Re: [SC-L] Secure Programming with Static Analysis

The US Dept of Defense has done some work on the procurement side of the problem. Here are two papers for those in very large bureaucracies who might be interested:

Best Software Assurance Practices in Acquisition of Trusted Systems
http://www.cisse.info/colloquia/cisse10/proceedings10/pdfs/papers/S02P03.pdf

Software Assurance: Five Essential Considerations for Acquisition Officials
http://www.stsc.hill.af.mil/CrossTalk/2007/05/0705PolydysWisseman.html

On Jul 9, 2007, at 1:16 PM, McGovern, James F (HTSC, IT) wrote:

> If you are seeking additional book ideas for this series, may I suggest posting to [EMAIL PROTECTED]
>
> There are two books that I would love to see:
> - Designing Secure Software - Not everything is about the code
> - Procuring Secure Software - Most enterprises nowadays buy software vs build it
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary McGraw
> Sent: Thursday, July 05, 2007 9:01 AM
> To: 'Brian Chess'; 'sc-l@securecoding.org'
> Subject: Re: [SC-L] Secure Programming with Static Analysis
>
> Hi sc-l,
>
> I have read this awesome book (more than once) and can vouch for it. It is an important part of the Addison-Wesley software security series, the series that includes:
>
> Software Security www.swsec.com
> Rootkits
> Exploiting Software
> Building Secure Software
> (and any day now Exploiting Online Games)
>
> For more on the series, see www.buildingsecurityin.com. We are always on the lookout for more titles for the series, especially if they dive deeply into one of the seven touchpoints, so if you have a book idea please let me know.
>
> Meanwhile, click on this link and buy Brian and Jacob's book:
> http://www.amazon.com/dp/0321424778
>
> gem
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
_______________________________________________
Re: [SC-L] Secure Programming with Static Analysis

Both good ideas. Feel free to ping your friends and enemies with the URL.

I would like to see an in depth book on each of the touchpoints. So far, the Chess/West book covers code review. My next choice would be a book on architectural risk analysis.

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

Sent from my treo.

-----Original Message-----
From: McGovern, James F (HTSC, IT) [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 09, 2007 03:00 PM Eastern Standard Time
To: sc-l@securecoding.org
Subject: Re: [SC-L] Secure Programming with Static Analysis

> If you are seeking additional book ideas for this series, may I suggest posting to [EMAIL PROTECTED]
>
> There are two books that I would love to see:
> - Designing Secure Software - Not everything is about the code
> - Procuring Secure Software - Most enterprises nowadays buy software vs build it
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gary McGraw
> Sent: Thursday, July 05, 2007 9:01 AM
> To: 'Brian Chess'; 'sc-l@securecoding.org'
> Subject: Re: [SC-L] Secure Programming with Static Analysis
>
> Hi sc-l,
>
> I have read this awesome book (more than once) and can vouch for it. It is an important part of the Addison-Wesley software security series, the series that includes:
>
> Software Security www.swsec.com
> Rootkits
> Exploiting Software
> Building Secure Software
> (and any day now Exploiting Online Games)
>
> For more on the series, see www.buildingsecurityin.com. We are always on the lookout for more titles for the series, especially if they dive deeply into one of the seven touchpoints, so if you have a book idea please let me know.
>
> Meanwhile, click on this link and buy Brian and Jacob's book:
> http://www.amazon.com/dp/0321424778
>
> gem
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
Re: [SC-L] Secure Programming with Static Analysis

Hi sc-l,

I have read this awesome book (more than once) and can vouch for it. It is an important part of the Addison-Wesley software security series, the series that includes:

Software Security www.swsec.com
Rootkits
Exploiting Software
Building Secure Software
(and any day now Exploiting Online Games)

For more on the series, see www.buildingsecurityin.com. We are always on the lookout for more titles for the series, especially if they dive deeply into one of the seven touchpoints, so if you have a book idea please let me know.

Meanwhile, click on this link and buy Brian and Jacob's book:
http://www.amazon.com/dp/0321424778

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

Sent from my treo.

-----Original Message-----
From: Brian Chess [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 05, 2007 06:11 AM Eastern Standard Time
To: sc-l@securecoding.org
Subject: [SC-L] Secure Programming with Static Analysis

> Jacob West and I are proud to announce that our book, Secure Programming with Static Analysis, is now available.
>
> http://www.amazon.com/dp/0321424778
>
> The book covers a lot of ground.
>
> * It explains why static source code analysis is a critical part of a secure development process.
> * It shows how static analysis tools work, what makes one tool better than another, and how to integrate static analysis into the SDLC.
> * It details a tremendous number of vulnerability categories, using real-world examples from programs such as Sendmail, Tomcat, Adobe Acrobat, Mac OSX, and dozens of others.
>
> We'd like to thank the many members of the sc-l list who helped us out with the book in one way or another, including:
>
> Pravir Chandra
> Gary McGraw
> Katrina O'Neil
> John Steven
> Ken van Wyk
>
> Regards,
> Brian and Jacob