On 7/17/06, Crispin Cowan <[EMAIL PROTECTED]> wrote:
>
> > Goertzel Karen wrote:
> >
> >
> > I've been struggling for a while to synthesise a definition of secure
> > software that is short and sweet, yet accurate and comprehensive.
>
> My favorite is by Ivan Arce, CTO of Core Software, coming out
mikeiscool wrote:
> On 7/17/06, Crispin Cowan <[EMAIL PROTECTED]> wrote:
>> > Goertzel Karen wrote:
>> > I've been struggling for a while to synthesise a definition of secure
>> > software that is short and sweet, yet accurate and comprehensive.
>>
>> My favorite is by Ivan Arce, CTO of Core Softw
I wrote a book with viega a few years ago called "building secure
software"...it was not about that company (at all).
Software security: building security in.
gem
P.s. I actually like ivan's quip as reported by crispy.
-Original Message-
From: Dave Aronson [mailto:[EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Dave Aronson
> If you really want to compress that to bumper-sticker size, how about
>
> "Secure Software: Does what it's meant to. Period."
>
> This encompasses both "can't be forced NOT to do what it's
> meant to do",
> a
On 7/17/06, Crispin Cowan <[EMAIL PROTECTED]> wrote:
> mikeiscool wrote:
> > On 7/17/06, Crispin Cowan <[EMAIL PROTECTED]> wrote:
> >> > Goertzel Karen wrote:
> >> > I've been struggling for a while to synthesise a definition of secure
> >> > software that is short and sweet, yet accurate and comp
mikeiscool wrote:
> On 7/17/06, Crispin Cowan <[EMAIL PROTECTED]> wrote:
>> "supposed to" goes to intent.
> I don't know. I think there is a difference between "this does what
> it's supposed to do" and "this has no design faults". That's all I was
> trying to highlight.
The difference between "sup
Hi all,
The silver bullet episode featuring Marcus Ranum went live recently:
http://www.cigital.com/silverbullet/
In the interview, we discuss software security progress briefly.
BTW, I did an interview with the mysterious Dana Epp (silverstr) last
week that is in the production pipeline. I'll
mikeiscool [mailto:[EMAIL PROTECTED] writes:
> The point remains though: trimming this down into a friendly little
> phrase is, IMCO, useless.
One of the common problems in trying to persuade the masses of ANYTHING, be it
the importance of secure software, the factual or moral correctness of y
Gary McGraw [mailto:[EMAIL PROTECTED] wrote:
> I wrote a book with viega a few years ago called "building secure
> software"...
Yes, John gave us all copies. Didn't bother to get it autographed though. :-)
> it was not about that company (at all).
It certainly was not about the horribly br
Crispin Cowan writes...
> IMHO, bumper sticker slogans are necessarily short and glib.
> There isn't room to put in all the qualifications and caveats
> to make it a perfectly precise statement. As such, mincing
> words over it is a futile exercise.
>
> Or you could just print a technical paper
I like the idea of a bumper sticker slogan for the same reason as "elevator
pitches" are useful - they don't cover everything, and they don't try to be
precise - just give enough information to whet the reader's/listener's
appetite.
And with that, I offer the following:
"Software Security Keeps t
My slogan:
Unsecured Applications = Unsecured Business
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jeremy Epstein
Sent: Monday, July 17, 2006 8:46 AM
To: Secure Coding Mailing List
Subject: Re: [SC-L] "Bumper sticker" definition of secure software
I
Another possibility:
Secure software can't be subverted.
--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.902.6981
[EMAIL PROTECTED]
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http://kr
Or if not Toastmasters, Actors' Studio. :)
--
Karen Mercedes Goertzel, CISSP
Booz Allen Hamilton
703.902.6981
[EMAIL PROTECTED]
> -Original Message-
> Another useful thing would be if all engineers would enroll
> in Toastmasters, but that's another story. ;-)
>
> -Dave, Governor of T
On Mon, 17 Jul 2006, Goertzel Karen wrote:
> Another possibility:
>
> Secure software can't be subverted.
We Read Your Email
Your Program == Swiss Cheese
>
> --
> Karen Mercedes Goertzel, CISSP
> Booz Allen Hamilton
> 703.902.6981
> [EMAIL PROTECTED]
>
> ___
Jeremy Epstein [mailto:[EMAIL PROTECTED] writes:
> "Software Security Keeps the Bad Guys Out"
That's certainly one important aspect, but this slogan doesn't address issues
such as staying up, producing correct output, etc. It also can blur the
already much too fuzzy (in the public mind) line
On 7/18/06, Goertzel Karen <[EMAIL PROTECTED]> wrote:
> Another possibility:
>
> Secure software can't be subverted.
Again you are all missing that point that design faults are a major
*major* problem. Cannot be "subverted"; well fine. But what if the main
function of the app itself is wrong. It is
You suggest:
Secure software is software that remains dependable despite efforts to
compromise its dependability.
You need a bigger-picture view that encompasses trustworthiness
and assurance.
"Dependable systems are systems that remain dependable despite
would-be compromises to their depe
It's my view, as Ken and I have said in a couple of publications, that
secure code "lets you say yes with confidence, and no with certainty".
-mg-
Secure Software: Safe Execution
(No, I'm not serious.)
-- Jerry
On Mon, 17 Jul 2006, Peter G. Neumann wrote:
> Forget the bumper sticker approach.
Hey Peter. :)
Well, one should forget the bumper-sticker approach if all us boring dry
guys keep trying to explain to people how math works.
Instead, telling them:
1+1=?
Didn't learn math, eh?
Is bumper-sticker worth
Gary, If you think security is a funny topic, try this one:
http://haha.nu/funny/funny-math/
I was recently looking at some code to do regular expression matching,
when it occurred to me that one can produce fairly small regular
expressions that require huge amounts of space and time. There's
nothing in the slightest bit illegal about such regexp's - it's just
inherent in regular expressi
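The cost blow-up the poster is pointing at is catastrophic backtracking (what is now usually called ReDoS). The following is an added illustration, not code from the poster or from the list: it takes one classic pathological pattern, `^(a+)+$`, and a constructed input of n letters `a` followed by a `b`, and shows with a hand-written backtracking matcher that the engine tries 2^n group boundaries before it can fail. The same function carries the two mitigations a practitioner actually reaches for: bound the work (the approach of RE2, .NET's MatchTimeout and similar) so a hostile input fails fast instead of hanging the worker, and rewrite the pattern to an unambiguous equivalent (`(a+)+` and `a+` denote the same language) so no backtracking is ever needed. The step budget value and the input sizes in `main` are arbitrary choices for the demo.

```python
"""
Why a small regular expression can cost exponential time.

^(a+)+$ is ambiguous: a backtracking engine has to try every way of
splitting a run of 'a's into (a+) groups before it can conclude that a
trailing 'b' kills the match, and there are 2^(n-1) such splits for n
letters. The constructed hostile input is 'a' * n + 'b'.
"""
import re
import time


class StepBudgetExceeded(Exception):
    """Raised when the backtracking matcher exceeds its work budget."""


def backtracking_match(s, budget=None):
    """Match s against ^(a+)+$ the way a naive backtracking engine does.

    Returns (matched, steps); `steps` counts how often the engine entered
    the (a+) group at some position. If `budget` is given (an arbitrary
    cap chosen by the caller) and the count exceeds it, StepBudgetExceeded
    is raised: bounding the work is the practical defence when you cannot
    control the pattern or the input.
    """
    n = len(s)
    steps = 0

    def group_at(i):
        # One occurrence of (a+) starting at i: consume the longest run of
        # 'a' first (greedy), then give back one character at a time and
        # recurse for the next group on whatever is left.
        nonlocal steps
        steps += 1
        if budget is not None and steps > budget:
            raise StepBudgetExceeded(steps)
        end = i
        while end < n and s[end] == "a":
            end += 1
        for j in range(end, i, -1):
            if j == n or group_at(j):   # j == n: the $ anchor is satisfied
                return True
        return False                    # every split from i fails

    if n == 0:
        return False, steps             # (a+)+ needs at least one 'a'
    return group_at(0), steps


def linear_match(s):
    """Same language as ^(a+)+$, i.e. a+, decided in O(len(s)).

    Rewriting an ambiguous pattern into an unambiguous one removes the
    backtracking entirely; no step budget is needed here.
    """
    return len(s) > 0 and all(c == "a" for c in s)


def stdlib_engine_seconds(n):
    """Time Python's own backtracking `re` engine on the hostile input.

    The result grows roughly 2x per extra 'a'; returned, not printed, so a
    caller can chart it.
    """
    hostile = "a" * n + "b"
    start = time.perf_counter()
    assert re.fullmatch(r"(a+)+", hostile) is None
    return time.perf_counter() - start


if __name__ == "__main__":
    for n in (8, 12, 16, 18):
        matched, steps = backtracking_match("a" * n + "b")
        print(f"n={n:2d}  naive steps={steps:7d}  "
              f"stdlib re={stdlib_engine_seconds(n):.4f}s  "
              f"linear={linear_match('a' * n + 'b')}")
    try:
        backtracking_match("a" * 40 + "b", budget=100_000)
    except StepBudgetExceeded as exc:
        print(f"n=40 aborted after {exc} steps instead of ~2^40")
```

Run stand-alone, the table shows the naive step count doubling with every added `a` while the linear check stays flat; the last line shows the budgeted matcher giving up on a 40-character input that would otherwise take the naive engine about a trillion steps. Python's own `re` has no timeout, which is exactly why exposing user-supplied patterns or feeding untrusted input to an ambiguous pattern is a denial-of-service risk.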
I prefer to define the opposite:
"Insecure Software is like a joke,
Except others laugh at you"
I like it because:
-it captures the notion that vulnerabilities, just like jokes, are very
often made apparent by thinking in a different context from the software's
designers (the straight man).
-It
Crispin Cowan wrote:
> mikeiscool wrote:
>> On 7/17/06, Crispin Cowan <[EMAIL PROTECTED]> wrote:
>>> "supposed to" goes to intent.
>> I don't know. I think there is a difference between "this does what
>> it's supposed to do" and "this has no design faults". That's all I was
>> trying to highlight.
On Mon, Jul 17, 2006 at 05:48:59PM -0400, [EMAIL PROTECTED]
wrote:
> I was recently looking at some code to do regular expression
> matching, when it occurred to me that one can produce fairly small
> regular expressions that require huge amounts of space and time.
> There's nothing in the slight