Re: [SC-L] The Organic Secure SDLC

2011-07-19 Thread Paco Hope
To clarify further, this is not meant to be prescriptive or even a set of best practices. It's a simple observation on how many organizations tend to evolve if secure SDLC is not a major priority. I can't say it's based on hard data but we have compiled the steps from experiences at several

Re: [SC-L] The Organic Secure SDLC

2011-07-19 Thread Paco Hope
into the SMB market where most software is written. Don't get me wrong, BSIMM is very interesting data and is useful. But a comprehensive secure software lifecycle for every company it is not. - Jim Manico On Jul 19, 2011, at 9:35 AM, Paco Hope p...@cigital.com wrote: Think

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Paco Hope
On 14 Apr 2010, at 16:24, Wall, Kevin wrote: I just reread your Dark Reading post and I must say I agree with it almost 100%. The only part where I disagree with it is where you wrote: The multiple choice test itself is one of the problems. I have discussed the idea of using

Re: [SC-L] web apps are homogenous?

2010-02-24 Thread Paco Hope
patch for a handful of homogenous systems. I don't think webness conveys any more homogeneity than, say windowsness or linuxness. What part of being a web application provides homogeneity in a way that makes patching cheaper? Paco -- Paco Hope, CISSP - CSSLP Technical Manager, Cigital, Inc

Re: [SC-L] Source or Binary

2009-07-30 Thread Paco Hope
of their execution than an equivalent native-code program would. Paco -- Paco Hope, CISSP, CSSLP Technical Manager, Cigital, Inc http://www.cigital.com/ - +1.703.585.7868 Software Confidence. Achieved. ___ Secure Coding mailing list (SC-L) SC-L

Re: [SC-L] CSSLP

2009-03-23 Thread Paco Hope
, the law moves in. We need to be on the right side, shaping those laws, not avoiding them. (Apologies to our international audience for an intensely US-centric metaphor) Paco -- Paco Hope, CISSP, CSSLP Technical Manager, Cigital, Inc http://www.cigital.com/ - +1.703.585.7868 Software Confidence

Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

2009-03-19 Thread Paco Hope
that you didn't have before is just as overly-simplistic as someone who disparages all credentials equally. It just isn't a black and white world. Paco -- Paco Hope, CISSP, CSSLP Technical Manager, Cigital, Inc http://www.cigital.com/ - +1.703.585.7868 Software Confidence. Achieved

Re: [SC-L] Security in QA is more than exploits

2009-02-05 Thread Paco Hope
, but taking your good approach and extending it a step farther. Cheers, Paco -- Paco Hope, CISSP - CSSLP Technical Manager, Cigital, Inc. http://www.cigital.com/ - +1.703.585.7868 Software Confidence. Achieved.

Re: [SC-L] Security in QA is more than exploits

2009-02-04 Thread Paco Hope
All, I just read Robert's blog entry about re-aligning training expectations for QA. (http://bit.ly/157Pc3) It has some useful points that both developers and so-called security people need to hear. I disagree with some implicit biases, however, and I think we need to get past some stereotypes

Re: [SC-L] Survey

2008-08-26 Thread Paco Hope
in the survey. It's a shame we've gone off on a tangent about the value of validating HTML. Paco -- Paco Hope, CISSP Technical Manager, Cigital, Inc http://www.cigital.com/ * +1.703.585.7868 Software Confidence. Achieved.

Re: [SC-L] Survey

2008-08-24 Thread Paco Hope
Clearly the survey's content is only of interest if the HTML validates. On Aug 24, 2008, at 9:47 AM, ljknews wrote: At 2:43 PM -0400 8/22/08, Gary McGraw wrote: BankInfoSecurity is running a survey on software security that some of you may be interested in participating in.

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-26 Thread Paco Hope
categorically say (none of us being RealNetworks people) that they made the wrong decision. We don't have the information. Paco -- Paco Hope, CISSP Technical Manager, Cigital, Inc http://www.cigital.com/ * +1.703.585.7868 Software Confidence. Achieved

Re: [SC-L] Building Security In vs Auditing

2007-01-04 Thread Paco Hope
Gary, I would love a little refinement of the benefits to badnessometers. Let's say I get a tool to tell me something I already suspect is wrong, what percentage of the population are better than they expected? I won't speak for Gary, but working a few doors down I have seen a few of the same

Re: [SC-L] auditing

2004-05-03 Thread Paco Hope
of the benefits. You can run it under VirtualPC on MacOS X, but it's a bit slow. When I do source code audits of very large projects and I have to grok large sets of intertwining code, this is a decent navigation tool. Paco -- Paco Hope, CISSP Senior Software Security Consultant Cigital, Inc. http

Re: [SC-L] virtual server - IPS

2004-03-31 Thread Paco Hope
he was hoping for. It's a host-based question, and the network is not the right place to solve it. Paco -- Paco Hope, CISSP Senior Software Security Consultant Cigital, Inc. http://www.cigital.com/ -- +1.703.404.5769