RE: [SC-L] Bugs and flaws

2006-02-02 Thread Brian Chess
I spent Phase One of both my academic and professional careers working on hardware fault models and design for testability. In fact, the first static analysis tool I wrote was for hardware: it analyzed Verilog looking for design mistakes that would make it difficult or impossible to perform design

[SC-L] Re: SC-L Digest, Vol 2, Issue 17

2006-02-03 Thread Brian Chess
John, I think this has to do with what you want to achieve when you explore code. A static analysis tool is a fancy sort of pattern matcher. If the kinds of patterns you're interested in aren't that fancy, (does the program use function X()?; what is the class hierarchy?) then a fancy pattern

[SC-L] RE: The role static analysis tools play in uncovering elements of design

2006-02-05 Thread Brian Chess
Jeff Williams [EMAIL PROTECTED] wrote: I think there's a lot more that static analysis can do than what you're describing. They're not (necessarily) just fancy pattern matchers. Jeff, you raise a important point. Getting good value out of static analysis requires a second component in

[SC-L] Re: Comparing Scanning Tools

2006-06-09 Thread Brian Chess
Hi Jerry, as one of the creators of the tool you evaluated, I have to admit I have the urge to comment on your message one line at a time and explain each way in which the presentation you attended did not adequately explain what Fortify does or how we do it. But I don't think the rest of the

[SC-L] RE: Comparing Scanning Tools

2006-06-09 Thread Brian Chess
Title: RE: Comparing Scanning Tools McGovern, James F wrote: I have yet to find a large enterprise that has made a significant investment in such tools. Ill give you pointers to two. Theyre two of the three largest software companies in the world.

[SC-L] Java Open Review Project

2006-12-12 Thread Brian Chess
Hello all, I'm pleased to announce that we've just launched the Java Open Review Project ( We're reviewing open source Java code all the way from Tomcat down to PetStore looking for bugs and security vulnerabilities. We're using two static analysis tools to

[SC-L] JavaScript Hijacking

2007-04-01 Thread Brian Chess
I've been getting questions about Ajax/Web 2.0 for a few years now. Most of the time the first question is along these lines: Does Ajax cause any new security problems? Until recently, my answer has been right in line with the answers I've heard from other corners of the world: No. Then I've

Re: [SC-L] JavaScript Hijacking

2007-04-02 Thread Brian Chess
Paola [EMAIL PROTECTED] Date: Mon, 02 Apr 2007 11:11:24 +0200 To: Cc: Brian Chess [EMAIL PROTECTED] Subject: Re: [SC-L] JavaScript Hijacking Brian, i don't know if you read it but me and Giorgio Fedon presented a paper named Subverting Ajax at 23rd

Re: [SC-L] SC-L Digest, Vol 3, Issue 73

2007-04-09 Thread Brian Chess
Hi Frederik, You're right that IE does not have the setter methods. You're also right that hijacking the Object() or Array() constructor method would be enough to pull off the attack. The bad (good?) news is that IE doesn't call those methods unless an object is explicitly created with the new

Re: [SC-L] JavaScript Hijacking

2007-04-19 Thread Brian Chess
Frederik De Keukelaere [EMAIL PROTECTED] writes: Would you mind sharing the different data formats you came across for exchanging data in mashups/Web 2.0? Considering the challenges you recently discovered, it might be good to have such an overview to look at it from a security point of view.

[SC-L] Secure Programming with Static Analysis

2007-07-05 Thread Brian Chess
Jacob West and I are proud to announce that our book, Secure Programming with Static Analysis, is now available. The book covers a lot of ground. * It explains why static source code analysis is a critical part of a secure development process. * It

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Brian Chess
- So when a vendor says that they are focused on quality and not security, and vice versa what exactly does this mean? We spend most of Chapter 2 of Secure Programming with Static Analysis describing the different problems that static analysis tools try to solve, and we show where we think all

[SC-L] International Symposium on Engineering Secure Software and Systems (ESSoS)

2008-06-26 Thread Brian Chess
, University of California (Davis) - USA Brian Chess, Fortify Software - USA Richard Clayton, Cambridge University - UK Christian Collberg, University of Arizona - USA Bart De Win, Katholieke Universiteit Leuven - BE Juergen Doser, ETH - CH Eduardo Fernandez-Medina, University of Castilla-La Mancha - ES

Re: [SC-L] top 10 software security surprises

2008-12-17 Thread Brian Chess
Thanks Ken. For me this has been an incredibly eye-opening project. It can be hard for people to distinguish between ideas that merely look good on paper and ideas that are actually in widespread use. Once we’ve cleaned up the data and gotten approval from the organizations we

Re: [SC-L] Some Interesting Topics arising from the SANS/CWE Top 25

2009-01-15 Thread Brian Chess
In the one sense, we are talking about validating user input, which mostly needs to concern itself with adhering to business requirements. This meaning is not very important for security, but the other one, validating data before something is done with it, is. Yes, two forms of validation are

Re: [SC-L] Positive impact of an SSG

2009-03-11 Thread Brian Chess
Ben! Thank you! When you talk about sample size, it gives me hope that we¹re on the right track. We can either: 1) Use ideas that ³experts² theorize will work or 2) Gather empirical evidence to judge one idea against another. We in the security crowd often try to hide behind the need for

Re: [SC-L] Insecure Java Code Snippets

2009-05-06 Thread Brian Chess
We keep a big catalog here: On 5/6/09 10:41 AM, Brad Andrews wrote: Does anyone know of a source of insecure Java snippets? I would like to get some for a monthly meeting of leading technical people. My idea was to have a find

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Brian Chess
At no time did it include corporations who use Ounce Labs or Coverity Bzzzt. False. While there are plenty of Fortify customers represented in BSIMM, there are also plenty of participants who aren't Fortify customers. I don't think there are any hard numbers on market share in this realm, but

Re: [SC-L] What do you like better Web penetration testing or static code analysis?

2010-04-24 Thread Brian Chess
I like your point Matt. Everybody who's responded thus-far has wanted to turn this into a discussion about what's most effective or what has the most benefit, sort of like we were comparing which icky medicine to take or which overcooked vegetable to eat. Maybe they don't get any pleasure from

[SC-L] Java DOS

2011-02-12 Thread Brian Chess
There's a very interesting vulnerability in Java kicking around. I wrote about it here: In brief, you can send Java (and some versions of PHP) into an infinite loop if you can provide some malicious input that will be parsed as a