On Jan 10, 2010, at 5:38 AM, Kevin W. Wall wrote:
>
> IMO, I think the ideal situation would be if we could get the Spring and
> Struts, etc. development communities to integrate their frameworks so that
> they could be used with the ESAPI interfaces. (In many of these cases, these
> implement
You could try the OWASP ESAPI PHP project:
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=PHP
Stephen
On Sep 16, 2010, at 5:20 AM, modversion wrote:
> Hi list:
> There's a PHP IDS located at www.phpids.org, but it can NOT prevent
> the attack.
> Does anybody
nd
non-agile, but different degrees of agile based on the length of iterations
and/or the frequency of deployments. E.g. less-agile = 3 month iterations and
multi-month deploys, more-agile = continuous delivery with multiple deploys per
day.
regards,
Stephen de Vries
http://www.continuumse
Hi Sammy, Antti,
On 20 Dec 2013, at 17:29, Sammy Migues wrote:
> Also, in nearly all cases, it would be very hard to characterize an entire
> firm or even an entire business unit in larger firms as "Agile" or not. Many
> larger firms use "Agile" for only a small percentage of projects
Leav
wrote:
>
>> Stephen,
>>
>> On Sat, Jan 4, 2014 at 8:12 PM, Stephen de Vries wrote:
>>> Leaving the definition of agile aside for the moment, doesn't the fact that
>>> the BSIMM measures organisation wide activities but not individual dev
>>> teams m
A Corsaire White Paper:
A Modular Approach to Data Validation in Web Applications
Outline:
Data that is not validated or poorly validated is the root cause of a
number of serious security vulnerabilities affecting applications.
This paper presents a modular approach to performing thorough
]java -cp . -verify FullApp
Exception in thread "main" java.lang.IllegalAccessError: tried to
access field MyData.secret from class FullApp at FullApp.main
(FullApp.java:23)
Using the same code with an Applet loaded from the filesystem throws
an IllegalAccessError exception as it s
plet loaded from the filesystem'?
Where? In a Browser?
If you load an applet in a browser using a url such as
file:///data/stuff/launch.html then no verification is performed.
But if you access the applet using http/s then it will be verified.
cheers,
--
Stephen de Vries
Corsaire Lt
ity policy (equiv
to partial trust), but it could still be vulnerable to type confusion
attacks if the verifier was not explicitly enabled. To have both
enabled you'd need to run with:
java -verify -Djava.security.policy ...
regards,
--
Stephen de Vries
Corsaire Ltd
E-mail: [EMAIL PROTECT
Jim Halfpenny on the Webappsec list has discovered that BEA's JRockit
JDK _does_ use verification by default, his complete post quoted below
(the test was to access private methods on a class):
Hi,
BEA JRockit verifies by default and as far as I am aware does not offer a
-noverify option.
$ jav
contest to try and crack the new
verifier in Mustang: https://jdk.dev.java.net/CTV/learn.html
--
Stephen de Vries
Corsaire Ltd
E-mail: [EMAIL PROTECTED]
Tel:+44 1483 226014
Fax:+44 1483 226068
Web:http://www.corsaire.com
t a security manager.
For untrusted applets and webstart apps, both the verifier and a
security manager are enabled.
--
Stephen de Vries
On 12 May 2006, at 09:10, Charles Miller wrote:
It's not reflection: you're confusing IllegalAccessException and
IllegalAccessError.
For any non-Java nerd still listening in: there are two fundamental
types of "Throwable" exception-conditions in Java: Exceptions and
Errors[1]. Exception
On 12 May 2006, at 14:58, Dinis Cruz wrote:
Michael Silk wrote:
You can't disable the security manager even with the verifier off. But
you could extend some final or private class that the security manager
gives access to.
This is not correct. With the verifier disabled there are multiple
lt it would be to
implement these sandboxes and shed some light on exactly which
security issues they would prevent and which they would not.
regards,
--
Stephen de Vries
to deliver software with greater efficiency
and predictability at a lower cost."
--
Stephen de Vries
ng to OWASP:
http://www.owasp.org/index.php/Tutorial
- And join the mailing list:
http://lists.owasp.org/mailman/listinfo/java-project
Regards,
The OWASP Java Project leads
Rohyt Belani and Stephen de Vries
___
Secure Coding mailing list (SC-L)
Not even Chuck Norris can break Secure Software.
;)
-- Stephen de Vries
On 16 Jul 2006, at 02:27, Goertzel Karen wrote:
> I've been struggling for a while to synt
ur favorite ugly code
>> comment).
>> -
>>
>> http://blogs.securiteam.com/index.php/archives/659
>>
>> SO... ugly? dirty hack?
>>
>> Gadi.
need to start implementing security tests in
addition to the functional tests.
[shameless plug] I wrote a paper about this for OWASP a few months back:
http://www.corsaire.com/white-papers/060531-security-testing-web-applications-through-automated-software-tests.pdf
--
Stephen de Vries
Corsaire Ltd
On 8 Jun 2007, at 02:23, Steven M. Christey wrote:
>
> More modern languages advertise security but aren't necessarily
> catch-alls.
At the same time, the improvements in security made by managed code
(e.g. the JRE and .NET runtimes) for example, should not be
understated. The fact that apps
On Jan 14, 2009, at 8:45 PM, Steven M. Christey wrote:
>
> To all, I'll ask a more strategic question - assuming we're agreed that
> the Top 25 is a non-optimal means to an end, what can the software
> security community do better to raise awareness and see real-world
> change?
From a Web
ng wind of this, see:
> http://www.informit.com/articles/article.aspx?p=1271382
> http://www.informit.com/articles/article.aspx?p=1315431
Interesting articles, and they really whet the appetite for more of
your maturity model. Can we expect a public/open release?
Stephen