Re: [SC-L] Report Standardization to video and unit tests

Today I discuss a simple script that you can write in O2 to find robots.txt. As we all know, sometimes these scripts have sensitive information in them. Feel free to comment or e-mail me. O2 is a free platform and an OWASP project.

http://parsonsisconsulting.wordpress.com/2010/12/08/how-to-find-robots-txt-with-02/

--
Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.parsonsisconsultingblog.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
[SC-L] Cross Site Request Forgery and how to find it in the wild with O2

I have been reading on a lot of the security blogs how people are exploiting crossdomain.xml with Cross Site Request Forgery. I don't blog about how to exploit it, but rather how to find it automatically with O2. Feel free to e-mail me with questions or comments.

http://parsonsisconsulting.wordpress.com/2010/12/02/how-to-find-crossdomain-xml-cross-site-request-forgery-with-02/

Thanks,
Matt
[SC-L] Looking for OWASP members to have free web meetings with and work on source code assessments and web penetration testing

Secure Coding List and group,

I am thinking about hosting FREE web penetration and source code review web seminars, sharing tricks of the trade and giving real-life examples of web penetration testing and source code review findings. I am not doing this to profit. I am just looking for like minds to share ideas with and spend a couple of hours a month on a webinar. One of the first topics I would like to go over is Dinis Cruz's O2. I wrote about it in my blog today: http://www.parsonsisconsultingblog.com

Please reply to me off list at mparsons1...@gmail.com if you are interested. I am trying to figure out the level of interest so I can purchase enough phone lines for bridges and bandwidth to hold the live and recorded webinars. I will not spam your e-mail or share it with any other entity. I am looking to advance the field of software security and secure the Internet one application at a time.

Thanks,
Matt Parsons, CISSP, MSM
[SC-L] Are people using Threat modeling?

Are people using threat modeling for their clients? I just started having an interest in it with my clients, and it is amazing what you find with threat modeling. I have been using the Microsoft Threat Analysis tool. What other tools are people using?

Thanks,
Matt
Re: [SC-L] Introductions Matt Parsons Video Blog is there an interest

I have been on this list for a while and see a lot of value to the community. I wanted to introduce myself to the software security community through a video blog.

http://parsonsisconsulting.blogspot.com/2010/05/matt-parsons-introduction-cissp.html

I plan on doing some hands-on videos demonstrating OWASP Top Ten vulnerabilities. I am interested in getting to know others on this list. If you feel comfortable, please shoot me an email with what you do and what you hope to achieve in the software security field. I am not sure if others on the list will find this valuable, so I will let the moderator determine if it is allowed. I am also an open networker looking to expand my software security contacts via LinkedIn: http://www.linkedin.com/in/parsonsconsulting

mparsons1...@gmail.com

Thanks,
Matt
Re: [SC-L] [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis?

I am working on a collaborative effort trying to blog daily about a different software security bug. I am looking for comments on my blog on how to make it better. Maybe eventually we can turn this into an OWASP project. I am really just doing this because at the current time all I am doing is web penetration testing and I want to make sure that I don't lose any of my code review skills. Any comments, positive or negative, would be very helpful.

http://parsonsisconsulting.blogspot.com/

Thanks,
Matt Parsons, CISSP, MSM

On Wed, Apr 28, 2010 at 12:10 AM, SneakySimian sneaky.sim...@gmail.com wrote:

I couldn't let this one go. Having done both source code analysis and blackbox testing, I see merits in both. The failure that was the Debian SSL bug is a prime example of why I prefer blackbox testing. That's not to say things can't go wrong in blackbox testing, because they do, but not all code behaves the same way in the same environment, so if you actually test it in the environment it is running in, you can then understand why the code behaves the way it does.

Oversimplified example:

    <?php
    $file = $_GET['file'];
    if (file_exists($file)) {
        echo $file;
    } else {
        echo 'File not found. :(';
    }

Ignoring the other blatant issues with that code snippet, is that vulnerable to XSS? No? Are you sure? Yes? Can you prove it? As it turns out, it depends on a configuration setting in php.ini. The only real way to know if it is an issue is to run it in the environment it is meant to be run in. Now, that's not to say that the developer who wrote that code shouldn't be told to fix it in a source code analysis, but the point is, some issues are wholly dependent on the environment and may or may not get caught during code analysis. Other issues such as code branches that don't execute or do execute in certain environments can be problematic to spot during normal source code analysis.

That all said, I do enjoy reading code, especially comment coding from other developers. :P

On Tue, Apr 27, 2010 at 2:29 PM, Andre Gironda and...@gmail.com wrote:

On Tue, Apr 27, 2010 at 4:08 PM, Arian J. Evans arian.ev...@anachronic.com wrote:

I think everyone would agree that you definitely want to apply additional (deeper?) degrees of analysis and defensive compensating-control to high-value and high-risk assets. The tough question is what ruler you use to justify degree of security investment to degree of potential Risk/Loss. That requires information sharing and trend analysis, something that our classic vulnerability management programs have also not solved.

Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/archive/
Subscribe via RSS: http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA

--
Matt Parsons, CISSP
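As an added example (not SneakySimian's code and not from any project), the echo-of-$_GET pattern from the thread above written two ways so the environment dependence he describes can be seen side by side: the raw version, whose output depends on php.ini (ext/filter's filter.default directive is one such setting; the thread itself does not name which one), and a hardened version that encodes at the point of output and confines the file name to one directory. Function names and the temp-directory self-check are this example's own.

```php
<?php
// Added example: two renderings of the snippet discussed in the thread,
// written as functions over an array standing in for $_GET so both can be
// exercised offline. Function names are this example's own.

// Environment-dependent version, equivalent to the snippet in the thread.
// Whether the raw value reaches the browser unescaped depends on php.ini:
// with ext/filter's filter.default left at unsafe_raw (the default) it does;
// with filter.default=special_chars the superglobal arrives pre-escaped.
// A reviewer reading only the source cannot tell which applies.
function renderFileNameRaw(array $get): string
{
    $file = $get['file'] ?? '';
    if (file_exists($file)) {
        return $file;
    }
    return 'File not found. :(';
}

// Hardened version: behaviour no longer depends on php.ini.
//  1. The name is reduced to a basename and checked against a strict
//     allow-list pattern, so it cannot name a path outside $baseDir
//     (this also closes the path-probing side effect of file_exists()).
//  2. Output is HTML-encoded at the point of emission, regardless of
//     what filter.default did to the input.
function renderFileNameSafe(array $get, string $baseDir): string
{
    $name = basename((string) ($get['file'] ?? ''));
    if ($name === '' || !preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)) {
        return 'File not found. :(';
    }
    $path = $baseDir . DIRECTORY_SEPARATOR . $name;
    // realpath() resolves symlinks; require the result to stay under $baseDir.
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return 'File not found. :(';
    }
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Self-check on constructed input (no real request involved).
$tmpDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xss_demo_' . getmypid();
mkdir($tmpDir);
touch($tmpDir . DIRECTORY_SEPARATOR . 'report.txt');

$constructedGet = ['file' => 'report.txt'];
assert(renderFileNameSafe($constructedGet, $tmpDir) === 'report.txt');

// A name containing HTML metacharacters fails the allow-list outright.
$constructedGet = ['file' => '<b>report.txt</b>'];
assert(renderFileNameSafe($constructedGet, $tmpDir) === 'File not found. :(');

// And even if such a name passed, the output step neutralises the markup,
// which is what the raw version leaves to php.ini.
assert(htmlspecialchars('<b>report.txt</b>', ENT_QUOTES | ENT_HTML5, 'UTF-8')
    === '&lt;b&gt;report.txt&lt;/b&gt;');

unlink($tmpDir . DIRECTORY_SEPARATOR . 'report.txt');
rmdir($tmpDir);
echo "ok\n";
```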
Re: [SC-L] What do you like better Web penetration testing or static code analysis?

Gary,

I was not stating which was better for security. I was stating what I thought was more fun. I feel that penetration testing is sexier. I find penetration testing like driving a Ferrari and static code analysis like driving a Ford Taurus. I believe, with everyone else on this list, that software security needs to be integrated early in the development life cycle. I have also read most of your books and agree with your findings. As you would say, I don't think that penetration testing is magic security pixie dust, but it is fun when you are doing it legally and ethically.

My two cents.
Matt

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Gary McGraw
Sent: Thursday, April 22, 2010 2:15 PM
To: Peter Neumann; Secure Code Mailing List
Subject: Re: [SC-L] What do you like better Web penetration testing or static code analysis?

I hereby resonate with my esteemed colleague and mentor pgn. But no puns from me.

gem

On 4/22/10 1:57 PM, Peter Neumann neum...@csl.sri.com wrote:

Matt Parsons wrote:

What do you like doing better as application security professionals, web penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:

Should a security professional have a preference when both have different value propositions? While there is overlap, a static analysis tool can find things that pen testing tools cannot. Likewise, a pen test can report on secure applications deployed insecurely, which is not visible to static analysis. So, the best answer is I prefer both...

Both is better than either one by itself, but I think Gary McGraw would resonate with my seemingly contrary answer: BOTH penetration testing AND static code analysis are still looking at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN. Gary and I and many others have for a very long time been advocating security architectures and development practices that greatly enhance INHERENT TRUSTWORTHINESS, long before anyone has to even think about penetration testing and static code analysis. This discussion is somewhat akin to arguments about who has the best malware detection. If system developers (past-Multics) had paid any attention to system architectures and sound system development practices, viruses and worms would be mostly a nonproblem!

Please pardon my soapbox. The past survives. The archives have lives, not knives. High fives! (I strive to thrive with jive.)

PGN
Re: [SC-L] I have not seen many people comment on the new OWASP top Ten What does everyone think I blogged about it from my perspective. I am interested in hearing about other people's experience with

I have not seen many people comment on the new OWASP Top Ten. What does everyone think? I blogged about it from my perspective. I am interested in hearing about other people's experience with it.

http://parsonsisconsulting.blogspot.com/2010/04/parsons-response-to-owasp-top-10-in.html

Matt Parsons, MSM, CISSP
Re: [SC-L] What do you like better Web penetration testing or static code analysis?

What do you like doing better as application security professionals, web penetration testing or static code analysis? I offered my thoughts in today's blog.

http://parsonsisconsulting.blogspot.com/2010/04/what-do-you-like-better-secure-code.html

Matt Parsons, MSM, CISSP
[SC-L] anyone a CSSLP is it worth it?

I am a CISSP with programming experience, static code analysis and web penetration testing. I am thinking about taking the CSSLP. I just bought the review book. Is it worth getting this certification? Is it going to raise my rates and help me get more contracts? Is the GIAC better, or should I pursue both or neither? I wrote about the first concept of the CSSLP on my blog. Any feedback would be greatly appreciated.

http://parsonsisconsulting.blogspot.com/

Thanks,
Matt
[SC-L] has anyone completed a python security code review

Has anyone completed a Python security code review? What would you look for besides inputs, outputs and dangerous functions? Do any of the commercial static code analysis vendors scan that code? I would think not, because Python is not compiled at run time like the other languages that static analysis tools can scan. Any help would be greatly appreciated.

Thanks,
Matt
[SC-L] working on java security help from experts

I am trying to become an expert in source code review in Java application security. Are there any experts on this list that are willing to share some of their knowledge? I am reading Java Security by Scott Oaks and I am rereading all of the Sun docs on Java security. Any help would be greatly appreciated.

Thanks,
Matt
Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about

I am not suggesting exposing zero days. I only want known vulnerabilities in applications like WebGoat etc. that are known to everyone. I don't even plan on naming where each vulnerability comes from, but rather instead change the code to protect the innocent. I would never encourage promoting sharing zero days. I hope this clears it up.

Thanks,
Matt

From: Arshan Dabirsiaghi [mailto:arshan.dabirsia...@aspectsecurity.com]
Sent: Tuesday, March 16, 2010 2:49 PM
To: McGovern, James F. (P+C Technology); Matt Parsons; owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: RE: [WEB SECURITY] RE: [SC-L] blog post and open source vulnerabilities to blog about

I'm not sure Matt was suggesting burning sharing 0days, but if he was, I think he should not be discouraged. I think disclosure preference should be something like a protected class within OWASP.

Arshan

From: McGovern, James F. (P+C Technology) [mailto:james.mcgov...@thehartford.com]
Sent: Tuesday, March 16, 2010 2:36 PM
To: Matt Parsons; owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [WEB SECURITY] RE: [SC-L] blog post and open source vulnerabilities to blog about

This doesn't feel like responsible disclosure and is not the way to announce weaknesses in software. It is best to deal with scenarios that have already been addressed.

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Matt Parsons
Sent: Tuesday, March 16, 2010 11:41 AM
To: owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [SC-L] blog post and open source vulnerabilities to blog about

Hello,

I am working on a software security blog and I am trying to find open source vulnerabilities to present and share. Does anyone else have any open source vulnerabilities that they could share and talk about? I think this could be the best way to learn in the open source community about security. I have a few, but I would like to blog about a different piece of code almost every day.

God Bless.
Matt
http://parsonsisconsulting.blogspot.com/
[SC-L] market for training CISSPs how to code

I have been a programmer and a security analyst for a few years now. When I first started, developers told me I didn't know how to code well enough and CISSPs told me I didn't have enough security experience. Has anyone had any success training CISSPs and non-programmers how to write code securely, and training developers how to become CISSPs and learn how to penetration test? If not, does everyone think that there would be a market for such training?

Matt Parsons, MSM, CISSP
[SC-L] BlackBerry security

I had too many files open on my BlackBerry last night while listening to music. It produced a Java run time error. It made me think about BlackBerry security. What is the threat to BlackBerrys, and having them write secure code and have it undergo a security review? Has anyone worked on mobile app security? I find it very interesting and would like to get involved. I wrote about it on my blog.

http://parsonsisconsulting.blogspot.com/

All the best.
Matt
[SC-L] USA Today article Cyber Crimes and software security evangelism

I was reading the USA Today and it stated more cyber criminals are getting away with cyber crimes. I was thinking that this brings more value to those of us who are concerned about software security and can help evangelize and fix the problem.

God Bless.
Matt

http://parsonsisconsulting.blogspot.com/
http://www.usatoday.com/news/snapshot.htm
Re: [SC-L] win win for owasp and television spots

Ladies and Gentlemen,

I am starting to get approached by a few television stations to talk about application security. I would like to promote OWASP in these talks. What would be the best way to do it professionally and competently? See the news story below.

Thanks,
Matt

http://www.the33tv.com/news/kdaf-password-security-jim,0,3650695.story
Re: [SC-L] Blog skiiers versus snowboarders CISSPs vs programmers
I wrote a blog post on the state of software security using the analogy of skiers versus snowboarders in the early 90's. Please let me know your thoughts and comments by replying to this list or on my blog.
http://parsonsisconsulting.blogspot.com/

Thanks,
Matt

Matt Parsons, MSM, CISSP
Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog
From what I read it appears that this Java EE 6 could be a few rule changers. It looks to me like Java is checking for authorization and authentication with this new framework. If that is the case, I think that static code analyzers could change their rule sets to check what is normally a manual process in the code review of authentication and authorization. Am I correct in my assumption?

Thanks,
Matt

Matt Parsons, MSM, CISSP

-----Original Message-----
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Kenneth Van Wyk
Sent: Tuesday, January 05, 2010 8:59 AM
To: Secure Coding
Subject: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

Happy new year SC-Lers.

FYI, interesting blog post on some of the new security features in Java EE 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO.

http://www.coresecuritypatterns.com/blogs/?p=1622

Cheers,
Ken
-
Kenneth R. van Wyk
SC-L Moderator
Re: [SC-L] Questions asked on job interview for application security/penetration testing job
Here are the answers that I was given for the following questions by a non-technical recruiter.

1. What are the security functions of SSL?
Encryption and authentication.

2. What is a 0 by 90 bytes error?
Buffer overflow.

3. What is a digital signature, not what it is?
The sender's message is encrypted with the sender's private key and attached like a signature to an encrypted message to ensure that the person is who he claims to be. The recipient uses the sender's public key to decrypt the signature.

4. What is the problem of having a predictable sequence of bits in TCP/IP?
TCP/IP session hijacking. I also thought it was a man-in-the-middle attack.

5. What is heap memory?
A heap memory pool is an internal memory pool created at start-up that tasks use to dynamically allocate memory as needed.

6. What is a system call?
A call from the operating system.

7. What is two-factor authentication?
Use of something you know, something you have, something you are.

Thanks,
Matt Parsons

Matt Parsons, CISSP

From: Matt Parsons [mailto:mparsons1...@gmail.com]
Sent: Saturday, March 21, 2009 4:44 PM
To: 'Secure Code Mailing List'
Subject: RE: Questions asked on job interview for application security/penetration testing job

Ladies and gentlemen,

I was asked the following questions on a job phone interview and wondered what the proper answers were. I was told their answers after the interview. I was also told that the answers to these questions were one or two words. At the beginning of next week I will post what they told me were the proper answers. Any references would be greatly appreciated.

1. What are the security functions of SSL?
2. What is a 0 by 90 bytes error?
3. What is a digital signature, not what it is?
4. What is the problem of having a predictable sequence of bits in TCP/IP?
5. What is heap memory?
6. What is a system call?
7. What is two-factor authentication?

Thanks,
Matt

Matt Parsons, CISSP
Parsons Software Security Consulting, LLC
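As an added example (not from Matt's post or the recruiter's answer key), here is the sign-then-verify flow that question 3 is getting at, written so each step is visible: the signer hashes the message and applies the private key to the digest, and the verifier recomputes the digest from the received message and checks it against what the public key recovers from the signature. It uses textbook RSA with tiny constructed primes purely so the arithmetic runs on the standard library; the key values and sample message are constructed for the demonstration, and a real system would use a vetted library with proper padding (RSA-PSS, or Ed25519), never raw RSA.

```python
import hashlib

# Constructed toy RSA key: the primes are tiny so the arithmetic is visible.
# Real keys are thousands of bits and are generated by a library, not by hand.
P, Q = 1000003, 1000033          # two primes (constructed for the example)
N = P * Q                         # public modulus, about 40 bits
PHI = (P - 1) * (Q - 1)
E = 65537                         # public exponent
D = pow(E, -1, PHI)               # private exponent (modular inverse, Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest_int(message: bytes) -> int:
    """SHA-256 the message and reduce the digest to an integer below N.
    The reduction is only needed because the toy modulus is far smaller
    than a 256-bit digest; real schemes pad the digest up to the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signer side: apply the private exponent to the message digest.
    Note that only the digest is signed, not the message itself."""
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Verifier side: recover the signed digest with the public exponent and
    compare it with a freshly computed digest of the message actually received."""
    n, e = public_key
    if not 0 < signature < n:         # reject out-of-range values outright
        return False
    return pow(signature, e, n) == digest_int(message)


if __name__ == "__main__":
    msg = b"Invoice 42: pay 100 USD"          # constructed sample message
    sig = sign(msg)
    print("valid signature:   ", verify(msg, sig))
    print("tampered message:  ", verify(b"Invoice 42: pay 900 USD", sig))
    print("corrupted signature:", verify(msg, sig ^ 1))
```

The tampered-message case is the property the interview answer is reaching for: because the verifier recomputes the digest itself, changing even one byte of the message after signing makes the comparison fail, and without the private exponent nobody can produce a value that the public exponent maps back onto the new digest.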