[SC-L] Secure Software Architecture, Design, Implementation and Assurance CFP

2006-05-01 Thread Robert C. Seacord
and maintenance CO-CHAIRS Sven Dietrich CERT[EMAIL PROTECTED] Daniel Plakosh CERT/CC [EMAIL PROTECTED] Robert C. Seacord CERT/CC [EMAIL PROTECTED] PROGRAM COMMITTEE Julia Allen SEI/CMU Hal Burch CERT/CC Brian Chess

Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-08 Thread Robert C. Seacord
-- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available

[SC-L] STL iterator vulnerabilities

2006-05-25 Thread Robert C. Seacord
Does anyone have any experience of specific examples of vulnerabilities resulting from the use of uninitialized or invalidated STL iterators or other STL related vulnerabilities? I'm doing some research for a new project (which I hope to announce here shortly). Thanks, rCs

[SC-L] managed string library

2006-06-12 Thread Robert C. Seacord
success or failure. The managed string library also protects against improper data sanitization by (optionally) ensuring that all characters in a string belong to a predefined set of safe characters. rCs -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268

Re: [SC-L] secure integer library

2006-08-17 Thread Robert C. Seacord
. 8^) rCs -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List

[SC-L] CERT C Programming Language Secure Coding Standard

2006-08-31 Thread Robert C. Seacord
2004. ISBN 0 9524156. -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo

Re: [SC-L] Google code search games

2006-10-06 Thread Robert C. Seacord
Gadi, Here are some searches from Derek Jones: The new Google source code search page has opened up some interesting research possibilities. How many instances of: if (...) ; are there out there (skip the first half dozen unusual macro uses)?

Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread Robert C. Seacord
Coding in C and C++. I'm hoping to take this material and incorporate it into the course. Once I get some experience teaching the material, I could help turn it into a college text. (I've written three books already, so I'm a proven threat. 8^) Thanks, rCs -- Robert C. Seacord Senior

Re: [SC-L] re-writing college books - erm.. ahm...

2006-10-29 Thread Robert C. Seacord
Crispin, I think you may have over spoken below: Seeking perfect correctness as an approach to security is a fool's errand. Security is designing systems that can tolerate imperfect software. I could go along with achieving perfect correctness as an approach to security is a fool's belief but

[SC-L] temporary directories

2006-12-29 Thread Robert C. Seacord
I've seen advice here and there to use the mkdtemp() function to create temporary directories, for example: - Kris Kennaway email at http://lwn.net/2000/1221/a/sec-tmp.php3 recommends them - David Wheeler's Secure Programming for Linux and Unix HOWTO at

Re: [SC-L] temporary directories

2007-01-03 Thread Robert C. Seacord
David, Thanks for the explanation of mkdtemp(). I got confused reading the man page because I wasn't expecting the function to return char *, but I guess that makes sense. I wish that the C standard body would update the C library and add an exclusive create capability for fopen(), so that

[SC-L] CFP: CERT Software, System and Information Security Cluster (HICSS-41)

2007-05-25 Thread Robert C. Seacord
of registration after this date. CO-CHAIRS OF THE CSSIS CLUSTER Guido Schryen (RWTH Aachen University) Jason A. Rafail(CERT/CC) Address email to the Cluster Chairs to [EMAIL PROTECTED] CO-CHAIRS OF THE CSAS MINITRACK Jason A. Rafail (CERT/CC) Robert C. Seacord (CERT/CC) Dan Plakosh (CERT/CC

Re: [SC-L] FW: What's the next tech problem to be solvedin softwaresecurity?

2007-06-10 Thread Robert C. Seacord
ljknews, Yes, it is virtually impossible to get a serious runtime error in an Ada program. For example: http://www.youtube.com/watch?v=kYUrqdUyEpI rCs At 9:51 PM +0100 6/9/07, David Crocker wrote: If instead we pay people to perform the more skilled tasks of establishing requirements

Re: [SC-L] University lecture on Sec Sw Eng online

2007-08-03 Thread Robert C. Seacord
Meunier at Purdue and by Dieter Gollmann at Hamburg-Harburg; if you know of any others, I'd be glad to hear about those, too. Kind regards from Germany, Holger Peine -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Robert C. Seacord
available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ -- Robert C. Seacord Senior Vulnerability

Re: [SC-L] Secure Coding Books

2008-03-07 Thread Robert C. Seacord
(http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 ___ Secure

[SC-L] CERT C Secure Coding Standard - last call for reviewers

2008-03-13 Thread Robert C. Seacord
We would like to invite the community to review and comment on the current version of the CERT C Secure Coding Standard available online at www.securecoding.cert.org http://www.securecoding.cert.org before Version 1.0 is published. To comment, you can create an account on the Secure Coding wiki

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Robert C. Seacord
Ken, Comment below. FYI, here's an interesting article (and follow-on discussions) about a recent bug in the GCC compiler collection. http://lwn.net/Articles/278137/ The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds

Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Robert C. Seacord
, etc. I am open to both publicly available standards as well as commercially available standards. So far, I found 1. www.securecoding.cert.org http://www.securecoding.cert.org/ - thanks to Robert C. Seacord, http://krvw.com/pipermail/sc-l/2008/001401.html 2. http