Re: [SC-L] How Can You Tell It Is Written Securely?

2008-12-01 Thread Stephen Craig Evans
Hi Mark,

What I have seen is that the organization develops security
standards/guidelines and secure coding guidelines tailored to the org.
If the org is big enough to have its own security team, then they do
it; if not, then they hire consultants to do it. It's not too
difficult to find out amongst the consultants who has the experience
and who doesn't.

Those standards and guidelines are updated either every year or two,
or before the next big project.

External consultant(s) - not the internal security team within the
organization (if it exists) - then does audits at milestones of the
project implemented by the outsourcing organization and reports on the
conformance to the guidelines and standards, and anything else that
might have been left out (which then results in updated standards and
guidelines). For non-conformant issues, the 3 groups get together and
decide what to do about it. If a direct solution is not possible,
often other security controls can be tweaked or enhanced to make that
particular risk acceptable or eliminated.

This type of system has clear separation of duties.

Stephen

On Thu, Nov 27, 2008 at 10:03 AM, Mark Rockman [EMAIL PROTECTED] wrote:
> OK.  So you decide to outsource your programming assignment to Asia and
> demand that they deliver code that is so locked down that it cannot
> misbehave.  How can you tell that what they deliver is truly locked down?
> Will you wait until it gets hacked?  What simple yet thorough inspection
> process is there that'll do the job?  Doesn't exist, does it?
>
>
> MARK ROCKMAN
> MDRSESCO LLC
> ___
> Secure Coding mailing list (SC-L) SC-L@securecoding.org
> List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
> List charter available at - http://www.securecoding.org/list/charter.php
> SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
> as a free, non-commercial service to the software security community.
> ___




Re: [SC-L] How Can You Tell It Is Written Securely?

2008-12-01 Thread ljknews
At 9:03 PM -0500 11/26/08, Mark Rockman wrote:

> OK.  So you decide to outsource your programming assignment to Asia and
> demand that they deliver code that is so locked down that it cannot
> misbehave.  How can you tell that what they deliver is truly locked down?
> Will you wait until it gets hacked?  What simple yet thorough inspection
> process is there that'll do the job?  Doesn't exist, does it?

Certainly it exists.  Rerun the verification of the formal proof,
as used in the Tokeneer project I mentioned earlier.

Of course a formal proof only proves that software conforms to
a specification, so unless you have a specification you have
nothing, and that is what a lot of software is lacking.
-- 
Larry Kilgallen


Re: [SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Stephen Craig Evans
> ... and demand that they deliver code that is so locked down that it
> cannot misbehave.

Your premise is so incorrect that I advise that if you are truly
interested in answering your questions (as opposed to a purely
academic or other exercise), then you should hire a security
specialist to help you out, or use google search :-)

Cheers,
Stephen

On Thu, Nov 27, 2008 at 10:03 AM, Mark Rockman [EMAIL PROTECTED] wrote:
> OK.  So you decide to outsource your programming assignment to Asia and
> demand that they deliver code that is so locked down that it cannot
> misbehave.  How can you tell that what they deliver is truly locked down?
> Will you wait until it gets hacked?  What simple yet thorough inspection
> process is there that'll do the job?  Doesn't exist, does it?
>
>
> MARK ROCKMAN
> MDRSESCO LLC




Re: [SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Jim Manico
> OK.  So you decide to outsource your programming assignment to Asia
> and demand that they deliver code that is so locked down that it cannot
> misbehave.  How can you tell that what they deliver is truly locked
> down?  Will you wait until it gets hacked?  What simple yet thorough
> inspection process is there that'll do the job?  Doesn't exist, does it?

The most important thing you can do is provide very specific security
requirements as part of your vendor contract BEFORE you hire a vendor -
and the process of building these security requirements might call for
bringing in a security consultant if you do not have the expertise in-shop.

Requirements that allow a vendor to actually provide security are line
items like (assuming it's a web app):

- Provide input validation for every piece of user data. Do so by mapping
  every unique piece of user data to a regular expression that is placed
  inside a configuration file.
- Provide CSRF protection by creating and enforcing a form nonce for
  every user session.

After you build this list for your company, it should provide you with a
core list of security requirements that you can add to any PO.

- Jim

> MARK ROCKMAN
> MDRSESCO LLC



-- 
Jim Manico, Senior Application Security Engineer
[EMAIL PROTECTED] | [EMAIL PROTECTED]
(301) 604-4882 (work)
(808) 652-3805 (cell)

Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
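The two line items above, worked as an added example (not code from the post or from Aspect Security): a config-driven validator where every accepted field maps to an anchored regular expression loaded from a constructed JSON config, plus a per-session CSRF nonce that is checked before any field is looked at. Field names, patterns and the Session class are assumptions for illustration.

```python
import json
import re
import secrets

# Constructed sample config: every user-supplied field maps to an anchored
# regular expression. In practice this JSON lives in a config file the
# vendor ships and the auditor can review without reading handler code.
VALIDATION_CONFIG = json.loads(r'''{
  "username": "^[A-Za-z0-9_]{3,32}$",
  "email": "^[^@\\s]+@[^@\\s]+\\.[A-Za-z]{2,}$",
  "zip": "^[0-9]{5}$"
}''')

RULES = {name: re.compile(pattern) for name, pattern in VALIDATION_CONFIG.items()}


def validate(form):
    """Return the names of fields that fail validation.
    A field with no rule in the config is rejected too: no rule, no contract.
    fullmatch() is used so a trailing newline cannot slip past a '$' anchor."""
    errors = []
    for name, value in form.items():
        rule = RULES.get(name)
        if rule is None or not isinstance(value, str) or not rule.fullmatch(value):
            errors.append(name)
    return errors


class Session:
    """Hypothetical session object: one CSRF nonce issued per user session,
    embedded in every form the session renders."""
    def __init__(self):
        self.csrf_nonce = secrets.token_urlsafe(32)


def check_csrf(session, submitted):
    # Constant-time comparison; a missing token is a failure, not an exception.
    return submitted is not None and secrets.compare_digest(session.csrf_nonce, submitted)


def handle_post(session, form):
    """Gate a submission on the session nonce first, then on the field rules."""
    if not check_csrf(session, form.get("csrf_token")):
        return "rejected: bad csrf token"
    data = {k: v for k, v in form.items() if k != "csrf_token"}
    bad = validate(data)
    if bad:
        return "rejected: invalid fields " + ", ".join(sorted(bad))
    return "accepted"
```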
