Re: [SC-L] Information Security Considerations for Use Case Modeling

2005-06-27 Thread John Steven
a sampling from a larger laundry list. But, hopefully it provides some more guidance to those whose appetites are whet from Gunnar and Johan's posts. - John Steven Principal, Software Security Group Technical Director, Office of the CTO 703 404 5726 - Direct | 703 727 4034 - Cell Cigital Inc

Re: [SC-L] Bugs and flaws

2006-02-01 Thread John Steven
of further fleshing out the flaw. Is this at all helpful? - John Steven Principal, Software Security Group Technical Director, Office of the CTO 703 404 5726 - Direct | 703 727 4034 - Cell Cigital Inc. | [EMAIL PROTECTED] 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908 From

Re: [SC-L] Bugs and flaws

2006-02-02 Thread John Steven
that prevent software folk from making the same mistake again. - John Steven Principal, Software Security Group Technical Director, Office of the CTO 703 404 5726 - Direct | 703 727 4034 - Cell Cigital Inc. | [EMAIL PROTECTED] 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908

Re: [SC-L] Bugs and flaws

2006-02-03 Thread John Steven
contend with a vulnerability is also valuable. In other words, smart guys will always find the problems--by hook, or by crook--but it takes classification to aid in efficient and thorough mitigation. - John Steven Principal, Software Security Group Technical Director, Office

[SC-L] The role static analysis tools play in uncovering elements of design

2006-02-03 Thread John Steven
that overcomes my prejudiceor are you referring to the navigator tools as well? - John Steven Principal, Software Security Group Technical Director, Office of the CTO 703 404 5726 - Direct | 703 727 4034 - Cell Cigital Inc. | [EMAIL PROTECTED] 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5

Re: [SC-L] Ajax one panel

2006-05-22 Thread John Steven
the PriviledgedAction subclass as an explicit top-level class and they've passed information to-and-fro using the inner class syntactic sugar--rather than explicit method calls defined pre- compile time. John Steven Technical Director; Principal, Software Security Group Direct: (703) 404-5726

Re: [SC-L] Code Analysis Tool Bakeoff

2007-01-08 Thread John Steven
/hurting us isn't _your_ goal. But, by collecting data on 7 figures of your own code base, you can start to see what trends in your programmers' coding practices play to which tools. This, can in fact, help you make a better tool choice. John Steven Technical Director; Principal, Software

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-19 Thread John Steven
as justification. Well, this is long enough for now. If there are topics you'd like me to enumerate more fully, or if I've missed something, shoot me an email. Hope this helps, and sorry I didn't just attach a PPT ;) John Steven Technical Director; Principal, Software Security Group Direct: (703

[SC-L] Technology-specific Security Standards

2007-05-23 Thread John Steven
seen some organizations control this cost effectively and still get value: See: http://www.cigital.com/justiceleague/2007/05/18/security-guidance-and-its-%e 2%80%9cspecificity-knob%e2%80%9d/#comment-1048 Some people think my stand controversial... What do you guys think? John Steven

Re: [SC-L] Really dumb questions?

2007-08-30 Thread John Steven
to support it, but as a commercial organization, I wouldn't hold your breath on near-term support. I could answer how these tools support new languages, but that doesn't seem like public domain knowledge. I'll let the vendors tackle that 'un. John Steven Technical Director; Principal

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-13 Thread John Steven
in the first month. Though, any seasoned QA professional will tell you--expecting to is ludicrous. John Steven Senior Director; Advanced Technology Consulting Direct: (703) 404-5726 Cell: (703) 727-4034 Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908 Blog: http://www.cigital.com

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-19 Thread John Steven
, and a set of constructive steps forward to improve one's practices: http://www.owasp.org/images/d/df/Moving_Beyond_Top_N_Lists.ppt.zip I cover how one should cause their own organization-specific Top N list to emerge and how to manage it once it does. John Steven Senior Director; Advanced

[SC-L] Static Vs. Binary

2009-07-30 Thread John Steven
analysis on binaries via SAAS' battle, they and the organizations they serve would do well to keep this question in mind... Or risk the same failures that the current crop of parser-based static-analysis tools face against dynamic approaches. -jOHN On 7/29/09 8:44 AM, John Steven jste...@cigital.com

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-07 Thread John Steven
a knowledgeable but separate perspective: the ESAPI approach has pluses and minuses just like all the others. John Steven Senior Director; Advanced Technology Consulting Desk: 703.404.9293 x1204 Cell: 703.727.4034 Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908 Blog: http

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-07 Thread John Steven
assured that those of us out there that have looked get that ESAPI can be a good thing. John Steven Senior Director; Advanced Technology Consulting Desk: 703.404.9293 x1204 Cell: 703.727.4034 Key fingerprint = 4772 F7F3 1019 4668 62AD 94B0 AE7F EEF4 62D5 F908 Blog: http://www.cigital.com

Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-12 Thread John Steven
-ESAPI code. I've been on the ESAPI mailing list for a while and can't discern from conversation much information regarding successful operationalization, though I hear rumblings of people working on this very problem. Cheers all, John Steven Senior Director; Advanced Technology Consulting

Re: [SC-L] InformIT: comparing static analysis tools

2011-02-03 Thread John Steven
All, I followed this article up with a blog entry, more targeted at adopting organizations. I hope you find it useful: http://www.cigital.com/justiceleague/2011/02/02/if-its-so-hard-why-bother/ John Steven Senior Director; Advanced Technology Consulting Desk: 703.404.9293 x1204 Cell