RE: [SC-L] Looking for good software security stats

2004-03-08 Thread Gary McGraw
You might want to check the techtarget site for XSS foo too. If you really want the chapter, avoid the registering nonsense and surf here: http://www.exploitingsoftware.com/ gem (they were supposed to have fixed that XSS thing...nudge nudge, wink wink, say no more)

[SC-L] Change of position

2004-04-01 Thread Gary McGraw
information about that from me soon. gem Gary McGraw, Ph.D. CTO, Cigital http://www.cigital.com This electronic message transmission contains information that may be confidential or privileged. The information contained

RE: [SC-L] Change of position

2004-04-01 Thread Gary McGraw
Oh @[EMAIL PROTECTED] :-) I fell for it, didn't I? Um, yes. Yes you did. As have many others behind the scenes. What fun! April fools. gem p.s. software security rules. [Ed. Yes, quite a few people responded to Gary's note before checking their calendars... (I've taken the liberty of

[SC-L] DHS report

2004-04-01 Thread Gary McGraw
, Mike Howard, Watts Humphreys, and Sam Redwine. A copy of our report can be found here: http://www.cigital.com/papers/download/secure_software_process.pdf Those of you who (unlike me) have not yet abandoned software security will enjoy this report. gem Gary McGraw, Ph.D. CTO, Cigital http

[SC-L] Interview

2004-06-15 Thread Gary McGraw
Hi all, This is one of my favorite interviews about software security and Exploiting Software that has been done to date. http://www.informit.com/articles/article.asp?p=174303 gem [Ed. Apologies for the duplicate/headerless posting, as I am trying to work out the moderating from a PDA while

RE: [SC-L] Determina claims 100% protection against all buffer overflows

2004-06-15 Thread Gary McGraw
The company was once called araksha. Their technology is good (think compiler optimization foo) but not a silver bullet. Many of the problems and issues with this approach can be found in a paper published a couple of years ago at usenix security. Google for it through the MIT profs name.

[SC-L] Best practices training

2004-07-02 Thread Gary McGraw
Hi all, Some of you may be interested in a Tutorial on software security best practices that I will be giving at Usenix security this year. More information can be found here: http://www.usenix.org/events/sec04/training/ See you in San Diego in August. gem

[SC-L] Risk Analysis: Building Security In #3

2004-07-02 Thread Gary McGraw
Hi all, The third article in my IEEE Security & Privacy magazine series called Building Security In is on Risk Analysis in Software Design. This article was co-authored by Denis Verdon of Fidelity National. As a service to the community, we're making advance copies available here:

Re: [SC-L] Education and security -- plus safety, reliability and availability

2004-07-08 Thread Gary McGraw
Les's C subset is good to consider. Also look into cyclone (cornell) and cquel. gem -Original Message- From: Jim & Mary Ronback [mailto:[EMAIL PROTECTED] Sent: Thu Jul 08 08:30:30 2004 To: Dana Epp Cc: [EMAIL PROTECTED] Subject: Re: [SC-L] Education and security --

RE: [SC-L] Exploiting Software: How to Break Code

2004-11-11 Thread Gary McGraw
Sixteen reviews of the book can be found here: http://www.exploitingsoftware.com/press/ Also other trade press coverage. gem

[SC-L] Two for one

2005-05-25 Thread Gary McGraw
Hi all, The seventh and eighth articles in my IEEE Security & Privacy magazine series called Building Security In are on Knowledge Management for software security and building a Software Security program. These were co-authored with Sean Barnum and Dan Taylor of Cigital. As a service to the

[SC-L] Academic conferences

2005-06-07 Thread Gary McGraw
send me email. Gary McGraw, Ph.D. CTO, Cigital

RE: [SC-L] Intel turning to hardware for rootkit detection

2005-12-14 Thread Gary McGraw
No, that's a copy of stackguard. The real problem with all of these approaches is that they don't fix the root problem. Finding and removing buffer overflow conditions with a static analysis tool is far superior. gem -Original Message- From: Michael S Hines [mailto:[EMAIL

Re: [SC-L] eWeek says Apple's Switch to Intel Could Allow OS XExploits

2006-01-27 Thread Gary McGraw
Hi all, We talk about different targets and payloads in Exploiting Software. Bottom line, my opinion is that it's not that much harder. So the switch should be a wash. gem -Original Message- From: der Mouse [mailto:[EMAIL PROTECTED] Sent: Fri Jan 27 15:29:59 2006 To:

[SC-L] Bugs and flaws

2006-01-30 Thread Gary McGraw
Hi all, If the WMF vulnerability teaches us anything, it teaches us that we need to pay more attention to flaws. We spend lots of time talking about bugs in software security (witness the perpetual flogging of the buffer overflow), but architectural problems are just as important and deserve

RE: [SC-L] Bugs and flaws

2006-02-02 Thread Gary McGraw
Hi all, When I introduced the bugs and flaws nomenclature into the literature, I did so in an article about the software security workshop I chaired in 2003 (see http://www.cigital.com/ssw/). This was ultimately written up in an On the Horizon paper published by IEEE Security & Privacy. Nancy

RE: [SC-L] Bugs and flaws

2006-02-02 Thread Gary McGraw
Hi Weld, You make a very good point. I think we have lots to learn from manufacturing. As a matter of practice, I usually use the terms that you suggested as modifiers and say: implementation bug design flaw software defect As long as there is a clear way to separate the two ends of the

RE: [SC-L] Bugs and flaws

2006-02-02 Thread Gary McGraw
I'm sorry, but it is just not possible to find design flaws by staring at code. gem -Original Message- From: Jeff Williams [mailto:[EMAIL PROTECTED] Sent: Thu Feb 02 20:32:29 2006 To: 'Secure Coding Mailing List' Subject:RE: [SC-L] Bugs and flaws At the risk of piling

RE: [SC-L] Bugs and flaws

2006-02-02 Thread Gary McGraw
. When they don't, you have to try to construct them. Doing them from code is very difficult at best. gem -Original Message- From: Jeff Williams [mailto:[EMAIL PROTECTED] Sent: Thu Feb 02 20:59:14 2006 To: Gary McGraw; 'Secure Coding Mailing List' Subject:RE: [SC-L] Bugs

RE: [SC-L] Bugs and flaws

2006-02-06 Thread Gary McGraw
Hi all, I'm afraid I don't concur with this definition. Here's a (rather vague) flaw example that may help clarify what I mean. Think about an error of omission where an API is exposed with no AA protection whatsoever. This API may have been designed not to have been exposed originally, but

RE: [SC-L] Bugs and flaws

2006-02-06 Thread Gary McGraw
-Original Message- From: Evans, Arian [mailto:[EMAIL PROTECTED] Sent: Fri Feb 03 18:29:29 2006 To: Crispin Cowan; Gary McGraw; Secure Coding Mailing List; Kenneth R. van Wyk Subject:RE: [SC-L] Bugs and flaws per WMF// Let's face it, this was legacy, possibly deprecated code

RE: [SC-L] it's not a bug, it's a feature!

2006-02-09 Thread Gary McGraw
Nope! gem -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Thu Feb 09 09:50:21 2006 To: sc-l@securecoding.org Subject:[SC-L] it's not a bug, it's a feature! Okay, if we are so keen to make distinctions, how about this one? In the recent WMF 0day, it

[SC-L] Podcast

2006-02-16 Thread Gary McGraw
Hi all, Now that there is no more techtv, the biggest media hit you can get seems to be podcasts. It just ain't the same. A podcast from RSA about the book by victor garza can be found here weblog.infoworld.com/zeroday 2 panels today at RSA. Come see em if you're here. gem Sent from my

[SC-L] BSI: SOA what?

2006-02-22 Thread Gary McGraw
Hi all, I'm sure by now everyone has heard at least one marketing person say SOA in some capacity. Such it is with buzzwords. Looks like we're still climbing the hype curve with this one too. The one great opportunity with SOA (or Service Oriented Architecture for those allergic to acronyms)

[SC-L] Software security hits the big time

2006-03-03 Thread Gary McGraw
Though I must admit that I was most disappointed with my diminutive SANS review (by a person who admits to never having even seen the new book), my life has been salvaged by my local paper. Turns out if you read closely, that software security has become a lifestyle. Does that involve

[SC-L] Interview on informIT

2006-03-06 Thread Gary McGraw
Hi all, Here's some more coverage of the book. I hope you find this interview as interesting to read as I did working on it (last week). Please pass it on! http://www.informit.com/guides/content.asp?g=security&seqNum=181&rl=1 gem

RE: [SC-L] Question about the terms encypt and secure

2006-03-06 Thread Gary McGraw
This is a very good question and is worth a careful answer. For most off the shelf users and press people, securing and encrypting traffic do amount to the same thing when it comes to wireless networks. In this case, the encryption they turn on is hopefully WPA and not WEP. Early versions of

RE: [SC-L] ZDNET: LAMP lights the way in open-source security

2006-03-07 Thread Gary McGraw
Hmm. Time to no longer use flawfinder, RATS, and ITS4. Throw them out and get a real tool. I cover this in gory detail in chapter 5 of Software Security. There's a pretty nice treatment of the history of these tools and the evolution of technology there. gem www.swsec.com

[SC-L] CNN podcast

2006-03-31 Thread Gary McGraw
Software security in the press... http://www.cnn.com/services/podcasting/ gem www.swsec.com Sent from my treo.

[SC-L] YAI (yet another interview)

2006-04-08 Thread Gary McGraw
Hi all, I finally listened to today's podcast with Jon Udell (infoworld...once Byte). It's far ranging and intellectually interesting...starting with cognitive science and Letter Spirit (which I worked on with Doug Hofstadter), ranging through type safety, proof carrying code, and

[SC-L] IEEE SP: malware

2006-04-18 Thread Gary McGraw
Hi all, Maybe some of you will be interested in participating in this... gem Special issue of IEEE Security & Privacy magazine Botnets, spyware, rootkits and assorted malware, September/October 2006 Deadline for

[SC-L] New security website: darkreading

2006-05-01 Thread Gary McGraw
Hi all, Some of you may have read some of the monthly [in]security columns I wrote for IT Architect over the last couple of years (a collection lives here http://www.cigital.com/resources/gem/). CMP killed IT Architect (taking out the [in]security column with it) in March. Fortunately, they

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-04 Thread Gary McGraw
I'm psyched about this thread. Rock on guys. For those of you who may need some basics, you might want to read Securing Java (a book I wrote with Ed Felten in 1999...the first edition in 1996 was called Java Security). The book is available completely for free in searchable format at

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-08 Thread Gary McGraw
That's essentially correct kevin. The idea was to be able to run not remote, but untrusted code. Note that modern readers will understand that local code can be untrusted. There is a good picture of this in securing java. gem -Original Message- From: Wall, Kevin [mailto:[EMAIL

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-09 Thread Gary McGraw
The switch from applets vs applications security to trusted code vs untrusted code happened with the introduction of jdk 1.1 (way back when). Ed and I followed the sun marketing lead in 96 when it came to applets vs applications, but we cleared this up later in Securing Java

[SC-L] Tech target interview

2006-05-09 Thread Gary McGraw
Hi all, Today's interview speaks to software security touchpoints: http://searchappsecurity.techtarget.com/qna/0,289202,sid92_gci1187360,00.html gem www.cigital.com/~gem www.swsec.com Sent from my treo.

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-13 Thread Gary McGraw
disabled there are multiple ways you can jump out of the Security Manager Sandbox. Here is a quote from 1997's Java Security (Gary McGraw and Edward W. Felten) book, page 75, Chapter Three 'Serious Holes in the Security Model I'm a bit sceptical of this, I know Sun's track record on fixing

[SC-L] New podcast (sneak preview)

2006-05-15 Thread Gary McGraw
Hi all, Tomorrow, we'll announce the existence of the Silver Bullet Security Podcast with Gary McGraw. Woo hoo. The first interview is with Avi Rubin. This activity is sponsored by IEEE SP Magazine...who by now all sc-l readers should know well! See www.cigital.com/silverbullet Hope

[SC-L] Ajax one panel

2006-05-19 Thread Gary McGraw
Ok...it was java one. But it seemed like ajax one on the show floor. I participated in a panel yesterday with superstar bill joy. I had a chance to talk to bill for a while after the gig and asked him why java did not have closure. Bill said he was on a committee of five, and got

Re: [SC-L] Ajax one panel

2006-05-22 Thread Gary McGraw
the fact that javascript may (or may not) have closure fails in comparison to the fact that it is not type safe. Ajax is a disaster from a security perspective. gem -Original Message- From: Johan Peeters [mailto:[EMAIL PROTECTED] Sent: Sat May 20 15:44:46 2006 To: Gary McGraw Cc

Re: [SC-L] Ajax one panel

2006-05-22 Thread Gary McGraw
Steven Cc: Gary McGraw; Mailing List, Secure Coding; SSG Subject:Re: [SC-L] Ajax one panel We may be at cross purposes. I understand your concern about luring attacks, John. I am sure you are right and they are feasible, but I interpreted Gary's comment as meaning 'closures can be used

[SC-L] SD Times

2006-06-06 Thread Gary McGraw
Hi all, I wrote an article for the SD Times about the state of the practice in software security. It was published Friday, just in time for the Software Security Summit East in Baltimore that starts tomorrow. You might ponder where your organization fits in the maturity levels mentioned at the

RE: [SC-L] Comparing Scanning Tools

2006-06-08 Thread Gary McGraw
Hi All, Just a quick reminder that there is a chapter on code scanning technology and its application in Software Security (www.swsec.com). Don't forget that these tools are best used as aids to make a smart human more efficient. They do not replace the human, nor are they of much use among

[SC-L] Silver Bullet: Dan Geer

2006-06-12 Thread Gary McGraw
Hi all, The second edition of the Silver Bullet Security Podcast with Gary McGraw (hey, that's me) went up just a few seconds ago: http://www.cigital.com/silverbullet/ The first show (with Avi Rubin) proved to be pretty popular. Hope you all like this one too! Feedback welcome through

[SC-L] SD West Call for proposals

2006-07-05 Thread Gary McGraw
Hi all, Last year we rebooted the SD West security track and built a world class software security track. The CFP for next year just came out. Please consider sending in a proposal! This is a large, important conference for developers. Full disclosure: I am on the Advisory Board (an unpaid

[SC-L] Sd west

2006-07-06 Thread Gary McGraw
As about 10 of you pointed out to me privately, the url I broadcast today included identity information of mine. It wasn't supposed to, but it did. Should have done some testing in my haste! Anyway, that url is dead now. Here is a generic url for submissions to sd west. I do encourage you

[SC-L] Darkreading: on developer optimism

2006-07-07 Thread Gary McGraw
Hi all, My latest darkreading column (up just 5 minutes ago) is entitled If You Build It, They'll Crash It. http://www.darkreading.com/document.asp?doc_id=98702&WT.svl=column1_1 It's about what we all need to do to get developers and builder types to think about bad people. I'm trying to

[SC-L] darkreading covers software security

2006-07-08 Thread Gary McGraw
Well, kinda... http://www.darkreading.com/document.asp?doc_id=98338 Time for you to hop on over there and post some noise! I plan to. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com

[SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Gary McGraw
Hi all, Is penetration testing good or bad? http://ddj.com/dept/security/18951 gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com

RE: [SC-L] ddj: beyond the badnessometer

2006-07-13 Thread Gary McGraw
Excellent post nash. Thanks! I agree with you for the most part. You have a view of pen testing that is quite sophisticated (especially compared to the usual drivel). I agree with you so much that I included pen testing as the third most important touchpoint in my new book Software Security

Re: [SC-L] Bumper sticker definition of secure software

2006-07-17 Thread Gary McGraw
I wrote a book with viega a few years ago called building secure software...it was not about that company (at all). Software security: building security in. gem P.s. I actually like ivan's quip as reported by crispy. -Original Message- From: Dave Aronson [mailto:[EMAIL PROTECTED]

[SC-L] silver bullet: mjr

2006-07-17 Thread Gary McGraw
Hi all, The silver bullet episode featuring Marcus Ranum went live recently: http://www.cigital.com/silverbullet/ In the interview, we discuss software security progress briefly. BTW, I did an interview with the mysterious Dana Epp (silverstr) last week that is in the production pipeline.

Re: [SC-L] bumper sticker slogan for secure software

2006-07-20 Thread Gary McGraw
I'm afraid that's not true. John Knight has a famous paper that shows that design/requirements bugs persist in n-version programming paradigms. I'll let the interested people google that one up for themselves. gem company www.cigital.com. podcast www.cigital.com/silverbullet book

[SC-L] Silver bullet

2006-07-31 Thread Gary McGraw
Hi all, International man of mystery Dana Epp is my guest in the episode of silver bullet that went up seconds ago: http://www.cigital.com/silverbullet/show-004/ Dana is a long time software security guy and has a great blog to boot. Check it out (and feel free to post some comments on the

Re: [SC-L] A New Open Source Approach to Weakness

2006-08-09 Thread Gary McGraw
Also note that there is a chapter in software security about the pernicious kingdoms...www.swsec.com. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -Original Message- From: Gergely Buday [mailto:[EMAIL PROTECTED] Sent: Wed Aug 09 10:53:52 2006

[SC-L] Cheating Online Games and why Google is Evil

2006-08-14 Thread Gary McGraw
Hi all, Just back from vacation and digging out from the pile. Ironic that a vacation seems to be a necessity to catch up from vacation! A couple of things popped while I was flying around (sans toothpaste there at the end). At Blackhat a couple of weeks ago, Greg Hoglund gave a talk called

[SC-L] Silver Bullet #5: Ed Felten

2006-08-28 Thread Gary McGraw
Hi all, The latest Silver Bullet Security Podcast features an interview I did with Ed Felten. It just went up today. You can download the podcast and subscribe to the RSS feed here: www.cigital.com/silverbullet In addition, IEEE Security & Privacy magazine has prepared a partial transcript of

Re: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.?

2006-08-31 Thread Gary McGraw
as an industry we did manage to get rid of computed gotos, spaghetti code, etc., so maybe there's hope. ever heard of exceptions? They're basically goto plus limited state. Spaghetti lives! gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com

Re: [SC-L] How can we stop the spreading insecure codingexamplesattraining classes, etc.?

2006-08-31 Thread Gary McGraw
SYNTAX ERROR ON LINE 0: I take exception (haha!) at having them dismissed like this. It sounds like KEYWORD (haha!) ILLEGALLY NEGATED PLEASE RESUBMIT ARTICLE gem

[SC-L] (free) Software Security seminar next week in silicon valley

2006-08-31 Thread Gary McGraw
Hi all, I'm going to be giving a free seminar about software security along with Greg Rose from Qualcomm in Menlo Park on Thursday. More about the seminar here: http://www.cigital.com/news/cigital_seminar.pdf If you are in the area and you would like to attend, please drop me a quick note. gem

[SC-L] Silver Bullet: Ranum revisited

2006-09-07 Thread Gary McGraw
Hi all, The silver bullet security podcast episode with Marcus Ranum has been transcribed for publication in the Nov/Dec issue of IEEE SP magazine. You can find the pdf here: http://www.cigital.com/silverbullet/shows/silverbullet-003-mranum.pdf To subscribe to the magazine (without even joining

[SC-L] Darkreading: epassport and evoting

2006-09-07 Thread Gary McGraw
Hi all, The latest installment of my column on darkreading went up today. This one is titled Keep Your Laws off my Security. It's about what happens when people in power pay little or no attention to warnings by security engineers.

[SC-L] What happens when security engineering gets ignored

2006-09-09 Thread Gary McGraw
Hi all, My latest column on darkreading shows what can happen when security engineers and technologists are ignored in the rush to embrace hot new technology. Many of us have warned over and over about RFID security and eVoting security, but with very little impact on government behavior. See

[SC-L] Security testing

2006-09-12 Thread Gary McGraw
Hi all, In this podcast interview (the first from sticky minds) I discuss the important differences between security testing and standard functional testing...among other things. Lots of software security stuff in here: http://www.stickyminds.com/Resources/Podcasts.asp gem company

[SC-L] Silver Bullet 6: Michael Howard

2006-09-28 Thread Gary McGraw
Hi all, You'll probably like this one. The latest installment of the Silver Bullet Security Podcast is an interview with Michael Howard. Do we talk about software security? Well, whatddaya think?! http://www.cigital.com/silverbullet/ The Silver Bullet Security Podcast with Gary McGraw is co

[SC-L] darkreading: voting machines

2006-10-09 Thread Gary McGraw
Hi all, I'm sure that many of you saw the Ed Felten and friends break Diebold machines story a couple of weeks ago...maybe in DDJ or on /.. I wrote a piece about the crack for darkreading, which you can find here: http://www.darkreading.com/document.asp?doc_id=105188&WT.svl=column1_1 The most

Re: [SC-L] Google code search: good or bad?

2006-10-11 Thread Gary McGraw
is interesting as well. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -Original Message- From: mikeiscool [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 11, 2006 4:50 PM To: Gary McGraw Cc: SC-L@securecoding.org; Neil Daswani Subject: Re: [SC-L] Google

Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread Gary McGraw
We're working on it! The problem is not simply a book. gem -Original Message- From: Gadi Evron [mailto:[EMAIL PROTECTED] Sent: Wed Oct 11 20:58:12 2006 To: Kenneth Van Wyk Cc: Secure Coding Subject:[SC-L] re-writing college books [was: Re: A banner year for

Re: [SC-L] Secure programming is NOT just good programming

2006-10-12 Thread Gary McGraw
I suppose now is as good a time as any to say that everything david is talking about here is described in great detail in the HOW TO book that I released last february. If you're reading this list, you really should read that book. It's called software security. Ken and I have trained

Re: [SC-L] Why Shouldn't I use C++?

2006-11-01 Thread Gary McGraw
The biggest problem with C++ is that, like C, it is not type safe. The memory model is a disastrous sea of bits. Plus it is an arcane, hard to understand language prone to misunderstandings. If you can at all avoid C++, do so. Use Java, C#, or some other type safe alternative. gem

[SC-L] On exploits, hubris, and software security

2006-11-03 Thread Gary McGraw
Hi all, We all know that there is nothing more powerful for causing software security change than a flashy exploit demonstration. Once again, this has come to the fore in the actions of an IU student who took a well known boarding pass vulnerability and wrote a script to make it real. Just after

Re: [SC-L] p-code was created for PLATFORM PORTABILITY

2006-11-14 Thread Gary McGraw
I am all for the mistake of type safety and reference monitors. All we need to do is build a real machine that runs byte code and/or clr instead of interpreting it. I agree that jit'ing is a kludge... I await the scheme-os which bill joy and I figure may emerge from africa sometime in the

[SC-L] Silverbullet: Bruce Schneier

2006-12-14 Thread Gary McGraw
Hi all, The 9th silver bullet podcast episode went up last night. This time my victim, er I mean my guest, is Bruce Schneier. I think you'll all agree that Bruce is our most visible spokesmodel when it comes to security, and thankfully he understands the importance of software security. We

Re: [SC-L] Compilers

2006-12-21 Thread Gary McGraw
Integration of some of the static techniques found in tools like fortify into compilers does make sense. However, not all of the kinds of things should be put in the compiler (how many coders do you know that use the -Wall??!). So one use case for some of the knowledge would be compiler

[SC-L] FW: Good Magazines and Books

2007-01-31 Thread Gary McGraw
Let's try that again... -Original Message- From: Gary McGraw Sent: Wed Jan 31 07:22:57 2007 To: 'SC-L Subscriber Dave Aronson' Subject: Re: [SC-L] Good Magazines and Books I believe the number one magazine is: IEEE security & privacy - especially the BSI series

[SC-L] Annotated Bibliography from Software Security (take 2)

2007-02-02 Thread Gary McGraw
Ken rejected my first attempt at pass by value, so here's pass by reference instead! See the email below for an explanation. http://www.swsec.com/book/annotated-biblio-from-SS.pdf -Original Message- From: Gary McGraw Sent: Friday, February 02, 2007 12:56 AM Hi all, I got to thinking

Re: [SC-L] Meeting at RSA next week?

2007-02-02 Thread Gary McGraw
I'll be there. I have two panels. Come to the ieee sp reception after the rootkits panel. gem company www.cigital.com podcast www.cigital.com/silverbullet book www.swsec.com -Original Message- From: KT [mailto:[EMAIL PROTECTED] Sent: Fri Feb 02 20:04:40 2007 To: Secure

[SC-L] Silver Bullet 11: Dorothy Denning

2007-02-15 Thread Gary McGraw
Hi sc-lers, We've all been involved in the controversies surrounding disclosure, whether talking to malicious hackers is a good or bad idea, and whether security technology can be evil. One of the first people to ponder these things was Dorothy Denning. I'm pleased to have interviewed Dorothy

Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web)Fuzz - Security News Analysis

2007-02-27 Thread Gary McGraw
Just for the record, the testing literature (non-security) supports ken's point of view. Possibly the most amusing thing about all of this discussion about black box versus white box is that this is only one of many many divisions in testing. Others include partition testing, fault injection,

[SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-02-27 Thread Gary McGraw
Hi all, The neverending debate over disclosure continued at RSA this year with a panel featuring Chris Wysopal and others rehashing old ground. There are points on both sides, with radicals on one side (say marcus ranum) calling the disclosure people vulnerability pimps and radicals on the other

[SC-L] new blog: Justice League

2007-03-01 Thread Gary McGraw
Hi sc-lers, Last week we started a blog at Cigital called Justice League that will be populated by regular postings from Cigital Principals (John Steven, Craig Miller, Sammy Migues, Scott Matsumoto, and Pravir Chandra) http://www.cigital.com/justiceleague/ Our blog is positioned as an eclectic

[SC-L] Darkreading: compliance

2007-03-12 Thread Gary McGraw
hi sc-l, this month's darkreading column is about compliance. my own belief is that compliance has really helped move software security forward. in particular, sox and pci have been a boon: http://www.darkreading.com/document.asp?doc_id=119163 what do you think? have compliance efforts you

Re: [SC-L] Darkreading: compliance

2007-03-12 Thread Gary McGraw
Maybe it depends on the vertical? What vertical(s) did you find it a distraction in? gem -Original Message- From: Michael Silk [mailto:[EMAIL PROTECTED] Sent: Mon Mar 12 17:34:56 2007 To: Gary McGraw Cc: SC-L@securecoding.org Subject:Re: [SC-L] Darkreading

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-13 Thread Gary McGraw
In my opinion, though fuzz testing is certainly a useful technique (we've used it in hardware verification for years), any certification based solely on fuzz testing for security would be ludicrous. Fuzz testing is not a silver bullet. The biggest stumbling block for software certification is

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-13 Thread Gary McGraw
Hi crispy, I'm not sure vista is bombing because of good quality. That certainly would be ironic. Word on the way down in the guts street is that vista is too many things cobbled together into one big kinda functioning mess. My bet is that Vista SP2 will be a completely different beast.

Re: [SC-L] Darkreading: compliance

2007-03-13 Thread Gary McGraw
Once again i'll ask. Which vertical is the kind of company where you're seeing this awful behavior in? BTW, sammy migues agrees with you in a thread we're having on the justice league blog www.cigital.com/justiceleague (look under SOX). gem company www.cigital.com podcast

Re: [SC-L] Information Protection Policies

2007-03-13 Thread Gary McGraw
There is a text box in Software Security about this with some language I copied (with permission) from jack danahy of ounce labs. www.swsec.com gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com -Original Message-

[SC-L] Silver Bullet: Becky Bace

2007-03-14 Thread Gary McGraw
Hi all, The 12th episode of the Silver Bullet Security Podcast went live last night. This episode features an interview with Becky Bace, one of the earliest security gurus and a very interesting woman. http://www.cigital.com/silverbullet/show-012/ As usual, my thanks to IEEE Security & Privacy

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-19 Thread Gary McGraw
[mailto:[EMAIL PROTECTED] Sent: Mon Mar 19 16:00:48 2007 To: Gary McGraw Cc: Ed Reed; sc-l@securecoding.org Subject:Re: [SC-L] Economics of Software Vulnerabilities Gary McGraw wrote: I'm not sure vista is bombing because of good quality. That certainly would be ironic

Re: [SC-L] Darkreading: compliance

2007-04-04 Thread Gary McGraw
Hi all, Another big momentum machine for software security (and data security) is PCI compliance. There is a challenge, though, and that is figuring out where the credit card data that you want to protect are. We've found in our practice at cigital that the data are literally scattered all

Re: [SC-L] Foundations of Security: What Every Programmer Needs to Know

2007-04-04 Thread Gary McGraw
It was written by a PhD from stanford who worked with dan boneh. He now works for google. The book has lots of hands on examples which makes it powerful. I think it's worth buying and reading. I have a copy on my desk now. gem company www.cigital.com podcast www.cigital.com/silverbullet

[SC-L] Silver Bullet: Ross Anderson

2007-04-14 Thread Gary McGraw
Hi all, A faithful reader of sc-l (and a long time silver bullet listener) suggested that I interview Ross Anderson for an episode. By popular demand, here's Ross: http://www.cigital.com/silverbullet/show-013/ This episode will appear in an upcoming issue of IEEE Security & Privacy magazine.

[SC-L] How big is the market?

2007-04-20 Thread Gary McGraw
Hi sc-lers, At s3con this week I gave a keynote about the state of the practice in software security. Some of what I said is captured in my darkreading column this month: http://www.darkreading.com/document.asp?doc_id=122253&WT.svl=column1_1 There are a couple of things worth noting. First of

Re: [SC-L] Silver Bullet: Ross Anderson

2007-04-24 Thread Gary McGraw
www.cigital.com/justiceleague book www.swsec.com -Original Message- From: McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED] Sent: Monday, April 23, 2007 12:25 PM To: Gary McGraw; Mailing List, Secure Coding Cc: Clark-Fisher, Kathy; Anderson,Ross Subject: RE: [SC-L] Silver Bullet: Ross

Re: [SC-L] How big is the market?

2007-04-24 Thread Gary McGraw
, April 23, 2007 12:30 PM To: Gary McGraw Cc: SC-L@securecoding.org Subject: RE: [SC-L] How big is the market? One thing that I can say is that vendors sometimes are doing themselves a disservice in terms of getting software security to grow even faster. Currently anything that has the word security

[SC-L] Darkreading: Secure Coding Certification

2007-05-12 Thread Gary McGraw
Hi all, As readers of the list know, SANS recently announced a certification scheme for secure programming. Many vendors and consultants jumped on the bandwagon. I'm not so sure the bandwagon is going anywhere. I explain why in my latest darkreading column:

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-15 Thread Gary McGraw
, Gary McGraw [EMAIL PROTECTED] wrote: Hi all, As readers of the list know, SANS recently announced a certification scheme for secure programming. Many vendors and consultants jumped on the bandwagon. I'm not so sure the bandwagon is going anywhere. I explain why in my latest darkreading

[SC-L] FW: Darkreading: Secure Coding Certification

2007-05-15 Thread Gary McGraw
I meant to send this to the list. -Original Message- From: Gary McGraw Sent: Tuesday, May 15, 2007 9:09 AM To: 'ljknews' Subject: RE: [SC-L] Darkreading: Secure Coding Certification Oops. Sorry about that. I just checked the URL for the darkreading article again. Looks the same to me

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-16 Thread Gary McGraw
Hi all, I like this idea. There is plenty of non-code material to master in our field. I think a bunch of it is covered in detail in Software Security...but I am biased. I would like to see coverage of common attack patterns, coverage of risk analysis basics, and coverage of both positive

[SC-L] JSON of Ajax -or- Little Web 2.0 bugs versus big Web 2.0 flaws: darkreading

2007-06-07 Thread Gary McGraw
Hi sc-l, This month's installment of my darkreading.com column focuses some much needed attention on the bug/flaw distinction that I think we need to pay more attention to. In particular, many of you will recall the discussion of Javascript hijacking that Brian Chess posted to this list in
