Hi SC-L folks,
Ken van Wyk and I (we wrote “Secure Coding”, in 2003) are working on a new
book. It’s about how software developers and enterprise security specialists
can work together to help make a business safer.
The project is not moving fast enough for us, so we’d like to take on one or
is there that'll
do the job? Doesn't exist, does it?
MDRSESCO LLC ___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http
Back around 1980, when Ada was new, it was common for compiler manufacturers to
claim it is best to disable bound checking for performance reasons. Getting
your program to run slightly faster trumped knowing that any of your buffers
was overflowing. Code that silently trashes memory can be
The adolescent minds that engage in exploits wouldn't know COBOL if a
printout fell out a window and onto their heads. I'm sure you can write COBOL
programs that crash, but it must be hard to make them take control of the
operating system. COBOL programs are heavy into unit record equipment
Gary McGraw said:
Ed Felten and I found out early on (back in 1996) that you can use the
press as a lever to get companies to do the right thing. We learned
this when releasing the very first Java Security hole. We found out
that Sun paid much more attention once USA Today picked up the
There's another point to consider, when talking about whether True Security
is Possible. And I have to say I've never been happy with the forms I've
found so far to express it...
Security, in many cases, decays. It's like what we used to call, in the Old
Days, bit rot. Software that has worked
Fascinating and heartening development. Raises a couple of questions in my
1. Why now? Many worthies, myself included during my years at Sun, have been
crying for years/decades *from within the software industry* for just such a
shift. So what has changed? Ken and I outlined in Secure
If you fancy yourself as a good code reviewer you can play spot the bug at
MSDN. They will be getting harder !
For a long time I have wanted to be able to point to a common set of
definitions for security terms (not the usual BS
marketing / Hax0r terms) that I can use and adopt in technical and
non-technical writing. Things like the OWASP Top
Ten re-write. So I created one using a Wiki so poeple can add,
the function's signature (return
type, namespace, method name and parameters) asynchronously.
Read more in user guide.
Thanks to Dinis Cruz who developed this tool under contract
Entering the password on the command line could be an option if you
choose the Java Invocation API. I have done this in the past and it
has worked really well.
On 4/25/05, john bart [EMAIL PROTECTED] wrote:
Hello to all the list.
I need some advice on where to store the keystore's password.
JOVIAL goes back to the 1960s as Jules' Own Version of the International
ALGOL and IAL are the same thing. JOVIAL was used almost exclusively by the
United States Air Force.
- Original Message -
From: Dave Aronson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL
You are not nuts. Your course outline is a very substantial step in the
- Original Message -
From: Dana Epp [EMAIL PROTECTED]
To: Fernando Schapachnik [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 16:42
Subject: Re: [SC-L] Education and security
percentage of the people who NEED to get the message. Grandma and her
e-mail client and pictures of her grandkids is totally clueless and possibly
hostile towards detailed change information. I'm not grandma. I take pride
in knowing what is going on and can do so if only I am enabled to do so.
Mail list logo