Great points, Karen! We can't prove a program is "secure" in the same vein.
The danger I am spouting off about is the idea that we would solve the
software security problem if we just take a more "scientific" or
"mature" (or whatever) approach. I think those can definitely reduce
the risk
securecoding.org
Subject: Re: [SC-L] What is the size of this list?
I completely agree with your final statement Karen, but I see a lot
more of the words aiming at the 100% mark and I think that is
ultimately a bad focus since it is unachievable and therefore will
waste focus and effort.
While on paper we can "prove" programs are bug free (security-relate
6:50 PM
To: Matt Bishop
Cc: Goertzel, Karen [USA]; Secure Coding List
Subject: Re: [SC-L] What is the size of this list?
Let me amplify what Matt Bishop has said.
I tend to deal with TRUSTWORTHINESS, which encompasses
security, reliability, survivability, human safety, and anything
else that you have to trust whether you like it or not.
Security is only one aspect of it. Long ago Butler Lampson
wrote a paper pointin
Karen,
Ah, once again I expressed myself poorly. Apologies to all; it was too
early in the morning to write (I'm on Pacific time).
As far as I'm concerned, being able to understand English is crucial
to meaningful interpretation of literature written in that language,
and being able to wr
rtzel, CISSP
Associate
703.698.7454
goertzel_ka...@bah.com
From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] On Behalf
Of Matt Bishop [bis...@cs.ucdavis.edu]
Sent: Thursday, August 20, 2009 9:27 AM
To: Secure Coding List
Subject: Re: [
Another lurker revealing himself ... my name is Matt Bishop, and I
lurk at the University of California at Davis where I teach and do
research in lots of areas of computer security, including (surprise!)
what is traditionally called "secure programming" and "secure software
development". Fo
hi martin and rafael,
I agree with Martin. Software security is essential in most embedded systems.
Also note that there is an interesting fractal line between hardware and
software in such systems that often makes for interesting security situations.
Consider Java-based smart cards (which I
Rafael Ruiz wrote:
I am a lurker (I think), I am an embedded programmer and work at
Lowrance (a brand of the Navico company), and I don't think I can't
provide too much to security because embedded software is closed per se.
IMHO, it is very dangerous to assume that "since it is embedded, nobo
Hi everyone,
I'm a victim of being a lurker, I work for Codenomicon doing blackbox
security testing, research, and much more. I take interest in the SC-L
to keep a fresh perspective/hone in on peoples ideas about software
assurance and whitebox security.
BR,
Joshua Morin
Security Strategis
inline
On Wed, Aug 19, 2009 at 4:06 AM, Kenneth Van Wyk wrote:
> The list has pretty consistently hovered around 1000 subscribers since
> pretty shortly after I launched it in late 2003.
Interesting. I would not have guessed that the list was so large.
Guess I need to stop making inside jokes an
Hi SC-L,
I'm a Lurker. I work for CERT | SEI | CMU and monitor the list in an
attempt to keep an ear to the ground. While I'm not a professional
programmer I do have an undergrad and graduate degree in CS which
means I've been trained a little about programming. I'm really
interested in two thi
Hi people,
I am a lurker (I think), I am an embedded programmer and work at
Lowrance (a brand of the Navico company), and I don't think I can't
provide too much to security because embedded software is closed per se.
Or maybe I am wrong, is there a way to grab the source code from an
electronic eq
Arian J. Evans wrote:
> I realized I tend to think of SCL as a small list of 30 people from
> 2003 who are all about 2 degrees of Kevin Bacon away from
> each other.
Sometimes more so than we know! I've been here for almost six years
now, and until May, I had no idea that Karen used to work
On Aug 18, 2009, at 2:21 PM, Arian J. Evans wrote:
Jeremiah Grossman and I were both pondering the size of the SCL
recently.
Is the list size public?
It's not public per se, but only in the sense that the number isn't
directly available--unless you ask for it.
The list has pretty consiste