Re: [SC-L] How have you climbed the wall?

2011-07-28 Thread Wall, Kevin
Rohit Sethi wrote: Recently I sent a note about the Organic Progression of the Secure SDLC. One of the major points that we raise in that model is the difficulty with Climbing the Wall: Getting the lines of business to commit resource to application/software security. This is one of the most

Re: [SC-L] informIT: software security zombies

2011-07-21 Thread Wall, Kevin
Gary McGraw wrote: This month's informIT article covers the zombies: [snip] * Software security defects come in two main flavors—bugs at the implementation level (code) and flaws at the architectural level (design) So, two questions: 1) How is this (software *security* defects) different than

Re: [SC-L] Question about HIPAA Compliance in application development

2011-04-26 Thread Wall, Kevin
Rohit, You wrote: Has anyone had to deal with the following HIPAA compliance requirements within a custom application before: §164.312(c)(2) Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized

Re: [SC-L] Question about HIPAA Compliance in application development

2011-04-26 Thread Wall, Kevin
On Tue 4/26/2011 11:13 AM, Rohit Sethi wrote: It sounds like people generally deal with this through techniques outside of the application logic itself such as checksums and/or digital signatures on files / database values that contain protected health information. My initial thought was

Re: [SC-L] Java DOS

2011-02-15 Thread Wall, Kevin
On Feb 15, 2011, at 12:06 AM, Chris Schmidt wrote: On Feb 14, 2011, at 8:57 AM, Wall, Kevin wrote: [snip] So on a somewhat related note, does anyone have any idea as to how common it is for application developers to call ServletRequest.getLocale

Re: [SC-L] Java DOS

2011-02-14 Thread Wall, Kevin
Jim Manico wrote... Rafal, It's not that tough to blacklist this vuln while you are waiting for your team to patch your JVM (IBM and other JVMs have not even patched yet). I've seen three generations of this filter already. Walk with me, Rafal and I'll show you. :) 1) Generation 1 WAF

Re: [SC-L] Java: the next platform-independent target

2010-10-21 Thread Wall, Kevin
On October 20, 2010, Benjamin Tomhave wrote: snip If I understand this all correctly (never a safe bet), it seems these are actual attacks on Java, not on coding with Java. Ergo, this isn't something ESAPI can fix, but rather fundamental problems. What do you think? Overblown? Legit?

Re: [SC-L] Solution for man-in-the-browser

2010-09-11 Thread Wall, Kevin
On Sep 10, 2010, at 5:34 PM, smurray1 wrote: Hello, I have been discussing an issue with an organization that is having an issue with malware on its customers' clients that is intercepting user credentials and using them to create fraudulent transactions.

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wall, Kevin
Gary McGraw wrote... Way back on May 9, 2007 I wrote my thoughts about certifications like these down. The article, called Certifiable was published by darkreading: I just reread your Dark Reading post

Re: [SC-L] [WEB SECURITY] RE: How to stop hackers at the root cause

2010-04-14 Thread Wall, Kevin
Jeremiah Heller writes... do security professionals really want to wipe hacking activity from the planet? sounds like poor job security to me. Even though I've been involved in software security for the past dozen years or so, I still think this is a laudable goal, albeit a completely

Re: [SC-L] any one a CSSLP is it worth it?

2010-04-14 Thread Wall, Kevin
Dana Epp wrote: Not sure that would work either though. Dana, My comment was meant tongue-in-cheek. Guess I used the wrong emoticon. Figured that ';-)' would work 'cuz I never can remember the one for tongue-in-cheek. I've seen several variations of the latter... :-? :-Q :-J

Re: [SC-L] seeking hard numbers of bug fixes...

2010-02-23 Thread Wall, Kevin
Benjamin Tomhave wrote: ... we're looking for hard research or numbers that covers the cost to catch bugs in code pre-launch and post-launch. The notion being that the organization saves itself money if it does a reasonable amount of QA (and security testing) up front vs trying to chase

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Wall, Kevin
On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote: Among other things, David [Rice] and I discussed the difference between descriptive models like BSIMM and prescriptive models which purport to tell you what you should do. I just wrote an article about that for informIT. The title is

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread Wall, Kevin
Stephen Craig Evans wrote... Looks like there's another one: Symantec Y2K10 Date Stamp Bug Hits Endpoint Protection Manager g-Hits-Endpoint-Protection-Manager-472518/? kc=EWKNLSTE01072010STR1 I am VERY curious to learn how these

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread Wall, Kevin
Larry Kilgallen wrote... At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote: I am VERY curious to learn how these happened... Only using the last digit of the year? Hard for me to believe. Maybe it's in a single API and somebody tried to be too clever with some bit-shifting. My wife

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-03 Thread Wall, Kevin
Steve Christy wrote... I wonder what would happen if somebody offered $1 to the first applied researcher to find a fault or security error. According to, buffer overflows, memory leaks, and other issues are not present. Maybe

[SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Wall, Kevin
Thought there might be several on this list who might appreciate this, at least from a theoretical perspective but had not seen it. (Especially Larry Kilgallen, although he's probably already seen it. :) In,

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-27 Thread Wall, Kevin
Ben Tomhave wrote: Wall, Kevin wrote: I don't mean to split hairs here, but I think fundamental concept vs intermediate-to-advanced concept is a red herring. In your case of you teaching a 1 yr old toddler, NO is about the only thing they understand at this point. That doesn't imply

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Wall, Kevin
James McGovern wrote... - Taking this one step further, how can we convince professors who don't teach secure coding to not accept insecure code from their students. Professors seed the students thinking by accepting anything that barely works at the last minute. Universities need to be

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Wall, Kevin
Brad Andrews writes... I had proofs in junior high Geometry too, though I do not recall using them outside that class. I went all the way through differential equations, matrix algebra and probability/statistics and I don't recall much focus on proofs. This was in the early 1980s in a good

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Wall, Kevin
Karen Goertzel wrote... I'm more devious. I think what needs to happen is that we need to redefine what we mean by functionally correct or quality code. If determination of functional correctness were extended from must operate as specified under expected conditions to must operate as

Re: [SC-L] IBM Acquires Ounce Labs, Inc.

2009-08-05 Thread Wall, Kevin
Arian J. Evans wrote... The problem I had in the past with benchmarks was the huge degree of customization in each application I would test. While patterns emerge that are almost always automatable to some degree, the technologies almost always require hand care-and-feeding to get them to an

Re: [SC-L] Source or Binary

2009-07-30 Thread Wall, Kevin
In a message dated July 30, 2009 10:09 AM EDT, Paco Hope wrote... The Java Virtual Machine is a theoretical machine, and Java code is compiled down to Java bytecode that runs on this theoretical machine. The Java VM is the actual Windows EXE that runs on the real hardware. It reads these

Re: [SC-L] implementable process level secure development thoughts

2008-03-11 Thread Wall, Kevin
Andy, You wrote... I have been working on developing a series of documents to turn the ideas encompassed on this list and in what I can find in books articles. I am not finding, and it may just be I am looking in the wrong places, for any information on how people are actually

Re: [SC-L] Tools: Evaluation Criteria

2007-05-24 Thread Wall, Kevin
James McGovern wrote... Maybe folks are still building square windows because we haven't realized how software fails and can describe it in terms of a pattern. The only pattern-oriented book I have run across in my travels is the Core Security Patterns put out by the folks at Sun. Do you

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread Wall, Kevin
James McGovern apparently wrote... The uprising from customers may already be starting. It is called open source. The real question is what is the duty of others on this forum to make sure that newly created software doesn't suffer from the same problems as the commercial closed source

Re: [SC-L] Vulnerability tallies surged in 2006 | The Register

2007-01-23 Thread Wall, Kevin
Benjamin Tomhave wrote... This is completely unsurprising. Apparently nobody told the agile dev community that they still need to follow all the secure coding practices preached at the traditional dev folks for eons. XSS, redirects, and SQL injection attacks are not revolutionary, are not

Re: [SC-L] Could I use Java or c#? [was: Re: re-writing college books]

2006-11-15 Thread Wall, Kevin
Crispin Cowan wrote... mikeiscool wrote: ... True, but that doesn't mean runtime portability isn't a good thing to aim for. It means that compromising performance to obtain runtime portability that does not actually exist is a poor bargain. To me, the bigger loss than performance is all

Re: [SC-L] re-writing college books - erm.. ahm...

2006-11-06 Thread Wall, Kevin
In response to a post by Jerry Leichter, Gadi Evron wrote... A bridge is a single-purpose device. A watch is a simple purpose computer, as was the Enigma machine, if we can call it such. Multi-purpose computers or programmable computers are where our problems start. Anyone can DO and

Re: [SC-L] How can we stop the spreading insecure coding examples at training classes, etc.?

2006-08-31 Thread Wall, Kevin
Tim Hollebeek writes... Really, the root of the problem is the fact that the simple version is short and easy to understand, and the secure version is five times longer and completely unreadable. While there always is some additional complexity inherent in a secure version, it is nowhere

[SC-L] How can we stop the spreading insecure coding examples at training classes, etc.?

2006-08-28 Thread Wall, Kevin
First a bit of background and a confession. The background: I recently attended a local 4 hr Microsoft training seminar called Get Connected with the .NET Framework 2.0 and Visual Studio(c) 2005. However, I want to clarify that this example is NOT just a Microsoft issue. It's an industry-wide

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Wall, Kevin
Dana, Regarding your remarks about writing perfectly secure code... well put. And your remarks about Ross Anderson... Ross Anderson once said that secure software engineering is about building systems to remain dependable in the face of malice, error, or mischance. I think he has something

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-03 Thread Wall, Kevin
David Eisner wrote... Wall, Kevin wrote: The correct attribution for bringing this up (and the one whom you are quoting) is Dinis Cruz. same intuition about the verifier, but have just tested this and it is not the case. It seems that the -noverify is the default setting! If you want

RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, User vs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-25 Thread Wall, Kevin
Dinis, Dinis Cruz wrote... Finally, you might have noticed that whenever I talked about 'managed code', I mentioned 'managed and verifiable code', the reason for this distinction, is that I discovered recently that .Net code executed under Full Trust can not be

RE: [SC-L] Design flaw in Lexar JumpDrive

2004-09-30 Thread Wall, Kevin
Joel Kamentz wrote... Also, shouldn't it be easy enough to steal one of these and lift a fingerprint from it with scotch tape and then be able to get at all of the passwords in the device? If that didn't work, the gummy bear approach probably would. --- Kevin W. Wall Qwest Information

RE: [SC-L] Top security papers

2004-08-09 Thread Wall, Kevin
Matt Setzer wrote... It's been kind of quiet around here lately - hopefully just because everyone is off enjoying a well deserved summer (or winter, for those of you in the opposite hemisphere) break. In an effort to stir things up a bit, I thought I'd try to get some opinions about good

RE: [SC-L] Programming languages used for security

2004-07-10 Thread Wall, Kevin
David Crocker wrote... I think there are two other questions that should be asked before trying to answer this: 1. Is it appropriate to look for a single general purpose programming language? Consider the following application areas: a) Application packages b) Operating systems, device

RE: [SC-L] Programming languages used for security

2004-07-10 Thread Wall, Kevin
that a declarative programming language is a high-level language that describes a problem rather than defining a solution, but that pretty much sounds like your definition of a specification language. -kevin wall --- Kevin W. Wall Qwest Information Technology, Inc. [EMAIL PROTECTED] Phone

[SC-L] Programming languages used for security

2004-07-09 Thread Wall, Kevin
I think the discussion regarding the thread Re: [SC-L] Education and security -- another perspective (was ACMQueue - Content) is in part becoming a debate of language X vs language Y. Instead, I'd like to take this thread off into another direction (if Ken thinks it's appropriate to

RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-09 Thread Wall, Kevin
David Crocker wrote... There is a tendency to regard every programming problem as an O-O problem. Sometime last year I read a thread on some programming newsgroup in which contributors argued about the correct way to write a truly O-O Hello world program. All the solutions provided were

RE: [SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-07 Thread Wall, Kevin
Fernando Schapachnik wrote... I've considered 'secure coding' courses, and the idea always looks kind of oversized. How much can you teach that students can't read themselves from a book? Can you fill a semester with that? I'm interested in people's experiences here. I suppose that depends

RE: [SC-L] Protecting users from their own actions

2004-07-06 Thread Wall, Kevin
In Ken van Wyk's cited article at he writes... As I said above, user awareness training is a fine practice that shouldn't be abandoned. Users are our first defense against security problems, and they should certainly be educated

[SC-L] Education and security -- another perspective (was ACM Queue - Content)

2004-07-02 Thread Wall, Kevin
Kenneth R. van Wyk wrote... FYI, there's an ACM Queue issue out that focuses on security -- see Two articles there that should be of interest to SC-L readers include Marcus Ranum's Security: The root of the problem

RE: [SC-L] Interesting article on the adoption of Software Security

2004-06-12 Thread Wall, Kevin
Dana Epp wrote... [...snip...] For those of us who write kernel mode / ring0 code, what language are you suggesting we write in? Name a good typesafe language that you have PRACTICALLY seen to write kernel mode code in. Especially on Windows and the Linux platform. I am not trying to fuel