[SC-L] Off-by-one errors: a brief explanation

2004-05-05 Thread Steven M. Christey
Mads Rasmussen [EMAIL PROTECTED] said: I for one have difficulties understanding the off-by-one vulnerability. Maybe a kind soul would step in? I'll try to tackle this. Corrections or additions are most welcome :) In general, off-by-one bugs involve small errors in which an array of size N

Re: [SC-L] Off-by-one errors: a brief explanation

2004-05-06 Thread Steven M. Christey
[EMAIL PROTECTED] said: that wasn't the question - well, 'not how can overwriting 5 bytes help you', but what error do you code that's a miscount by 5 bytes? The off-by-one errors I am familiar with have manipulated character arrays, so each element is one byte long. When the index is off by

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-05 Thread Steven M. Christey
On Tue, 27 Feb 2007, J. M. Seitz wrote: Always a great debate, I somewhat agree with Marcus, there are plenty of pimps out there looking for fame, and there are definitely a lot of them (us) that are working behind the scenes, taking the time to help the vendors and to stay somewhat out of

Re: [SC-L] Disclosure: vulnerability pimps? or super heroes?

2007-03-07 Thread Steven M. Christey
Based on my general impressions in day-to-day operations for CVE (around 150 new vulns a week on average), maybe 40-60% of disclosures happen without any apparent attempt at vendor coordination, another 10-20% with a communication breakdown (including they didn't answer in 2 days), and the rest

Re: [SC-L] What defines an InfoSec Professional?

2007-03-08 Thread Steven M. Christey
On Thu, 8 Mar 2007, Greg Beeley wrote: Perhaps one of the issues here is that if you are in operations work (network security, etc.), there are more aspects of the CISSP that are relevant to your daily work. In software development, there is usually just the one - app development sec - that

Re: [SC-L] Information Protection Policies

2007-03-10 Thread Steven M. Christey
On a slightly tangential note, and apologies if this was mentioned on this list previously, OWASP has some guidelines on how consumers can write up contracts with their vendors related to secure software: http://www.owasp.org/index.php/OWASP_Secure_Software_Contract_Annex - Steve

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-19 Thread Steven M. Christey
On Mon, 19 Mar 2007, Crispin Cowan wrote: Since many users are economically motivated, this may explain why users don't care much about security :) But... but... but... I understand the sentiment, but there's something missing in it. Namely, that the costs related to security are not really

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-21 Thread Steven M. Christey
On Wed, 21 Mar 2007, mudge wrote: Sorry, but I couldn't help but be reminded of an old L0pht topic that we brought up in January of 1999. Having just re-read it I found it still relatively poignant: Cyberspace Underwriters Laboratories[1]. I was thinking about this, too, I should have

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-21 Thread Steven M. Christey
I was originally going to say this off-list, but it's not that big a deal. Arian J. Evans said: I think you are on to something here in how to think about this subject. Perhaps I should float my little paper out there and we could shape up something worth while describing how the industry is

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-14 Thread Steven M. Christey
On Mon, 14 May 2007, McGovern, James F (HTSC, IT) wrote: 1. ONLY consultants and vendors have jumped on the bandwagon. Other IT professionals such as those who work in large enterprises have no motivation to pursue. Only vendors have jumped on the bandwagon? The software developers are the

Re: [SC-L] Darkreading: Secure Coding Certification

2007-05-14 Thread Steven M. Christey
On Sat, 12 May 2007, ljknews wrote: but based on biases I see on this list, I tend to believe that those who make such a certification scheme would bias it toward: Programming done in C and derivative languages (C++, Java, etc.) Programming relying on TCP/IP neither of which

Re: [SC-L] Tools: Evaluation Criteria

2007-05-22 Thread Steven M. Christey
On Tue, 22 May 2007, McGovern, James F (HTSC, IT) wrote: We will shortly be starting an evaluation of tools to assist in the secure coding practices initiative and have been wildly successful in finding lots of consultants who can assist us in evaluating but absolutely zero in terms of

Re: [SC-L] Perspectives on Code Scanning

2007-06-07 Thread Steven M. Christey
On Thu, 7 Jun 2007, Michael Silk wrote: and that's the problem. the accountability for insecure coding should reside with the developers. it's their fault [mostly]. The customers have most of the power, but the security community has collectively failed to educate customers on how to ask for

Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-07 Thread Steven M. Christey
On Wed, 6 Jun 2007, Wietse Venema wrote: more and more people, with less and less experience, will be programming computer systems. The challenge is to provide environments that allow less experienced people to program computer systems without introducing gaping holes or other unexpected

Re: [SC-L] Harvard vs. von Neumann

2007-06-12 Thread Steven M. Christey
On Mon, 11 Jun 2007, Crispin Cowan wrote: Gary McGraw wrote: Though I don't quite understand computer science theory in the same way that Crispin does, I do think it is worth pointing out that there are two major kinds of security defects in software: bugs at the implementation

Re: [SC-L] Harvard vs. von Neumann

2007-06-12 Thread Steven M. Christey
I agree with Ryan, at the top skill levels anyway. Binary reverse engineering seems to have evolved to the point where I refer to binary as source-equivalent, and I was told by some well-known applied researcher that some vulns are easier to find in binary than source. But the bulk of public

Re: [SC-L] The Specifications of the Thing

2007-06-12 Thread Steven M. Christey
On Tue, 12 Jun 2007, Michael S Hines wrote: So - aren't a lot of the Internet security issues errors or omissions in the IETF standards - leaving things unspecified which get implemented in different ways - some of which can be exploited due to implementation flaws (due to specification

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-26 Thread Steven M. Christey
On Tue, 26 Jun 2007, Kenneth Van Wyk wrote: Mind you, the overrun can only be exploited when specific characters are used as input to the loop in the code. Thus, I'm inclined to think that this is an interesting example of a bug that would have been extraordinarily difficult to find using

Re: [SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-26 Thread Steven M. Christey
On 6/26/07 4:25 PM, Wall, Kevin [EMAIL PROTECTED] wrote: I mean, was the fix really rocket science that it had to take THAT LONG??? IMHO, no excuse for taking that long. Some major vendor organizations, most notably Oracle and Microsoft, have frequently stated that they can't always fix even

[SC-L] CWE Researcher List

2007-09-06 Thread Steven M. Christey
All, I figured people on this list might be interested in this. If you have any concerns or suggestions about CWE, the upcoming months will be the best time to raise them in a focused discussion forum, the CWE Researcher List. If you don't know what CWE is, then shame on me for not pimping it

Re: [SC-L] Microsoft Pushes Secure, Quality Code

2007-10-08 Thread Steven M. Christey
Interesting that attack surface isn't included, given that Microsoft was one of the earliest advocates of attack surface, a metric that is likely strongly associated with the number of input-related vulnerabilities. It's probably hard to do perfectly, though, especially if any third-party APIs

Re: [SC-L] Microsoft Pushes Secure, Quality Code

2007-10-08 Thread Steven M. Christey
On Mon, 8 Oct 2007, Gary McGraw wrote: Not surprising. Last time I looked, attack surface is subjective. McCabe is not. BTW, McCabe's Cyclomatic complexity boils down to 85% lines of code and 15% data flow if you do a principal component analysis on it. Hopefully the SEI people are

Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Steven M. Christey
On Fri, 30 Nov 2007, Shea, Brian A wrote: Software vendors will need a 3 tier approach to software security: Dev training and certification, internal source testing, external independent audit and rating. I don't think I've seen enough emphasis on this latter item. A sufficiently vibrant

Re: [SC-L] Open Source Code Contains Security Holes -- Open Source -- InformationWeek

2008-01-10 Thread Steven M. Christey
Another question is how many of the reported bugs wound up being false positives. Through casual conversations with some vendor (I forget whom), it became clear that the massive number of reported issues was very time-consuming to deal with, and not always productive. Of course this is no

Re: [SC-L] Programming language comparison?

2008-02-05 Thread Steven M. Christey
On Mon, 4 Feb 2008, ljknews wrote: (%s to fill up disk or memory, anybody?), so it's marked with All and it's not in the C-specific view, even though there's a heavy concentration of format strings in C/C++. It is marked as All ? What is the construct in Ada that has such a

Re: [SC-L] Lateral SQL injection paper

2008-04-29 Thread Steven M. Christey
On Tue, 29 Apr 2008, Joe Teff wrote: If I use Parameterized queries w/ binding of all variables, I'm 100% immune to SQL Injection. Sure. You've protected one app and transferred risk to any other process/app that uses the data. If they use that data to create dynamic sql, then what?

Re: [SC-L] Wysopal says tipping point reached...

2008-11-06 Thread Steven M. Christey
On Tue, 4 Nov 2008, Benjamin Tomhave wrote: An interesting read. Not much to really argue with, I don't think. http://www.veracode.com/blog/2008/11/we%e2%80%99ve-reached-the-application-security-tipping-point/ Agree. But, just to bolster (if it's relevant) I'll expand on my comment to that

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-17 Thread Steven M. Christey
The CWE Research view (CWE-1000) is language-neutral at its higher-level nodes, and decomposes in some areas into language-specific constructs. Early experience suggests that this view is not necessarily developer-friendly, however, because it's not organized around the types of concepts that

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Steven M. Christey
On Tue, 25 Nov 2008, Mark Rockman wrote: Assuming this is repeated for every use case, the resulting reports would be a very good guide to how CAS settings should be established for production. Of course, every time the program is changed in any way, the process would have to be repeated.

[SC-L] CWE/SANS Top 25 Most Dangerous Programming Errors

2008-12-17 Thread Steven M. Christey
Since this is the week of the top-lists related to secure coding, I thought I'd notify the SC-L people about a new collaboration between SANS and MITRE. We are creating a Top 25 list of the worst programming errors, targeted largely at developers, software managers, and CIOs. The list is not as

[SC-L] Some Interesting Topics arising from the SANS/CWE Top 25

2009-01-12 Thread Steven M. Christey
All, I'm the editor of the Top 25 list. Thanks to Ken and others on SC-L who provided some amazing feedback before its publication. I hope we were able to address most of your concerns and am sorry that we couldn't address all of them. Note that MITRE's site for the Top 25 is more technically

Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-13 Thread Steven M. Christey
On Tue, 13 Jan 2009, Gary McGraw wrote: I thought you might get a kick out of it. I did! :-) Always good to have debates. Executives don't care about technical bugs No, but they do what PCI says they have to (i.e. listen to the OWASP Top Ten). They do care about the bottom line. They hate

Re: [SC-L] Some Interesting Topics arising from the SANS/CWE Top 25

2009-01-14 Thread Steven M. Christey
On Tue, 13 Jan 2009, Greg Beeley wrote: Steve I agree with you on this one. Both input validation and output encoding are countermeasures to the same basic problem -- that some of the parts of your string of data may get treated as control structures instead of just as data. Note that I'm

[SC-L] SDL / Secure Coding and impact on CWE / Top 25

2009-01-28 Thread Steven M. Christey
In the past year or so, I've been of a growing mindset that one of the hidden powers of CWE and other weakness/bug/vulnerability/attack taxonomies would be in evaluating secure coding practices: if you do X and Y, then what does that actually buy you, in terms of which vulnerabilities are fixed

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-18 Thread Steven M. Christey
On Wed, 18 Mar 2009, Gary McGraw wrote: Many of the top N lists we encountered were developed through the consistent use of static analysis tools. Interesting. Does this mean that their top N lists are less likely to include design flaws? (though they would be covered under various other

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-18 Thread Steven M. Christey
On Wed, 18 Mar 2009, Gary McGraw wrote: Because it is about building a top N list FOR A PARTICULAR ORGANIZATION. You and I have discussed this many times. The generic top 25 is unlikely to apply to any particular organization. The notion of using that as a driver for software purchasing is

Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-18 Thread Steven M. Christey
On Wed, 18 Mar 2009, Gary McGraw wrote: Both early phases of software security made use of any sort of argument or 'evidence' to bolster the software security message, and that was fine given the starting point. We had lots of examples, plenty of good intuition, and the best of intentions.

Re: [SC-L] Seeking vulnerable server-side scripts

2009-05-06 Thread Steven M. Christey
Jeremy, CVE is littered with these kinds of issues, for PHP especially. The scripts are often open source, fully-functional packages that just happen to have lots of security issues. Sometimes the root cause is buried fairly deep in the code, but the people who find these bugs often care only

Re: [SC-L] Provably correct microkernel (seL4)

2009-10-03 Thread Steven M. Christey
I wonder what would happen if somebody offered $1 to the first applied researcher to find a fault or security error. According to http://ertos.nicta.com.au/research/l4.verified/proof.pml, buffer overflows, memory leaks, and other issues are not present. Maybe people would give up if they

Re: [SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread Steven M. Christey
On Thu, 7 Jan 2010, Stephen Craig Evans wrote: I am VERY curious to learn how these happened... My name is Steve. I had a 2010 problem. An internal CVE support program was hit by this issue. Fortunately, there weren't any fatal results and it was only an annoyance. However: I had an

Re: [SC-L] BSIMM update (informIT)

2010-01-29 Thread Steven M. Christey
Speaking of top 25 tea leaves, the bug parade boogeyman just called and reminded me that the 2010 Top 25 is due to be released next Thursday, February 4. Thanks for the plug. A preview of some of the brand-new features: 1) Data-driven ranking with alternate metrics to feed the brain and

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Steven M. Christey
On Tue, 2 Feb 2010, Wall, Kevin wrote: To study something scientifically goes _beyond_ simply gathering observable and measurable evidence. Not only does data need to be collected, but it also needs to be tested against a hypothesis that offers a tentative *explanation* of the observed

Re: [SC-L] BSIMM update (informIT)

2010-02-02 Thread Steven M. Christey
On Tue, 2 Feb 2010, Arian J. Evans wrote: BSIMM is probably useful for government agencies, or some large organizations. But the vast majority of clients I work with don't have the time or need or ability to take advantage of BSIMM. Nor should they. They don't need a software security group.

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Steven M. Christey
On Wed, 3 Feb 2010, Gary McGraw wrote: Popularity contests are not the kind of data we should count on. But maybe we'll make some progress on that one day. That's my hope, too, but I'm comfortable with making baby steps along the way. Ultimately, I would love to see the kind of linkage

Re: [SC-L] BSIMM update (informIT)

2010-02-04 Thread Steven M. Christey
On Thu, 4 Feb 2010, Jim Manico wrote: These companies are examples of recent epic security failure. Probably the most financially damaging infosec attack, ever. Microsoft let a plain-vanilla 0-day slip through ie6 for years Actually, it was a not-so-vanilla use-after-free, which once upon a

Re: [SC-L] Metrics

2010-02-05 Thread Steven M. Christey
On Fri, 5 Feb 2010, McGovern, James F. (eBusiness) wrote: One of the general patterns I noted while providing feedback to the OWASP Top Ten listserv is that top ten lists do sort differently. Within an enterprise setting, it is typical for enterprise applications to be built on Java, .NET or

Re: [SC-L] [WEB SECURITY] RE: blog post and open source vulnerabilities to blog about

2010-03-18 Thread Steven M. Christey
CWE, CLASP, and some other information sources have a number of code snippets that highlight various weaknesses. In CWE, this code is easily extractable from the XML by grabbing the Demonstrative_Examples element, and we've even conveniently labeled examples with the various languages. You

Re: [SC-L] Java: the next platform-independent target

2010-10-21 Thread Steven M. Christey
On Thu, 21 Oct 2010, James Manico wrote: A lot of smart people disagree with me here - but the history of Java sandbox problems, data theft through reflection, the weak security policy mechanism, etc, backs up my recommendation. Given the history of security problems in the PHP interpreter

Re: [SC-L] Java: the next platform-independent target

2010-10-24 Thread Steven M. Christey
On Fri, 22 Oct 2010, Jim Manico wrote: I think the deprecation of these technologies for an enterprise is a wise idea. :) How can a large enterprise use PHP or ASP for security-critical applications with a straight face? Let's move forward to Ruby on Rails, Enterprise Java, .NET and other

[SC-L] DHS Cyber Security BAA announcements related to software assurance

2010-11-11 Thread Steven M. Christey
FYI - heard about this from Russell Thomas on another list. The US Department of Homeland Security will be publishing a Broad Agency Announcement (BAA) related to software assurance; an Industry Day session will take place on November 17, with a registration deadline of November 12.

Re: [SC-L] [WEB SECURITY] Backdoors in custom software applications

2010-12-23 Thread Steven M. Christey
On Mon, 20 Dec 2010, Arian J. Evans wrote: On a day to day basis - here are the most common backdoors in webapps I've encountered over the last 15 years or so: 1) Developer Tools Backdoor hidden under obscure path 2) COTS module improperly deployed results in backdoor 3) Custom admin module,

Re: [SC-L] Food for thought on app sec

2011-01-25 Thread Steven M. Christey
Rohit, Excellent article! For the Top 25, we've had lots of people assume that the entire list is about domain-specific issues, when it also covers domain-agnostic issues as well. My first guess is that domain-specific has a loose association with implementation, and domain-agnostic has a

Re: [SC-L] InformIT: comparing static analysis tools

2011-02-04 Thread Steven M. Christey
Jim, Maybe you would have had more success if you explicitly said in the cloud ;-) - Steve On Thu, 3 Feb 2011, Jim Manico wrote: Chris, I've tried to leverage Veracode in recent engagements. Here is how the conversation went: Jim: Boss, can I upload all of your code to this cool SaaS

Re: [SC-L] informIT: Building versus Breaking

2011-09-01 Thread Steven M. Christey
While I'd like to see Black Hat add some more defensive-minded tracks, I just realized that this desire might be a symptom of a larger problem: there aren't really any large-scale conferences dedicated to defense / software assurance. (The OWASP conferences are heavily web-focused; Dept. of

Re: [SC-L] BSIMM3 lives

2011-10-15 Thread Steven M. Christey
Gary, Congratulations to you, Brian, Sammy, and the rest of the BSIMM3 community! I have a few questions: 1) Was any analysis done to ensure that the 3 levels are consistent from a maturity perspective - for example, if an organization performed an activity at level 2, that there was