Hi Michael,
So, unfortunately for the WAF vendors, people can just use a static source
code analysis tool or a web application vulnerability scanner instead of
purchasing and deploying a WAF.
I don't know much about PCI 6.6 (yet), but don't the organizations
have to mitigate the
Hi,
maybe the problem with least privilege is that it requires that developers:...
IMHO, your US/UK ivory towers don't exist in other parts of the world.
Developers have no say in what they do. Nor, do they care about
software security and why should they care?
So, at least, change your
:
Sorry, I didn't realize developers is an offensive ivory tower in other
parts of the world; in my world it's a compliment.
-gunnar
On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote:
Hi,
maybe the problem with least privilege is that it requires that
developers:...
IMHO, your US/UK
to both of you,
Stephen
On Wed, Nov 26, 2008 at 1:01 AM, Stephen Craig Evans
[EMAIL PROTECTED] wrote:
Gunnar,
Developers have no power. You should be talking to the decision makers.
As an example, to instill the importance of software security, I talk
to decision makers: project managers
to deploy least privilege in the real
world just want to make sure that I communicate my argument.
-gunnar
(who is now letting go)
On Nov 25, 2008, at 12:07 PM, Stephen Craig Evans wrote:
I can't let this go.
Gary, you are self-professed working with financial institutions and
high-end
still be
asked of IBM, and it's their responsibility to get the answers from
the small software shop (and my client will have the documentation as
a trust but verify check for later use).
Stephen
On 11/27/08, Jerry Leichter [EMAIL PROTECTED] wrote:
On Nov 26, 2008, at 3:05 AM, Stephen Craig
I'll preface what I'm going to say with:
- I don't work in the financial vertical or government defense, but
from conversations with colleagues, I think that they get it (they
have to)
- My sphere of experience excludes Australia, India, and Japan:
- Oz has on average a high skill set of s/w
... and demand that they deliver code that is so locked down that it
cannot misbehave.
Your premise is so incorrect that I advise that if you are truly
interested in answering your questions (as opposed to a purely
academic or other exercise), then you should hire a security
specialist to help
Hi Gary,
I think you were on the right path describing software security and
illustrating the difference between software security and web app
security (even though I don't think it was intentional) when you
talked about Pervasive Computing in a BankInfoSecurity podcast
(starting at 5 min 10
Hi,
I did an OWASP Summer of Code 2008 project, Securing WebGoat using
ModSecurity (actually, it expanded into a Fall of Code project too
:-)
First, the project should have been named Protecting WebGoat using
ModSecurity but by the time I figured it out, it was too late to
change the title.
The
Hi Mark,
What I have seen is that the organization develops security
standards/guidelines and secure coding guidelines tailored to the org.
If the org is big enough to have its own security team, then they do
it; if not, then they hire consultants to do it. It's not too
difficult to find out
Hi Arian,
SANS has spoken and I think that is a pretty clear indication what is
going on)
Have you been watching Wizard of Oz re-reruns again? This sentence sounds
too much like The Mighty Oz has spoken :-)
Cheers,
Stephen
On Sat, Jan 17, 2009 at 11:39 AM, Arian J. Evans
Hi Jim,
I check the web site daily before you even announce the podcasts.
Tremendous stuff as you don't lob softball questions plus you get
quickly to the point.
Thanks for your effort; I've learned a lot from them already.
Keep up the great work,
Stephen
On Fri, Apr 10, 2009 at 1:16 AM, Jim
Sergio,
Blackhat IS about breaking stuff, the vendors area offers defense
products and services to improve your security. For building stuff (as
in development) there are other conferences out there. People go to
Blackhat to be aware of what things might go wrong in order to protect
better