Re: [SC-L] Report Standardization to video and unit tests

2010-12-09 Thread Matt Parsons
Today I discuss a simple script that you can write in O2 to find
robots.txt. As we all know, sometimes these scripts have sensitive
information in them. Feel free to comment or e-mail me. O2 is a free
platform and an OWASP project.


http://parsonsisconsulting.wordpress.com/2010/12/08/how-to-find-robots-txt-with-02/




 --

 Matt Parsons, MSM, CISSP
 315-559-3588 Blackberry
 817-294-3789 Home office
 Do Good and Fear No Man
 Fort Worth, Texas
 A.K.A The Keyboard Cowboy
 mailto:mparsons1...@gmail.com mparsons1...@gmail.com
 http://www.parsonsisconsulting.com
 http://www.parsonsisconsultingblog.com
 http://www.o2-ounceopen.com/o2-power-users/
 http://www.linkedin.com/in/parsonsconsulting
 http://www.vimeo.com/8939668
 http://twitter.com/parsonsmatt
___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] Cross Site Request Forgery and how to find it in the wild with O2

2010-12-03 Thread Matt Parsons
I have been reading on a lot of the security blogs about how people are
exploiting crossdomain.xml with Cross Site Request Forgery. I don't blog
about how to exploit it, but rather how to find it automatically with O2.
Feel free to e-mail me with questions or comments.

http://parsonsisconsulting.wordpress.com/2010/12/02/how-to-find-crossdomain-xml-cross-site-request-forgery-with-02/

Thanks,
Matt


-- 

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.parsonsisconsultingblog.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt


[SC-L] Looking for OWASP members to have free web meetings with and work on source code assessments and web penetration testing

2010-11-24 Thread Matt Parsons
Secure Coding List and group,
I am thinking about hosting FREE web penetration and source code review web
seminars sharing tricks of the trade and giving real life examples of web
penetration testing and source code review findings. I am not doing this
to profit. I am just looking for like minds to share ideas with and spend a
couple of hours a month on a webinar. One of the first topics I would like
to go over is Dinis Cruz's O2. I wrote about it in my blog today:
http://www.parsonsisconsultingblog.com
Please reply to me off list to mparsons1...@gmail.com if you are interested.
I am trying to figure out the level of interest so I can purchase enough
phone lines for bridges and bandwidth to hold the live and recorded
webinars.  I will not spam your e-mail or share it with any other entity.
I am looking to advance the field of software security and secure the
Internet one application at a time.

Thanks,
Matt Parsons, CISSP, MSM


-- 

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.parsonsisconsultingblog.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt


[SC-L] Are people using Threat modeling?

2010-05-12 Thread Matt Parsons
Are people using threat modeling for their clients? I just started having
an interest in it with my clients, and it is amazing what you find with
threat modeling. I have been using the Microsoft Threat Analysis tool.
What other tools are people using?

Thanks,

Matt
Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office 

Do Good and Fear No Man  

Fort Worth, Texas

A.K.A The Keyboard Cowboy

mailto:mparsons1...@gmail.com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting

http://parsonsisconsulting.blogspot.com/

http://www.vimeo.com/8939668

http://twitter.com/parsonsmatt


Re: [SC-L] Introductions Matt Parsons Video Blog is there an interest

2010-05-05 Thread Matt Parsons
I have been on this list for a while and see a lot of value to the
community. I wanted to introduce myself to the software security community
through a video blog.

http://parsonsisconsulting.blogspot.com/2010/05/matt-parsons-introduction-cissp.html

I plan on doing some hands on videos demonstrating OWASP top ten
vulnerabilities.



I am interested in getting to know others on this list.  If you feel
comfortable please shoot me an email with what you do and what you hope to
achieve in the software security field.  I am not sure if others on the list
will find this valuable so I will let the moderator determine if it is
allowed.

I am also an open networker looking to expand my software security contacts
via LinkedIn: http://www.linkedin.com/in/parsonsconsulting

mparsons1...@gmail.com

 

Thanks,

Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt


Re: [SC-L] [WEB SECURITY] Re: What do you like better Web penetration testing or static code analysis?

2010-04-28 Thread Matt Parsons
I am working on a collaborative effort trying to blog daily about a
different software security bug.   I am looking for comments on my
blog on how to make it better.   Maybe eventually we can turn this
into an OWASP project.  I am really just doing this because at the
current time all I am doing is web penetration testing and I want to
make sure that I don't lose any of my code review skills.  Any
comments positive or negative would be very helpful.
http://parsonsisconsulting.blogspot.com/

Thanks,
Matt Parsons, CISSP, MSM



On Wed, Apr 28, 2010 at 12:10 AM, SneakySimian sneaky.sim...@gmail.com wrote:
 I couldn't let this one go.

 Having done both source code analysis and blackbox testing, I see
 merits in both. The failure that was the Debian SSL bug is a prime
 example of why I prefer blackbox testing. That's not to say things
 can't go wrong in blackbox testing, because they do, but not all code
 behaves the same way in the same environment, so if you actually test
 it in the environment it is running in, you can then understand why
 the code behaves the way it does. Oversimplified example:

 <?php
 // Request parameter echoed back into the page without output encoding.
 $file = $_GET['file'];

 if (file_exists($file))
 {
     echo $file;
 }
 else
 {
     echo 'File not found. :(';
 }

 Ignoring the other blatant issues with that code snippet, is that
 vulnerable to XSS? No? Are you sure? Yes? Can you prove it? As it
 turns out, it depends on a configuration setting in php.ini. The only
 real way to know if it is an issue is to run it in the environment it
 is meant to be run in. Now, that's not to say that the developer who
 wrote that code shouldn't be told to fix it in a source code analysis,
 but the point is, some issues are wholly dependent on the environment
 and may or may not get caught during code analysis. Other issues such
 as code branches that don't execute or do execute in certain
 environments can be problematic to spot during normal source code
 analysis.

 That all said, I do enjoy reading code, especially comment coding from
 other developers. :P



 On Tue, Apr 27, 2010 at 2:29 PM, Andre Gironda and...@gmail.com wrote:
 On Tue, Apr 27, 2010 at 4:08 PM, Arian J. Evans
 arian.ev...@anachronic.com wrote:
 I think everyone would agree that you definitely want to apply
 additional (deeper?) degrees of analysis and defensive
 compensating-control to high-value and high-risk assets. The tough
 question is what ruler you use to justify degree of security
 investment to degree of potential Risk/Loss.

 That requires information sharing and trend analysis, something that
 our classic vulnerability management programs have also not solved

 
 Join us on IRC: irc.freenode.net #webappsec

 Have a question? Search The Web Security Mailing List Archives:
 http://www.webappsec.org/lists/websecurity/archive/

 Subscribe via RSS:
 http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

 Join WASC on LinkedIn
 http://www.linkedin.com/e/gis/83336/4B20E4374DBA




-- 
Matt Parsons, CISSP
315-559-3588 Blackberry
817-238-3325 Home Office
mparsons1...@gmail.com
www.parsonsisconsulting.com
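The point SneakySimian makes above, that whether the quoted snippet is exploitable depends on what php.ini does to the request before the code sees it, is easiest to settle by making the output encoding explicit. The following is an added example and not code from the thread or from any of its participants: it keeps the quoted snippet as `render_unsafe()` and places a hardened `render_safe()` beside it that encodes for the HTML body context with `htmlspecialchars()` and an explicit charset, so the rendered output no longer depends on server configuration. A third, hypothetical helper `render_from_dir()` also confines the lookup to a fixed directory, which is the "other blatant issue" the post sets aside. The function names, the temporary directory and the constructed file name are assumptions of this example, and the demonstration assumes a POSIX filesystem that permits `<` and `>` in file names.

```php
<?php
// Added example, not from the original thread: the quoted snippet beside a
// hardened form whose output does not depend on php.ini settings.
declare(strict_types=1);

// Vulnerable form, as quoted in the thread: the request value is returned
// for the caller to echo without any output encoding.
function render_unsafe(string $file): string
{
    if (file_exists($file)) {
        return $file;
    }
    return 'File not found. :(';
}

// Hardened form: whatever the input looked like on arrival, encode it for
// the HTML body context before it reaches the response. ENT_QUOTES also
// encodes single quotes (attribute contexts) and the explicit 'UTF-8'
// avoids relying on default_charset from php.ini.
function render_safe(string $file): string
{
    $text = file_exists($file) ? $file : 'File not found. :(';
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defence in depth (hypothetical helper): accept only a bare file name and
// resolve it inside a fixed base directory, so the caller can neither
// traverse out of it nor probe arbitrary paths with file_exists().
function render_from_dir(string $baseDir, string $name): string
{
    $safeName  = basename($name);
    $candidate = $baseDir . DIRECTORY_SEPARATOR . $safeName;
    $real = realpath($candidate);
    $base = realpath($baseDir);
    $inside = $real !== false && $base !== false
        && strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
    $text = $inside ? $safeName : 'File not found. :(';
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demonstration: a file whose name carries markup. file_exists()
// is true for it, so the vulnerable form hands the markup back verbatim
// while the hardened forms return an encoded string.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'xss-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$markupName = '<b>hello</b>.txt';
$path = $dir . DIRECTORY_SEPARATOR . $markupName;
touch($path);

echo 'unsafe:   ', render_unsafe($path), PHP_EOL;   // markup passes through unchanged
echo 'safe:     ', render_safe($path), PHP_EOL;     // markup is entity-encoded
echo 'from dir: ', render_from_dir($dir, '../' . $markupName), PHP_EOL; // basename() drops the ../

unlink($path);
rmdir($dir);
```

Run it from the command line with `php example.php`; the difference between the first two lines is the whole argument, and it holds whatever the input-handling settings in php.ini are, because the encoding happens at the output boundary rather than being assumed on the input.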



Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-23 Thread Matt Parsons
Gary,
I was not stating which was better for security. I was stating what I
thought was more fun. I feel that penetration testing is sexier. I find
penetration testing like driving a Ferrari and static code analysis like
driving a Ford Taurus. I believe with everyone else on this list that
software security needs to be integrated early in the development life
cycle. I have also read most of your books and agree with your findings.
As you would say, I don't think that penetration testing is magic security
pixie dust, but it is fun when you are doing it legally and ethically. My
two cents.
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office 
Do Good and Fear No Man  
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt

-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
On Behalf Of Gary McGraw
Sent: Thursday, April 22, 2010 2:15 PM
To: Peter Neumann; Secure Code Mailing List
Subject: Re: [SC-L] What do you like better Web penetration testing or
static code analysis?

I hereby resonate with my esteemed colleague and mentor pgn.  But no puns
from me.

gem


On 4/22/10 1:57 PM, Peter Neumann neum...@csl.sri.com wrote:



Matt Parsons wrote:
 What do you like doing better as application security professionals, web
 penetration testing or static code analysis?

McGovern, James F. (P+C Technology) wrote:
 Should a security professional have a preference when both have
 different value propositions? While there is overlap, a static analysis
 tool can find things that pen testing tools cannot. Likewise, a pen test
 can report on secure applications deployed insecurely which is not
 visible to static analysis.

 So, the best answer is I prefer both...

Both is better than either one by itself, but I think Gary McGraw
would resonate with my seemingly contrary answer:

  BOTH penetration testing AND static code analysis are still looking
  at the WRONG END of the horse AFTER it has left the DEVELOPMENT BARN.
  Gary and I and many others have for a very long time been advocating
  security architectures and development practices that greatly enhance
  INHERENT TRUSTWORTHINESS, long before anyone has to even think about
  penetration testing and static code analysis.

  This discussion is somewhat akin to arguments about who has the best
  malware detection.  If system developers (past-Multics) had paid any
  attention to system architectures and sound system development
  practices, viruses and worms would be mostly a nonproblem!

  Please pardon my soapbox.

The past survives.
The archives
have lives,
not knives.
High fives!

(I strive
to thrive
with jive.)

PGN


Re: [SC-L] I have not seen many people comment on the new OWASP top Ten What does every one think I blogged about it from my perspective. I am interested in hearing about other peoples experience with

2010-04-21 Thread Matt Parsons
I have not seen many people comment on the new OWASP top Ten. What does
everyone think? I blogged about it from my perspective. I am interested in
hearing about other people's experience with it.

http://parsonsisconsulting.blogspot.com/2010/04/parsons-response-to-owasp-top-10-in.html

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668
http://twitter.com/parsonsmatt


Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-15 Thread Matt Parsons
What do you like doing better as application security professionals, web
penetration testing or static code analysis?

I offered my thoughts in today's blog.

http://parsonsisconsulting.blogspot.com/2010/04/what-do-you-like-better-secure-code.html

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668


[SC-L] any one a CSSLP is it worth it?

2010-04-13 Thread Matt Parsons
I am a CISSP with programming experience, static code analysis and web
penetration testing. I am thinking about taking the CSSLP. I just bought
the review book. Is it worth getting this certification? Is it going to
raise my rates and help me get more contracts? Is the GIAC better, or
should I pursue both or neither? I wrote about the first concept of the
CSSLP on my blog. Any feedback would be greatly appreciated.

http://parsonsisconsulting.blogspot.com/

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668


[SC-L] has any one completed a python security code review`

2010-04-05 Thread Matt Parsons
Has anyone completed a python security code review? What would you look for
besides inputs, outputs and dangerous functions? Do any of the commercial
static code analysis vendors scan that code? I would think not because
python is not compiled at run time like the other languages that static
analysis tools can scan. Any help would be greatly appreciated.

Thanks,

Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668


[SC-L] working on java security help from experts

2010-04-01 Thread Matt Parsons
I am trying to become an expert in source code review in java application
security. Are there any experts on this list that are willing to share some
of their knowledge? I am reading Java Security by Scott Oaks and I am
rereading all of the Sun Docs on java security. Any help would be greatly
appreciated.

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668


Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about

2010-03-17 Thread Matt Parsons
I am not suggesting exposing zero days. I only want known vulnerabilities
in applications like web goat etc that are known to everyone. I don't even
plan on naming where each vulnerability comes from but rather instead change
the code to protect the innocent. I would never encourage promoting sharing
zero days. I hope this clears it up.

Thanks,

Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668

From: Arshan Dabirsiaghi [mailto:arshan.dabirsia...@aspectsecurity.com] 
Sent: Tuesday, March 16, 2010 2:49 PM
To: McGovern, James F. (P+C Technology); Matt Parsons;
owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: RE: [WEB SECURITY] RE: [SC-L] blog post and open source
vulnerabilities to blog about

I'm not sure Matt was suggesting burning sharing 0days, but if he was, I
think he should not be discouraged. I think disclosure preference should be
something like a protected class within OWASP.

Arshan

From: McGovern, James F. (P+C Technology)
[mailto:james.mcgov...@thehartford.com] 
Sent: Tuesday, March 16, 2010 2:36 PM
To: Matt Parsons; owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [WEB SECURITY] RE: [SC-L] blog post and open source vulnerabilities
to blog about

This doesn't feel like responsible disclosure and is not the way to announce
weaknesses in software. It is best to deal with scenarios that have already
been addressed.

From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
On Behalf Of Matt Parsons
Sent: Tuesday, March 16, 2010 11:41 AM
To: owaspdal...@utdallas.edu
Cc: websecur...@webappsec.org; SC-L@securecoding.org
Subject: [SC-L] blog post and open source vulnerabilities to blog about

Hello,

I am working on a software security blog and I am trying to find open source
vulnerabilities to present and share. Does anyone else have any open source
vulnerabilities that they could share and talk about? I think this could
be the best way to learn in the open source community about security. I
have a few but I would like to blog about a different piece of code almost
every day.

God Bless.
Matt

http://parsonsisconsulting.blogspot.com/

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668


[SC-L] market for training CISSPs how to code

2010-03-17 Thread Matt Parsons
I have been a programmer and a security analyst for a few years now. When
I first started, developers told me I didn't know how to code well enough and
CISSPs told me I didn't have enough security experience. Has anyone had
any success training CISSPs and non-programmers how to write code securely
and training developers how to become CISSPs and learn how to penetration
test? If not, does everyone think that there would be a market for such
training?

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668


[SC-L] black berry security

2010-03-12 Thread Matt Parsons
I had too many files open on my BlackBerry last night while listening to
music. It produced a Java runtime error. It made me think about
BlackBerry security. What is the threat to BlackBerrys and having them
write secure code and have it undergo a security review? Has anyone worked
on mobile app security? I find it very interesting and would like to get
involved. I wrote about it on my blog.

http://parsonsisconsulting.blogspot.com/

All the best.

Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
Do Good and Fear No Man
Fort Worth, Texas
A.K.A The Keyboard Cowboy
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/
http://www.vimeo.com/8939668


[SC-L] USA today article Cyber Crimes and software security evangelism

2010-03-10 Thread Matt Parsons
I was reading the USA Today and it stated more cyber criminals are getting
away with cyber crimes. I was thinking that this brings more value to us
that are concerned about software security and can help evangelize and fix
the problem. God Bless.

Matt

http://parsonsisconsulting.blogspot.com/

http://www.usatoday.com/news/snapshot.htm

Matt Parsons, MSM, CISSP

315-559-3588 Blackberry

817-294-3789 Home office 

Do Good and Fear No Man  

Fort Worth, Texas

A.K.A The Keyboard Cowboy

mailto:mparsons1...@gmail.com

http://www.parsonsisconsulting.com

http://www.o2-ounceopen.com/o2-power-users/

http://www.linkedin.com/in/parsonsconsulting

http://parsonsisconsulting.blogspot.com/

http://www.vimeo.com/8939668

 



Re: [SC-L] win win for owasp and television spots

2010-01-22 Thread Matt Parsons
Ladies and Gentlemen,
I am starting to get approached by a few television stations to talk about
application security.  I would like to promote OWASP in these talks.  What
would be the best way to do it professionally and competently?

See the news story below.

Thanks,
Matt


http://www.the33tv.com/news/kdaf-password-security-jim,0,3650695.story



Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office 
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/






Re: [SC-L] Blog skiers versus snowboarders CISSPs vs programmers

2010-01-12 Thread Matt Parsons
I wrote a blog on the state of software security using the analogy of skiers
versus snowboarders in the early 90's.

Please let me know your thoughts and comments by replying to this list or my
blog.

http://parsonsisconsulting.blogspot.com/

 

Thanks,
Matt



Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office 
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting
http://parsonsisconsulting.blogspot.com/







Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-05 Thread Matt Parsons
From what I read it appears that this Java EE 6 could be a few rule
changers.  It looks to me like Java is checking for authorization and
authentication with this new framework.  If that is the case, I think that
static code analyzers could change their rule sets to check what normally is
a manual process in the code review of authentication and authorization.
Am I correct in my assumption?

Thanks,
Matt


Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office 
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting






-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org]
On Behalf Of Kenneth Van Wyk
Sent: Tuesday, January 05, 2010 8:59 AM
To: Secure Coding
Subject: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security
made simple ! | Core Security Patterns Weblog

Happy new year SC-Lers.

FYI, interesting blog post on some of the new security features in Java EE
6, by Ramesh Nagappan.  Worth reading for all you Java folk, IMHO.

http://www.coresecuritypatterns.com/blogs/?p=1622 


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator




Re: [SC-L] Questions asked on job interview for application security/penetration testing job

2009-03-22 Thread Matt Parsons
Here are the answers that I was given for the following questions by a
non-technical recruiter.

1.  What are the security functions of SSL?  Encryption and authentication.

2.  What is a 0 by 90 bytes error?  Buffer overflow.

3.  What is a digital signature, Not what it is?  The sender's message is
encrypted with the sender's private key and attached like a signature to an
encrypted message to ensure that the person is who he claims to be.  The
recipient uses the sender's public key to decrypt the signature.

4.  What is the problem of having a predictable sequence of bits in TCP/IP?
TCP/IP session hijacking.  I also thought it was a man-in-the-middle attack.

5.  What is heap memory?  A heap memory pool is an internal memory pool
created at start-up that tasks use to dynamically allocate memory as needed.

6.  What is a system call?  Call from the operating system.

7.  What is two-factor authentication?  Use of something you know, something
you have, something you are.

Thanks

Matt Parsons

Matt Parsons, CISSP

From: Matt Parsons [mailto:mparsons1...@gmail.com] 
Sent: Saturday, March 21, 2009 4:44 PM
To: 'Secure Code Mailing List'
Subject: RE: Questions asked on job interview for application
security/penetration testing job

 

Ladies and gentlemen,

I was asked the following questions on a job phone interview and wondered
what the proper answers were.  I was told their answers after the
interview.  I was also told that the answers to these questions were one or
two words.  In the beginning of next week I will post what they told me
were the proper answers.  Any references would be greatly appreciated.

1.  What are the security functions of SSL?

2.  What is a 0 by 90 bytes error?

3.  What is a digital signature, Not what it is?

4.  What is the problem of having a predictable sequence of bits in TCP/IP?

5.  What is heap memory?

6.  What is a system call?

7.  What is two-factor authentication?

Thanks

Matt

Matt Parsons, CISSP

Parsons Software Security Consulting, LLC

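Added illustration of answer 3 in the message above; this is not code from the thread or from anyone posting in it. It is a toy RSA signature in Python that makes explicit what the recruiter's wording blurs: the private key is applied to a hash of the message, the message itself travels alongside the signature, and the verifier recomputes the hash and compares it with the value recovered using the public key, so any change to the message makes verification fail. The two primes, the public exponent and the sample message are constructed for the example; the key size is deliberately tiny so it runs instantly and is not usable for anything real.

```python
"""Toy RSA digital signature: sign a SHA-256 digest with the private key,
verify it with the public key.  Added example, not from the SC-L thread.

The primes below are constructed for illustration and are far too small
for real use; production code uses 2048-bit or larger keys, a padding
scheme such as RSASSA-PSS, and a vetted library rather than bare pow().
"""
import hashlib

# Constructed, insecure-sized primes (illustration only).
P = 1000000007
Q = 998244353
E = 65537  # conventional public exponent


def keygen(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def message_digest(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into the RSA modulus.

    The digest, not the message, is what gets signed; the message itself
    is sent next to the signature (in the clear or encrypted separately).
    """
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(private_key, message: bytes) -> int:
    """Signer side: apply the private exponent d to the digest."""
    n, d = private_key
    return pow(message_digest(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Verifier side: apply the public exponent e to the signature and
    compare the result with a freshly computed digest of the message."""
    n, e = public_key
    return pow(signature, e, n) == message_digest(message, n)


def demo():
    """Sign a constructed message and show that tampering is detected.

    Returns (verification of the original, verification of a modified
    message against the same signature)."""
    public_key, private_key = keygen()
    message = b"wire transfer: pay $100 to account 42"  # constructed sample
    sig = sign(private_key, message)
    ok = verify(public_key, message, sig)
    tampered = verify(public_key, b"wire transfer: pay $900 to account 42", sig)
    return ok, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Running the file prints `(True, False)`: the untouched message verifies, the edited one does not, even though the edit never touched the signature. Note that nothing here hides the message; a signature gives integrity and origin, and confidentiality is a separate step with the recipient's key.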