[SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006

2006-07-07 Thread Kenneth Van Wyk
Greetings SC-L,I saw an article on Dr. Dobb's (via Slashdot) this morning that made me pause a bit.  The article is on "Quick-Kill Project Management" -- full link is here:http://www.ddj.com/dept/architect/189401902The article describes a small project team (say 5 developers) who have suddenly had

[SC-L] Dr. Dobb's | Quick-Kill Project Management | June 30, 2006

2006-07-07 Thread Kenneth Van Wyk
practices (not just security reviews) when they're in crisis mode? I'm sure that the answer varies a lot by team, priorities, etc., but I'd welcome any comments, opinions, etc. from any of you who have been in similar situations. Cheers, Ken Kenneth Van Wyk KRvW Associates, LLC http

[SC-L] Administrivia: Bumper Stickers

2006-07-21 Thread Kenneth Van Wyk
to continue the thread, be prepared to prove to me with each message that your message(s) deserves to be approved for distribution to the list, please. Cheers, Ken Kenneth Van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com ___ Secure

[SC-L] Dark Reading - Application and Perimeter Security - Hacking the Vista Kernel - Security News Analysis

2006-07-25 Thread Kenneth Van Wyk
Here's an interesting article from Dark Reading regarding a software attack on the existing Vista beta:http://www.darkreading.com/document.asp?doc_id=99780f_src=darkreading_section_296I noticed, in particular, that the attack is against a design weakness of Vista -- "The attack doesn't use your

[SC-L] A New Open Source Approach to Weakness

2006-08-09 Thread Kenneth Van Wyk
FYI, here's an article about Fortify's pernicious kingdom taxonomy of common coding defects that I thought would be of interest here:http://www.internetnews.com/dev-news/article.php/3623751Cheers,Ken-Kenneth R. Van WykKRvW Associates, LLChttp://www.KRvW.com

[SC-L] Fwd: There's More than One Monoculture

2006-09-10 Thread Kenneth Van Wyk
Greetings SC-L,Check out Peter Coffee's latest column at:http://www.eweek.com/article2/0,1895,2014207,00.aspIt's a follow-up to Dan Geer's (et al's) now famous monoculture paper, three years after the paper was published.  Among other things, Coffee makes some interesting comparisons to the

[SC-L] IEEE Security and Privacy article on software security training

2006-09-27 Thread Kenneth Van Wyk
Wow, it's sure been a quiet few days out here on SC-L. Summer vacations are over, I suppose... In any case, I thought that I'd post a link to a new IEEE Security Privacy article on training for software security engineers. It was written by Cigital's John Steven and yours truly, and can

[SC-L] Insecurity in Open Source

2006-10-10 Thread Kenneth Van Wyk
FYI, there's an interesting opinion article in Business Week by Coverity's CTO, Ben Chelf (see link below).  In it, he discusses the results of their scanning of a significant sampling of both open- and closed-source projects.Chelf compares some special purpose proprietary software

[SC-L] A banner year for software bugs | Tech News on ZDNet

2006-10-11 Thread Kenneth Van Wyk
So here's a lovely statistic for the software community to hang its hat on: http://news.zdnet.com/2100-1009_22-6124541.html?tag=zdfd.newsfeed Among other things, the article says, Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed

Re: [SC-L] Secure programming is NOT just good programming

2006-10-12 Thread Kenneth Van Wyk
On Oct 12, 2006, at 4:32 PM, Gary McGraw wrote: I suppose now is as good a time as any to say that everything david is talking about here is described in great detail in the HOW TO book that I released last february. If you're reading this list, you really should read that book. It's

[SC-L] Apple Places Encrypted Binaries in Mac OS X

2006-11-03 Thread Kenneth Van Wyk
Here's a somewhat interesting link to an eweek article that discusses Apple's use of encryption to protect some of its OS X binaries: http://www.eweek.com/article2/0,1895,2050875,00.asp Of course, encrypting binaries isn't anything new, but it's interesting (IMHO) to see how it's being used

[SC-L] Top 10 Ajax Security Holes and Driving Factors

2006-11-10 Thread Kenneth Van Wyk
FYI, a friend forwarded me a link to this interesting article by Shreeraj Shah on Ajax holes, http://www.net-security.org/article.php? id=956 Since much has been written here on SC-L about relatively safe programming languages recently, I thought it might be interesting to look at the

[SC-L] heise Security - News - Security specialist leaves PHP security team

2006-12-14 Thread Kenneth Van Wyk
I guess this falls in to the you can lead a horse to water, but you can't make him drink category: http://www.heise-security.co.uk/news/82500 A member of the PHP security team has left in apparent disgust over the team's security practices. I doubt that anyone here on SC-L is surprised by

[SC-L] Vulnerability tallies surged in 2006 | The Register

2007-01-22 Thread Kenneth Van Wyk
FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% increase over 2005. See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/ The article further states, The greatest factor in the skyrocketing number of vulnerabilities is that certain types of flaws in community

[SC-L] Dark Reading - Discovery and management - Security Startups Make Debut - Security News Analysis

2007-01-22 Thread Kenneth Van Wyk
Ok, last software security news item for today, I promise. :-) This article (see http://www.darkreading.com/document.asp?doc_id=115110WT.svl=news1_1) is about a couple of new startup companies. One of them in particular, Veracode, may be of some interest here. The article says,

[SC-L] The seven sins of programmers | Free Software Magazine

2007-02-23 Thread Kenneth Van Wyk
SC-L, So my trusty rss aggregator (NewsFire) found an interesting blog for me this morning, and I thought I'd share it here. The blog is from Free Software Magazine and it's titled, The seven sins of programmers. On the surface, it has nothing whatsoever to do with software security --

[SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk
Here's an interesting article from Dark Reading about web fuzzers. Web fuzzing seems to be gaining some traction these days as a popular means of testing web apps and web services. http://www.darkreading.com/document.asp? doc_id=118162f_src=darkreading_section_296 Any good/bad

Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk
On Feb 27, 2007, at 3:33 AM, Steven M. Christey wrote: Given the complex manipulations that can work in XSS attacks (see RSnake's cheat sheet) as well as directory traversal, combined with the sheer number of potential inputs in web applications, multipied by all the variations in encodings, I

Re: [SC-L] Dark Reading - Desktop Security - Here Comes the (Web) Fuzz - Security News Analysis

2007-02-27 Thread Kenneth Van Wyk
On Feb 27, 2007, at 4:54 AM, Michael Silk wrote: unconvinced of what? what fuzzing is useful? or that it's the best security testing method ever? or you remain unconvinced that fuzzing in web apps is fuzzing in os apps? fuzzing has obvious advantages. that's all anyone should care about. No,

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-06 Thread Kenneth Van Wyk
On Mar 5, 2007, at 9:30 PM, Gary McGraw wrote: I think some vendors have come around to the economics argument. In every case, those vendors with extreme reputation exposure have attempted to move past penetrate and patch. Microsoft, for one, is trying hard, but (to use my broken leg

Re: [SC-L] Information Protection Policies

2007-03-13 Thread Kenneth Van Wyk
On Mar 9, 2007, at 5:27 PM, McGovern, James F ((HTSC, IT)) wrote: Ken, in terms of a previous response to your posting in terms of getting customers to ask for secure coding practices from vendors, wouldn't it start with figuring out how they could simply cut-and- paste InfoSec policies into

[SC-L] SANS Software Security Institute announced

2007-03-30 Thread Kenneth Van Wyk
FYI, the folks at SANS have announced the launch of their Software Security Institute (see http://www.sans-ssi.org/ for details). Their web site cites the following 6 goals: * Allow employers to rate their programmers on security skills so they can be confident that every project has at

[SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk
shameless-self-plug I hope that some of you will find my April column over on eSecurityPlanet interesting. It can be found (for free) at the link below. If not, just press the old delete key. http://www.esecurityplanet.com/article.php/11162_3670486_2 /shameless-self-plug Cheers, Ken

Re: [SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk
On Apr 9, 2007, at 11:12 AM, Kenneth Van Wyk wrote: http://www.esecurityplanet.com/article.php/11162_3670486_2 Sorry folks -- I inadvertently posted the URL to page 2 of the column. Page 1 is at http://www.esecurityplanet.com/article.php/3670486 Sorry for the inconvenience (and the list

[SC-L] 1 Raindrop: Common Attack Pattern Enumeration and Classification (CAPEC)

2007-05-23 Thread Kenneth Van Wyk
SC-L, Saw this via Gunnar Peterson's blog (http://1raindrop.typepad.com/ 1_raindrop/2007/05/common_attack_p.html)... Check out Mitre's first draft of CAPEC, the Common Attack Pattern Enumeration and Classification database (http://capec.mitre.org). It complements the existing CVE

[SC-L] Administrivia: Moderator on hiatus

2007-05-25 Thread Kenneth Van Wyk
SC-L, After an insane travel schedule over the last several months, the moderator is taking some much-needed time to relax on the beach while sipping boat drinks. I'll be checking the SC-L queue over the next week at least once daily, but if you submit something, please be a bit

[SC-L] Administrivia: Moderator is in, and SC-L BoF in Spain?

2007-06-04 Thread Kenneth Van Wyk
SC-Lers, FYI, back from a few days in the sun. It was a quiet week in any case here on SC-L, but I am indeed back at the moderator's (virtual) desk now. Anyone here attending the FIRST conference in Sevilla, Spain later this month? Any interest in an SC-L BoF session? I'll be there

[SC-L] Who's To Blame For Insecure Software? Maybe You

2007-06-05 Thread Kenneth Van Wyk
Some interesting (IMHO) stats coming out of Gartner security summit. One that jumped off the page at me was that 57% of the attendees believe that independent security research labs are providing a useful and valuable service. Whether you agree or not, the article below is an interesting

[SC-L] What's the next tech problem to be solved in software security?

2007-06-06 Thread Kenneth Van Wyk
Hi SC-L, [Hmmm, this didn't make it out to the list as I'd expected, so here's a 2nd try. Apologies for any duplicates. KRvW] At the SC-L BoF sessions held to date (which admittedly is not exactly a huge number, but I'm doing my best to see them continue), I like to ask those that attend

[SC-L] IBM to catch Watchfire security technology | Tech News on ZDNet

2007-06-06 Thread Kenneth Van Wyk
FYI, yet another acquisition in the security world... This time it's IBM buying up Watchfire (makers of AppScan). http://news.zdnet.com/2100-1009_22-6188999.html? part=rsstag=feedsubj=zdnet Kind of reminds me of something Chef Jacques Pepin said in an interview with Terry Gross on NPR's

Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-10 Thread Kenneth Van Wyk
First off, many thanks to all who've contributed to this thread. The responses and range of opinions I find fascinating, and I hope that others have found value in it as well. Great stuff, keep it coming. That said, I see us going towards that favorite of rat-holes here, namely the my

Re: [SC-L] Harvard vs. von Neumann

2007-06-15 Thread Kenneth Van Wyk
On Jun 14, 2007, at 3:51 PM, Gary McGraw wrote: I am in complete agreement with your thinking, which is why one of the touchpoints (and chapter 9 of Software Security is about operations. Ken knows more about this than any of us, but he's on a plane now...right Ken? Wow, I'd stop far

[SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-26 Thread Kenneth Van Wyk
SC-L I'm not quite so sure why this one (below) caught my eye -- we _all_ get tons of product advisories -- but it did. In particular, two things jump out at me: 1) the original author of the defect thought that s/he was doing things correctly in using strncpy (vs. strcpy). 2) the

Re: [SC-L] how far we still need to go

2007-07-25 Thread Kenneth Van Wyk
On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote: Well after a few attempts to install it on a Mac OS X system I finally dope out that it only seems to install and run as admin. That is, I not only need to install it as admin (that's OK, ordinary users can't write to the /

Re: [SC-L] Software process improvement produces secure software?

2007-08-08 Thread Kenneth Van Wyk
On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote: During our conversation, I made a question to Mr. Hayes similar to this: Is it possible that only software development process improvements can produce secure software? The scenario was only based on CMMI without security interference. All

[SC-L] Opera Uses Mozilla Fuzzer Tool To Find 'Highly Severe' Bug -- Browser -- InformationWeek

2007-08-16 Thread Kenneth Van Wyk
Greetings SC-Lers, Here's a great success story regarding Mozilla's new open source fuzzer that they just released during the blackhat conference: http://www.informationweek.com/story/showArticle.jhtml? articleID=201800584cid=RSSfeed_IWK_News Kudos to the Opera team! Cheers, Ken -

[SC-L] Fwd: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.

2007-08-23 Thread Kenneth Van Wyk
FYI, I saw the following tool release announcement over on bugtraq, and thought it might be of interest to some of you here. I know the terms PHP and security in the same sentence often are met with laughter here, but what the heck. If the tool helps a few PHP developers write PHP apps

[SC-L] Fwd: [1st-t] Vancouver 2008 First Conference - Call for Papers

2007-09-21 Thread Kenneth Van Wyk
SC-L, I'm forwarding the following Call for Papers (see below) for next year's FIRST conference here. Now, I recognize that FIRST (the Forum of Incident Response and Security Teams) is NOT a software security conference. But, over the past few years, I've started bringing some software

[SC-L] CERT Advances Secure Coding Standards - Desktop Security News Analysis - Dark Reading

2007-10-02 Thread Kenneth Van Wyk
Here's some good news from CERT and Fortify. Shortly, CERT will be generating Fortify SCA rules to help automate reviewing C/C++ source code against their secure coding standards. http://www.darkreading.com/document.asp?doc_id=135352WT.svl=news1_2 Cheers, Ken - Kenneth R. van Wyk SC-L

[SC-L] Microsoft Pushes Secure, Quality Code

2007-10-06 Thread Kenneth Van Wyk
SC-Lers, Hey, here's some good news out of Microsoft. According to EWeek, Now for Visual Studio 2008, Microsoft's code analysis team is adding some new features, including Code Metrics, a new tool window that allows you to not only get an overall view of the health [code-wise] of your

[SC-L] IT industry creates secure coding advocacy group

2007-10-23 Thread Kenneth Van Wyk
Saw this story via Gunnar's blog (thanks!): http://www.gcn.com/online/vol1_no1/45286-1.html Any thoughts on new group, which is calling itself SAFEcode? Anyone here involved in its formation and care to share with us what's the driving force behind it? Cheers, Ken - Kenneth R. van

Re: [SC-L] Mainframe Security

2007-11-01 Thread Kenneth Van Wyk
On Nov 1, 2007, at 4:16 PM, Johan Peeters wrote: sSince so much of the financial services industry is powered by COBOL, I would have thought that someone would have done a thorough study of COBOL's security posture. I certainly have not found one. Anyone else? Just a couple random(ish)

[SC-L] Fwd: People in glass houses shouldn't brick phones

2007-11-08 Thread Kenneth Van Wyk
SC-L, FYI, some of you might find my column this month on eSecurityPlanet to be interesting: http://www.esecurityplanet.com/article.php/3709301 (free, no registration required) In it, I talk about some of the software security lessons to be gleamed from Apple's iPhone bricking

[SC-L] Fwd: SCARE metrics and tool release

2007-11-30 Thread Kenneth Van Wyk
Reposted with permission, FYI... Cheers, Ken SC-L Moderator Begin forwarded message: From: Pete Herzog [EMAIL PROTECTED] Date: November 30, 2007 10:30:18 AM EST To: [EMAIL PROTECTED] Subject: SCARE metrics and tool release Hi, Scare, the Source Code Analysis Risk Evaluation tool for

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Kenneth Van Wyk
On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote: So he's not completely naive, though the history of security metrics and standards - which tend to produce code that satisfies the standards without being any more secure - should certainly give on pause. One could, I suppose, give rebates

[SC-L] Redmond Developer News | Best Defense?

2007-12-03 Thread Kenneth Van Wyk
FYI, interesting article on sandboxing of applications, with quotes from a few SC-L regulars. Enjoy! http://reddevnews.com/features/article.aspx?editorialsid=2386 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com smime.p7s Description: S/MIME

[SC-L] Code Testing Tools Could Be Acquisition Targets in '08

2008-01-03 Thread Kenneth Van Wyk
New Year's greetings, SC-Lers, FYI, here's an interesting article about the application security testing space, from eWeek. http://www.eweek.com/article2/0,1759,2242973,00.asp?kc=EWRSS03119TX1K594 The author sort of compares apples and oranges a bit, IMHO, in comparing recent

[SC-L] Open Source Code Contains Security Holes -- Open Source -- InformationWeek

2008-01-10 Thread Kenneth Van Wyk
SC-L, I imagine many of you have seen the results of Coverity's DHS-funded scan of a *bunch* of open source projects: http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229cid=RSSfeed_IWK_All The stats are interesting, I suppose. I don't see any prioritization of the

[SC-L] Tech Insight: The Buzz Around Fuzzing - Application and Perimeter Security News Analysis - Dark Reading

2008-02-05 Thread Kenneth Van Wyk
FYI, for those who are interested in fuzz testing tools, here's an interesting article URL from Dark Reading. http://www.darkreading.com/document.asp?doc_id=144773f_src=darkreading_section_296 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator smime.p7s Description: S/MIME

[SC-L] Michael Howard's Web Log : Introducing SAFECode

2008-02-15 Thread Kenneth Van Wyk
FYI, from Michael Howard's blog: Today SAFECode, the Software Assurance Forum for Excellence in Code, introduced its first white paper, Software Assurance: An Overview of Current Industry Best Practices. The organization was founded by Microsoft, Symantec, EMC, SAP and Juniper to advance

[SC-L] SDLCs and x.509 at OWASP Belgium, 4 March 2008

2008-02-19 Thread Kenneth Van Wyk
During the SecAppDev (http://www.secappdev.org) class next month in Leuven, Belgium, there's also going to be a regional OWASP meeting. I've been asked to join in and present a short session comparing various secure development methodologies (Microsoft's SDL, Cigital's Touchpoints, and

[SC-L] SC-L Administrivia: How does the readership feel about sponsorships?

2008-02-19 Thread Kenneth Van Wyk
Greetings SC-L, So, I've always done my best to keep SC-L non-commercial since its inception in 2003. I'm curious, though, how you the readers would react to accepting sponsorships in the form of sponsored by: banners at the bottom of each posting. The banner presently points to the

[SC-L] PCI: Boon or bust for software security?

2008-03-03 Thread Kenneth Van Wyk
Greetings SC-L, So here's a question to ponder. Now that PCI DSS 1.1 is out there (save a couple June 2008 deadlines still looming), has it been good or bad for software security as a whole? It does require secure development processes (as prescribed by OWASP). It does require sensitive

Re: [SC-L] quick question - SXSW

2008-03-12 Thread Kenneth Van Wyk
Ben, Your point is a good one -- the software security community needs to be vigilant in reaching out to developers and spreading the word. FWIW, some dev conferences have done this. I spoke at SD West in 2006, and there was a significant security track there. Still, it'd be great to

[SC-L] Lateral SQL injection paper

2008-04-28 Thread Kenneth Van Wyk
Greetings SC-Lers, Things have been pretty quiet here on the SC-L list... I hope everyone saw David Litchfield's recent announcement of a new category of SQL attacks. (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf) He refers to this new category as

[SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Kenneth Van Wyk
FYI, here's an interesting article (and follow-on discussions) about a recent bug in the GCC compiler collection. http://lwn.net/Articles/278137/ The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds checking can be

[SC-L] Coverity to Buy Codefast

2008-05-22 Thread Kenneth Van Wyk
FYI, a bit of MA activity going on in the software security (product) space: http://www.eweek.com/c/a/Application-Development/Coverity-to-Buy-Codefast/ Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com smime.p7s Description: S/MIME

[SC-L] DistriNet Research Group

2008-06-04 Thread Kenneth Van Wyk
FYI, interesting announcement out of KU Leuven in Belgium and the SANS institute: http://distrinet.cs.kuleuven.be/news/2008/2008-05-09%20SANSandDistriNetUnite.jsp Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com smime.p7s Description:

[SC-L] Security Bonuses for Vista Programmers

2008-06-16 Thread Kenneth Van Wyk
FYI, interesting eWeek article on some of Vista's security features that are provided to developers. (I misinterpreted the article's title a bit, but it quickly becomes clear in the article. At first, I thought it was about giving $$ bonuses to vista programmers -- it reminded me of an

[SC-L] Any SC-Lers going to FIRST in Vancouver next week?

2008-06-19 Thread Kenneth Van Wyk
Subject says it all. Any of you going to be at the FIRST conference? If you are and want to hook up for a chat--perhaps over a beer--then drop me a note. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com smime.p7s Description: S/MIME

[SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-06-30 Thread Kenneth Van Wyk
Happy PCI-DSS 6.6 day, everyone. (Wow, that's a sentence you don't hear often.) http://www.internetnews.com/ec-news/article.php/3755916 In talking with my customers over the past several months, I always find it interesting that the vast majority would sooner have root canal than submit

[SC-L] Survey thread killer

2008-08-26 Thread Kenneth Van Wyk
Hi SC-Lers, With these last 2 messages, let's kill off the survey thread, please. I allowed it to continue on--probably longer than I should have-- because there seemed to be valid and interesting points being made on both sides of the debate. But that seems to have run its course, so

[SC-L] AdaCore - Home GNAT Pro The Tokeneer Project

2008-10-08 Thread Kenneth Van Wyk
http://www.adacore.com/home/gnatpro/tokeneer/ Excerpt: Project Summary In order to demonstrate that developing highly secure systems to the level of rigor required by the higher assurance levels of the Common Criteria is possible, the NSA (National Security Agency) asked Praxis High

[SC-L] (fwd) informIT: A Software Security Framework

2008-10-15 Thread Kenneth Van Wyk
[Posted on behalf of Gary McGraw, who is without comms right now but wanted this to go out today. KRvW] hi sc-l, Brian Chess and I have been working hard on a software security framework that we are using in a scientific study of many of the top software security initiatives. Our plan of

Re: [SC-L] (fwd) informIT: A Software Security Framework

2008-10-16 Thread Kenneth Van Wyk
Greetings SC-L, I thought I'd chime in on this, as it very closely relates to my current book project. On Oct 15, 2008, at 8:31 AM, Gary McGraw (via Kenneth Van Wyk) wrote: Brian Chess and I have been working hard on a software security framework that we are using in a scientific study

[SC-L] Opportunity at DTCC

2008-11-25 Thread Kenneth Van Wyk
Greetings SC-L, I've been asked to allow a job posting here on SC-L. It certainly doesn't violate anything I've written in the group's charter (http://www.securecoding.org/list/charter.php ), but then again, we've generally not used SC-L for job listings. And then again++, with the

[SC-L] Fwd: ESSoS'09: Call for Participation

2008-12-11 Thread Kenneth Van Wyk
FYI, see Call for Participation below. Cheers, Ken van Wyk Begin forwarded message: From: Bart De Win [EMAIL PROTECTED] Date: December 9, 2008 8:22:14 AM EST To: [EMAIL PROTECTED] Subject: ESSoS'09: Call for Participation CALL FOR PARTICIPATION

Re: [SC-L] top 10 software security surprises

2008-12-17 Thread Kenneth Van Wyk
On Dec 16, 2008, at 1:25 PM, Gary McGraw wrote: Using the software security framework introduced in October (A Software Security Framework: Working Towards a Realistic Maturity Model http://www.informit.com/articles/article.aspx?p=1271382), we interviewed nine executives running top

[SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-12 Thread Kenneth Van Wyk
FYI, a top 25 programming errors list from the folks at SANS has been released. See the following for details: http://www.sans.org/top25errors/ Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com smime.p7s Description: S/MIME cryptographic signature

[SC-L] InternetNews Realtime IT News - New York Plans Application Security Program

2009-01-14 Thread Kenneth Van Wyk
Now here's an interesting development in the software security space. Seems that New York State is going to start requiring contracted application developers to conform with a minimum set of practices (as covered in the SANS Application Security Procurement Language,

Re: [SC-L] OWASP interviews McGraw (oh my)

2009-01-26 Thread Kenneth Van Wyk
On Jan 26, 2009, at 12:58 PM, Gary McGraw wrote: OWASP just posted an interview with me as part of their budding podcast series. Looking forward to it, thanks. I've been quite impressed with their first couple podcasts. Packed with useful info. After hearing the second one, I grabbed

[SC-L] Web Applications: Achilles' Heel Of Corporate Security -- Security -- InformationWeek

2009-02-03 Thread Kenneth Van Wyk
No big surprises for SC-L readers, I'm sure, but it's still an interesting read: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=213000162 Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com smime.p7s Description:

Re: [SC-L] Reality Check: EMC Eric Baize

2009-03-03 Thread Kenneth Van Wyk
On Mar 3, 2009, at 10:11 AM, Gary McGraw wrote: Our fearless leader Ken gave a nice presentation on software security methodologies yesterday at secappdev. I wonder what he says about the Touchpoints when I'm not in the room?! Thanks for the kind words. What I say about the Touchpoints,

[SC-L] Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com

2009-03-12 Thread Kenneth Van Wyk
Hello SC-Lers, I saw this blog and thought it may be of interest here: http://blogs.zdnet.com/security/?p=2861 According to the blog, there's a design issue (read: flaw) in iTunes that can allow a maliciously formed podcast to cause a user to get prompted for a username/password -- to

[SC-L] SAMM 1.0 Released! | OpenSAMM

2009-03-25 Thread Kenneth Van Wyk
Good news today from the Software Assurance Maturity Model (SAMM) group. http://www.opensamm.org/2009/03/samm-10-released/ Their release says: The Beta release has been out for quite a while now (since August 2008) and lots of organizations and individuals have provided excellent feedback

[SC-L] Application Security Starts in the Development Lifecycle

2009-04-28 Thread Kenneth Van Wyk
FYI, some eWeek coverage of application security and how it is being taken more seriously in the enterprise these days. No big surprises for long-time SC-L folks, but still an interesting read from a fairly mainstream IT Security outlet.

[SC-L] Usability News - Why Security and Usability don't go hand in hand

2009-06-03 Thread Kenneth Van Wyk
FYI, a short but interesting read on usability vs. security in software. http://www.usabilitynews.com/news/article5692.asp Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com (This email is digitally signed with a free x.509 certificate from CAcert. If you're

Re: [SC-L] Source or Binary

2009-07-29 Thread Kenneth Van Wyk
On Jul 29, 2009, at 4:17 PM, Brad Andrews wrote: Realizing that java binaries hold a lot more is a mental shift that probably must be actively kept in mind. Those with only Java experience may think it is obvious, but how many developers did not start with Java and have not purged this

Re: [SC-L] What is the size of this list?

2009-08-19 Thread Kenneth Van Wyk
On Aug 18, 2009, at 2:21 PM, Arian J. Evans wrote: Jeremiah Grossman and I were both pondering the size of the SCL recently. Is the list size public? It's not public per se, but only in the sense that the number isn't directly available--unless you ask for it. The list has pretty

Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Kenneth Van Wyk
On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote: Exploits are FUN. I agree, at least to a point. Whenever I work exploits into my workshops, the results are right on the mark. So long as the exploits are balanced with just the right amount of remediations, it works great. The key is

[SC-L] Unicode Security : Microsoft releases BinScope and MiniFuzz to the public

2009-09-17 Thread Kenneth Van Wyk
FYI, a couple of interesting developments in the software security tool space: http://www.lookout.net/2009/09/16/microsoft-releases-binscope-and-minifuzz-to-the-public/ Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com SC-L Moderator smime.p7s Description:

[SC-L] Another WAF in town

2009-09-24 Thread Kenneth Van Wyk
FYI, some activity in the open source WAF space: http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220100630 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator smime.p7s Description: S/MIME cryptographic signature ___

[SC-L] Microsoft releases security guidelines for Agile - agile, Microsoft, security, software development - CIO

2009-11-10 Thread Kenneth Van Wyk
Hey, now you agile folks can't any longer feel left out by the various security development processes that bypass you: http://www.cio.com.au/article/325501/microsoft_releases_security_guidelines_agile?eid=-1050 On a somewhat related note, a client of mine referred to their process recently

Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-10 Thread Kenneth Van Wyk
On Nov 9, 2009, at 9:27 AM, Benjamin Tomhave wrote: Just a quick note, for those coming into DC for AppSec DC, rumor has it that a social gathering is brewing for Thurs PM. Let's hope so as I'd love to put faces with names! :) If I hear details, I'll be sure to pass along (feel free to ping

Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-13 Thread Kenneth Van Wyk
On Nov 10, 2009, at 6:27 AM, Kenneth Van Wyk wrote: In any case, I'm not sure of the lay of the land at the conference site, but I'm betting there's a bar in or near the site. Let's plan on meeting up there immediately following the day's sessions on Thursday. As soon as I can pinpoint

[SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-05 Thread Kenneth Van Wyk
Happy new year SC-Lers. FYI, interesting blog post on some of the new security features in Java EE 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO. http://www.coresecuritypatterns.com/blogs/?p=1622 Cheers, Ken - Kenneth R. van Wyk SC-L Moderator smime.p7s

[SC-L] FT.com / UK - 'Year 2010' software glitch hits German bank cards

2010-01-06 Thread Kenneth Van Wyk
Greetings SC-L, There have been several reports in the last few days of various devices being hit with a so-called year 2010 software glitch. Several bank ATMs, mobile devices, etc., have reportedly been hit. Below is a link to one such story. My question for SC-L is: anyone here aware of

Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Kenneth Van Wyk
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote: Among other things, David and I discussed the difference between descriptive models like BSIMM and prescriptive models which purport to tell you what you should do. Thought I'd chime in on this a bit, FWIW... From my perspective, I welcome

[SC-L] Thread is dead -- Re: BSIMM update (informIT)

2010-02-04 Thread Kenneth Van Wyk
OK, so this thread has heated up substantially and is on the verge of flare-up. So, I'm declaring the thread to be dead and expunging the extant queue. If anyone has any civil and value-added points to add, feel free to submit them, of course. As always, I encourage free and open debate here,

[SC-L] The International Secure Systems Development Conference

2010-03-29 Thread Kenneth Van Wyk
I saw this event announcement today and thought some SC-L folks might find it of interest, FYI. The International Secure Systems Development Conference addresses the key issues around designing-in security for standard and web-based software and systems, both in terms of developing new

[SC-L] Web Application Exploits and Defenses

2010-05-05 Thread Kenneth Van Wyk
The folks at Google have released some web app training, along with a vulnerable web app sandbox to play in. The tool is called Jarlsberg. Anyone here take a look at it yet, and have an opinion about it? The description (see below) sounds kinda sorta like OWASP's WebGoat, except that the

[SC-L] Vulnerability Analysis Blog: CERT Basic Fuzzing Framework

2010-05-28 Thread Kenneth Van Wyk
New fuzzing framework released from the folks up at CMU, FYI. https://www.cert.org/blogs/vuls/2010/05/cert_basic_fuzzing_framework.html Aloha, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at: http://twitter.com/KRvW_Associates smime.p7s

Re: [SC-L] Static code review for iPhone developers?

2010-07-29 Thread Kenneth Van Wyk
On Jul 29, 2010, at 10:41 AM, Kenneth Van Wyk wrote: Anyone know of any static code analysis tools that can scan an iPhone app package? Something that integrates with the Xcode SDK and can at the very least scan through all of the Objective C in the src tree is what I'm looking for. Any

[SC-L] Computerworld: Opinion - Making apps secure is hard work

2010-08-12 Thread Kenneth Van Wyk
I figured this was relevant here, so here's a link to my August column for Computerworld. Excerpt: 'What's that you say? All the app vetting you've been doing to date consists only of verifying that the apps play by the rules? That is, that they use only published APIs and such? Well, then,

[SC-L] Building Real Software: Has Static Analysis reached its limits?

2010-08-20 Thread Kenneth Van Wyk
FYI, nice write-up on the Fortify acquisition as well as the static code analysis space here: http://swreflections.blogspot.com/2010/08/has-static-analysis-reached-its-limits.html Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at:

[SC-L] Apple's iOS app review guidelines

2010-09-09 Thread Kenneth Van Wyk
Greetings SC-L, I read the news this morning with a lot of hope -- that Apple has finally published their app review guidelines for iOS app developers. But then I read the document. For starters, I did a quick grep for: security, secure, crypt, safe. Nothing. Nada. The document is

[SC-L] ISO/IEC 27034 application security guideline

2010-10-21 Thread Kenneth Van Wyk
Greetings SC-L folks, I don't participate in standards bodies, so I'm not very familiar with their inner workings and such. However, a colleague has pointed me to an ISO standard under development that will describe an application security development process. I visited the site

[SC-L] New Safecode doc released

2011-02-08 Thread Kenneth Van Wyk
Greets all. FYI: SAFECode has released, “Fundamental Practices for Secure Software Development 2nd Edition: A Guide to the Most Effective Secure Development Practices in Use Today.” The report is intended to help others in the industry initiate or improve their own software security programs

[SC-L] CERT/CC Blog: Announcing the CERT Basic Fuzzing Framework 2.0

2011-03-01 Thread Kenneth Van Wyk
FYI, new version of Basic Fuzzing Framework released by CERT/CC. http://www.cert.org/blogs/certcc/2011/02/cert_basic_fuzzing_framework_b.html Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com Follow us on Twitter at: http://twitter.com/KRvW_Associates

[SC-L] SC-L Administrative FAQ

2011-03-23 Thread Kenneth Van Wyk
Greetings SC-L Subscribers, I'm in an airport lounge on the other side of the planet (from my home), and I thought I'd take a few moments to jot down some answers to SC-L administrative issues that come up from time to time here on SC-L. I hope you find them helpful. I try to keep the

  1   2   >