Entering the password on the command line could be an option if you
choose the Java Invocation API. I have done this in the past and it
has worked really well.
On 4/25/05, john bart <[EMAIL PROTECTED]> wrote:
> Hello to all the list.
> I need some advice on where to store the keystore's password.
It's my view, as Ken and I have said in a couple of publications, that
secure code "lets you say yes with confidence, and no with certainty".
-mg-
___
Secure Coding mailing list (SC-L)
SC-L@securecoding.org
List information, subscriptions, etc - http
Hi SC-L folks,
Ken van Wyk and I (we wrote “Secure Coding”, in 2003) are working on a new
book. It’s about how software developers and enterprise security specialists
can work together to help make a business safer.
The project is not moving fast enough for us, so we’d like to take on one or
steps that were not in the documentation".
However, he said the documentation didn't make it clear how to secure his network:
"The industry needs to make it easy for users like me -- who are reasonably
technically competent -- to employ solid security features and not make it so tempti
I thought this was interesting. I missed it but I am sure the message will
please many on this list (myself included)
Bill Cheswick <[EMAIL PROTECTED]> wrote:
> Bill Gates gave a keynote on their current approach to security, and
> the contents of SP2, due out 1H 2004. From what I heard, Bi
Before widespread use of the Internet, computers were isolated from
malicious attacks. Many of them were not networked. CPUs were slow.
Memory was small. It was common practice to "trust the user" to minimize
the size of programs to speed up processing and to make programs fit in
memory. Non-ty
I had no idea I was promulgating a syllogism. In fact, I did not intend to.
My point was that the world changed and the software didn't, nor did people
change their behaviors to compensate. Remember, the Internet until 1992 was
a community of well-behaved techies: netizens. Software design was n
You are not nuts. Your course outline is a very substantial step in the
right direction.
- Original Message -
From: "Dana Epp" <[EMAIL PROTECTED]>
To: "Fernando Schapachnik" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, July 06, 2004 16:42
Subject: Re: [SC-L] Education and s
JOVIAL goes back to the 1960s as "Jules' Own Version of the International
Algebraic Language."
ALGOL and IAL are the same thing. JOVIAL was used almost exclusively by the
United States Air Force.
- Original Message -
From: "Dave Aronson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMA
(e.g. nonconformant) input.
Mark Rockman
MDRSESCO LLC
- Original Message -
From: "Michael S Hines" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 22, 2004 10:32
Subject: RE: [SC-L] Programming languages -- the "third rail" of secure
coding
If I allocate a buffer of n bytes, open the channel and receive n+m bytes
where m>0, then where does the fault lie? Some possibilities: 1) My choice
for n is too small, 2) the software with which I open the channel does not
permit me to specify that my buffer is only n bytes in length and it retu
ch will resolve the function's signature (return
type, namespace, method name and parameters) asynchronously.
Read more in user guide.
Thanks to Dinis Cruz who developed this tool under contract
Mark Curphey
http://www.foundstone.com
For a long time I have wanted to be able to point to a common set of
definitions for security terms (not the usual BS
marketing / Hax0r terms) that I can use and adopt in technical and
non-technical writing. Things like the OWASP Top
Ten re-write. So I created one using a Wiki so people can add,
I like the second idea a lot. Thanks. I actually don't want to be web
application specific. I think what I will do is create a matrix, map the
current terms in existing standards (RFC 2828, NIST etc) and then I can
reference the term back to the official document in a central place. Argh,
blue skies
If you fancy yourself as a good code reviewer you can play spot the bug at
MSDN. They will be getting harder!
http://msdn.microsoft.com/security/
Fascinating and heartening development. Raises a couple of questions in my
mind.
1. Why now? Many worthies, myself included during my years at Sun, have been
crying for years/decades *from within the software industry* for just such a
shift. So what has changed? Ken and I outlined in "Secure C
There's another point to consider, when talking about whether True Security
is Possible. And I have to say I've never been happy with the forms I've
found so far to express it...
Security, in many cases, decays. It's like what we used to call, in the Old
Days, "bit rot". Software that has "work
Gary McGraw said:
> Ed Felten and I found out early on (back in 1996) that you can use the
> press as a lever to get companies to do the right thing. We learned
> this when releasing the very first Java Security hole. We found out
> that Sun paid much more attention once USA Today picked up the
ersion flaws, as well
as some fun C puzzles. The book will be hitting stores within the next few
days. Any thoughts/comments would be appreciated.
Enjoy!
Mark Dowd
The old Sperry operating system from Unisys for successors to the 1108 computer
has temporary files that are accessible only to the process that creates them.
Such files can be treated as "directories," even though the file system on such
machines is not tree-structured. Space allocated to tem
The adolescent minds that engage in "exploits" wouldn't know COBOL if a
printout fell out a window and onto their heads. I'm sure you can write COBOL
programs that crash, but it must be hard to make them take control of the
operating system. COBOL programs are heavy into unit record equipment
Back around 1980, when Ada was new, it was common for compiler manufacturers to
claim it is best to disable bound checking for performance reasons. Getting
your program to run slightly faster trumped knowing that any of your buffers
was overflowing. Code that silently trashes memory can be expe
course, every time the program is
changed in any way, the process would have to be repeated.
MARK ROCKMAN
MDRSESCO LLC
is there that'll
do the job? Doesn't exist, does it?
MARK ROCKMAN
MDRSESCO LLC
percentage of the people who NEED to get the message. Grandma and her
e-mail client and pictures of her grandkids is totally clueless and possibly
hostile towards detailed change information. I'm not grandma. I take pride
in knowing what is going on and can do so if only I am enabled to do so.
25 matches