[SC-L] Book project needs co-author(s)

2011-03-07 Thread Mark Graff
Hi SC-L folks, Ken van Wyk and I (we wrote “Secure Coding”, in 2003) are working on a new book. It’s about how software developers and enterprise security specialists can work together to help make a business safer. The project is not moving fast enough for us, so we’d like to take on one or

[SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Mark Rockman
is there that'll do the job? Doesn't exist, does it? MARK ROCKMAN MDRSESCO LLC ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http

[SC-L] Disable Bounds Checking?

2007-11-03 Thread Mark Rockman
Back around 1980, when Ada was new, it was common for compiler manufacturers to claim it is best to disable bound checking for performance reasons. Getting your program to run slightly faster trumped knowing that any of your buffers was overflowing. Code that silently trashes memory can be

[SC-L] COBOL Exploits

2007-11-02 Thread Mark Rockman
The adolescent minds that engage in exploits wouldn't know COBOL if a printout fell out a window and onto their heads. I'm sure you can write COBOL programs that crash, but it must be hard to make them take control of the operating system. COBOL programs are heavy into unit record equipment

Re: [SC-L] SC-L Digest, Vol 2, Issue 183

2006-11-05 Thread Mark Graff
Gary McGraw said: Ed Felten and I found out early on (back in 1996) that you can use the press as a lever to get companies to do the right thing. We learned this when releasing the very first Java Security hole. We found out that Sun paid much more attention once USA Today picked up the

Re: [SC-L] bumper sticker slogan for secure software

2006-07-21 Thread Mark Graff
There's another point to consider, when talking about whether True Security is Possible. And I have to say I've never been happy with the forms I've found so far to express it... Security, in many cases, decays. It's like what we used to call, in the Old Days, bit rot. Software that has worked

[SC-L] Re: WSJ.com - Tech Companies Check Software

2006-05-06 Thread Mark Graff
Fascinating and heartening development. Raises a couple of questions in my mind. 1. Why now? Many worthies, myself included during my years at Sun, have been crying for years/decades *from within the software industry* for just such a shift. So what has changed? Ken and I outlined in Secure

[SC-L] Spot the bug

2005-07-19 Thread Mark Curphey
If you fancy yourself as a good code reviewer you can play spot the bug at MSDN. They will be getting harder ! http://msdn.microsoft.com/security/

[SC-L] Glossary of Terms

2005-07-15 Thread Mark Curphey
For a long time I have wanted to be able to point to a common set of definitions for security terms (not the usual BS marketing / Hax0r terms) that I can use and adopt in technical and non-technical writing. Things like the OWASP Top Ten re-write. So I created one using a Wiki so poeple can add,

[SC-L] New Free Tool - Foundstone .NET Mon

2005-05-13 Thread Curphey, Mark
the function's signature (return type, namespace, method name and parameters) asynchronously. Read more in user guide. Thanks to Dinis Cruz who developed this tool under contract Mark Curphey http://www.foundstone.com

[SC-L] Re: Java keystore password storage

2005-05-03 Thread Mark
Entering the password on the command line could be an option if you choose the Java Invocation API. I have done this in the past and it has worked really well. On 4/25/05, john bart [EMAIL PROTECTED] wrote: Hello to all the list. I need some advice on where to store the keystore's password.

Re: [SC-L] Programming languages -- the third rail of secure coding

2004-07-21 Thread Mark Rockman
JOVIAL goes back to the 1960s as Jules' Own Version of the International Algebraic Language. ALGOL and IAL are the same thing. JOVIAL was used almost exclusively by the United States Air Force. - Original Message - From: Dave Aronson [EMAIL PROTECTED] To: [EMAIL PROTECTED]; [EMAIL

Re: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-06 Thread Mark Rockman
You are not nuts. Your course outline is a very substantial step in the right direction. - Original Message - From: Dana Epp [EMAIL PROTECTED] To: Fernando Schapachnik [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, July 06, 2004 16:42 Subject: Re: [SC-L] Education and security

Re: [SC-L] Any software security news from the RSA conference?

2004-03-02 Thread Mark D. Rockman
percentage of the people who NEED to get the message. Grandma and her e-mail client and pictures of her grandkids is totally clueless and possibly hostile towards detailed change information. I'm not grandma. I take pride in knowing what is going on and can do so if only I am enabled to do so. Mark