Re: [SC-L] [Esapi-user] Recommending ESAPI?

2010-01-10 Thread Stephen de Vries
On Jan 10, 2010, at 5:38 AM, Kevin W. Wall wrote: > > IMO, I think the ideal situation would be if we could get the Spring and > Struts, > etc. development communities to integrate their frameworks so that they could > be used with the ESAPI interfaces. (In many of these cases, these > implement

Re: [SC-L] PHP IPS

2010-09-16 Thread Stephen de Vries
You could try the OWASP ESAPI PHP project: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=PHP Stephen On Sep 16, 2010, at 5:20 AM, modversion wrote: > Hi list: > There’s a php ids located at www.phpids.org ,but it can NOT prevent > the attack. > Does anybody

Re: [SC-L] BSIMM-V Article in Application Development Times

2013-12-17 Thread Stephen de Vries
nd non-agile, but different degrees of agile based on the length of iterations and/or the frequency of deployments. E.g. less-agile = 3 month iterations and multi-month deploys, more-agile = continuous delivery with multiple deploys per day. regards, Stephen de Vries http://www.continuumse

Re: [SC-L] BSIMM-V Article in Application Development Times

2014-01-07 Thread Stephen de Vries
Hi Sammy, Antti, On 20 Dec 2013, at 17:29, Sammy Migues wrote: > Also, in nearly all cases, it would be very hard to characterize an entire > firm or even an entire business unit in larger firms as "Agile" or not. Many > larger firms use "Agile" for only a small percentage of projects Leav

Re: [SC-L] BSIMM-V Article in Application Development Times

2014-01-22 Thread Stephen de Vries
wrote: > >> Stephen, >> >> On Sat, Jan 4, 2014 at 8:12 PM, Stephen de Vries >> wrote: >>> Leaving the definition of agile aside for the moment, doesn’t the fact that >>> the BSIMM measures >>> organisation wide activities but not individual dev teams m

[SC-L] A Modular Approach to Data Validation in Web Applications

2006-03-27 Thread Stephen de Vries
A Corsaire White Paper: A Modular Approach to Data Validation in Web Applications Outline: Data that is not validated or poorly validated is the root cause of a number of serious security vulnerabilities affecting applications. This paper presents a modular approach to performing thorough

Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-27 Thread Stephen de Vries
]java -cp . -verify FullApp Exception in thread "main" java.lang.IllegalAccessError: tried to access field MyData.secret from class FullApp at FullApp.main (FullApp.java:23) Using the same code with an Applet loaded from the filesystem throws an IllegalAccessError exception as it s

Re: [OWASP-LEADERS] Re: [Owasp-dotnet] RE: [SC-L] 4 Questions: Latest IE vulnerability, Firefox vs IE security, Uservs Admin risk profile, and browsers coded in 100% Managed Verifiable code

2006-03-29 Thread Stephen de Vries
plet loaded from the filesystem'? Where? In a Browser? If you load an applet in a browser using a url such as: file:///data/stuff/launch.html then no verification is performed. But if you access the applet using http/s then it will be verified. cheers, -- Stephen de Vries Corsaire Lt

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-03 Thread Stephen de Vries
ity policy (equiv to partial trust), but it could still be vulnerable to type confusion attacks if the verifier was not explicitly enabled. To have both enabled you'd need to run with: java -verify -Djava.security.policy ... regards, -- Stephen de Vries Corsaire Ltd E-mail: [EMAIL PROTECT

RE: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-05 Thread Stephen de Vries
Jim Halfpenny on the Webappsec list has discovered that BEA's JRockit JDK _does_ use verification by default, his complete post quoted below (the test was to access private methods on a class): Hi, BEA JRockit verifies by default and as far as I am aware does not offer a -noverify option. $ jav

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-05 Thread Stephen de Vries
contest to try and crack the new verifier in Mustang: https://jdk.dev.java.net/CTV/learn.html -- Stephen de Vries Corsaire Ltd E-mail: [EMAIL PROTECTED] Tel:+44 1483 226014 Fax:+44 1483 226068 Web:http://www.corsaire.com ___ Secure Coding ma

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-11 Thread Stephen de Vries
t a security manager. For untrusted applets and webstart apps, both the verifier and a security manager are enabled. -- Stephen de Vries Corsaire Ltd E-mail: [EMAIL PROTECTED] Tel:+44 1483 226014 Fax:+44 1483 226068 Web:http://www.corsaire.com

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-13 Thread Stephen de Vries
On 12 May 2006, at 09:10, Charles Miller wrote: It's not reflection: you're confusing IllegalAccessException and IllegalAccessError. For any non-Java nerd still listening in: there are two fundamental types of "Throwable" exception-conditions in Java: Exceptions and Errors[1]. Exception

Re: [SC-L] By default, the Verifier is disabled on .Net and Java

2006-05-13 Thread Stephen de Vries
On 12 May 2006, at 14:58, Dinis Cruz wrote: Michael Silk wrote: You can't disable the security manager even with the verifier off. But you could extend some final or private class that the security manager gives access to. This is not correct. With the verifier disabled there are multiple

[SC-L] Re: [WEB SECURITY] On sandboxes, and why you should care

2006-05-27 Thread Stephen de Vries
lt it would be to implement these sandboxes and shed some light on exactly which security issues they would prevent and which they would not. regards, -- Stephen de Vries Corsaire Ltd E-mail: [EMAIL PROTECTED] Tel:+44 1483 226014 Fax:+44 1483 226068 Web:http://www.corsaire

[SC-L] Reusable Security for Segmented Data Domains

2006-06-07 Thread Stephen de Vries
to deliver software with greater efficiency and predictability at a lower cost." -- Stephen de Vries Corsaire Ltd E-mail: [EMAIL PROTECTED] Tel:+44 1483 226014 Fax:+44 1483 226068 Web:http://www.corsaire.com

[SC-L] OWASP Java Project: Call for volunteers

2006-07-01 Thread Stephen de Vries
ng to OWASP: http://www.owasp.org/index.php/Tutorial - And join the mailing list: http://lists.owasp.org/mailman/listinfo/java-project Regards, The OWASP Java Project leads Rohyt Belani and Stephen de Vries

Re: [SC-L] "Bumper sticker" definition of secure software

2006-07-16 Thread Stephen de Vries
Not even Chuck Norris can break Secure Software. ;) -- Stephen de Vries Corsaire Ltd E-mail: [EMAIL PROTECTED] Tel:+44 1483 226014 Fax:+44 1483 226068 Web:http://www.corsaire.com On 16 Jul 2006, at 02:27, Goertzel Karen wrote: > I've been struggling for a while to synt

Re: [SC-L] Google code search games

2006-10-05 Thread Stephen de Vries
ur favorite ugly code >> comment). >> - >> >> http://blogs.securiteam.com/index.php/archives/659 >> >> SO... ugly? dirty hack? >> >> Gadi.

Re: [SC-L] Compilers

2006-12-21 Thread Stephen de Vries
need to start implementing security tests in addition to the functional tests. [shameless plug] I wrote a paper about this for OWASP a few months back: http://www.corsaire.com/white-papers/060531-security-testing-web-applications-through-automated-software-tests.pdf -- Stephen de Vries Corsaire Ltd

Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-08 Thread Stephen de Vries
On 8 Jun 2007, at 02:23, Steven M. Christey wrote: > > More modern languages advertise security but aren't necessarily > catch-alls. At the same time, the improvements in security made by managed code (e.g. the JRE and .NET runtimes) for example, should not be understated. The fact that apps

Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-14 Thread Stephen de Vries
On Jan 14, 2009, at 8:45 PM, Steven M. Christey wrote: > > To all, I'll ask a more strategic question - assuming we're agreed > that > the Top 25 is a non-optimal means to an end, what can the software > security community do better to raise awareness and see real-world > change? From a Web

Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-15 Thread Stephen de Vries
ng wind of this, see: > http://www.informit.com/articles/article.aspx?p=1271382 > http://www.informit.com/articles/article.aspx?p=1315431 Interesting articles, and they really whet the appetite for more of your maturity model. Can we expect a public/open release? Stephen > > > >