Rohit Sethi wrote:
Recently I sent a note about the Organic Progression of the Secure SDLC.
One of the major points that we raise in that model is the difficulty with
Climbing the Wall: Getting the lines of business to commit resource
to application/software security. This is one of the most
Gary McGraw wrote:
This month's informIT article covers the zombies:
* Software security defects come in two main flavors—bugs at the
implementation level (code) and flaws at the architectural level (design)
So, two questions:
1) How is this (software *security* defects) different than
Has anyone had to deal with the following HIPAA compliance requirements
within a custom application before:
Implement electronic mechanisms to corroborate that electronic
protected health information has not been altered or destroyed in
On Tue 4/26/2011 11:13 AM, Rohit Sethi wrote:
It sounds like people generally deal with this through techniques
outside of the application logic itself such as checksums and/or
digital signatures on files / database values that contain protected
health information. My initial thought was
On Feb 15, 2011, at 12:06 AM, Chris Schmidt chrisisb...@gmail.com wrote:
On Feb 14, 2011, at 8:57 AM, Wall, Kevin kevin.w...@qwest.com wrote:
So on a somewhat related note, does anyone have any idea as to how common it
application developers to call ServletRequest.getLocale
Jim Manico wrote...
It's not that tough to blacklist this vuln while you are waiting for your
team to patch your JVM (IBM and other JVMs have not even patched yet).
I've seen three generations of this filter already. Walk with me, Rafal and
I'll show you. :)
1) Generation 1 WAF
On October 20, 2010, Benjamin Tomhave wrote:
If I understand this all correctly (never a safe bet), it seems these
are actual attacks on Java, not on coding with Java. Ergo, this isn't
something ESAPI can fix, but rather fundamental problems. What do you
think? Overblown? Legit?
On Sep 10, 2010, at 5:34 PM, smurray1 smurr...@nycap.rr.com wrote:
I have been discussing an issue with an organization that is having
an issue with malware on its customers' clients that is intercepting
user credentials and using them to create fraudulent transactions.
Gary McGraw wrote...
Way back on May 9, 2007 I wrote my thoughts about
certifications like these down. The article, called
Certifiable was published by darkreading:
I just reread your Dark Reading post
Jeremiah Heller writes...
do security professionals really want to wipe hacking
activity from the planet? sounds like poor job security to me.
Even though I've been involved in software security for the
past dozen years or so, I still think this is a laudable goal,
albeit a completely
Dana Epp wrote:
Not sure that would work either though.
My comment was meant tongue-in-cheek. Guess I used the wrong
emoticon. Figured that ';-)' would work 'cuz I never can remember
the one for tongue-in-cheek. I've seen several variations of the
:-? :-Q :-J
Benjamin Tomhave wrote:
... we're looking for hard research or
numbers that cover the cost to catch bugs in code pre-launch and
post-launch. The notion being that the organization saves itself money
if it does a reasonable amount of QA (and security testing)
up front vs trying to chase
On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:
Among other things, David [Rice] and I discussed the difference between
descriptive models like BSIMM and prescriptive models which purport to
tell you what you should do. I just wrote an article about that for
informIT. The title is
Stephen Craig Evans wrote...
Looks like there's another one:
Symantec Y2K10 Date Stamp Bug Hits Endpoint Protection Manager
I am VERY curious to learn how these
Larry Kilgallen wrote...
At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote:
I am VERY curious to learn how these happened... Only using the last
digit of the year? Hard for me to believe. Maybe it's in a
and somebody tried to be too clever with some bit-shifting.
Steve Christey wrote...
I wonder what would happen if somebody offered $1 to the first applied
researcher to find a fault or security error. According to
overflows, memory leaks, and other issues are not present. Maybe
Thought there might be several on this list who might appreciate
this, at least from a theoretical perspective but had not seen
it. (Especially Larry Kilgallen, although he's probably already seen it. :)
Ben Tomhave wrote:
Wall, Kevin wrote:
I don't mean to split hairs here, but I think fundamental concept
vs intermediate-to-advanced concept is a red herring. In your case
of you teaching a 1 yr old toddler, NO is about the only thing
they understand at this point. That doesn't imply
James McGovern wrote...
- Taking this one step further, how can we convince
professors who don't
teach secure coding to not accept insecure code from their students.
Professors seed the students thinking by accepting anything
works at the last minute. Universities need to be
Brad Andrews writes...
I had proofs in junior high Geometry too, though I do not recall using
them outside that class. I went all the way through differential
equations, matrix algebra and probability/statistics and I don't
recall much focus on proofs. This was in the early 1980s in a good
Karen Goertzel wrote...
I'm more devious. I think what needs to happen is that we
need to redefine what we mean by functionally correct or
quality code. If determination of functional correctness
were extended from must operate as specified under expected
conditions to must operate as
Arian J. Evans wrote...
The problem I had in the past with benchmarks was the huge degree of
customization in each application I would test. While patterns emerge
that are almost always automatable to some degree, the technologies
almost always require hand care-and-feeding to get them to an
In a message dated July 30, 2009 10:09 AM EDT, Paco Hope wrote...
The Java Virtual Machine is a theoretical machine, and Java
code is compiled
down to Java bytecode that runs on this theoretical machine.
The Java VM is
the actual Windows EXE that runs on the real hardware. It reads these
I have been working on developing a series of documents to turn the
ideas encompassed on this list and in what I can find in books
articles. I am not finding, and it may just be I am looking in the
wrong places, for any information on how people are actually
James McGovern wrote...
Maybe folks are still building square windows because we haven't
realized how software fails and can describe it in terms of a pattern.
The only pattern-oriented book I have run across in my travels is the
Core Security Patterns put out by the folks at Sun. Do you
James McGovern apparently wrote...
The uprising from customers may already be starting. It is
called open source. The real question is what is the duty of
others on this forum to make sure that newly created software
doesn't suffer from the same problems as the commercial
Benjamin Tomhave wrote...
This is completely unsurprising. Apparently nobody told the agile
dev community that they still need to follow all the secure coding
practices preached at the traditional dev folks for eons. XSS,
redirects, and SQL injection attacks are not revolutionary, are not
Crispin Cowan wrote...
True, but that doesn't mean runtime portability isn't a
good thing to aim for.
It means that compromising performance to obtain runtime portability
that does not actually exist is a poor bargain.
To me, the bigger loss than performance is all
In response to a post by Jerry Leichter, Gadi Evron wrote...
A bridge is a single-purpose device. A watch is a simple
purpose computer, as was the Enigma machine, if we can call
Multi-purpose computers or programmable computers are where
our problems start. Anyone can DO and
Tim Hollebeek writes...
Really, the root of the problem is the fact that the simple version
is short and easy to understand, and the secure version is five
times longer and completely unreadable. While there always is some
additional complexity inherent in a secure version, it is nowhere
First a bit of background and a confession.
The background: I recently attended a local 4 hr
Microsoft training seminar called Get Connected with the
.NET Framework 2.0 and Visual Studio(c) 2005. However, I
want to clarify that this example is NOT just a Microsoft
issue. It's an industry-wide
Regarding your remarks about writing perfectly secure code...
And your remarks about Ross Anderson...
Ross Anderson once said that secure software engineering is about
building systems to remain dependable in the face of malice, error,
or mischance. I think he has something
David Eisner wrote...
Wall, Kevin wrote:
The correct attribution for bringing this up (and the one whom you are
quoting) is Dinis Cruz.
same intuition about the verifier, but have just tested
this and it is not the case. It seems that the -noverify is the
default setting! If you want
Dinis Cruz wrote...
Finally, you might have noticed that whenever I talked
about 'managed code', I mentioned 'managed and verifiable code',
the reason for this distinction, is that I discovered recently
that .Net code executed under Full Trust can not be
Joel Kamentz wrote...
Also, shouldn't it be easy enough to steal one of these and lift a fingerprint
from it with scotch tape and then be able to get at all of the passwords in the
If that didn't work, the gummy bear approach probably would.
Kevin W. Wall Qwest Information
Matt Setzer wrote...
It's been kind of quiet around here lately - hopefully just because everyone
is off enjoying a well deserved summer (or winter, for those of you in the
opposite hemisphere) break. In an effort to stir things up a bit, I thought
I'd try to get some opinions about good
David Crocker wrote...
I think there are two other questions that should be asked before
trying to answer this:
1. Is it appropriate to look for a single general purpose programming
language? Consider the following application areas:
a) Application packages
b) Operating systems, device
that a declarative programming
language is a high-level language that describes a problem rather
than defining a solution, but that pretty much sounds like your
definition of a specification language.
Kevin W. Wall Qwest Information Technology, Inc.
[EMAIL PROTECTED] Phone
I think the discussion regarding the thread
Re: [SC-L] Education and security -- another perspective
(was ACMQueue - Content)
is in part becoming a debate of language X vs language Y. Instead,
I'd like to take this thread off into another direction (if Ken
thinks it's appropriate to
David Crocker wrote...
There is a tendency to regard every programming problem as an
O-O problem. Sometime last year I read a thread on some
programming newsgroup in which contributors argued about the
correct way to write a truly O-O Hello world program. All
the solutions provided were
Fernando Schapachnik wrote...
I've considered 'secure coding' courses, and the idea always
looks kind of oversized. How much can you teach that students can't read
themselves from a book? Can you fill a semester with that? I'm
interested in people's experiences here.
I suppose that depends
In Ken van Wyk's cited article at
As I said above, user awareness training is a fine practice
that shouldn't be abandoned. Users are our first defense
against security problems, and they should certainly be
Kenneth R. van Wyk wrote...
FYI, there's an ACM Queue issue out that focuses on security -- see
Two articles there that should be of interest to SC-L readers include
Marcus Ranum's Security: The root of the problem
Dana Epp wrote...
For those of us who write kernel mode / ring0 code, what language are
you suggesting we write in? Name a good typesafe language that you have
PRACTICALLY seen to write kernel mode code in. Especially on Windows and
the Linux platform. I am not trying to fuel