Re: [SC-L] informIT: Building versus Breaking

2011-09-05 Thread Stephen Craig Evans
Stephen P.S. One might argue that a whitehat or security researcher can't change sides and go into prevention, or in other words, be a Builder instead of a Breaker. They can't because they don't have the skills to do it. Which is precisely my point. On Fri, Sep 2, 2011 at

Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Stephen Craig Evans
Sergio, "Blackhat IS about breaking stuff, the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to protect better themse

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread Stephen Craig Evans
Hi Ken, Looks like there's another one: Symantec Y2K10 Date Stamp Bug Hits Endpoint Protection Manager http://www.eweek.com/c/a/Security/Symantec-Y2K10-Date-Stamp-Bug-Hits-Endpoint-Protection-Manager-472518/?kc=EWKNLSTE01072010STR1 I am VERY curious to learn how these happened... Only using the

Re: [SC-L] OWASP Podcast #16

2009-04-10 Thread Stephen Craig Evans
Hi Jim, I check the web site daily before you even announce the podcasts. Tremendous stuff as you don't lob softball questions plus you get quickly to the point. Thanks for your effort; I've learned a lot from them already. Keep up the great work, Stephen On Fri, Apr 10, 2009 at 1:16 AM, Jim M

Re: [SC-L] SANS/CWE Top 25: "The New Standard" for Webappsec

2009-01-19 Thread Stephen Craig Evans
Hi Arian, " SANS has spoken and I think that is a pretty clear indication what is going on)" Have you been watching Wizard of Oz re-reruns again? This sentence sounds too much like "The Mighty Oz has spoken" :-) Cheers, Stephen On Sat, Jan 17, 2009 at 11:39 AM, Arian J. Evans wrote: > Hel

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-12-01 Thread Stephen Craig Evans
Hi Mark, What I have seen is that the organization develops security standards/guidelines and secure coding guidelines tailored to the org. If the org is big enough to have its own security team, then they do it; if not, then they hire consultants to do it. It's not too difficult to find out among

Re: [SC-L] Introducing my OWASP Summer of Code project, "Securing WebGoat using ModSecurity"

2008-11-30 Thread Stephen Craig Evans
Hi Jim, First, I have to point out - which I do in the documentation - that it wasn't possible to solve every WebGoat lesson for real-world implementation (e.g. session management, concurrent file access, a million users :-). That would take somebody 2 to 3 years to do. So some lesson solutions ad

[SC-L] Introducing my OWASP Summer of Code project, "Securing WebGoat using ModSecurity"

2008-11-29 Thread Stephen Craig Evans
Hi, I did an OWASP Summer of Code 2008 project, "Securing WebGoat using ModSecurity" (actually, it expanded into a Fall of Code project too :-) First, the project should have been named "Protecting WebGoat using ModSecurity" but by the time I figured it out, it was too late to change the title.

Re: [SC-L] Silver Bullet and informIT: Jeremiah Grossman

2008-11-29 Thread Stephen Craig Evans
Hi Gary, I think you were on the right path describing software security and illustrating the difference between software security and web app security (even though I don't think it was intentional) when you talked about Pervasive Computing in a BankInfoSecurity podcast (starting at 5 min 10 sec).

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Stephen Craig Evans
"... and demand that they deliver code that is so locked down that it cannot misbehave". Your premise is so incorrect that I advise that if you are truly interested in answering your questions (as opposed to a purely academic or other exercise), then you should hire a security specialist to help y

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-27 Thread Stephen Craig Evans
; wrote: > > On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote: > > > > Hi Gunnar, > > I apologize to everybody if I have come across as being harsh. > > >From my 8 years of experience of living in Asia and being actively > involved as a developer and wor

Re: [SC-L] Regional differences in software security

2008-11-27 Thread Stephen Craig Evans
I'll preface what I'm going to say with: - I don't work in the financial vertical or government defense, but from conversations with colleagues, I think that they get it (they have to) - My sphere of experience excludes Australia, India, and Japan: - Oz has on average a high skill set of s/w en

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Stephen Craig Evans
y, willing and possibly able to be proven wrong on this point and > maybe there is a cost effective way to deploy least privilege in the real > world just want to make sure that i communicate my argument. > > -gunnar > (who is now letting go) > > On Nov 25, 2008, at 12:07 PM, Steph

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
he greatest, deepest respect to both of you, Stephen On Wed, Nov 26, 2008 at 1:01 AM, Stephen Craig Evans <[EMAIL PROTECTED]> wrote: > Gunnar, > > Developers have no power. You should be talking to the decision makers. > > As an example, to instill the importance of software secur

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
ROTECTED]> wrote: > Sorry I didn't realize "developers" is an offensive ivory tower in other > parts of the world, in my world it's a compliment. > > -gunnar > > On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote: > >> Hi, >> >> "maybe t

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
Hi, "maybe the problem with least privilege is that it requires that developers:..." IMHO, your US/UK ivory towers don't exist in other parts of the world. Developers have no say in what they do. Nor do they care about software security, and why should they care? So, at least, change your nomenc

Re: [SC-L] Survey

2008-08-26 Thread Stephen Craig Evans
Hi Jim, " There are plenty of sites that are perfectly x/html valid that are completely insecure." Well, perhaps too many people have been listening to this drumbeat: "In fact, a non-developer: such as someone in marketing who uses Dreamweaver, could also do almost as much as a normal WAF by savi

Re: [SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-07-01 Thread Stephen Craig Evans
Hi Michael, > So, unfortunately for the WAF vendors, people can just use a static source > code analysis tool or a web application vulnerability scanner instead of > purchasing and deploying a WAF. I don't know much about PCI 6.6 (yet), but don't the organizations have to mitigate the vulnerabili

Re: [SC-L] InformIT: budgeting for software security

2008-04-13 Thread Stephen Craig Evans
Hi Jim, Wow, that's a flimsy connect-the-dots if I've ever seen one :-) We could have fun with this but I don't want to stray 100% off-topic (if we're not there already). Very coincidentally, I watched South Park Season 10 Episode 6 after my first post. I rest my case. I'm sure Al Gore's appearanc

Re: [SC-L] InformIT: budgeting for software security

2008-04-11 Thread Stephen Craig Evans
Hi Jim, I am an infosec newbie but a fierce historian. I have read your previous posts and I completely respect you. I cannot agree with your premise that resources are limited on Planet Earth. There are gobs and gobs of oil to be had within the boundaries of the United States but the eco-nazis h

Re: [SC-L] quick question - SXSW

2008-04-10 Thread Stephen Craig Evans
Hi Andrew, I was reminded of what you said in your post when I read the beginning of this prezo description from HITB 2007: "Using a lethal combination of various client side attacks we'll smash the same origin policy, punch our way through your firewall, and dropkick an Oracle database on your in

Re: [SC-L] InformIT: budgeting for software security

2008-04-10 Thread Stephen Craig Evans
Hi Gary, How can any security conference that has Al Gore as a keynote speaker be taken seriously? What does 'green technology' have to do with infosec? And why is his keynote the only one with the tag "*(Please note that this keynote session will not be available via webcast replay.)"? *Now there

Re: [SC-L] Silver Bullet turns 2: Mary Ann Davidson

2008-04-04 Thread Stephen Craig Evans
Gary, Great interview. You've had some powerhouse interviews recently, for example with Chris Wysopal ("my dream is that a static tool can fix business logic flaws") and Ed Amoroso ("security researchers are the bomb defusers of the Internet"). I laughed at your blunt comment: "that would be grea