Re: [SC-L] User Education Tool?

2004-03-04 Thread Dave Aronson
, and you've got something. B-) -- Dave Aronson, Senior Software Engineer, Secure Software Inc. Email me at: work (D0T) 2004 (@T) dja (D0T) mailme (D0T) org (Opinions above NOT those of securesw.com unless so stated!) WE'RE HIRING developers, auditors, and VP of Prof. Services.

Re: [SC-L] Missing the point?

2004-04-20 Thread Dave Aronson
On Tue April 20 2004 12:34, Michael A. Davis wrote: It is not the source code that is the problem -- it is the developer. The proof of the developer's grokking of secure coding is in the code. -- Dave Aronson, Senior Software Engineer, Secure Software Inc. Email me at: work (D0T) 2004 (@T

Re: [SC-L] Programming languages -- the third rail of secure coding

2004-07-20 Thread Dave Aronson
Michael S Hines [EMAIL PROTECTED] wrote: I've been compiling a list of programming languages... You missed FORTRAN, ICON, REXX, SNOBOL, and the assorted OS-based shell scripting languages (bash/csh/ksh/etc., VMS DCL, DOS .bat, etc.). I've heard of JOVIAL, which I *think* is a programming

OT re Cliff Stoll (was Re: [SC-L] Top security papers)

2004-08-11 Thread Dave Aronson
Nash [EMAIL PROTECTED] wrote: _Cuckoo's_Egg_, Clifford Stall. http://www.amazon.com/exec/obidos/tg/detail/-/0671726889/102-7543362- 2026532?v=glance [Ed. That's Cliff Stoll, not Stall. Great book, though -- IMHO! KRvW] For more on what Cliff's been up to lately, see:

Re: [SC-L] Re: Application Insecurity --- Who is at Fault?

2005-04-11 Thread Dave Aronson

Re: [SC-L] Why Software Will Continue to Be Vulnerable

2005-05-01 Thread Dave Aronson
Crispin Cowan [EMAIL PROTECTED] wrote: ISPs could also position a non-restricted account as an expert account and charge extra for it. That already happens in many cases, except they call it a business class account. The only one I've heard called some kind of expert account is that

Re: [SC-L] Credentials for Application use

2005-05-12 Thread Dave Aronson
Gizmo [EMAIL PROTECTED] wrote: I have a similar situation in one of my applications. The customer wishes to secure the database. Since we use a Btrieve database, the only way to do this is be setting an owner name on the DB, and then encrypting using the owner name as the password.

Re: [SC-L] Credentials for Application use

2005-05-13 Thread Dave Aronson
Gizmo [EMAIL PROTECTED] wrote: the efficacy of the encryption is of some question. Basically, it keeps honest people honest. Sounds a little better than I thought, but I'd still be worried about the owner name leaking into less honest hands. 1) The app is architected around the Btrieve

Re: [SC-L] Spot the bug

2005-07-21 Thread Dave Aronson
Christopher Canova [EMAIL PROTECTED] wrote: It seems to me that they may be shifting from a Deploy-first-ask-questions-later tactic to a Code-it-right-before-its-out-the-door. They always did code it right before it's out the door. It's just a question of where you put the comma. ;-

Re: [SC-L] Coding with errors in mind - a solution?

2006-08-30 Thread Dave Aronson
* people anyway. The avionics, medical, and suchlike fields are quite another story. Bill Anderson Is this perchance the Bill Anderson who was my great grandboss until he left BAE for Cryptek? -- Dave Aronson http://www.davearonson.com/ Specialization is for insects. -Heinlein

Re: [SC-L] InformIT: budgeting for software security

2008-04-12 Thread Dave Aronson
Jim Manico wrote: Datacenters - suck up 3% of word power Oh, that must explain why, as we become more and more dependent on companies with data centers, we find ourselves less and less able to actually communicate clearly with each other ;-) -Dave -- Dave Aronson Specialization

Re: [SC-L] InformIT: You need an SSG

2009-12-22 Thread Dave Aronson
foreseeable types of attacks, and (for quality) diDTRT(wtmb)itfoafto *errors* (including those forced by an attack!) and is it maintainable. -Dave -- Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII -+ Play: davearonson.net | \/ Ribbon

Re: [SC-L] More on Cyber War

2010-06-18 Thread Dave Aronson
Don't forget about the millionaire cyber-terrorist, osama:/bin/login. ;-) -- Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII -+ Play: davearonson.net | \/ Ribbon Specialization is for insects. | Life: dare2xl.com | /\ Campaign

[SC-L] bumper sticker slogan for secure software

2006-07-17 Thread SC-L Subscriber Dave Aronson
mikeiscool [mailto:[EMAIL PROTECTED] writes: The point remains though: trimming this down into a friendly little phrase is, IMCO, useless. One of the common problems in trying to persuade the masses of ANYTHING, be it the importance of secure software, the factual or moral correctness of

Re: [SC-L] (no subject)

2006-07-17 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] wrote: I wrote a book with viega a few years ago called building secure software... Yes, John gave us all copies. Didn't bother to get it autographed though. :-) it was not about that company (at all). It certainly was not about the horribly broken

[SC-L] bumper sticker slogan for secure software

2006-07-18 Thread SC-L Subscriber Dave Aronson
Paolo Perego [mailto:[EMAIL PROTECTED] writes: Software is like Titanic, people claim it was unsinkable. Securing is providing it power steering But power steering wouldn't have saved it. By the time the iceberg was spotted, there was not enough time to turn that large a boat. Perhaps

Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread SC-L Subscriber Dave Aronson
important news. Without this little bit of trivia, the sheeple will just ass-u-me that the demo-giver was, as the PTBs will insinuate, a malefactor in league with $ENEMY[$YEAR], and deserves to be shipped off to the Git-lag. -Dave -- Dave Aronson Specialization is for insects. -Heinlein Work: http

Re: [SC-L] Compilers

2006-12-27 Thread SC-L Subscriber Dave Aronson
engineers), let alone people in any position of authority to set such policies. :-( -Dave -- Dave Aronson Specialization is for insects. -Heinlein Work: http://www.davearonson.com/ Play: http://www.davearonson.net/ ___ Secure Coding mailing list (SC-L

Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread SC-L Subscriber Dave Aronson
[EMAIL PROTECTED] writes: certifications such as CISSP whereby the exams that prove you are a security professional talk all about physical security and network security but really don't address software development in any meaningful way. Perhaps what is needed is a separate certification.

Re: [SC-L] How big is the market?

2007-04-24 Thread SC-L Subscriber Dave Aronson
- Insurance Technology - DMReview - Intelligent Enterprise - CIO - Insurance Networking News I'd also suggest Software Development, and maybe Information Security. -Dave -- Dave Aronson Specialization is for insects. -Heinlein Work: http://www.davearonson.com/ Play: http

Re: [SC-L] Best practices for encrypting client-side data

2007-05-09 Thread SC-L Subscriber Dave Aronson
scheme. Also, just how secure do you need it to be? Don't waste a thousand-dollar lock on a fifty-dollar bicycle. Is this data actually a tempting target for attackers who are clueful and resourceful (in both the senses of clever and able to spend a lot)? -Dave -- Dave Aronson Specialization

Re: [SC-L] Perspectives on Code Scanning

2007-06-07 Thread SC-L Subscriber Dave Aronson
and instead focus on enterprise concerns? Unfortunately, that often means that ANY license at all for it will be horrendously expensive, so that small shops are totally cut out. -Dave -- Dave Aronson Specialization is for insects. -Heinlein Work: http://www.davearonson.com/ Play: http

Re: [SC-L] Announcing LAMN: Legion Against Meaningless certificatioNs

2009-03-19 Thread SC-L Reader Dave Aronson
I mention PMPs, CISSPs, MCSEs, MDs, JDs, DDSes, and other assorted CAS -- that's Certified Alphabet Soup. -Dave -- Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII | Play: davearonson.net | \/ Ribbon Specialization is for insects

[SC-L] more relevant certifications

2009-03-20 Thread SC-L Reader Dave Aronson
Thanks, Dave -- Dave Aronson: Have Pun, Will Babble | Work: davearonson.com | /\ ASCII | Play: davearonson.net | \/ Ribbon Specialization is for insects.| Life: dare2xl.com | /\ Campaign -Robert A. Heinlein | Wife: nasjleti.net| EmailWeb

Re: [SC-L] Insecure Java Code Snippets

2009-05-08 Thread SC-L Reader Dave Aronson
or Y. Sometimes the security tradeoff is worth taking the hard way, but sometimes the choice is to the point of being at all practical or not. -Dave, making good progress on the job hunt, thanks in part to people here -- Dave Aronson, software engineer soon to be for hire. Looking for job

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread SC-L Reader Dave Aronson
years or so) -Dave -- Dave Aronson, software engineer or trainer for hire. Looking for job (or contract) in Washington DC area. See http://davearonson.com/ for resume & other info.

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-14 Thread SC-L Reader Dave Aronson
values of N, no. -Dave -- Dave Aronson, software engineer or trainer for hire. Looking for job (or contract) in Washington DC area. See http://davearonson.com/ for resume & other info.

Re: [SC-L] Genotypes and Phenotypes (Gunnar Peterson)

2009-10-17 Thread SC-L Reader Dave Aronson
fine under Linux (even without SE) or even Windows. -Dave -- Dave Aronson - Have Pun, Will Babble | Work: davearonson.com | /\ ASCII -+ Play: davearonson.net | \/ Ribbon Specialization is for insects. | Life: dare2xl.com | /\ Campaign -Robert A. Heinlein

[SC-L] new job!

2009-10-17 Thread SC-L Reader Dave Aronson
a week or two. I will no longer be in a position related to security, but will still participate here, and in the broader secure coding community, as time allows -- and keep trying to spread the gospel. ;-) Thanks for all your help, Dave -- Dave Aronson - Have Pun, Will Babble | Work