Those of us that are lucky (?) enough to get the FoxTrot comic strip
(http://www.foxtrot.com) may have noticed that yesterday's and today's strips
were discussing a software security topic. The author, Bill Amend, addresses
the issue of the recent leak of some Microsoft source code. Check it
Aloha all,
Just got back from a couple of weeks of sun and golf in Hawaii with my wife
and, although I was checking email daily (thanks to T-Mobile unlimited GPRS
data), it's been pretty quiet here on SC-L. In any case, though, I'm back now and
open for business, FYI.
And here's a bit of
Alexander Antonov wrote:
I believe the issue of automatic updates was already discussed on other security-related lists.
Yes, I agree, but that's not what I was commenting on specifically.
Certainly, we've seen automatic patches for a few years now. (And for
many systems, e.g., desktop users,
Hi all,
I just saw an interesting article about a programming language that's under
development called D. (See full article at
http://www.osnews.com/story.php?news_id=6761) The description of the
language is, D is a (relatively) new addition to the C family of programming
languages,
Greetings all,
I was asked to clarify what I posted yesterday re Amit Yoran's recent public
statements on the topic of software security.
On Tuesday 20 April 2004 03:27, an SC-L reader wrote:
Ken, could you clarify a little please?
Happy to, see below.
I detect a slightly snide tone that
Hi all,
I just saw a Slashdot story
(http://developers.slashdot.org/article.pl?sid=04/04/30/1421223mode=threadtid=126tid=156tid=185)
announcing an MIT study on software development processes used around the
world. The report itself can be found at
Andy Tanenbaum, the author of the MINIX operating system, recently posted an
opinion piece on the origins of Linux. It's a fascinating albeit somewhat
lengthy read -- see http://www.cs.vu.nl/~ast/brown/ for the full text.
At the very end of the document, he talks about the security of a
Greetings all,
FYI, it looks like we're at the beginning of a new wave of software security
tools. There are a few commercial products beginning to hit the market that
take static src code scanning to a new level. See the link below for a
LinuxWorld article that briefly (!) describes @stake's
Greetings,
Almost missed this one while I was out of the office for a couple days...
Microsoft have announced the free availability of a threat modeling tool by
Frank Swiderski, who is also writing a soon-to-be released book on threat
modeling. Details on the tool (warning: requires .NET
Anyone looking for a great introduction to putting the principle of least
privilege into action, check out David Wheeler's article at:
http://www-106.ibm.com/developerworks/linux/library/l-sppriv.html?ca=dgr-lnxw04Privileges
It cites one of my favorite examples of least privilege, Wietse
FYI, a couple of announcements from SPI Dynamics and Ounce Labs hit eWeek.com
today -- see http://www.eweek.com/article2/0,1759,1617901,00.asp for the full
text.
According to the article, SPI Dynamics has released its SecureObjects
product, which is a series of (presumably) securely written
James Walden wrote:
I'd like to open a discussion based on this quote from Marcus Ranum's
ACM Queue article entitled Security: The root of the problem:
Thanks. I also read Marcus's article with interest. Caveat: clearly, I
have a biased outlook, since software security training is one of the
Hi All,
FYI... This topic has come up here a few times, so I thought that I'd send a
pointer to my July eSecurityPlanet column
(http://www.esecurityplanet.com/views/article.php/3377201 - free, no registration
required). In the column, I take the seemingly unpopular view --at least in
this
Wall, Kevin wrote:
Isn't this something that users probably shouldn't be given a choice
on? Normally I would think that corporate security policy dictates
keeping the AV software / signatures up-to-date as well as dictating
the (personal) firewall configurations. Some centrally administered
Greetings,
It appears as though we may well have discovered software security's third
rail over the last couple of weeks in the discussions regarding programming
language choices. I don't mean to fan those flames by any means, trust me.
However, I noticed several announcements for PHP
Greetings all,
One of the things that I hear most from software developers when I deliver
secure coding tutorials and such is that they're likely to be unable to do
things like detailed threat modeling, risk analyses, etc. The reason most
often cited is that they're under tight deadlines and
Greetings all,
Wow, it sure has been quiet here for a couple weeks. Perhaps it's just those
late summer (or winter, for you southern hemispherians) vacations...
In any event, just an FYI here. My September eSecurityPlanet column hit the
streets today (see
FYI, ComputerWorld is running an interesting interview with Theo de Raadt, on
the state of software security, and OpenBSD in particular. See
http://www.computerworld.com.au/index.php/id;1498222899;fp;16;fpid;0 for the
complete text.
Cheers,
Ken van Wyk
--
KRvW Associates, LLC
ljknews wrote:
At 8:23 AM -0400 10/15/04, Kenneth R. van Wyk wrote:
I believe that we don't do enough to analyze and learn from software failures.
I believe the industry as a whole does plenty to analyze software
failures, particularly considering how little is done to avoid
those errors. Added
FYI, there's an interesting article in eWeek today -- see
http://www.eweek.com/article2/0,1759,1663716,00.asp -- regarding a recent
Gartner study on software security. Among other things, it says, Gartner
predicts that if 50 percent of software vulnerabilities were removed prior to
production
Greetings,
In my business travels, I spend quite a bit of time talking with Software
Developers as well as IT Security folks. One significant difference that I've
found is that the IT Security folks, by and large, tend to pay a lot of
attention to software vulnerability and attack information
FYI, interesting article on eSecurityPlanet regarding Fortify's commercial
source code scanning tool -- see the full text at
http://www.esecurityplanet.com/patches/article.php/3439021
Among other things, the article says, In addition to new language support for
C# -- the software already
Greetings,
I noticed an interesting article about a mobile phone virus affecting
Symbian-based phones out on Slashdot today. It's an interesting read:
http://it.slashdot.org/it/05/04/06/0049209.shtml?tid=220tid=100tid=193tid=137
What particularly caught my attention was the sentence, Will
Greetings++,
Another interesting article this morning, this time from eSecurityPlanet.
(Full disclosure: I'm one of their columnists.) The article, by Melissa
Bleasdale and available at
http://www.esecurityplanet.com/trends/article.php/3495431, is on the general
state of application
On Wednesday 06 April 2005 09:26, Michael Silk wrote:
The last thing I want is my mobile phone updating itself. I imagine
that sort of operation would take up battery power, and possibly cause
other interruptions ... (can you be on a call and have it update
itself?)
I vividly remember a lot
FYI, somewhat interesting story today on ZDNet (see
http://news.zdnet.com/2100-1009_22-5697133.html?tag=st.prev) about operating
system makers paying more attention to security. Note the differing (public)
statements by Microsoft and Apple...
Being fundamentally a glass half full sort of
FYI, interesting move today in the software security space -- Novell announces
its acquisition of Immunix. Story at
http://www.eweek.com/article2/0,1759,1814599,00.asp
FYI, there's a new(ish) article by Kenneth Ballard out on IBM's developerWorks
site, on the topic of secure use of OpenSSL. It's actually part 2 in a
series, but there's a pointer there to part 1 also. The abstract follows,
along with the URL to the full article:
Securing the handshake
[Ed. Crossposted, as I thought that it was relevant here as well. KRvW]
Originally From: Dave Wichers [EMAIL PROTECTED]
Dear Colleague,
OWASP is proud to announce its second annual U.S. Application Security
Conference. This year's conference will be held October 11-12 at the NIST
campus in
Hi all,
FYI, a couple of interesting things going on in the software security space
that those here on SC-L might appreciate:
- Good article/interview in yesterday's Wall Street Journal on the topic of
Software Security. The interview is with Gary McGraw, and I'm sure that no
one here will
Greetings SC-L folks,
Although it's been particularly quiet here recently, I've also been moving the
list over to a new system, which has caused some additional outages.
(Read: tree fell in the forest and no one heard it.) In any case, the new
system should be fully functional in the next
FYI, there's a column in CIO Update by Ed Adams exploring some of the reasons
why secure software is so hard to find. Unlikely to be anything new to SC-L
readers, but it could be worth a quick read in any case. In particular, his
recommendations (to his presumably mostly CIO audience) are
Greetings all,
FYI, I have moved the securecoding.org site and SC-L mailing list over to a
different host. The new host should be quite a bit faster, as it's used by a
much (!) smaller number of domains than the old one.
More importantly, at least for SC-L, is that I've changed the mailing list
FYI, there's a review (by Jim Holmes) of Keith Brown's book, The .NET
Developer's Guide to Windows Security available out on Slashdot at:
http://books.slashdot.org/books/05/11/21/1442228.shtml
The review summary reads, Terrific coverage of how to go about securely
developing .NET software.
Sorry, I neglected to include the URL for the story that I cited. It can be
found at:
http://news.zdnet.com/2100-1009_22-593.html?tag=zdfd.newsfeed
Cheers,
Ken
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information,
On Wednesday 14 December 2005 16:40, David A. Wheeler wrote:
I've written a paper on an approach to counter this attack. See:
Countering Trusting Trust through Diverse Double-Compiling
http://www.acsa-admin.org/2005/abstracts/47.html
Thanks for sharing it here, David.
Here's the
On Thursday 15 December 2005 09:26, Jose Nazario wrote:
if the person can develop exploits against the holes in the code, what
makes you think they can't fire up a runtime debugger and trace the code
execution and discover the same things?
Nothing makes me think that at all; in fact, I was
Hi SC-L folks:
I don't mean to intrude in the bug and flaw debate, but I do want to make
sure that you're all aware of the whitelisting that I'm doing on the list
these days, since I switched the list management from Majordomo to Mailman.
Specifically, in order to cut down on spam, I have
I know that a lot of the folks on this list would consider the words PHP
Security to be an oxymoron. That said, there's a book out on the subject,
and it's been reviewed on /. The review can be found at:
http://books.slashdot.org/books/06/02/13/1426220.shtml
Cheers,
Ken van Wyk
P.S. It was
FYI, here's a pointer to a just-published paper on AJAX security. Hope you
find it useful,
particularly in light of AJAX's quick rise in popularity.
http://www.it-observer.com/articles/1062/ajax_security/
of Hawaii.
The CFP can be found below.
==
HICSS-40: Call for Papers
Secure Software Architecture, Design, Implementation and Assurance (SSADIA)
Minitrack
Hawaii
find encouraging is hearing about companies that are bringing their
security and
software development efforts together. YMMV...
to the game, I can't help but think that there's tons of room for major
security
mistakes to be made, if only due to the complexity of knowing what's going on
at each tier
of the app all the time.
Stories about this (below) X bug and the DHS-sponsored project that found it
have been floating around the net all week. This story caught my eye,
though:
http://www.net-security.org/secworld.php?id=3994
The author claims, This flaw, caused by something as seemingly harmless as a
missing
On Thursday 04 May 2006 12:40, Gadi Evron wrote:
Hmm, I think this was fixed in earlier X versions.
Not impossible, but the article clearly indicated that it's in 6.9.0 and
7.0.0, which are the most current in general circulation, I believe.
But, some bugs are so important that they deserved
Foo
Title: OWASP Cheat Sheet -- iOS App Developers
Author: Kenneth R. van Wyk
Source: OWASP - the Open Web Application Security Project
Date Published: 2012-07-17
Excerpt:
This document is written for iOS app developers and is intended to provide a
set of basic pointers to vital aspects
+ users may submit comments as well, which we welcome.
-- participation on it. Like all OWASP docs, it's open source, so
find things you want to add/improve and join in.
Either way, I hope you find it useful.
Hey SC-Lers,
We're giving away to a few deserving Mobile App Developers a small number of
FREE tickets to our Mobile App Sec Triathlon. If you know any deserving
students / interns, point them in our direction for a chance to get a free seat.
See
Here is an interesting twist to the recent Apple hack. I hope no SC-Lers are
using iphonedevsdk!
http://www.macrumors.com/2013/02/19/apple-employees-hacked-by-visiting-iphonedevsk/
Greetings SC-L,
For all of you who are interested in mobile app sec (or interested in learning
more about it), we released OWASP iGoat version 2.0 today. See the details in
our announcement below.
Begin forwarded message:
From: Kenneth R. van Wyk k...@krvw.com
Subject
), point them in our direction
for a chance to get a free seat.
See
http://mobappsectriathlon.blogspot.com/2013/03/announcing-mobappsectri-scholarship.html
for details.
is
available for Early Bird registration until June 15th. Alumni, public servants,
and independents receive a 50% discount. I hope that we will be able to
welcome you or your colleagues to our course.