Re: [SC-L] Online Secure Development Training?

2009-03-25 Thread Brad Andrews
Thanks for all the replies. I did want to emphasize that I am specifically looking for CBT versions of courses, not the instructor-led variety. Someone asked me about what was available and I said I would ask around. I have only seen the instructor-led ones myself. Thanks for all the

Re: [SC-L] RSA panel

2009-04-15 Thread Brad Andrews
Are any of these going to be recorded? That would help those of us with no travel budget or time. :) Brad Quoting Gary McGraw g...@cigital.com: hi sc-l, Presumably some of you will be at RSA this year. I'm doing three panels and a talk (with Brian Chess) on the BSIMM.

[SC-L] Insecure Java Code Snippets

2009-05-06 Thread Brad Andrews
Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a find the bug like the old C-Lint ads. Does anyone know of a source of something like this. Brad

Re: [SC-L] Insecure Java Code Snippets

2009-05-07 Thread Brad Andrews
Thanks Karen, that site may have enough of what I can use. Still a bit of work to do, but worth pursuing. The other sources were a bit too short on the snippets side, which is my fault for not making the question better. I don't know how many of you used to read the C-Lint ads that said

Re: [SC-L] Integrated Dynamic and Static Scanning

2009-07-30 Thread Brad Andrews
are fixing security issues every day. Everyone doesn't share the vision, unfortunately. And some of those that see the problem don't have the budget and executive support to fix the problem -- Brad Andrews RBA Communications CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Andre Gironda

Re: [SC-L] Integrated Dynamic and Static Scanning

2009-07-30 Thread Brad Andrews
hear :) -- Brad Andrews RBA Communications CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting McGovern, James F (HTSC, IT) james.mcgov...@thehartford.com: Sometimes integration is a good and bad thing. ___ Secure Coding mailing list (SC-L) SC-L

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Brad Andrews
deeper input inspection, especially in a completely unrelated topic. I am probably blowing some smoke here and I may disagree with myself later, but I think this discussion is worth having. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Mike Lyman

[SC-L] Functional Correctness

2009-08-21 Thread Brad Andrews
are also a lot more complicated, making the correct proof much more difficult. Can we really believe it is just around the corner to prove this? -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Cassidy, Colin (GE Infra, Energy) colin.cass...@ge.com

[SC-L] Customer Demand

2009-08-21 Thread Brad Andrews
it is also not as conceptually interesting to many. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Martin Gilje Jaatun secse-ch...@sislab.no: His stance on this is that if security were important to the customer, the customer would provide and prioritize

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Brad Andrews
Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Stephan Neuhaus stephan.neuh...@disi.unitn.it: On Aug 21, 2009, at 17:51, Brad Andrews wrote: Has anyone who holds to this taught a beginning level programming class? I have. I taught a security class to undergrads

Re: [SC-L] Functional Correctness

2009-08-22 Thread Brad Andrews
. -- Brad Andrews RBA Communications CISM, CSSLP, SANS/GIAC GSEC, GCFW, GCIH, GPCI Quoting Gary McGraw g...@cigital.com: Software security is an intensely practical problem that will require a practical approach. By studying organizations that are doing a decent job, perhaps we can draw

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-22 Thread Brad Andrews
teach secure development, with minimal extra time load, in a basic programming sequence, possibly even at a non-traditional or lower tier school. We won't make significant progress until we can do that, and it still leaves out the self taught. -- Brad Andrews RBA Communications CISM, CSSLP

Re: [SC-L] What is the size of this list?

2009-08-22 Thread Brad Andrews
is a challenge in many companies, so some could argue my concerns are foolish. I think they are important because you want to make sure any buy-in you eventually get expects the right things. If you don't do this, you will end up in an even worse position down the road. -- Brad Andrews RBA

[SC-L] Inherently Secure Code?

2009-08-26 Thread Brad Andrews
can have perfectly secure code is to not allow someone to use it. The same is true of bug free code, but that is another argument. :) Isn't this kind of like wanting the evil bit to be set in all malicious packets? Great idea, but not achievable. -- Brad Andrews RBA Communications CISM

[SC-L] Secure Development Related PhD Work

2010-07-19 Thread Brad Andrews
in the Dallas area now, but open to moving for the right opportunity. Please contact me off the list with any information. :) I can summarize the PhD findings if anyone is interested. Brad Andrews andr...@rbacomm.com CISM, CSSLP, GSEC, GCIH, GCIA, GCFW