Re: [SC-L] How do we improve s/w developer awareness?

2004-11-12 Thread Gunnar Peterson
. Information like how many lines of code, what languages, what libraries, process used, security testing done, mechanisms included, and other information can and should be disclosed. --Jeff - Original Message - From: Gunnar Peterson [EMAIL PROTECTED] To: Yousef Syed [EMAIL PROTECTED] Cc

Re: [SC-L] Secured Coding

2004-11-13 Thread Gunnar Peterson
so the question then is how do we security professionals catch up to where the Anasazi were 700 years ago: http://riskman.typepad.com/perilocity/2004/08/cliff_forts_vs_.html -gp Quoting Greenarrow 1 [EMAIL PROTECTED]: As quoted in a recent email from the article, A Patch is a Patch,

[SC-L] Design for failure

2004-12-15 Thread Gunnar Peterson
Gee, no my OS is better than yours? What are mailing lists for then? [Ed. Nope, sorry. While our volume is low, I like to think that our signal:noise ratio is high. Let's keep it that way. Besides, Debian rocks! :-) KRvW] If people on this list have not read it yet, the conversation with

[SC-L] SOS: Service Oriented Security

2005-04-06 Thread Gunnar Peterson
I have blogged at a high level about some work I am doing on security aspects in SOA and Web Services. Service Oriented Security (SOS) architecture defines a set of architectural views, their key constituents, constraints, and relationships. As the SOA space continues to evolve our software

[SC-L] Doing something about software security

2005-04-19 Thread Gunnar Peterson
I was thinking about something that Dave Winer said on the Gillmor Gang about how the software industry moves forward when small groups (like 1 or 2) of developers get motivated to solve a problem. I was wondering how this applies to software security, since it seems like a perfect description for

RE: [SC-L] Doing something about software security

2005-04-19 Thread Gunnar Peterson
Quoting [EMAIL PROTECTED] [EMAIL PROTECTED]: You seem to be leaving out one of the largest open efforts at security. ISECOM at http://www.isecom.org covers security testing, secure coding, incident response and other security related topics. -Original Message- From: Gunnar Peterson Date

Re: [SC-L] re: Why Software Will Continue to Be Vulnerable

2005-05-02 Thread Gunnar Peterson
It appears that the user-obvious malware would need to reach the anterior insula to make a difference in computer security. From Business Week -- Why does logic often take a backseat in making decisions?: The National Hockey League and its players wrangle over a salary cap. The impasse causes

RE: [SC-L] Credentials for Application use

2005-05-11 Thread Gunnar Peterson
Keith Brown has a good discussion of at least one of the design choices, namely delegation vs. impersonation: http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsDelegation.html http://pluralsight.com/wiki/default.aspx/Keith.GuideBook/WhatIsImpersonation.html -gp Quoting Gizmo

Re: [SC-L] Information Security Considerations for Use Case Modeling

2005-06-27 Thread Gunnar Peterson
to also extend user stories to abuser stories (http:// www.johanpeeters.com/papers/abuser stories.pdf). kr, Yo Gunnar Peterson wrote: I have published a new paper on integrating security into Use Case Modeling: http://www.arctecgroup.net/secusecase.htm -gp -- Johan Peeters http

Re: [SC-L] Fwd from CIO Update: Why is application security so elusive?

2005-09-18 Thread Gunnar Peterson
CIO Asia has a column on A Few Good Metrics http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=2560&pubid=5&issueid=63 The article talks about using metrics to quantify risks and control effectiveness. There's no denying that proven economic principles can—and should—be applied to

[SC-L] Build Security In

2005-10-09 Thread Gunnar Peterson
The DHS/SEI portal Build Security In is now live, there is a ton of resources and artifacts for developers to use to write more secure code: https://buildsecurityin.us-cert.gov/portal/ The ones I worked on are here Identity in Assembly and Integration

Re: [SC-L] Announcement: The Web Application Firewall Evaluation Criteria v1

2005-10-11 Thread Gunnar Peterson
That page is a link to the doc types:
html: http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.html
txt: http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.txt
pdf: http://www.webappsec.org/projects/waf_evaluation/v1/wafec-draft-1-20051007.pdf
-gp

Re: [SC-L] Bugs and flaws

2006-02-01 Thread Gunnar Peterson
Hi John, Which of the following more aptly characterizes the problem?: IMPL. BUG: Insufficient security-constraint existed on the admin Servlet in the app's deployment descriptor. ARCH. FLAW: No façade component gated privileged functionality -alternatively- ARCH. FLAW: Privileged
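An added illustration of the bug-versus-flaw distinction in the message above (example code written for this archive page, not from the thread or from any project). A small Python dispatcher stands in for the servlet container: the first style lists a constraint per privileged path, the way a deployment descriptor does, and one entry is deliberately left out; the second routes every privileged operation through one facade that checks the role before any handler runs. The paths, handler names and the "admin" role are made up for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP request."""
    path: str
    roles: Set[str] = field(default_factory=set)


Handler = Callable[[Request], str]


# Hypothetical privileged operations; names are invented for this example.
def list_users(req: Request) -> str:
    return "user list"


def reindex(req: Request) -> str:
    return "reindex started"


PRIVILEGED_HANDLERS: Dict[str, Handler] = {
    "/admin/users": list_users,
    "/admin/reindex": reindex,
}

# --- Style 1: one constraint per path, like <security-constraint> entries ---
# Every privileged path has to be remembered here separately.  The entry for
# /admin/reindex is deliberately missing: that omission is the implementation
# bug; having to remember it at all is the architectural flaw.
PER_ENDPOINT_CONSTRAINTS: Dict[str, Set[str]] = {
    "/admin/users": {"admin"},
}


def dispatch_per_endpoint(req: Request) -> str:
    """Gate a path only if someone added a constraint for it (fails open)."""
    required = PER_ENDPOINT_CONSTRAINTS.get(req.path)
    if required is not None and not (required & req.roles):
        return "403 Forbidden"
    return PRIVILEGED_HANDLERS[req.path](req)


# --- Style 2: a facade that gates privileged functionality by construction ---
class AdminFacade:
    """Single choke point: nothing registered here runs without the role."""

    def __init__(self, required_role: str = "admin") -> None:
        self._required_role = required_role
        self._ops: Dict[str, Handler] = {}

    def register(self, path: str, handler: Handler) -> None:
        self._ops[path] = handler

    def dispatch(self, req: Request) -> str:
        # The check happens once, before any lookup, so a newly registered
        # operation cannot be reachable without it.
        if self._required_role not in req.roles:
            return "403 Forbidden"
        handler = self._ops.get(req.path)
        if handler is None:
            return "404 Not Found"
        return handler(req)


def build_facade() -> AdminFacade:
    facade = AdminFacade()
    for path, handler in PRIVILEGED_HANDLERS.items():
        facade.register(path, handler)
    return facade


def compare(path: str, roles: Set[str]) -> Dict[str, str]:
    """Run the same request through both styles and return both outcomes."""
    req = Request(path, roles)
    return {
        "per_endpoint": dispatch_per_endpoint(req),
        "facade": build_facade().dispatch(req),
    }


if __name__ == "__main__":
    for path in PRIVILEGED_HANDLERS:
        print(path, "anonymous ->", compare(path, set()))
        print(path, "admin     ->", compare(path, {"admin"}))
```

The anonymous request to /admin/reindex is the interesting case: style 1 serves it because the lookup returns nothing and the code falls through, while the facade refuses it. The cheap fix to style 1 is to fail closed (treat a missing constraint as deny), which turns a forgotten entry into a visible outage instead of an exposure; the facade removes the per-path bookkeeping altogether.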

Re: [SC-L] BSI: SOA what?

2006-02-23 Thread Gunnar Peterson
Good stuff, you (and your co-authors) are right: SOA and Web Services are properly viewed as opportunities for security improvements, not security nightmares. Also, I have a paper here (http://www.arctecgroup.net/ISB1009GP.pdf) on Service Oriented Security (SOS) Architecture -gp Quoting Gary

Re: [SC-L] eWeek: AJAX Poses Security, Performance Risks

2006-03-01 Thread Gunnar Peterson
a lot of this gets back to a framework versus roll your own debate http://1raindrop.typepad.com/1_raindrop/2005/05/wsmex_v_httpget.html http://www.identityblog.com/2005/04/30.html#a210 also, for some good context security in ajax, rest, et al. as well as examples of how amazon and google

Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-29 Thread Gunnar Peterson
This comes back to that great concept called 'Faith-based' Security (see Gunnar Peterson's post http://1raindrop.typepad.com/1_raindrop/2005/11/net_and_java_fa.html ), which is when people are told so many times that something is secure, that they believe that it MUST be secure. Some

Re: [SC-L] Secure Application Protocol Design

2006-06-06 Thread Gunnar Peterson
There is a well understood best practice in software development that developers should not attempt to write their own cryptographic algorithms because of the complexity, lack of peer review, and value of that which the cryptographic functions are protecting. Developers, in contrast, routinely

Re: [SC-L] Comparing Scanning Tools

2006-06-08 Thread Gunnar Peterson
Hi James, I think you are right to look at it as economic issue, but the other factor to add into your model is not just the short term impact to developer productivity (which is non-trivial), but also the long term effects of making decisions *not* to deal with finding bugs. Cleaning up data

Re: [SC-L] Comparing Scanning Tools

2006-06-08 Thread Gunnar Peterson
in the lifecycle rather than later in which X could be pretty much any system quality. -Original Message- From: Gunnar Peterson [mailto:[EMAIL PROTECTED] Sent: Thursday, June 08, 2006 9:28 AM To: McGovern, James F (HTSC, IT) Cc: Secure Mailing List Subject: Re: [SC-L] Comparing

Re: [SC-L] Bumper sticker definition of secure software

2006-07-16 Thread Gunnar Peterson
Secure software you're (not) soaking in it. On 7/16/06 8:32 AM, mikeiscool [EMAIL PROTECTED] wrote: On 7/16/06, ljknews [EMAIL PROTECTED] wrote: At 3:27 PM -0400 7/15/06, Goertzel Karen wrote:

Re: [SC-L] Retrying exceptions - was 'Coding with errors in mind'

2006-09-05 Thread Gunnar Peterson
I can't say enough good things about this interview: Conversation with Bruce Lindsay Design For Failure http://www.acmqueue.org/modules.php?name=Content&pa=showpage&pid=233 snip BL: There are two classes of detection. One is that I looked at my own guts and they didn't look right, and so I say

Re: [SC-L] Google code search games

2006-10-08 Thread Gunnar Peterson
DTDs http://www.google.com/codesearch?hl=en&lr=&q=file%3Adtd&btnG=Search -gp On 10/6/06 2:14 AM, Robert C. Seacord [EMAIL PROTECTED] wrote: Gadi, Here are some searches from Derek Jones: The new Google source code search page has opened up some interesting research possibilities. How

Re: [SC-L] re-writing college books - erm.. ahm...

2006-10-30 Thread Gunnar Peterson
Seeking perfect correctness as an approach to security is a fool's errand. Security is designing systems that can tolerate imperfect software. Exactly. On Curb Your Enthusiasm this happened recently. Larry David was frantically looking for a DVD case, but could not find it. LD: I don't know

Re: [SC-L] Compilers

2006-12-21 Thread Gunnar Peterson
Sure it should be built into the language, and I assume it will be eventually. Heck it only took 30 or 40 years for people to force developers to use Try...Catch blocks. -gp On 12/21/06 9:30 AM, McGovern, James F (HTSC, IT) [EMAIL PROTECTED] wrote: I have been noodling the problem space of

Re: [SC-L] The seven sins of programmers | Free Software Magazine

2007-02-23 Thread Gunnar Peterson
Along these same lines, I submit "the Four Coders of the Apocalypse" by Dave Thomas and Andy Hunt. One of the major areas we need to work is adoption. Programmers are not all created equal, this presentation shows four types of programmers, and describes what drives them and ideas on dealing with

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Gunnar Peterson
actually just the former. Robert Garigue characterized firewalls, NIDS, et al. as good network hygiene. The equivalent of a dentist telling you to brush your teeth. An infosec pro needs much more depth than that. The model is Charlemagne

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Gunnar Peterson
as professionals. Professionals in this definition being people who are certified and expected to operate within specified standards of quality and behavior much like CISSP, CPA, MD, etc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gunnar Peterson Sent

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread Gunnar Peterson
JD Meier had a good post recently on influencing without authority, which is the position security finds itself in: 1. assume all potential allies 2. clarify goals and priorities 3. diagnose the allies world 4. identify relevant currencies 5. deal with relationships 6. influence through give and

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-23 Thread Gunnar Peterson
Just because people can look at a project in detail, doesn't mean they will. More to the point, just because people can, doesn't mean code auditing gurus will look at it. And sometimes, when they do look they get booted out of the project http://www.heise-security.co.uk/news/82500 -gp

[SC-L] MetriCon 2.0 CFP

2007-04-24 Thread Gunnar Peterson
Dan Geer, Geer Risk Services Andrew Jaquith, Yankee Group Elizabeth Nichols, ClearPoint Metrics, Co-Chair Gunnar Peterson, Arctec Group, Co-Chair Russell Cameron Thomas, Meritology ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List

Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Gunnar Peterson
it will get by without fud. -gp On 4/24/07 7:32 PM, Gary McGraw [EMAIL PROTECTED] wrote: Plus, check out Andrew Jaquith's excellent book: -Original Message- From: Gunnar Peterson [mailto:[EMAIL PROTECTED] Sent: Tue Apr 24 20:14:53 2007 To: Secure Mailing List Subject: [SC-L] MetriCon

[SC-L] Metricon 2.0

2007-07-07 Thread Gunnar Peterson
decisions. If you know others that would be interested in this collaborative workshop, please forward them this email and let them know about this opportunity. Please contact us with any questions. Thanks, Betsy Nichols and Gunnar Peterson Metricon 2.0 Co-Chairs

Re: [SC-L] Microsoft Pushes Secure, Quality Code

2007-10-09 Thread Gunnar Peterson
That said, we should keep trying! I believe one answer is to take advantage of relative metrics over time. I agree that this can be a practical starting point for organizations. I had a client starting down the path with static analysis, they have thousands of developers and many

Re: [SC-L] IT industry creates secure coding advocacy group

2007-10-23 Thread Gunnar Peterson
, non-commercial service to the software security community. -- Gunnar Peterson, Managing Principal, Arctec Group http://www.arctecgroup.net Blog: http://1raindrop.typepad.com

Re: [SC-L] OWASP Publicity

2007-11-15 Thread Gunnar Peterson
Local boy makes good http://online.wsj.com/article/0,,SB112128453130584810,00-search.html -gp On 11/15/07 10:25 AM, McGovern, James F (HTSC, IT) [EMAIL PROTECTED] wrote: I have observed an interesting behavior in that the vast majority of IT executives still haven't heard about the

Re: [SC-L] Darkreading: Getting Started

2008-01-10 Thread Gunnar Peterson
Another approach is decentralized specialized teams, centers of excellence in current management-speak, with a specific agenda and expertise on an area deemed strategic. This approach is probably best paired with 2, 3, or 4 from your list. For example, a roving specialized threat modeling team that

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Gunnar Peterson
I agree this is a big issue, there is no cotton picking way that the security people are solving these problems, it has to come from the developers. I put together a track for QCon which included Brian Chess on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on ESAPI and Web

Re: [SC-L] Microsoft's message at RSA

2008-05-05 Thread Gunnar Peterson
Hi Gary, I think they are doing it, Cardspace is the key enabling technology to making it happen. Given how many enterprises are federation-enabled (and how simply the rest can be), the biggest missing piece right now is that we need an Identity Provider for the Internets. Of course this only

Re: [SC-L] Microsoft's message at RSA

2008-05-10 Thread Gunnar Peterson
Hi Andy, Great post. I especially like the part about making choices. Having users type passwords into websites that protect all their assets pretty clearly isn't working. Cardspace is pretty clearly a massive improvement. That said, I don't think the choice is between perfect liberty and

Re: [SC-L] No general-purpose computer, or everything under surveillance?

2008-05-13 Thread Gunnar Peterson
But the difference is who is in final control. In the end, the users of computers should be in final control, not their makers, or we have given up essential liberty. We can develop systems which provide suites of more specialized privileges to particular functions, without giving up

[SC-L] Building Secure Web Applications Training in Minneapolis

2008-08-27 Thread Gunnar Peterson
Ken van Wyk and I are teaching Building Secure Web Applications in Java/J2EE in Minneapolis, September 30 - October 2. The summary is below, if you would like more info please let me know. More details to follow. Building Secure Web Applications in Java/J2EE Course Description This course

Re: [SC-L] Silver Bullet

2008-09-29 Thread Gunnar Peterson
I strongly agree with James' ask. It's nice to hear from gurus, but we need to hear about real world tradeoffs too. Sausage making ain't pretty (ask Hank and Ben), but it's the real world and I for one am always fascinated with what choices organizations make and why. I am also very excited to

Re: [SC-L] Cat out of the bag?

2008-10-30 Thread Gunnar Peterson
http://validator.w3.org shows that page has 25 HTML errors. fwiw, mac.com has 28 errors and 1 warning -gunnar p.s. my domain has 42 OTOH I wrote the whole design from scratch in vi

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
maybe the problem with least privilege is that it requires that developers:
1. define the entire universe of subjects and objects
2. define all possible access rights
3. define all possible relationships
4. apply all settings
5. figure out how to keep 1-4 in synch all the time
do all of this
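As an added example (not from the post or any project), the five items above expressed as data: a default-deny policy keyed on (subject, object), and an audit that reports where the definitions in 1-3 and the applied settings in 4 have drifted apart, which is the upkeep problem in 5. The subjects, objects, rights and policy entries are constructed for illustration, and two of the entries are deliberately wrong so the audit has something to find.

```python
from typing import Dict, List, Set, Tuple

# (subject, object) -> rights granted.  Anything absent is denied.
Policy = Dict[Tuple[str, str], Set[str]]

# 1-3: the universe of subjects, objects and rights (all constructed).
# "dave" is defined but never granted anything, to exercise the audit.
SUBJECTS: Set[str] = {"alice", "bob", "dave", "report-service"}
OBJECTS: Set[str] = {"payroll-db", "reports-bucket"}
RIGHTS: Set[str] = {"read", "write"}

# 4: the applied settings.  "carol" is not a defined subject and "admin" is
# not a defined right; both are deliberate drift for the audit to catch.
POLICY: Policy = {
    ("alice", "payroll-db"): {"read", "write"},
    ("report-service", "reports-bucket"): {"write"},
    ("carol", "reports-bucket"): {"read"},
    ("bob", "payroll-db"): {"admin"},
}


def is_allowed(policy: Policy, subject: str, obj: str, right: str) -> bool:
    """Default deny: only an explicit grant for this exact triple permits access."""
    return right in policy.get((subject, obj), set())


def audit(subjects: Set[str], objects: Set[str], rights: Set[str],
          policy: Policy) -> List[str]:
    """5: report where the definitions and the applied settings disagree.

    A grant naming an undefined subject, object or right is dangling (a
    removed account, a renamed resource, a right that was never modelled).
    A defined subject with no grants is usually a stale account; a defined
    object with no grants is either unreachable or reached by a path the
    policy does not cover.
    """
    problems: List[str] = []
    granted_subjects: Set[str] = set()
    granted_objects: Set[str] = set()
    for (subject, obj), granted in policy.items():
        granted_subjects.add(subject)
        granted_objects.add(obj)
        if subject not in subjects:
            problems.append(f"grant for undefined subject {subject!r}")
        if obj not in objects:
            problems.append(f"grant on undefined object {obj!r}")
        for right in sorted(granted - rights):
            problems.append(
                f"undefined right {right!r} granted to {subject!r} on {obj!r}")
    for subject in sorted(subjects - granted_subjects):
        problems.append(f"subject {subject!r} has no grants")
    for obj in sorted(objects - granted_objects):
        problems.append(f"object {obj!r} has no grants")
    return sorted(problems)


def run_example() -> Tuple[bool, bool, bool, List[str]]:
    """Three access decisions plus the audit findings for the sample policy."""
    return (
        is_allowed(POLICY, "alice", "payroll-db", "write"),
        is_allowed(POLICY, "report-service", "reports-bucket", "read"),
        is_allowed(POLICY, "bob", "payroll-db", "read"),
        audit(SUBJECTS, OBJECTS, RIGHTS, POLICY),
    )


if __name__ == "__main__":
    alice_write, service_read, bob_read, findings = run_example()
    print("alice write payroll-db:", alice_write)
    print("report-service read reports-bucket:", service_read)
    print("bob read payroll-db:", bob_read)
    for line in findings:
        print("audit:", line)
```

Note that bob's undefined "admin" right grants him nothing under default deny; the audit is what surfaces it, which is the point of item 5: a policy that is merely consistent with itself can still be silently wrong relative to the definitions it was built from.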

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
software security on the wrong people. Cheers, Stephen On Tue, Nov 25, 2008 at 10:18 PM, Gunnar Peterson [EMAIL PROTECTED] wrote: maybe the problem with least privilege is that it requires that developers: 1. define the entire universe of subjects and objects 2. define all possible access

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-21 Thread Gunnar Peterson
Two areas that don't seem to immediately lend themselves to design/ spec level solutions are (1) transitive trust and (2) interaction errors between multiple components that are all working correctly. I'd love to hear from people who've had to solve these problems in the real world.

Re: [SC-L] Silver Bullet 40: Bob Blakley

2009-07-17 Thread Gunnar Peterson
+1 great interview -gunnar On Jul 17, 2009, at 11:25 AM, Gary McGraw wrote: hi sc-l, One of our sc-l listeners (gunnar) suggested Bob Blakley as an interview target. Bob is a particularly interesting guy because he both a well-respected scientist very active in the security research

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-21 Thread Gunnar Peterson
I think we need to start indoctrinating kids in the womb. Start selling Baby Schneier CDs alongside Baby Mozart. :) I can recommend this book, it was given to me by a client. Enigma: A Magical Mystery Grade 3–6—Someone has stolen the props belonging to the residents of a retirement home

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-02 Thread Gunnar Peterson
design flaws. So we have only removed 50% of the problem. for my part there have been many, many days when I would settle for solving 50% of a problem -gunnar

[SC-L] Genotypes and Phenotypes

2009-10-12 Thread Gunnar Peterson
It's been a while since there was a bugs vs flaws debate, so here is a snippet from Jaron Lanier Q: What's wrong with the way we create software today? A: I think the whole way we write and think about software is wrong. If you look at how things work right now, it's strange -- nobody --

[SC-L] Bring your Cloud to Work Day

2010-03-20 Thread Gunnar Peterson
Flip side of Lifestyle Hacking aptly described by Messrs McGraw and Routh is when your organization cannot deliver the functionality/data/usability that the consumers need. http://1raindrop.typepad.com/1_raindrop/2010/03/bring-your-cloud-to-work-in-iraq.html -gunnar

Re: [SC-L] Computerworld: Opinion - Making apps secure is hard work

2010-08-12 Thread Gunnar Peterson
Hi Ken, You raise some important points. Most infosec is approached as a set of controls, but access control only takes you so far in the face of malice. I like this quote from G.K. Chesterton The real trouble with this world of ours is not that it is an unreasonable world, nor even that it

[SC-L] Colin Angle interview

2010-10-26 Thread Gunnar Peterson
from interview with iRobot CEO and founder Colin Angle: Are you planning on developing apps for robots like Roomba and Scooba? The robot operating system architecture will divide in half. The mobile industry is moving far faster and is far larger than the robot industry. You’ve got a couple of

Re: [SC-L] informIT: Modern Malware

2011-03-26 Thread Gunnar Peterson
Advanced = goes through firewall
Persistent = tried more than once
Threat = people trying to get into valuable stuff
Nothing new to sc-l readers, but a reasonably good marketing term esp by infosec standards (yay we get to scare business people with something other than an auditor's

Re: [SC-L] SearchSecurity: 13 Design Principles for 2013

2013-01-17 Thread Gunnar Peterson
Good piece. Saltzer and Schroeder's work is the deus ex machina in so much of security. On the software side, esp in the case of Twitter, Facebook et al, the equivalent is David Gelernter. I did a mashup of these titans and I must say I think there is a fair(and increasing) amount of impedance

Re: [SC-L] Silver Bullet 111: Marcus Ranum

2015-07-16 Thread Gunnar Peterson
In case anyone needs a summer project, I wonder what percentage of issues discussed in the 111 shows are still issues today? -gunnar On Jul 7, 2015, at 11:45 AM, Kevin W. Wall kevin.w.w...@gmail.com wrote: Ah, I see...so the dirty trick is that you are finally doing reruns. Syndication

[SC-L] MQ Series and Middleware security

2015-10-08 Thread Gunnar Peterson
As the saying goes, a Unix server goes down and you have a bad weekend. A Mainframe goes down and the earth stops rotating on its axis. To the latter point, MQ Series and other messaging systems that communicate with Mainframes and heritage(*) systems get next to no attention from the security