow, that's a sentence you don't  
hear often.)


http://www.internetnews.com/ec-news/article.php/3755916

In talking with my customers over the past several months, I always  
find it interesting that the vast majority would sooner have root  
canal than submit their source code to anyone for external review.   
I'm betting PCI 6.6 has been a boon for the web application firewall  
(WAF) world.



Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com





smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Any SC-Lers going to FIRST in Vancouver next week?

2008-06-19 Thread Kenneth Van Wyk
Subject says it all.  Any of you going to be at the FIRST conference?   
If you are and want to hook up for a chat--perhaps over a beer--then  
drop me a note.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Security Bonuses for Vista Programmers

2008-06-16 Thread Kenneth Van Wyk
FYI, interesting eWeek article on some of Vista's security features  
that are provided to developers.  (I misinterpreted the article's  
title a bit, but it quickly becomes clear in the article.  At first, I  
thought it was about giving $$ bonuses to vista programmers -- it  
reminded me of an old Dilbert where the company was offering cash  
bonuses for finding bugs, and Wally was coding himself a  
minivan... :-)  Anyway, don't let that stop you from reading this  
interesting article.


http://www.eweek.com/c/a/Security/Security-Bonuses-For-Vista-Programmers/


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] DistriNet Research Group

2008-06-04 Thread Kenneth Van Wyk
FYI, interesting announcement out of KU Leuven in Belgium and the SANS  
institute:


http://distrinet.cs.kuleuven.be/news/2008/2008-05-09%20SANSandDistriNetUnite.jsp


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Coverity to Buy Codefast

2008-05-22 Thread Kenneth Van Wyk
FYI, a bit of MA activity going on in the software security (product)  
space:


http://www.eweek.com/c/a/Application-Development/Coverity-to-Buy-Codefast/


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator

KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Kenneth Van Wyk
FYI, here's an interesting article (and follow-on discussions) about a  
recent bug in the GCC compiler collection.


http://lwn.net/Articles/278137/

The bug, which has been documented in a CERT advisory, affects C code  
in which, under some circumstances, buffer bounds checking can be  
optimized out to produce binaries that are susceptible to buffer  
overflows.  The article includes a couple examples that really help  
illustrate the issue -- very interesting reading, IMHO.


Of course, many/most SC-Lers will no doubt jump on this as another  
example of why C is such a dangerous language to write (secure) code  
in, and that's fine.  But, I see the issue at least a little  
differently: a compiler making decisions for the programmer and  
producing executable code that does not accurately conform to what the  
programmer coded.  We've all heard of security-related optimizing  
issues for years, right?  Well, here's a prime example of one in action.



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Lateral SQL injection paper

2008-04-28 Thread Kenneth Van Wyk

Greetings SC-Lers,

Things have been pretty quiet here on the SC-L list...

I hope everyone saw David Litchfield's recent announcement of a new  
category of SQL attacks.  (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf)


He refers to this new category as lateral SQL injection attacks.   
It's very different than conventional SQL injection attacks, as well  
as quite a bit more limited.  In the paper, he writes:


Now, whether this becomes exploitable in the normal sense, I  
doubt it... but in very
specific and limited scenarios there may be scope for abuse, for  
example in cursor
snarfing attacks - http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf 
.


In conclusion, even those functions and procedures that don’t take  
user input can be
exploited if SYSDATE is used. The lesson here is always, always  
validate and don’t let
this type of vulnerability get into your code. The second lesson is  
that no longer should
DATE or NUMBER data types be considered as safe and not useful as  
injection vectors:

as this paper has proved, they are. 


It's definitely an interesting read, and anyone doing SQL coding  
should take a close look, IMHO.  It's particularly interesting to see  
how he alters the DATE and NUMBER data types so that they can hold SQL  
injection data.  Yet another demonstration of the importance of doing  
good input validation  -- preferably positive validation.  As long as  
you're doing input validation, I'd think there's probably no need to  
back through your code and audit it for lateral SQL injection vectors.


Anyone else have a take on this new attack method?  (Note that I don't  
normally encourage discussions of specific product vulnerabilities  
here, but most certainly new categories of attacks--and their impacts  
on secure coding practices--are quite welcome.)



Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator

KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] quick question - SXSW

2008-03-12 Thread Kenneth Van Wyk

Ben,

Your point is a good one -- the software security community needs to  
be vigilant in reaching out to developers and spreading the word.


FWIW, some dev conferences have done this.  I spoke at SD West in  
2006, and there was a significant security track there.  Still, it'd  
be great to see that sort of thing at more dev-specific conferences.


Cheers,

Ken van Wyk
SC-L Moderator

On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:

First, thanks for that Bill, it exemplifies my point perfectly. A  
couple

thoughts...

one, targeting designers is just as important as reaching out to the
developers themselves... if the designers can ensure that security
requirements are incorporated from the outset, then we receive an  
added

benefit...

two, a re-phrasing around my original thought... somehow we need to  
get
security thinking and considerations encoded into the DNA of  
everyone in

the business, whether they be designers, architects, coders, analysts,
PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
could (should!) have had implicit and explicit security attributes
included... yet we're still at the point where secure coding has to be
explicitly requested/demanded (often as an afterthought or bolt-on)...

How do we as infosec professionals get people to the next phase of
including security thoughts in everything they do... with the end-goal
being that it is then integrated fully into practices and processes  
as a

bona fide genetic mutation that is passed along to future generations?

To me, this seems to be where infosec is stuck as an industry. There
seems to be a need for a catalyst to spur the mutation so that it can
have a life of its own. :)

fwiw.

-ben

--
Benjamin Tomhave, MS, CISSP
[EMAIL PROTECTED]
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
Augustine's Second Law of Socioscience: For every scientific (or
engineering) action, there is an equal and opposite social reaction.
http://globalnerdy.com/2007/07/18/laws-of-software-development/

William L. Anderson wrote:
Dear Ben, having just been at SXSW Interactive (I live in Austin,  
TX) I

did not see many discussions that pay attention to security, or any
other software engineering oriented concerns, explicitly.

There was a discussion of scalability for web services that  
featured the
developers from digg, Flickr, WordPress, and Media Temple. I got  
there

about half-way through but the discussion with the audience was about
tools and methods to handle high traffic loads. There was a question
about build and deployment strategies and I asked about unit testing
(mixed answers - some love it, some think it's strong-arm micro-mgt  
(go

figure)).

There was a session on OpenID and OAuth (open authorization)  
standards
and implementation. These discussions kind of assume the use of  
secure

transports but since I couldn't stay the whole time I don't know if
secure coding was addressed explicitly.

The main developer attendees at SXSW would call themselves  
designers and
I would guess many of them are doing web development in PHP, Ruby,  
etc.

I think the majority of attendees would not classify themselves as
software programmers.

To me it seems very much like at craft culture. That doesn't mean  
that a
track on how to develop secure web services wouldn't be popular. In  
fact

it might be worth proposing one for next year.

If you want to talk further, please get in touch.

-Bill Anderson
praxis101.com

Benjamin Tomhave wrote:

I had just a quick query for everyone out there, with an attached
thought.

How many security and/or secure coding professionals are prevalently
involved with the SXSW conference this week? I know, I know...  
it's a big
party for developers - particularly the Web 2.0 clique - but I'm  
just

curious.

Here's why: I'm increasingly frustrated by the disconnect between
business/dev and security. I don't feel like we're being largely
successful in getting the business and developers to include  
security as

part of their standard operating procedures. Developers are still
oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection
holes.

I then look at SXSW from afar and think: a) shouldn't I be there
evangelizing security? and, b) shouldn't a major thread to all these
conferences be about how security is integrating with dev  
processes and

practices, making it better?

Maybe I'm just too idealist. I'm curious what everyone else thinks.

cheers,

-ben



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a 

[SC-L] PCI: Boon or bust for software security?

2008-03-03 Thread Kenneth Van Wyk

Greetings SC-L,

So here's a question to ponder.  Now that PCI DSS 1.1 is out there  
(save a couple June 2008 deadlines still looming), has it been good or  
bad for software security as a whole?


It does require secure development processes (as prescribed by OWASP).

It does require sensitive cardholder data to be encrypted at rest and  
in transit.


Has it improved the overall state of affairs, worsened it, or have  
things pretty much remained the same.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] SDLCs and x.509 at OWASP Belgium, 4 March 2008

2008-02-19 Thread Kenneth Van Wyk
During the SecAppDev (http://www.secappdev.org) class next month in  
Leuven, Belgium, there's also going to be a regional OWASP meeting.   
I've been asked to join in and present a short session comparing  
various secure development methodologies (Microsoft's SDL, Cigital's  
Touchpoints, and OWASP's own CLASP, mainly).  If you're in the area,  
I hope you'll join us.  Local details are available on OWASP's site at http://www.owasp.org/index.php/Belgium 
.


While I'm there, I'll also be doing a CAcert/Thawte x.509 signing.   
So, if you're using either of these free x.509 certificate services,  
and are still trying to get the 50 assurance points necessary to have  
your real name on your certificates, stop by with two forms of  
government-issued ID (and photocopies, if using Thawte -- not  
necessary for CAcert).  I'll be happy to help out with either/both 10  
Thawte points or 35 CAcert points.  No charge, of course.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] SC-L Administrivia: How does the readership feel about sponsorships?

2008-02-19 Thread Kenneth Van Wyk

Greetings SC-L,

So, I've always done my best to keep SC-L non-commercial since its  
inception in 2003.  I'm curious, though, how you the readers would  
react to accepting sponsorships in the form of sponsored by:   
banners at the bottom of each posting.


The banner presently points to the list, the list charter, along with  
a note saying that the list is hosted and moderated by my company.


So, my question is this: could/should I accept sponsorships where the  
sponsor would get (say) two or three lines of text saying who they are  
and pointing to their web page?


I welcome your candid/serious feedback on this.

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Michael Howard's Web Log : Introducing SAFECode

2008-02-15 Thread Kenneth Van Wyk

FYI, from Michael Howard's blog:

Today SAFECode, the Software Assurance Forum for Excellence in Code,  
introduced its first white paper, Software Assurance: An Overview of  
Current Industry Best Practices.


The organization was founded by Microsoft, Symantec, EMC, SAP and  
Juniper to advance understanding and practices related to secure  
development and integrity controls. Our goal is to raise the security  
bar across the software industry to reduce vulnerabilities.


Complete blog text, along with links to SAFECode and the white paper  
can be found here:


http://blogs.msdn.com/michael_howard/archive/2008/02/14/introducing-safecode.aspx


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Tech Insight: The Buzz Around Fuzzing - Application and Perimeter Security News Analysis - Dark Reading

2008-02-05 Thread Kenneth Van Wyk
FYI, for those who are interested in fuzz testing tools, here's an  
interesting article URL from Dark Reading.


http://www.darkreading.com/document.asp?doc_id=144773f_src=darkreading_section_296

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator




smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Open Source Code Contains Security Holes -- Open Source -- InformationWeek

2008-01-10 Thread Kenneth Van Wyk

SC-L,

I imagine many of you have seen the results of Coverity's DHS-funded  
scan of a *bunch* of open source projects:


http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229cid=RSSfeed_IWK_All

The stats are interesting, I suppose.  I don't see any prioritization  
of the defects, but I imagine those were provided to the various open  
source project leaders.


The question that isn't addressed here, and I'm sure was well outside  
of the scope of the project, is what each open source project *did*  
with the vulnerability information BEYOND just fixing the bugs?  Did  
they merely fix the problems and move on?  Or, did they use the  
defects as an opportunity to educate their team members on how to  
avoid these same sorts of things from creeping back in to the src  
tree?  If they simply treated the vul lists as checklists of things to  
fix, then I'd expect a similar study in (say) five years to be just as  
bad as the recent Coverity study.


I think it's important to learn from mistakes, not just fix them and  
get on with things.  I sure hope the open source teams in this study  
did some of that.  If any SC-Lers have insight here, please share.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Code Testing Tools Could Be Acquisition Targets in '08

2008-01-03 Thread Kenneth Van Wyk

New Year's greetings, SC-Lers,

FYI, here's an interesting article about the application security  
testing space, from eWeek.


http://www.eweek.com/article2/0,1759,2242973,00.asp?kc=EWRSS03119TX1K594

The author sort of compares apples and oranges a bit, IMHO, in  
comparing recent acquisitions of security testing product firms (e.g.,  
SPI and WatchFire) with potential future acquisitions of source code  
analysis tool companies, but it's still worth a quick read.  The good  
news in the article is, The acquisitions, coupled with an increase in  
the number of providers offering vulnerability assessments, are  
indicators of a growing emphasis on increasing security in the  
development process.



Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator

KRvW Associates, LLC
http://www.KRvW.com







smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Redmond Developer News | Best Defense?

2007-12-03 Thread Kenneth Van Wyk
FYI, interesting article on sandboxing of applications, with quotes  
from a few SC-L regulars.  Enjoy!


http://reddevnews.com/features/article.aspx?editorialsid=2386

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Fwd: SCARE metrics and tool release

2007-11-30 Thread Kenneth Van Wyk

Reposted with permission, FYI...

Cheers,

Ken
SC-L Moderator

Begin forwarded message:


From: Pete Herzog [EMAIL PROTECTED]
Date: November 30, 2007 10:30:18 AM EST
To: [EMAIL PROTECTED]
Subject: SCARE metrics and tool release

Hi,

Scare, the Source Code Analysis Risk Evaluation tool for measuring  
security complexity in C source code is now available.  The tool is  
written to support the OpenTC project (opentc.net) as the SCARE  
methodology project available at:


http://www.isecom.org/scare

We have done some test cases with the tool already do track trends  
in Xen and are now working on measuring trends in the Linux Kernel.


USE
The SCARE analysis tool is run against source code.  Currently only  
C code is supported.  The ouput file will contain all operational  
interactions possible which need controls (the current version does  
not yet say if and what controls are already there).  At the bottom  
of the list are three numbers: Visibilities, Access, and Trusts.   
These 3 numbers can be plugged into the RAV Calculation spreadsheet  
available at isecom.org/ravs.  The Delta value is then subtracted  
from 100 to give the SCARE percentage which indicates the complexity  
for securing this particular application.  The lower the value, the  
worse the SCARE.


Trends in Xen:

XEN ver. VisAccessesTrustsSCAREDelta

3.0.3_0   1   3142857758.26-41.74
3.0.4_1   1   3113106057.79-42.21
3.1.0 1   3163313957.43-42.57

As you can see, the security complexity of Xen is getting worse due  
to the increased numbers of Trusts (reliance on external variables  
which a user can manipulate as an input). Trust attacks can be  
tested according to the 4th point of the 4 Point test process in the  
OSSTMM 3: Intervention - changing resource interactions with the  
target or between targets.


At this stage, the tool cannot yet tell which interactions have  
controls already or if those controls are applicable however once  
that is available it will change the RAV but not the SCARE.  The  
SCARE will also not yet tell you where the bugs are in the code  
however if you are bug hunting, it will extract all the places where  
user inputs and trusts with user-accessible resources can be found  
in the code.



We need help!  We are looking for people to help us complete the  
SCARE methodology, add new programming languages to the tool, as  
well as even making a windows binary version for those who do not  
code in Linux. Contact me if you can do this.


Sincerely,
-pete.

--
Pete Herzog - Managing Director - [EMAIL PROTECTED]
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
---
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Kenneth Van Wyk

On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote:
So he's not completely naive, though the history of security metrics  
and

standards - which tend to produce code that satisfies the standards
without being any more secure - should certainly give on pause.

One could, I suppose, give rebates based on actual field experience:
Look at the number of security problems reported per year over a two-
year period and give rebates to sellers who have low rates.



Right, so this is where I believe the entire idea would fall apart.  I  
don't think we have adequate metrics today to measure products  
fairly.  Basing the tax on field experience would also be problematic  
to measure well, although I could see this leading to development  
organizations getting some sort of actuarial score.


But the real problem with it, as I said, is metrics.  Should it be  
based on (say) defect density per thousand lines of code as reported  
by (say) 3 independent static code analyzers?  What about design  
weaknesses that go blissfully unnoticed by code scanners?  (At least  
the field experience concept could begin to address these over time,  
perhaps.)


I do think that software developers who produce bad (security) code  
should be penalized, but at least for now, I still think the best way  
of doing this is market pressure.  I don't think we're ready for more,  
on the whole, FWIW.  But _consumers_ wield more power than they  
probably realize in most cases.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Fwd: People in glass houses shouldn't brick phones

2007-11-08 Thread Kenneth Van Wyk

SC-L,

FYI, some of you might find my column this month on eSecurityPlanet to  
be interesting:


http://www.esecurityplanet.com/article.php/3709301   (free, no  
registration required)


In it, I talk about some of the software security lessons to be  
gleamed from Apple's iPhone bricking debacle.  Enjoy...


Cheers,

Ken


-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Mainframe Security

2007-11-01 Thread Kenneth Van Wyk

On Nov 1, 2007, at 4:16 PM, Johan Peeters wrote:

sSince so much of the financial
services industry is powered by COBOL, I would have thought that
someone would have done a thorough study of COBOL's security posture.

I certainly have not found one. Anyone else?


Just a couple random(ish) observations here...

1) I believe that COBOL is still behind the *vast* majority of  
financial transactions today.  I don't know the %, but I'd bet it to  
be close to 100%.


2) It's been my experience that COBOL folks (read: mainframe  
programmers) tend to frown on the Internet, the web, and such.   
However, in talking with them, it's often useful to say that they're  
likely to have to interface with internet folks via SOA and other  
mechanisms, so it's worth their while to understand the security  
problems that those guys face, such as XSS and SQL/XML injection (a  
handy tip I picked up from Andrew van der Stock -- thanks Andrew!).


So what's my point?  It's this: I've often found the mainframe crowd  
to be reluctant to even talk about software security because there  
seems to be a pervasive attitude that it's not their problem.  After  
all, the mainframe architectures they're familiar with have had  
secure, trustworthy networks and such for decades, right?  Well,  
easing them into a discussion by simply pointing out that they should  
be aware of the issues that the internet folks have to deal with  
because they *need* to interface with them can help things along.


Lastly, I noticed that at least one static code analysis tool  
(Fortify) now supports COBOL.  I'm not yet sure what things they scan  
for, and I'm *far* from COBOL literate myself, but I figure it's got  
to be good news re James's point.


Cheers,

Ken


-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] IT industry creates secure coding advocacy group

2007-10-23 Thread Kenneth Van Wyk

Saw this story via Gunnar's blog (thanks!):

http://www.gcn.com/online/vol1_no1/45286-1.html

Any thoughts on new group, which is calling itself SAFEcode?  Anyone  
here involved in its formation and care to share with us what's the  
driving force behind it?


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Microsoft Pushes Secure, Quality Code

2007-10-06 Thread Kenneth Van Wyk

SC-Lers,

Hey, here's some good news out of Microsoft.  According to EWeek,  
Now for Visual Studio 2008, Microsoft's code analysis team is adding  
some new features, including Code Metrics, a new tool window that  
allows you to not only get an overall view of the health [code-wise]  
of your application, but also gives you the ability to dig deep to  
find those unmaintainable and complex hotspots, Somasegar said.


For Visual Studio 2008, Code Metrics will ship with five metrics:  
Cyclomatic Complexity, Depth of Inheritance, Class Coupling, Lines of  
Code and Maintainability Index, he said. 


The full story is here http://www.eweek.com/ 
article2/0,1895,2192515,00.asp


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] CERT Advances Secure Coding Standards - Desktop Security News Analysis - Dark Reading

2007-10-02 Thread Kenneth Van Wyk
Here's some good news from CERT and Fortify.  Shortly, CERT will be  
generating Fortify SCA rules to help automate reviewing C/C++ source  
code against their secure coding standards.


http://www.darkreading.com/document.asp?doc_id=135352WT.svl=news1_2

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Fwd: [1st-t] Vancouver 2008 First Conference - Call for Papers

2007-09-21 Thread Kenneth Van Wyk

SC-L,

I'm forwarding the following Call for Papers (see below) for next  
year's FIRST conference here.  Now, I recognize that FIRST (the Forum  
of Incident Response and Security Teams) is NOT a software security  
conference.  But, over the past few years, I've started bringing some  
software security related sessions to the conference, and they've  
been well received.  I'm a big believer in reaching out to other  
communities, and if ever there were two groups that should be talking  
and working together more than they currently do (IMHO), it's  
software developers and information security folks.


Disclaimer: I currently sit on FIRST's steering committee, although I  
have nothing to do with accepting/rejecting conference sessions.   
That said, if any of you ARE interested in reaching out to FIRST a  
bit and would like to chat, please drop me a line.


Cheers,

Ken van Wyk

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
SC-L Moderator


Begin forwarded message:


From: Reneaué Railton [EMAIL PROTECTED]
Date: September 20, 2007 1:20:29 PM EDT
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [1st-t] Vancouver 2008 First Conference - Call for Papers

FIRST 20th Annual Conference, June 22nd – 27th, 2008, Hyatt Regency  
Vancouver British Columbia, Canada


 Crossing Borders: Towards the Globalization of Security

 Call for Papers
 - - - - ---
 This is a call for papers and tutorials for the 20th Annual FIRST
 Conference. This text is also available at:
 http://www.first.org/conference/2008/papers.html


 Overview
 - - - - -
 The Forum of Incident Response and Security Teams (FIRST,
 http://www.first.org/) is a global non-profit organization dedicated
 to bringing together computer security incident response teams
 (CSIRT's) and includes response teams from 180 corporations,
 government bodies, universities and other institutions spread across
 the Americas, Asia, Europe and Oceania.

 The annual FIRST conference not only provides a setting for
 participants to attend tutorials and hear presentations by leading
 experts in the CSIRT community, it also creates opportunities for
 networking, collaboration, and sharing technical information. Just as
 importantly, the conference enables attendees to meet their peers and
 build confidential relationships across corporate disciplines and
 geographical boundaries.

 FIRST conference participants include not only CSIRT staff, but also
 IT managers, network and system administrators, software and hardware
   vendors, law enforcement representatives, security solutions
 providers, telecommunications organizations, ISPs, and general
   computer and network security personnel. FIRST conferences cover a
 broad range of security related topics such as (but not limited to):
 . Advanced techniques in security incident prevention, detection and
 response. . Latest advances in computer and network security tools .
 Shared views, experiences, and resolutions in the computer security
 incident response field.


 The Conference
 - - - 
 The conference is a five-day event, comprised of two days of
 Tutorials, three days of Plenary Sessions focused on either Business
 or Technical issues. These include paper presentations, keynote
 speeches, Panel discussions and Birds-of-a-Feather Sessions.

 Features planned for this year's conference include:

Geek Zone - Presentations with a Hands On Format aimed at smaller,  
more technical audiences of up to 30 people
Case Studies – Lessons learned in dealing with real events, from  
discovery to remediation.  Share practical experiences in dealing  
with cyber incidents along with the tools that provided most valuable.

SIG (Special Interest Group) meetings
Beer 'n Gear where vendors demonstrate their equipment .
Security Challenge

 The theme for the 2008 conference is ‘Crossing Borders: Towards  
the Globalization of Security '.


 The conference language is English.

 Call for Papers
 - - - ---
 The FIRST program committee solicits original contributions for this
 conference, which are broadly based on the theme of ‘Crossing  
Borders: Towards the Globalization of Security'.


 All submissions must reflect original work and must adequately
 document any overlap with previously published or simultaneously
 submitted papers from any of the authors. If authors have any doubts
 regarding whether such overlap exists, they should contact the
 program chairs prior to submission.

 Papers will be scheduled as part of the Main Conference.

 Timeslots are available in three lengths:
 a) 50 Minutes, with 10 minutes question time
 b) 40 minutes, with 10 minutes question time
 c) 25 Minutes, with 5 minutes question time.

 The program committee is also looking for contributions to the 'Geek
 Zone Sessions', where presentations may last for up to three hours  
and which are aimed

 at a smaller more technical audience of up to 30 people. These
 presentations are intended to 

[SC-L] Fwd: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.

2007-08-23 Thread Kenneth Van Wyk
FYI, I saw the following tool release announcement over on bugtraq,  
and thought it might be of interest to some of you here.  I know the  
terms PHP and security in the same sentence often are met with  
laughter here, but what the heck.  If the tool helps a few PHP  
developers write PHP apps that are hardened against SQL injection  
attacks, then why not.


Cheers,

Ken van Wyk
SC-L Moderator

Begin forwarded message:


From: Ezequiel Gutesman [EMAIL PROTECTED]
Date: August 22, 2007 12:26:55 PM EDT
To: [EMAIL PROTECTED]
Subject: Announcement: Releasing CORE GRASP for PHP. An open  
source, dynamic web application protection system.


CORE GRASP for PHP is a web-application protection software aimed at
detecting and blocking injection vulnerabilities and privacy  
violations.

As mentioned during its presentation at Black Hat USA 2007, GRASP is
being released as open source under the Apache 2.0 license and can be
obtained from http://gasp.coresecurity.com/.

The present implementation protects PHP 5.2.3 against SQL-injection
attacks for the MySQL engine, it can be installed with almost the same
effort as the PHP engine, both in Unix and Windows systems, and
protection is immediate with any PHP web application running in the
protected server.

CORE GRASP works by enhancing the PHP execution engine (VM) to permit
byte-level taint tracking and analysis for all the user-controlled or
otherwise untrustable variables of the web application. Tainted bytes
are then tracked and their taint marks propagated throughout the web
application's runtime. Whenever the web application tries to interact
with an DB backend using SQL statements that contain tainted bytes,
GRASP analyzes the statment and detects and prevents attacks or  
abnormal

actions.

CORE GRASP was developed by CoreLabs, the research unit of Core  
Security

Technologies. At CoreLabs, we plan to improve the tool and include new
protections shortly. However, the invitation to collaborate with the
project is open. If you would like to collaborate, please go to the
GRASP website and subscribe to our mailing list.

Project home: http://grasp.coresecurity.com/
Documentation, presentation and papers:
http://grasp.coresecurity.com/index.php?m=doc
Download: http://grasp.coresecurity.com/index.php?m=dld



-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Opera Uses Mozilla Fuzzer Tool To Find 'Highly Severe' Bug -- Browser -- InformationWeek

2007-08-16 Thread Kenneth Van Wyk

Greetings SC-Lers,

Here's a great success story regarding Mozilla's new open source  
fuzzer that they just released during the blackhat conference:


http://www.informationweek.com/story/showArticle.jhtml? 
articleID=201800584cid=RSSfeed_IWK_News


Kudos to the Opera team!

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Software process improvement produces secure software?

2007-08-08 Thread Kenneth Van Wyk


On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:

During our conversation, I made a question to Mr.
Hayes similar to this: Is it possible that only
software development process improvements can produce
secure software?

The scenario was only based on CMMI without security
interference.


All that follows is IMHO, of course...  I would have to agree with  
you, Francisco, that process improvements without security  
interference are unlikely to produce significant changes in the  
security of the software produced.


That said, I am a believer in somewhat more rigorous security-based  
software process.  In particular, I think it's worth spending  
additional time/effort delving into the non-functional aspects of  
software, from requirements gathering through design as well as  
during the implementation/coding phases.  I think that solutions that  
focus solely on implementation improvement are not sufficient.  To  
me, a vital component in improving throughout the dev process must  
focus on process improvement.


That is, process improvement based not (necessarily) on CMMI, and  
_with_ security interference.  :-)  But I also don't like to see  
process for the sake of _process_.  I'm fine with intelligently  
applied ad hoc processes, if that's not too much of a contradiction  
in terms.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] how far we still need to go

2007-07-25 Thread Kenneth Van Wyk


On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote:
Well after a few attempts to install it on a Mac OS X system I  
finally dope out
that it only seems to install and run as admin. That is, I not only  
need to
install it as admin (that's OK, ordinary users can't write to the / 
Applications

area), but I need to run it as admin.


Maddening, isn't it?  I maintain that this is a software issue,  
insofar as how the software is bolted into its operating  
environment.  Many disagree with that point of view, which I can  
accept, but I believe that to pass this off to the ops guys is a  
bad practice that borders on negligence.  Even for those who disagree  
with me, I still would argue that it's largely under the control of  
the developer to be able to bolt the code into a safe operating  
environment -- that promotes the principle of least privilege  
effectively.


One of my customers uses -- and hence, so do I -- VPN software and a  
software one-time token (SoftToken) that requires the SoftToken.app  
software to have read/write access to its folder under /Applications  
on OS X.  The presumption was that it would always be run as root.   
Well, I've gone out of my way to run my desktop OS X user without  
privs, which broke SoftToken (it would generate the same token EVERY  
time it was invoked).  I still wouldn't accept running it as root,  
however, and was able to circumvent the problem by only giving my  
desktop user read/write to the one data file that SoftToken needed to  
write to.  Still not as good as designing it properly in the first  
place, but it was an acceptable compromise for me to be able to do  
what I need to do.  FWIW...


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-26 Thread Kenneth Van Wyk

SC-L

I'm not quite so sure why this one (below) caught my eye -- we _all_  
get tons of product advisories -- but it did.  In particular, two  
things jump out at me:


1) the original author of the defect thought that s/he was doing  
things correctly in using strncpy (vs. strcpy).
2) the original author had apparently been doing static source  
analysis using David Wheeler's Flawfinder tool, as we can tell from  
the comments.


Yet, a simple coding mistake was made in calculating the length of a  
buffer and passing that incorrect length to strncpy.  The result was  
a buffer overrun on the stack, just like the millions that we've all  
seen.


Mind you, the overrun can only be exploited when specific characters  
are used as input to the loop in the code.  Thus, I'm inclined to  
think that this is an interesting example of a bug that would have  
been extraordinarily difficult to find using black box testing, even  
fuzzing.  The iDefense team doesn't say how the (anonymous) person  
who reported it found it, but I for one would be really curious to  
hear that story.


Just some random thoughts this afternoon...  Perhaps I'm still  
getting over the jet lag after returning from the FIRST conference in  
Seville.


Cheers,

Ken van Wyk
SC-L Moderator


Begin forwarded message:


From: iDefense Labs [EMAIL PROTECTED]
Date: June 26, 2007 3:53:46 PM EDT
To: [EMAIL PROTECTED], [EMAIL PROTECTED],  
[EMAIL PROTECTED]
Subject: iDefense Security Advisory 06.26.07: RealNetworks  
RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability


RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow
Vulnerability

iDefense Security Advisory 06.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 26, 2007

I. BACKGROUND

RealPlayer is an application for playing various media formats,
developed by RealNetworks Inc. HelixPlayer is the open source version
of RealPlayer. More information can be found at the URLs shown below.

http://www.real.com/realplayer.html
http://helixcommunity.org/

Synchronized Multimedia Integration Language (SMIL) is a markup  
language

used to specify the use of several multi-media concepts when rendering
media. Some such concepts are timing, transitions, and embedding. More
information is available from WikiPedia at the following URL.

http://en.wikipedia.org/wiki/ 
Synchronized_Multimedia_Integration_Language


II. DESCRIPTION

Remote exploitation of a buffer overflow within RealNetworks'  
RealPlayer
and HelixPlayer allows attackers to execute arbitrary code in the  
context

of the user.

The issue specifically exists in the handling of HH:mm:ss.f time  
formats

by the 'wallclock' functionality within the code supporting SMIL2. An
excerpt from the code follows.

   924HX_RESULT
   925SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
   926{
   ...
   957char buf[10]; /* Flawfinder: ignore */
   ...
   962while (*pCh)
   963{
   ...
   972 else if (isspace(*pCh) || *pCh == '+' || *pCh ==  
'-'

|| *pCh == 'Z')
   973 {
   974 // this will find the last +, - or Z...  
which is

what we want.
   975 pTimeZone = pCh;
   976 }
   ...
   982 ++pCh;
   983}
   ...
  1101if (pTimePos)
  1102{
  1103//HH:MM...
  
  1133  if (*(pos-1) == ':')
  1134  {
  
  1148if (*(pos-1) == '.')
  1149{
  1150// find end.
  1151UINT32 len = 0;
  1152if (pTimeZone)
  1153{
  1154len = pTimeZone - pos;
  1155}
  1156else
  1157{
  1158len = end - pos;
  1159}
  1160strncpy(buf, pos, len); /* Flawfinder: ignore */

The stack buffer is declared to be 10 bytes on line 957. You can see
that it has a comment which will cause the FlawFinder program to  
ignore

this buffer.

The loop, which begins on line 962, runs through the parameter to the
function looking for characters that denote different sections of the
time format. When it encounters white space, or the +, -, or Z
characters it will record the location for later use. If a time was
located and it contains both a colon and a period the vulnerable code
will be reached.

The length of data to copy into the stack buffer is calculated  
either on
line 1154 or line 1158 depending on whether or not a timezone is  
present.
Neither calculations take into consideration the constant length of  
the

'buf' buffer and therefore a stack-based buffer overflow can occur on
line 1160. Again, notice that this unsafe use of strncpy() is also
marked with a FlawFinder ignore comment.

III. ANALYSIS

Exploitation requires that an attacker persuade a user to supply
RealPlayer or HelixPlayer with a maliciously crafted SMIL file. For
example, this can be accomplished by convincing them to visit a
malicious web 

Re: [SC-L] Harvard vs. von Neumann

2007-06-15 Thread Kenneth Van Wyk

On Jun 14, 2007, at 3:51 PM, Gary McGraw wrote:
I am in complete agreement with your thinking, which is why one of  
the touchpoints (and chapter 9 of Software Security is about  
operations.  Ken knows more about this than any of us, but he's on  
a plane now...right Ken?


Wow, I'd stop far short of such strong words, but I have spent a  
great deal of time in operations land, and I am convinced we're (all)  
missing out on significant opportunities to enhance our software  
security by better making use of deployment security, for lack of a  
better term.  I've seen far too many one size fits all approaches  
to software deployments that fall far short of adequately protecting  
the app, much less enabling the detection and response of issues when  
they come up.


Cheers,

Ken

P.S. And yes, I was on a plane.  Greetings from Lisbon, en route to  
Sevilla, Spain for the FIRST conference.  I'll again toss out the  
offer to meet with any SC-Lers who are at the conference.

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-10 Thread Kenneth Van Wyk
First off, many thanks to all who've contributed to this thread.  The  
responses and range of opinions I find fascinating, and I hope that  
others have found value in it as well.  Great stuff, keep it coming.


That said, I see us going towards that favorite of rat-holes here,  
namely the my programming language is better than yours, nyeah!  
path.  Let's please avoid that.  I'm confident that we've seen it  
enough times to know that it ends with no clear winners (but plenty  
of losers).


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] What's the next tech problem to be solved in software security?

2007-06-06 Thread Kenneth Van Wyk

Hi SC-L,

[Hmmm, this didn't make it out to the list as I'd expected, so here's  
a 2nd try. Apologies for any duplicates. KRvW]


At the SC-L BoF sessions held to date (which admittedly is not  
exactly a huge number, but I'm doing my best to see them continue), I  
like to ask those that attend what we can be doing to make SC-L more  
useful and meaningful to the subscribers.  Of course, as with all  
mailing lists, SC-L  will always be what its members make of it.   
However, at one recent SC-L BoF session, it was suggested that I pose  
periodic questions/issues for comment and discussion.  As last week  
was particularly quiet here with my hiatus and all, this seems like a  
good opportunity to give that a go, so...


What do you think is the _next_ technological problem for the  
software security community to solve?  PLEASE, let's NOT go down the  
rat hole of senior management buy-in, use [this language], etc.  (In  
fact, be warned that I will /dev/null any responses in this thread  
that go there.)  So, what technology could/would make life easier for  
a secure software developer?  Better source code analysis?  High(er)  
level languages to help automate design reviews?  Better security  
testing tools?  To any of these, *better* in what ways, specifically?


Any takers?

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] IBM to catch Watchfire security technology | Tech News on ZDNet

2007-06-06 Thread Kenneth Van Wyk
FYI, yet another acquisition in the security world...  This time it's  
IBM buying up Watchfire (makers of AppScan).


http://news.zdnet.com/2100-1009_22-6188999.html? 
part=rsstag=feedsubj=zdnet


Kind of reminds me of something Chef Jacques Pepin said in an  
interview with Terry Gross on NPR's Fresh Air some time back  
(IIRC).  He said when he was growing up, leftover food never went to  
waste.  They always took yesterday's leftovers and made something  
completely new with it the next day -- NEVER simply re-heating it to  
serve the same thing again, which always ends up being bland.  By the  
time the last of the real food was gone, nobody remembered what the  
original recipe even was.  That kept them interested in the food even  
as it went through several transformations.


Not sure why this comes to mind now...  ;-\

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Who's To Blame For Insecure Software? Maybe You

2007-06-05 Thread Kenneth Van Wyk
Some interesting (IMHO) stats coming out of Gartner security summit.   
One that jumped off the page at me was that 57% of the attendees  
believe that independent security research labs are providing a  
useful and valuable service.  Whether you agree or not, the article  
below is an interesting read.


http://www.informationweek.com/security/showArticle.jhtml? 
articleID=199901402pgno=1queryText=


Cheers,

Ken

P.S. I'm surprised to say that I've so far had no takers on my  
question yesterday -- what is the next technology hurdle for us to  
clear?  Perhaps everyone is off enjoying their summer breaks like I  
was last week...

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com



smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Administrivia: Moderator is in, and SC-L BoF in Spain?

2007-06-04 Thread Kenneth Van Wyk

SC-Lers,

FYI, back from a few days in the sun.  It was a quiet week in any  
case here on SC-L, but I am indeed back at the moderator's (virtual)  
desk now.


Anyone here attending the FIRST conference in Sevilla, Spain later  
this month?  Any interest in an SC-L BoF session?  I'll be there all  
week and would be happy to meet with any SC-L folks who'll be there.   
Drop me a line and say hi.  First Rioja Crianza and jambon Iberia is  
on me.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Administrivia: Moderator on hiatus

2007-05-25 Thread Kenneth Van Wyk

SC-L,

After an insane travel schedule over the last several months, the  
moderator is taking some much-needed time to relax on the beach while  
sipping boat drinks.  I'll be checking the SC-L queue over the next  
week at least once daily, but if you submit something, please be a  
bit patient.  It'll go out, but might take a little while.  Sorry for  
the inconvenience.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] 1 Raindrop: Common Attack Pattern Enumeration and Classification (CAPEC)

2007-05-23 Thread Kenneth Van Wyk

SC-L,

Saw this via Gunnar Peterson's blog (http://1raindrop.typepad.com/ 
1_raindrop/2007/05/common_attack_p.html)...  Check out Mitre's first  
draft of CAPEC, the Common Attack Pattern Enumeration and  
Classification database (http://capec.mitre.org).  It complements the  
existing CVE (http://cve.mitre.org) and CWE (http://cwe.mitre.org)  
efforts by presenting the attack patterns used to exploit the various  
vulnerabilities.


Great stuff that should be of interest to our readers here at SC-L,  
though the site itself does require Javascript to work -- boo hiss! :-)


Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk

shameless-self-plug

I hope that some of you will find my April column over on  
eSecurityPlanet interesting.  It can be found (for free) at the link  
below.  If not, just press the old delete key.


http://www.esecurityplanet.com/article.php/11162_3670486_2

/shameless-self-plug

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk

On Apr 9, 2007, at 11:12 AM, Kenneth Van Wyk wrote:

http://www.esecurityplanet.com/article.php/11162_3670486_2


Sorry folks -- I inadvertently posted the URL to page 2 of the  
column.  Page 1 is at http://www.esecurityplanet.com/article.php/3670486


Sorry for the inconvenience (and the list clutter).  Mea culpa++

Cheers,

Ken van Wyk




smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] SANS Software Security Institute announced

2007-03-30 Thread Kenneth Van Wyk
FYI, the folks at SANS have announced the launch of their Software  
Security Institute (see http://www.sans-ssi.org/ for details).


Their web site cites the following 6 goals:

* Allow employers to rate their programmers on security skills  
so they can be confident that every project has at least one  
security master and all of their programmers understand the common  
errors and how to avoid them.
* Provide a means for buyers of software and systems vendors to  
measure the secure programming skills of the people who work for the  
supplier.
* Allow programmers to identify their gaps in secure programming  
knowledge in the language they use and target education to fill those  
gaps.
* Allow employers to evaluate job candidates and potential  
consultants on their secure programming skills and knowledge.
* Provide incentive for universities to include secure coding in  
required computer science, engineering, and programming courses.
* Provide reporting to allow individuals and organizations to  
compare their skills against others in their industry, with similar  
education or experience or in similar regions around the world.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Information Protection Policies

2007-03-13 Thread Kenneth Van Wyk

On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote:
Ken, in terms of a previous response to your posting in terms of  
getting customers to ask for secure coding practices from vendors,  
wouldn't it start with figuring out how they could simply cut-and- 
paste InfoSec policies into their own?


Using someone's boilerplate policies as a starting point is great,  
as long as they go beyond just infosec policies and include examples/ 
guidelines for writing contracts for outsourcing software development  
and acquisition.


Steve Christey pointed to OWASP's example at http://www.owasp.org/ 
index.php/OWASP_Secure_Software_Contract_Annex.  While I haven't  
(yet) looked at this AND while I'm certainly no authority on contract  
writing, I'd bet that this OWASP example will at least provide some  
pretty good food for thought for anyone who is contracting software  
development.


I firmly believe that we as consumers and as a whole, are not doing  
an adequate job at demanding more in the way of software security  
from the software we purchase and outsource.  IMHO, that shouldn't be  
horribly difficult to change in the short- to medium-term.  Better  
contracts and contractor oversight (e.g., independent architectural  
risk analysis, static code analysis, and rigorous security testing)  
should go a long way.  I know I'm over-simplifying things here, but  
still...


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






smime.p7s
Description: S/MIME cryptographic signature
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Kenneth Van Wyk

On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote:
I think some vendors have come around to the economics argument. In  
every case, those vendors with extreme reputation exposure have  
attempted to move past penetrate and patch.  Microsoft, for one, is  
trying hard, but (to use my broken leg analogy) they had a sever  
case of osteoporosis and must take lots of calcium to build up bone  
mass.   The financial vertical, led by the credit card consortiums  
is likewise making good progress.  Other vendors with less brand  
exposure (or outright apathy from users) are slower on the uptake.


Having spent several years on the incident handling side of this  
argument at CMU's CERT/CC, US. Dept. of Defense, etc., I thought I'd  
chime in here as well.  It's encouraging to me to see that many  
vendors now recognize the reputation exposure and economics  
argument.  I know that in my years at CERT (1989-1993), we were more  
than once threatened by uncooperative vendors, saying that they would  
sue us if we published information about their product's  
vulnerabilities.  We spent years developing those vendor  
relationships and building up some level of mutual trust.  It's not  
always an easy path.


In the full disclosure years, it's been my observation that many  
vendors get forced into publishing patches when the vulnerability  
pimps (as Marcus calls them) call them out in public.  Without a  
doubt, that's lead many vendors to respond more quickly and more  
publicly than they otherwise might have.  At the same time, (and to  
try to bring this thread back to *software security*) I'm concerned  
about the software security ramifications of being bullied into  
patching something too quickly.  While a simple strcpy--strncpy (or  
similar) src edit takes just moments, and shouldn't impact the  
functionality and reliability of any software, patches are rarely  
that simple.  When software producers are forced to develop patches  
in unnaturally rushed situations, bigger problems (IMHO) will  
inevitably be introduced.


So, I applaud the public disclosure model from the standpoint of  
consumer advocacy.  But, I'm convinced that we need to find a process  
that better balances the needs of the consumer against the secure  
software engineering needs.  Some patches can't reasonably be  
produced in the amount of time that the vulnerability pimps give  
the vendors.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk
Here's an interesting article from Dark Reading about web fuzzers.   
Web fuzzing seems to be gaining some traction these days as a popular  
means of testing web apps and web services.


http://www.darkreading.com/document.asp? 
doc_id=118162f_src=darkreading_section_296


Any good/bad experiences and opinions to be shared here on SC-L  
regarding fuzzing as a means of testing web apps/services?  I have to  
say I'm unconvinced, but agree that they should be one part--and a  
small one at that--of a robust testing regimen.


Cheers,

Ken

P.S. I'm over in Belgium right now for SecAppDev (http:// 
www.secappdev.org).  HD Moore wowed the class here with a demo of  
Metasploit 3.0.  For those of you that haven't looked at this (soon  
to be released, but available in beta now) tool, you really should  
check it out.  Although it's geared at the IT Security pen testing  
audience, I do believe that it has broader applicability as a  
framework for constructing one-off exploits against applications.

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk

On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote:
Given the complex manipulations that can work in XSS attacks (see  
RSnake's

cheat sheet) as well as directory traversal, combined with the sheer
number of potential inputs in web applications, multipied by all the
variations in encodings, I wouldn't be surprised if they were  
effective in

finding those kinds of implementation bugs, even in well-designed
software.  Although successfully diagnosing some XSS without live
verification smells like a hard problem akin to the Ptacek/Newsham
vantage point issues in IDS.

With the track record of non-web fuzzers and PROTOS style test  
suites, why

do you think web app fuzzing is less likely to succeed?


It's not so much that I don't think fuzzing is useful, it's that I  
don't see one size fits all fuzzing _products_ being useful.


To me, it gets to an issue of informed vs. uninformed (or white box  
vs. black box if you prefer) testing.  While they're both useful  
and should both be exercised, I believe (though I have no hard  
statistics to validate) that issues of coverage/state are always  
going to doom uninformed testing to being less effective than  
informed testing.  For a fuzzer to be really meaningful, I believe  
that a smart fuzzing approach is going to be the best bet, and that  
makes it hard for a one size fits all product solution to be feasible.


To do smart fuzzing, a lot of setup time is necessary in establishing  
an appropriate test harness and cases that fully exercise the files,  
network interface data, user data, etc., that the software is expecting.


Perhaps I'm totally off base, and I invite any product folks here to  
chime in and correct my misconceptions.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk

On Feb 27, 2007, at 4:54 AM, Michael Silk wrote:

unconvinced of what? what fuzzing is useful? or that it's the best
security testing method ever? or you remain unconvinced that fuzzing
in web apps is  fuzzing in os apps?

fuzzing has obvious advantages. that's all anyone should care about.


No, not that it's useful or not.  As I said in my other reply, my  
real wariness is of the one size fits all product solutions.  It  
seems to me that the best fuzzing tools are in fact frameworks for  
building customized fuzzing tests.  OWASP's jbrofuzz (in beta release  
currently) is an example of what I mean here.  It gives the tester  
the means for identifying fields to fuzz and how to fuzz them (say,  
integer size testing), and then you press the fuzz button and it  
generates all the tests.  That's useful, meaningful, and valuable,  
IMHO.  But it's not a fire and forget general purpose tool that can  
test any web app.


Beyond that, to me it's an issue of coverage.  As was any uninformed  
testing, it's bound to miss things, which is to be expected.  (E.g.,  
a state tree that contains a format string vulnerability that doesn't  
execute because the testing never triggered that particular state --  
hence my comments about test coverage/state earlier.)


So, my impression is that fuzzing is useful (in Howard/Lipner's SDL  
book, they say that some 25% of the bugs they find during testing  
come out during fuzzing), but that it should only be a small, say  
10-20%, part of a testing regimen.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] The seven sins of programmers | Free Software Magazine

2007-02-23 Thread Kenneth Van Wyk

SC-L,

So my trusty rss aggregator (NewsFire) found an interesting blog for  
me this morning, and I thought I'd share it here.  The blog is from  
Free Software Magazine and it's titled, The seven sins of  
programmers.  On the surface, it has nothing whatsoever to do with  
software security -- the word security is never even mentioned in  
passing -- but I believe there are some worthy security lessons to be  
gleamed from it.


http://www.freesoftwaremagazine.com/blog/seven_sins

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Vulnerability tallies surged in 2006 | The Register

2007-01-22 Thread Kenneth Van Wyk
FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a  
35% increase over 2005.


See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/

The article further states, The greatest factor in the skyrocketing  
number of vulnerabilities is that certain types of flaws in community  
and commercial Web applications have become much easier to find, said  
Art Manion, vulnerability team lead for the CERT Coordination Center.


'The best we can figure, most of the growth is due to fairly easy-to- 
discover vulnerabilities in Web applications, Manion said. They are  
easy to find, easy to create, and easy to deploy.'


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis

2007-01-22 Thread Kenneth Van Wyk
Ok, last software security news item for today, I promise.  :-)  This  
article (see
http://www.darkreading.com/document.asp?doc_id=115110WT.svl=news1_1)  
is about a couple of new startup companies.  One of them in  
particular, Veracode, may be of some interest here.  The article  
says, Veracode, founded by Chris Wysopal and other former executives  
of @stake, is now offering patented binary-code analysis of software  
for enterprises that want to analyze their software's security on a  
regular basis. The ASP will also offer security reviews of enterprise  
products and security analysis of third-party apps for software  
developers.


The article also provides some counterpoints, including some from  
Gary McGraw, that are worth reading.  Among other things, Gary says,  
However, if you want real security analysis you have to go past the  
binary, past the source code, and actually consider the design.


Opinions on binary vs. source code (and design!) analysis, anyone?

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] heise Security - News - Security specialist leaves PHP security team

2006-12-14 Thread Kenneth Van Wyk
I guess this falls in to the you can lead a horse to water, but you  
can't make him drink category:


http://www.heise-security.co.uk/news/82500

A member of the PHP security team has left in apparent disgust over  
the team's security practices.


I doubt that anyone here on SC-L is surprised by the article, but PHP  
remains quite popular, and it seems sad to see it losing some vital  
and much-needed security support.


Well, there's always AJAX, I suppose.  ;-\

Cheers,

Ken

P.S. Hey, SC-L is 3 years old this month!
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org

List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l

List charter available at - http://www.securecoding.org/list/charter.php

SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a 
free, non-commercial service to the software security community.
___


[SC-L] Top 10 Ajax Security Holes and Driving Factors

2006-11-10 Thread Kenneth Van Wyk
FYI, a friend forwarded me a link to this interesting article by  
Shreeraj Shah on Ajax holes, http://www.net-security.org/article.php? 
id=956


Since much has been written here on SC-L about relatively safe  
programming languages recently, I thought it might be interesting to  
look at the other end of the spectrum.  ;-)  Yes, I know Ajax is  
wildly popular these days.  10,000 lemmings can't be wrong, certainly!


Cheers,

Ken
-
Kenneth R. van Wyk
Moderator, SC-L
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


[SC-L] Apple Places Encrypted Binaries in Mac OS X

2006-11-03 Thread Kenneth Van Wyk
Here's a somewhat interesting link to an eweek article that discusses  
Apple's use of encryption to protect some of its OS X binaries:


http://www.eweek.com/article2/0,1895,2050875,00.asp

Of course, encrypting binaries isn't anything new, but it's  
interesting (IMHO) to see how it's being used in a real OS.  The  
article cites speculation as to whether Apple uses encryption for  
anti-piracy or anti-reverse-engineering.


Another interesting side topic (though not mentioned in this article)  
is code obfuscation, which is being increasingly used for both  
purposes as well.  Course, some coders have been inadvertently doing  
code obfuscation for years.  ;-\


Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


Re: [SC-L] Secure programming is NOT just good programming

2006-10-12 Thread Kenneth Van Wyk

On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote:
I suppose now is as good a time as any to say that everything david  
is talking about here is described in great detail in the HOW TO  
book that I released last february.   If you're reading this list,  
you really should read that book.  It's called software security.


Ken and I have trained thousands of developers using the book as a  
guide with some success.  Cigital has a number of very large-scale  
software security initiatives underway at various customers that  
leverage that training.  But more importantly, good programs  
instill and measure the kinds of best practices (called touchpoints  
in the book) that are certainly not part of standard good coding  
practice.


Presuming you meant now part of... and not not part of...

In any case, another great source of information on the touchpoint  
processes in Gary's book is the DHS-sponsored Build Security In  
portal at http://BuildSecurityIn.us-cert.gov.  It's still a work in  
progress, but there are a bunch of in-depth articles explaining all  
of Gary's touchpoint activities and such.  Plus, several new articles  
will be appearing there over the next few months, so keep checking in  
for updates.  The site is free and open to the public.  (Full  
disclosure: as one of the BSI authors, I'm certainly not unbiased,  
but I still believe it's a valuable resource for those who are  
interested in learning more about the touchpoints Gary cited.)


Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


[SC-L] A banner year for software bugs | Tech News on ZDNet

2006-10-11 Thread Kenneth Van Wyk
So here's a lovely statistic for the software community to hang its  
hat on:


http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed

Among other things, the article says, Atlanta-based ISS, which is  
being acquired by IBM, predicts there will be a 41 percent increase  
in confirmed security faults in software compared with 2005. That  
year, in its own turn, saw a 37 percent rise over 2004.


Of course, the real losers in this are the software users, who have  
to deal with the never ending onslaught of bugs and patches from  
their vendors.  We've just _got_ to do better, IMHO, and automating  
the patch process is not the answer.


Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


[SC-L] Insecurity in Open Source

2006-10-10 Thread Kenneth Van Wyk
FYI, there's an interesting opinion article in Business Week by Coverity's CTO, Ben Chelf (see link below).  In it, he discusses the results of their scanning of a significant sampling of both open- and closed-source projects.Chelf compares some special purpose proprietary software security/quality with the best of what's out in the open source world.  Further, he opines that the open source guys need to adopt far more rigorous QA testing in order to compete with the best of the proprietary source world.I'm passing this along not to launch into the invariable religious debates of closed- vs. open-source, but to encourage discussion about Chelf's claims with regards to rigorous QA testing.  Anyway, here's the article.http://www.businessweek.com/technology/content/oct2006/tc20061006_394140.htm?campaign_id=bier_tco.g3a.rss1007Cheers,Ken -Kenneth R. van WykKRvW Associates, LLChttp://www.KRvW.com 

PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


[SC-L] IEEE Security and Privacy article on software security training

2006-09-27 Thread Kenneth Van Wyk
Wow, it's sure been a quiet few days out here on SC-L.  Summer  
vacations are over, I suppose...


In any case, I thought that I'd post a link to a new IEEE Security   
Privacy article on training for software security engineers.  It was  
written by Cigital's John Steven and yours truly, and can be found via:


http://www.computer.org/portal/site/security

Enjoy.

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com






PGP.sig
Description: This is a digitally signed message part
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


[SC-L] Fwd: There's More than One Monoculture

2006-09-10 Thread Kenneth Van Wyk
Greetings SC-L,Check out Peter Coffee's latest column at:http://www.eweek.com/article2/0,1895,2014207,00.aspIt's a follow-up to Dan Geer's (et al's) now famous monoculture paper, three years after the paper was published.  Among other things, Coffee makes some interesting comparisons to the Internet monoculture situation that existed in November 1988 when Robert Morris unleashed his Internet worm program.  Interesting reading, IMHO.Cheers,Ken-Kenneth R. van WykKRvW Associates, LLChttp://www.KRvW.com ___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php


  1   2   >