[SC-L] bumper sticker slogan for secure software

2006-07-17 Thread SC-L Subscriber Dave Aronson
mikeiscool [mailto:[EMAIL PROTECTED] writes: The point remains though: trimming this down into a friendly little phrase is, IMCO, useless. One of the common problems in trying to persuade the masses of ANYTHING, be it the importance of secure software, the factual or moral correctness of

Re: [SC-L] (no subject)

2006-07-17 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] wrote: I wrote a book with viega a few years ago called building secure software... Yes, John gave us all copies. Didn't bother to get it autographed though. :-) it was not about that company (at all). It certainly was not about the horribly broken

[SC-L] bumper sticker slogan for secure software

2006-07-18 Thread SC-L Subscriber Dave Aronson
Paolo Perego [mailto:[EMAIL PROTECTED] writes: Software is like Titanic, pleople claim it was unsinkable. Securing is providing it power steering But power steering wouldn't have saved it. By the time the iceberg was spotted, there was not enough time to turn that large a boat. Perhaps

Re: [SC-L] On exploits, hubris, and software security

2006-11-03 Thread SC-L Subscriber Dave Aronson
Gary McGraw [mailto:[EMAIL PROTECTED] writes: The main thing I wonder is, what do you think? When you have a hot demonstration of an exploit, how do you responsibly release it? This isn't so much about that, in the usual sense. This was, as you say, a well-known vulnerability, one screamingly

Re: [SC-L] Compilers

2006-12-27 Thread SC-L Subscriber Dave Aronson
Tim Hollebeek [mailto:[EMAIL PROTECTED] wonders: are shops that insist on warning free compiles really that rare? Yes. I've worked for or with many companies over the years, totalling probably somewhere in the mid-teens or so. In all that, there was, to the best of my recollection, only

Re: [SC-L] What defines an InfoSec Professional?

2007-03-09 Thread SC-L Subscriber Dave Aronson
[EMAIL PROTECTED] writes: certifications such as CISSP whereby the exams that prove you are a security professional talk all about physical security and network security but really don't address software development in any meaningful way. Perhaps what is needed is a separate certification.

Re: [SC-L] How big is the market?

2007-04-24 Thread SC-L Subscriber Dave Aronson
McGovern, James F \(HTSC, IT\) [mailto:[EMAIL PROTECTED] writes: I just conducted a super-official study of what my peers are reading by walking a total of five aisles within a very large building. Here are a list of magazines on folks desk: - Infoworld - Java Developers Journal -

Re: [SC-L] Best practices for encrypting client-side data

2007-05-09 Thread SC-L Subscriber Dave Aronson
Robin Sheat [mailto:[EMAIL PROTECTED] wonders: What I did was take the user's password to create a key What happens when the user changes his password? I didn't quite follow it all, but it looks to me like that means that all of a user's data has to be decrypted and re-encrypted. You

Re: [SC-L] Perspectives on Code Scanning

2007-06-07 Thread SC-L Subscriber Dave Aronson
McGovern, James F \(HTSC, IT\) [mailto:[EMAIL PROTECTED] writes: the value of tools in this space are not really targeted at developers but should be targeted at executives who care about overall quality and security folks who care about risk. While developers are the ones to remediate,