Re: [SC-L] quick question - SXSW
Hi all,

I have been specifically targeting developer conferences these last twelve months. I've had rejections from the likes of OSCON, and in fact, I was rejected from BlackHat, too. I have worked out the pattern to these conferences. You gotta SEX IT UP.

Instead of submitting talks like "Safe Ajax Coding Techniques" or "Securely using mainframe transactions in your web app", submit talks that are titled:

"How we pillage your app, identity rape your users, steal all your money, and retire in the Caribbean with the loot"

Then when you get there, start with a demo or three to end all demos. Totally scare them witless. Followed by a picture of a girly drink with an umbrella in it with a beach in the background, and take the girly drink to the talk, too.

Once you've put the fear of god (or at least malicious attackers) into them, then you can:

* Do the talk you had in mind all along (Securely using mainframe ...), and they'll learn what they needed to learn by attending your talk.

This is not to say you should be a boring presenter, but we shouldn't shy away from saying to developers that they MUST do this stuff, or they'll be pwned.

Just before the folks fill in their presenter feedback forms, do an ASTONISHING demo. Something they will remember when they're filling in the feedback. When you're at the top of the feedback pile, you'll get invited back.

The program committees for these trendy conferences - with some very notable exceptions - are for the most part just as hostile / apathetic / know little about security as the attendees. Sometimes worse - many are truly hostile to security as it gets in the way of their "fast and crappy beats correct every time" mindset. So make your submission interesting to the program committee, so much so that they want to come see it, too.

Once they start accepting the talks, sooner or later, after 10 years or so, we'll be able to submit the useful talks without any such cover. See the design pattern folks for proof.

Arian - ARGH!

Tell Anurag to check out ESAPI - it already has hard core white list encoding, direct object reference maps, easy user object manipulation (logout that actually does the right thing with one call, etc), safe system(), encrypted property files, integrity protection and encryption for hidden fields and cookies, and so on and on and on.

Encoder::

* canonicalize() - Simplifies percent-encoded and entity-encoded characters to their simplest form so that they can be properly validated.
* decodeFromBase64() - Decode data encoded with BASE-64 encoding.
* decodeFromURL() - Decode from URL.
* encodeForBase64() - Encode for base64.
* encodeForDN() - Encode data for use in an LDAP distinguished name.
* encodeForHTML() - Encode data for use in HTML content.
* encodeForHTMLAttribute() - Encode data for use in HTML attributes.
* encodeForJavascript() - Encode for javascript.
* encodeForLDAP() - Encode data for use in LDAP queries.
* encodeForSQL() - This method is not recommended.
* encodeForURL() - Encode for use in a URL.
* encodeForVBScript() - Encode data for use in visual basic script.
* encodeForXML() - Encode data for use in an XML element.
* encodeForXMLAttribute() - Encode data for use in an XML attribute.
* encodeForXPath() - This implementation encodes almost everything and may overencode.
* normalize() - Normalizes special characters down to ASCII using the Normalizer built into Java.

It's already done! However, there's more to do - let's work together on those gaps (client AJAX ESAPI) instead of re-inventing the wheel.

thanks,
Andrew

On Mar 13, 2008, at 4:11 AM, Arian J. Evans wrote:

> and Anurag will be releasing some APIs for java developers to actually do things like output encoding, where Java/J2EE is about 4 years behind the rest of the world.

thanks,
Andrew van der Stock
Lead Author, OWASP Guide and OWASP Top 10

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
___
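To make the "canonicalize, then validate, then encode for the output context" discipline behind the Encoder methods listed above concrete, here is an added example written for this page (it is not code from ESAPI or its authors), in JavaScript because the thread names a client-side AJAX ESAPI as the open gap. The function names mirror ESAPI's, while the decoders, the username allow-list and the sample inputs are constructed assumptions.

```javascript
// Added example: an illustrative "canonicalize, then validate, then encode
// for the output context" pipeline in the style of the ESAPI Encoder
// methods discussed above. This is NOT ESAPI's own code; the function names
// mirror ESAPI's, but the decoders, the allow-list and the sample inputs
// below are constructed for this example.

// Decode one layer of percent-encoding (%3C -> '<'). Malformed sequences
// are left as they are so a validator can still reject them.
function decodePercentOnce(s) {
  return s.replace(/%([0-9A-Fa-f]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decode one layer of HTML entity encoding (&lt; &#60; &#x3c;). Only a
// handful of named entities are handled; unknown ones are left untouched.
const NAMED_ENTITIES = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
function decodeEntityOnce(s) {
  return s.replace(/&(#[xX][0-9A-Fa-f]+|#[0-9]+|[a-zA-Z]+);/g, (whole, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp <= 0x10FFFF ? String.fromCodePoint(cp) : whole;
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, body)
      ? NAMED_ENTITIES[body] : whole;
  });
}

// canonicalize(): reduce percent- and entity-encoded input to its simplest
// form before validation. Returns the decoded value and the number of
// decode passes that changed it; more than one pass means the input was
// multi-encoded (e.g. %253C), which a validator should treat as hostile
// rather than silently accept.
function canonicalize(input, maxPasses = 4) {
  let value = input;
  let passes = 0;
  while (passes < maxPasses) {
    const next = decodeEntityOnce(decodePercentOnce(value));
    if (next === value) break;
    value = next;
    passes += 1;
  }
  return { value, passes };
}

// An allow-list validator in the ESAPI spirit: canonicalize first, then
// match the decoded value against a positive pattern. It never hunts for
// "dangerous characters"; it only accepts known-good ones.
function isValidUsername(raw) {
  const { value, passes } = canonicalize(raw);
  if (passes > 1) return false; // multi-encoded input: reject outright
  return /^[A-Za-z0-9_.-]{1,32}$/.test(value);
}

// encodeForHTML(): safe for text between HTML tags.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return s.replace(/[&<>"'\/]/g, c => map[c]);
}

// encodeForHTMLAttribute(): encode every non-alphanumeric as a numeric
// entity, so the value is safe even inside an unquoted attribute.
function encodeForHTMLAttribute(s) {
  return s.replace(/[^A-Za-z0-9]/gu, c => `&#x${c.codePointAt(0).toString(16)};`);
}

// encodeForJavascript(): \xHH / \uHHHH escaping for use inside a JS string
// literal, which also neutralises quotes and the "</script>" sequence.
function encodeForJavascript(s) {
  return s.replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 0x100 ? '\\x' + code.toString(16).padStart(2, '0')
                        : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Constructed inputs: the same payload arrives raw, single-encoded,
// double-percent-encoded and double-entity-encoded.
const SAMPLES = ['<script>', '%3Cscript%3E', '%253Cscript%253E', '&amp;lt;script&amp;gt;'];

// Walk the samples and report what canonicalization sees in each.
function demo() {
  return SAMPLES.map(raw => {
    const { value, passes } = canonicalize(raw);
    return { raw, value, passes, validUsername: isValidUsername(raw),
             html: encodeForHTML(value) };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of demo()) console.log(JSON.stringify(row));
}
```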
Re: [SC-L] quick question - SXSW
On Wed, Mar 12, 2008 at 3:05 PM, Andy Steingruebl wrote:

> On a related note a quick perusal of the JavaOne conference tracks doesn't show a lot of content in this area either. Is this due to a lack of interest, or people in the security world not pitching talks to the development conference organizer?

Both. Java is a tricky one. There were security sessions early on in Java conferences, but they were about the stuff no one on the planet actually does -- e.g. container security, code signing, and JVM/applet permissions. I think that turned a lot of devs off of security in Java-land.

In related news we're building J2EE courseware in a "by developers, for developers" fashion and Anurag will be releasing some APIs for java developers to actually do things like output encoding, where Java/J2EE is about 4 years behind the rest of the world.

I imagine later this year or next year you'll see a few of us focusing on developer (versus security) conferences, though I don't think this changes the business problem/reality at all.

--
Arian Evans
software security stuff
Re: [SC-L] quick question - SXSW
Dear Ben,

having just been at SXSW Interactive (I live in Austin, TX) I did not see many discussions that pay attention to security, or any other software engineering oriented concerns, explicitly.

There was a discussion of scalability for web services that featured the developers from digg, Flickr, WordPress, and Media Temple. I got there about half-way through but the discussion with the audience was about tools and methods to handle high traffic loads. There was a question about build and deployment strategies and I asked about unit testing (mixed answers - some love it, some think it's strong-arm micro-mgt (go figure)).

There was a session on OpenID and OAuth (open authorization) standards and implementation. These discussions kind of assume the use of secure transports but since I couldn't stay the whole time I don't know if secure coding was addressed explicitly.

The main developer attendees at SXSW would call themselves designers and I would guess many of them are doing web development in PHP, Ruby, etc. I think the majority of attendees would not classify themselves as software programmers. To me it seems very much like a craft culture.

That doesn't mean that a track on how to develop secure web services wouldn't be popular. In fact it might be worth proposing one for next year. If you want to talk further, please get in touch.

-Bill Anderson
praxis101.com

Benjamin Tomhave wrote:

> I had just a quick query for everyone out there, with an attached thought. How many security and/or secure coding professionals are prevalently involved with the SXSW conference this week? I know, I know... it's a big party for developers - particularly the Web 2.0 clique - but I'm just curious.
>
> Here's why: I'm increasingly frustrated by the disconnect between business/dev and security. I don't feel like we're being largely successful in getting the business and developers to include security as part of their standard operating procedures. Developers are still oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection holes. I then look at SXSW from afar and think: a) shouldn't I be there evangelizing security? and, b) shouldn't a major thread to all these conferences be about how security is integrating with dev processes and practices, making it better? Maybe I'm just too idealist. I'm curious what everyone else thinks.
>
> cheers,
> -ben
Re: [SC-L] quick question - SXSW
First, thanks for that Bill, it exemplifies my point perfectly. A couple thoughts... one, targeting designers is just as important as reaching out to the developers themselves... if the designers can ensure that security requirements are incorporated from the outset, then we receive an added benefit... two, a re-phrasing around my original thought... somehow we need to get security thinking and considerations encoded into the DNA of everyone in the business, whether they be designers, architects, coders, analysts, PMs, sysadmins, etc, etc, etc. Every one of those topics you mention could (should!) have had implicit and explicit security attributes included... yet we're still at the point where secure coding has to be explicitly requested/demanded (often as an afterthought or bolt-on)...

How do we as infosec professionals get people to the next phase of including security thoughts in everything they do... with the end-goal being that it is then integrated fully into practices and processes as a bona fide genetic mutation that is passed along to future generations? To me, this seems to be where infosec is stuck as an industry. There seems to be a need for a catalyst to spur the mutation so that it can have a life of its own. :)

fwiw.

-ben

--
Benjamin Tomhave, MS, CISSP
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
Augustine's Second Law of Socioscience: For every scientific (or engineering) action, there is an equal and opposite social reaction.
http://globalnerdy.com/2007/07/18/laws-of-software-development/
Re: [SC-L] quick question - SXSW
On Tue, Mar 11, 2008 at 6:43 AM, Benjamin Tomhave wrote:

> I had just a quick query for everyone out there, with an attached thought. How many security and/or secure coding professionals are prevalently involved with the SXSW conference this week? I know, I know... it's a big party for developers - particularly the Web 2.0 clique - but I'm just curious.

On a related note a quick perusal of the JavaOne conference tracks doesn't show a lot of content in this area either. Is this due to a lack of interest, or people in the security world not pitching talks to the development conference organizer?

--
Andy Steingruebl
Re: [SC-L] quick question - SXSW
Ben,

Your point is a good one -- the software security community needs to be vigilant in reaching out to developers and spreading the word. FWIW, some dev conferences have done this. I spoke at SD West in 2006, and there was a significant security track there. Still, it'd be great to see that sort of thing at more dev-specific conferences.

Cheers,

Ken van Wyk
SC-L Moderator
Re: [SC-L] quick question - SXSW
On Wed, Mar 12, 2008 at 4:30 PM, Gary McGraw wrote:

> Hey andy,
>
> You mean AJAX one? Last time I went there was zero interest and even less clue about security among attendees. The only shining light was a long conversation I had with bill joy about security critical decisions those guys screwed up with Java (especially with regards to closure). A decade of evangelism only goes so far! Do help!

Fair enough :)

I was looking at the program for the just finished SD West and the security track actually looks to have been pretty good. I think one thing we're missing from there is more emphasis on actual SDL process, rather than focus on individual items within it. Activities like how to form a steering group within a company, how to bootstrap some of the practices, etc.

Do folks here have suggestions of conferences we ought to be targeting with these sorts of presentations, papers, etc? JavaOne seems like it might have been a good place to target. There are some smaller developer conferences out there, some general security conferences, and there has been discussion here and within OWASP as well of how we can start better targeting these forums for our evangelizing...

Thoughts?

--
Andy Steingruebl
Re: [SC-L] quick question - SXSW
I agree. Reaching the development community, that's precisely what we are trying to do at secappdev. Thanks for helping with that too, Ken.

I have also taken some security-related sessions to conferences such as XP Days Benelux, XP Days France and SPA. Appearing soon at ACCU. I would love to hear from anyone else in this niche.

kr,

Yo
Re: [SC-L] quick question - SXSW
my responses inline

On Wed, Mar 12, 2008 at 6:08 PM, Benjamin Tomhave wrote:

> I think you misunderstood my points a little bit. SXSW was just a current conference example. As Gary's pointed out, there are many conferences. It's possible SXSW wasn't a good example, but it was meant more symbolically. More comments inline...

Oh, I did miss your point. Overall, I agree. I've had mixed experiences leading me to re-evaluate my stance.

A security-unaware dev friend recently told me about Microsoft coming to some conference and demonstrating this new "SQL Injection" thing to them, and he told me how amazing and cool it was. He asked if I did SQL Injection. That's the first time in several years he's responded to what I've primarily worked on for 8+ years, and incidentally for over 10, and told him about over god-knows how many Guinness. I don't blame the Guinness. (who can?)

> > They just don't care. They will never care.
>
> I fundamentally disagree. Everybody is the right crowd, assuming the message is tailored appropriately. It's precisely the perspective you espouse that concerns me greatly. I don't believe the security industry _as_a_whole_ has maintained momentum, and I attribute that directly to the SEP* effect. This goes directly to my larger point about ingraining security considerations/thoughtfulness/practices into all aspects of the business (not just coding, btw).

I think this approach is doomed to failure, though my thoughts and experiences are mixed. Whilst I have quit evangelizing secure software, I do meet more and more devs interested in software security -- who were not merely 3 to 5 years ago. Something is definitely changing, but abstract interest in appsec != secure design implementation.

While this isn't an argument -- just an observation -- I hear this "build security in" notion preached most often from the following:

(a) people new to the appsec industry
(b) academic-minded PHD-type folks into taxonomies
(c) government folks/agencies out of touch with the business world
(d) eager kids just-out-of infosec college joining our industry
(e) people with livelihood/agendas staked on these notions

Maybe I'm just jaded, but it doesn't seem to work in many, and possibly most, cases. I think the momentum is lost because all these "build security in" and "Secure SDLC" things don't work for a lot of people/organizations. I still have some suspicions this may be due to implementation, but...

This industry cannot even get its node-hierarchies right. Even the mitre CWE is fraught with node-confusion betwixt attack nodes, vulnerability nodes, and design implementation weakness nodes.

But at the end of the day the business doesn't care. Will this model of car sell and will we get sued over defects in it? That's the world. If building secure cars was the answer Volvo would have been a wild success many, many years ago.

> If everyone starts coding more responsibly, then at some point the genre of "secure coding" goes away, because it's inherent in everything that's written. Today, I'd settle for all externally-facing apps being coded to address the OWASP Top 10, and to get developers to think for a change before doing silly things like implementing client-side filtering in the client code.

Client-side filtering isn't silly. It's smart. You probably mean using it as a security control, but it's that verbiage that arms legions of the clueless appsec auditors now joining our industry that don't know sh*t about software design or implementation, or business use-case, and cause software professionals to scoff at our industry.

I can't tell you how many appsec reports I've seen that say "don't use client side validation -- it's dangerous" and I start looking for more best practice nonsense listed as vulnerabilities. "Don't allow dangerous characters in input." WTF? "Insufficient input validation." For whom?

I think I see your perspective though. I think the answer is: IDEs that make it harder to shoot oneself in the foot, secure frameworks, and secure environments (for all us text-editor types) and maybe even newer languages with some real notion of a data/function boundary -- those are the keys. Leave "secure coding" out of it. Combine that with security controls that provide meaningful mis-use case and fraud detection, instead of attack-vector blocking, and you can even allow weak password reset questions. Which is what the business, and my mother, really wants.

I hesitate to say this, this is like fumbling with flame-bait, but over the last two years I feel more and more like many in this industry, including OWASP which you mentioned, are going astray down this fantasy land of secure-coding and assurance. The government (and contracting agencies by proxy) are into assurance. The rest of the world is not. The private sector is into mitigation, insurance, fraud detection and incident response. OWASP notions and directions feel to me like
Re: [SC-L] quick question - SXSW
I agree this is a big issue, there is no cotton picking way that the security people are solving these problems, it has to come from the developers. I put together a track for QCon which included Brian Chess on Static Analysis, John Steven on Threat Modeling, and Jeff Williams on ESAPI and Web 2.0 security. The presentations were great, the audience was engaged and enthusiastic but small; it turns out that it is hard to compete with the likes of Martin Fowler, Joshua Bloch, and Richard Gabriel. Even when what they are talking about is some nth level refinement and what we are talking about is all the gaping holes in the previous a-m refinements and how to close some of them.

http://jaoo.dk/sanfrancisco/tracks/show_track.jsp?trackOID=73

-gp

Kenneth Van Wyk wrote:
> Ben,
>
> Your point is a good one -- the software security community needs to be vigilant in reaching out to developers and spreading the word. FWIW, some dev conferences have done this. I spoke at SD West in 2006, and there was a significant security track there. Still, it'd be great to see that sort of thing at more dev-specific conferences.
>
> Cheers,
>
> Ken van Wyk
> SC-L Moderator
>
> On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:
>> First, thanks for that Bill, it exemplifies my point perfectly. A couple thoughts... one, targeting designers is just as important as reaching out to the developers themselves... if the designers can ensure that security requirements are incorporated from the outset, then we receive an added benefit... two, a re-phrasing around my original thought... somehow we need to get security thinking and considerations encoded into the DNA of everyone in the business, whether they be designers, architects, coders, analysts, PMs, sysadmins, etc, etc, etc. Every one of those topics you mention could (should!) have had implicit and explicit security attributes included... yet we're still at the point where secure coding has to be explicitly requested/demanded (often as an afterthought or bolt-on)...
>>
>> How do we as infosec professionals get people to the next phase of including security thoughts in everything they do... with the end-goal being that it is then integrated fully into practices and processes as a bona fide genetic mutation that is passed along to future generations? To me, this seems to be where infosec is stuck as an industry. There seems to be a need for a catalyst to spur the mutation so that it can have a life of its own. :)
>>
>> fwiw.
>>
>> -ben
>>
>> --
>> Benjamin Tomhave, MS, CISSP
>> [EMAIL PROTECTED]
>> LI: http://www.linkedin.com/in/btomhave
>> Blog: http://www.secureconsulting.net/
>> Photos: http://photos.secureconsulting.net/
>> Web: http://falcon.secureconsulting.net/
>>
>> [ Random Quote: ]
>> Augustine's Second Law of Socioscience: For every scientific (or engineering) action, there is an equal and opposite social reaction.
>> http://globalnerdy.com/2007/07/18/laws-of-software-development/
>>
>> William L. Anderson wrote:
>>> Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not see many discussions that pay attention to security, or any other software engineering oriented concerns, explicitly. There was a discussion of scalability for web services that featured the developers from digg, Flickr, WordPress, and Media Temple. I got there about half-way through but the discussion with the audience was about tools and methods to handle high traffic loads. There was a question about build and deployment strategies and I asked about unit testing (mixed answers - some love it, some think it's strong-arm micro-mgt (go figure)). There was a session on OpenID and OAuth (open authorization) standards and implementation. These discussions kind of assume the use of secure transports but since I couldn't stay the whole time I don't know if secure coding was addressed explicitly. The main developer attendees at SXSW would call themselves designers and I would guess many of them are doing web development in PHP, Ruby, etc.
>>>
>>> I think the majority of attendees would not classify themselves as software programmers. To me it seems very much like a craft culture. That doesn't mean that a track on how to develop secure web services wouldn't be popular. In fact it might be worth proposing one for next year. If you want to talk further, please get in touch.
>>>
>>> -Bill Anderson
>>> praxis101.com
>>>
>>> Benjamin Tomhave wrote:
>>>> I had just a quick query for everyone out there, with an attached thought. How many security and/or secure coding professionals are prevalently involved with the SXSW conference this week? I know, I know... it's a big party for developers - particularly the Web 2.0 clique - but I'm just curious. Here's why: I'm increasingly frustrated by the disconnect between business/dev and security. I don't feel like we're being largely successful in getting the business and developers to include security as part of their standard operating
Re: [SC-L] quick question - SXSW
So two thoughts Ben, purely my 0.02 USD:

1. This is largely the wrong crowd. Designers of small web2.0 stuffs, particularly the domain of widgets and WS interfaces for all the usual suspect platforms (flickr, facebook etc.) as well as most startups: They just don't care. They will never care. SXSW has * long tail and * design pattern 2007 buzzword compliant presentations. You could probably get a snazzy top 5 web2.0 security mistakes everyone is making or Top 5 Security Design-Patterns in there, but I don't think it's the right audience. OSCON might be a better fit, if you praise Ruby and release some open source security project.

2. This security DNA notion -- I don't really buy it. I don't think there's a big tipping point coming for all hands in for writing secure software in our near future. Maybe if people start dying because of insecure software, this will change, but until then ... I do see increasing awareness in mid to large size organizations (fortune 2000 +). Developers are more aware and more interested in security, but mostly in organizations that penalize (fire or demote) individuals involved in public security blunders. Overall security is not a feature or a function that you can monetarize. It's not even cool or sexy. It's an emergent behavior that is only observed when it is making your software harder to use. Not until insurance or substantial penalties are the norm (if they are ever the norm) will we have meaningful quantitative data to drive a justification for security as a requirement in startup or most open source software projects.

That's my opinion, anyway.

---
Arian J. Evans
Software Security Stuff

On Wed, Mar 12, 2008 at 2:31 PM, Benjamin Tomhave [EMAIL PROTECTED] wrote:
> First, thanks for that Bill, it exemplifies my point perfectly. A couple thoughts... one, targeting designers is just as important as reaching out to the developers themselves... if the designers can ensure that security requirements are incorporated from the outset, then we receive an added benefit... two, a re-phrasing around my original thought... somehow we need to get security thinking and considerations encoded into the DNA of everyone in the business, whether they be designers, architects, coders, analysts, PMs, sysadmins, etc, etc, etc. Every one of those topics you mention could (should!) have had implicit and explicit security attributes included... yet we're still at the point where secure coding has to be explicitly requested/demanded (often as an afterthought or bolt-on)...
>
> How do we as infosec professionals get people to the next phase of including security thoughts in everything they do... with the end-goal being that it is then integrated fully into practices and processes as a bona fide genetic mutation that is passed along to future generations? To me, this seems to be where infosec is stuck as an industry. There seems to be a need for a catalyst to spur the mutation so that it can have a life of its own. :)
>
> fwiw.
>
> -ben
>
> --
> Benjamin Tomhave, MS, CISSP
> [EMAIL PROTECTED]
> LI: http://www.linkedin.com/in/btomhave
> Blog: http://www.secureconsulting.net/
> Photos: http://photos.secureconsulting.net/
> Web: http://falcon.secureconsulting.net/
>
> [ Random Quote: ]
> Augustine's Second Law of Socioscience: For every scientific (or engineering) action, there is an equal and opposite social reaction.
> http://globalnerdy.com/2007/07/18/laws-of-software-development/
>
> William L. Anderson wrote:
>> Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I did not see many discussions that pay attention to security, or any other software engineering oriented concerns, explicitly. There was a discussion of scalability for web services that featured the developers from digg, Flickr, WordPress, and Media Temple. I got there about half-way through but the discussion with the audience was about tools and methods to handle high traffic loads.
>>
>> There was a question about build and deployment strategies and I asked about unit testing (mixed answers - some love it, some think it's strong-arm micro-mgt (go figure)). There was a session on OpenID and OAuth (open authorization) standards and implementation. These discussions kind of assume the use of secure transports but since I couldn't stay the whole time I don't know if secure coding was addressed explicitly. The main developer attendees at SXSW would call themselves designers and I would guess many of them are doing web development in PHP, Ruby, etc. I think the majority of attendees would not classify themselves as software programmers. To me it seems very much like a craft culture. That doesn't mean that a track on how to develop secure web services wouldn't be popular. In fact it might be worth proposing one for next year. If you want to talk further, please get in touch.
>>
>> -Bill Anderson
Re: [SC-L] quick question - SXSW
Hi again,

I rebooted the security track completely at SD West in 2003 (thanks to tami who I cc'ed here). I'm on the advisory board. We're slowly inching our way toward SDL/touchpoints/CLASP stuffs at SD West, though when I tried to cover the touchpoints and enterprise security in 2006, interest was weak. After 5 years of pounding we're getting there though!

My suggestion? Get involved organizing these conferences and helping with thought leadership. And just for the record, having your PR dingbats submit (stupid) marketing talks does not count.

Others getting the same treatment:
SD Best Practices
STAR West
Better Software
MISTI
CSI
NDSS
Usenix security

Rock on

gem

- Original Message -
From: Andy Steingruebl [EMAIL PROTECTED]
To: Gary McGraw
Cc: [EMAIL PROTECTED] [EMAIL PROTECTED]; SC-L@securecoding.org SC-L@securecoding.org
Sent: Wed Mar 12 19:35:35 2008
Subject: Re: [SC-L] quick question - SXSW

On Wed, Mar 12, 2008 at 4:30 PM, Gary McGraw [EMAIL PROTECTED] wrote:
> Hey andy,
>
> You mean AJAX one? Last time I went there was zero interest and even less clue about security among attendees. The only shining light was a long conversation I had with bill joy about security critical decisions those guys screwed up with Java (especially with regards to closure).
>
> A decade of evangelism only goes so far! Do help!

Fair enough :)

I was looking at the program for the just finished SD West and the security track actually looks to have been pretty good. I think one thing we're missing from there is more emphasis on actual SDL process, rather than focus on individual items within it. Activities like how to form a steering group within a company, how to bootstrap some of the practices, etc.

Do folks here have suggestions of conferences we ought to be targeting with these sorts of presentations, papers, etc? JavaOne seems like it might have been a good place to target. There are some smaller developer conferences out there, some general security conferences, and there has been discussion here and within OWASP as well of how we can start better targeting these forums for our evangelizing...

Thoughts?

--
Andy Steingruebl
[EMAIL PROTECTED]

_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
_______________________________________________