Re: [SC-L] Security in QA is more than exploits

2009-02-05 Thread bugtraq
For starters I believe you misinterpreted my comments on QA. I was in no way slamming their abilities. With this in mind comments below. Before anyone talks about vulnerabilities to test for, we have to figure out what the business cares about and why. What could go wrong? Who cares? Wh

Re: [SC-L] Secure development after release

2008-03-05 Thread bugtraq
Hello Andy, Once an application is released or put into production, what are organizations doing to keep the applications secure? As new Some organizations purchase web application security scanners and perform periodic scanning (this could be done by the soc) or use a service such as

Re: [SC-L] What's the next tech problem to be solved in software

2007-06-07 Thread bugtraq
On Wed, 6 Jun 2007, Wietse Venema wrote: more and more people, with less and less experience, will be programming computer systems. The challenge is to provide environments that allow less experienced people to program computer systems without introducing gaping holes or other

Re: [SC-L] Darkreading: compliance

2007-04-04 Thread bugtraq
Gary, may I suggest an alternative response to application firewalls and the notion that it is hair-brained? Of course this is true but this list is missing a major opportunity to finally calculate an ROI model. If you ask yourself, what types of firewalls are pervasively deployed, you

Re: [SC-L] Darkreading: compliance

2007-03-12 Thread bugtraq
what do you think? have compliance efforts you know about helped to forward software security? Compliance brings accountability. Without accountability or financial impact people have little incentive for putting security on the priority list. I for one welcome our compliance overlords.

Re: [SC-L] [WEB SECURITY] Wordpress website hacked, wordpress backdoored

2007-03-03 Thread bugtraq
a) the final binaries were the ones infected (very easy to detect (imagine if the infected code was actually from 'real' SVN source code and made from a 'trusted' developer)) b) by the speed this was detected the exploit (and the blog page didn't give a lot of details about it) must have

Re: [SC-L] Meeting at RSA next week?

2007-02-02 Thread bugtraq
I'll be there. - Robert http://www.cgisecurity.com/ http://www.webappsec.org/ How many of the list members are going to RSA? Any plans to get together for some coffee?

Re: [SC-L] Could mandates on disclosing software effects benefit

2007-01-31 Thread bugtraq
Question is: would it make sense to lobby for disclosure requirements of all writes software does, to whatever, and reasons for them, as conditions to make it fit for sale? Perhaps likewise to be a (or the?) defense against claims the software is doing things to others' machines without

Re: [SC-L] QASEC Announcement: Writing Software Security Test Cases

2007-01-08 Thread bugtraq
This is great, and something I have incorporated into our own cycle previously, as carving out a spot on our team as the security engineer didn't seem to work. But by creating a process for including security testing, abuse cases, etc. I was able to incorporate security without a big hit to

[SC-L] Challenges faced by automated web application security assessment tools

2006-11-13 Thread bugtraq
I have released a new document 'Challenges faced by automated web application security assessment tools' that a few of you may find interesting. URL: http://www.cgisecurity.com/articles/scannerchallenges.shtml Comments welcome. - Robert http://www.cgisecurity.com/ Website Security news,