Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread Wall, Kevin
James McGovern apparently wrote...

> The uprising from customers may already be starting. It is 
> called open source. The real question is what is the duty of 
> others on this forum to make sure that newly created software 
> doesn't suffer from the same problems as the commercial 
> closed source stuff...

While I agree that the FOSS movement is an uprising, it:
1) isn't being pushed by "customers" so much as by IT developers
2) the "uprising" isn't so much an outcry against security
   as it is against not being able to have the desired
   features implemented in the manner desired.

At least that's how I see it.

With rare exceptions, in general, I do not find that the
open source community is that much more security conscious
than those producing closed source. Certainly this seems true
if measured in terms of vulnerabilities and we measure "across
the board" (e.g., take a random sampling from SourceForge) and
not just our favorite security-related applications.

Where I _do_ see a remarkable difference is that the open source
community seems to be in general much faster in getting security
patches out once they are informed of a vulnerability. I suspect
that this has to do as much with the lack of bureaucracy in open
source projects as it does the fear of loss of reputation to their
open source colleagues.

However, this is just my gut feeling, so your gut feeling may differ.
(But my 'gut' is probably bigger than yours, so feeling prevails. ;-)
Does anyone have any hard evidence to back up this intuition? I
thought that Ross Anderson had done some research along those lines.

-kevin
---
Kevin W. Wall   Qwest Information Technology, Inc.
[EMAIL PROTECTED]   Phone: 614.215.4788
"It is practically impossible to teach good programming to students
 that have had a prior exposure to BASIC: as potential programmers
 they are mentally mutilated beyond hope of regeneration"
- Edsger Dijkstra, How do we tell truths that matter?
  http://www.cs.utexas.edu/~EWD/transcriptions/EWD04xx/EWD498.html 



___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread McGovern, James F (HTSC, IT)
The uprising from customers may already be starting. It is called open source. 
The real question is what is the duty of others on this forum to make sure that 
newly created software doesn't suffer from the same problems as the commercial 
closed source stuff...

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ed Reed
Sent: Monday, March 19, 2007 4:27 PM
To: Crispin Cowan
Cc: sc-l@securecoding.org
Subject: Re: [SC-L] Economics of Software Vulnerabilities


Crispin Cowan wrote:
> Crispin, now believes that users are fundamentally what holds back security
>
>   
I was once berated on stage by Jamie Lewis for sounding like I was
placing the blame for poor security on customers themselves.

I have moved on, and believe, instead, that it is the economic
inequities - the mis-allocation of true costs - that is really to blame.

Vendors are getting better, because they're being shamed by publicity -
not because they're bearing more of the costs that users incur due to
shoddy software.

But as bad as the costs are that are borne by users of shoddy software
(patch costs, loss of utility, denial of service, licenses for
anti-virus software to make up for the egregiously bad code that leaves
buffer overflow exploits available that anyone can leverage to take over
a system) - as bad as those costs are they're still swamped by the value
- increased productivity and adrenalin rush - that commercial
feature-ism delivers.

Add the slowly-warmed pot phenomenon (apocryphal as it may be) -
customers don't jump out of the boiling pot because they're too invested
to walk away.

Eventually I think they'll get fed up and there'll be a consumer uprising.

Until then let's encourage better coding practices and secure designs
and deep thought about "what policy do I want enforced". 

(obligatory plug for high assurance)

But, let's not confuse code quality with code security, either.  It
isn't secure (against hostile code) until you can verify that it (a)
does what the policy says it should do (functional testing) and (b)
doesn't do what the security policy says it shouldn't do (fuzzing is
just a way of performing boundary tests on inputs - it tells you nothing
about hidden behaviors of the system, and you can't tell anything about
those without formal analysis and good life cycle configuration management).

Ed






[SC-L] Question on User Groups

2007-03-20 Thread McGovern, James F (HTSC, IT)
Quick question for folks here. I participate in multiple user-groups and the 
topic of secure coding practices has never appeared. What would it take for a 
software vendor on this list to present to the CT OO Users Group ( 
www.cooug.org). These events are well attended.
 
Likewise, I am also a member of the advisory board for the Technology Managers 
Forum in NYC ( www.techforum.com) where we are working on an upcoming agenda. I 
would like to see secure coding practices become a panel topic here as well. 
Likewise, for folks who want to establish booths, sponsorship opportunities are 
also available.
 
Between these two events, you could have the opportunity to work with lots of 
Fortune enterprises in the Northeast. Besides, we are more interesting than the 
usual government stuff :-)





Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread Gunnar Peterson
JD Meier had a good post recently on influencing without authority, which is the
position security finds itself in:

1. assume all potential allies
2. clarify goals and priorities
3. diagnose the allies world
4. identify relevant currencies
5. deal with relationships
6. influence through give and take

http://blogs.msdn.com/jmeier/archive/2007/03/09/influencing-without-authority.aspx

how does this translate to app security? well i think it means find
stakeholders/allies wherever you can. any group that is interested try to 1)
educate them about software risks and software security and 2) give them
tools/process they can bring to bear on the problem. specifically, legal teams
are generally very interested in risks, so i have seen several legal teams at
very large companies deploy parts of the OWASP legal project to good effect.
business analysts can be trained on how specify some security concerns in use
cases/user stories. qa teams can be educated on security specific testing tools
and techniques, architects can learn how to design reusable security services,
and so on. so whatever group that seems eager to get involved it makes sense to
engage, once security concerns are embedded in test plans and use cases, aligned
with business goals, the software security effort is not a one off from a
developer point of view.

find all allies, turn none away, arm them with knowledge, turn em loose.

the other issue is that there are many security services that you cannot expect
an app project to deliver on its own. skyscrapers should not have to have their
own fighter jets to protect against people flying planes into them, that is why
you have an air force. making the case for platform security can be hard, but
that is where the architects have to help (i seem to recall that security is a
nonfunctional requirement and that architects are supposed to own non
functional requirements). one of the reasons i like browser-based federated
identity is because you can externalize some authN code from the app, you get
stronger identity tokens across the wire, you don't have developers creating
their own authN code, and of course the users get SSO and SLO. this is like app
armor, in my view, a reference model for security services - improved security
mechanism, great usability, business value, and a simplified programming model.

-gp

Quoting "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]>:

> Thanks for the response. I already own the book and understand how to engage
> vendors. Where I am seeking assistance is all the work that goes on within a
> large enterprise before these two things occur. The ideal situation for me
> would be to get my hands on the five to ten page Powerpoint slide deck that
> others who have blazed this path before me have used to sell the notion to
> their executives.
>
> -Original Message-
> From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 19, 2007 5:06 PM
> To: McGovern, James F (HTSC, IT)
> Cc: SC-L
> Subject: Re: [SC-L] How is secure coding sold within enterprises?
>
>
> In terms of creating a SDLC, pop out to Borders and get Howard and Lipner's
> "The Security Development Lifecycle" ISBN 9780735622142
>
> http://www.microsoft.com/mspress/books/8753.aspx
>
> It is simply the best text I've read in a long time.
>
> You may be interested in the work Mark Curphey et al is doing at his new
> start up. They launched an ISM portal a couple of weeks back.
>
> http://www.ism-community.org/
>
> If you're just after ideas on how to engage vendors, check out Curphey's blog
> for some nice insider posts:
>
>
http://securitybuddha.com/2007/03/07/top-10-tips-for-hiring-web-application-pen-testers/
>
http://securitybuddha.com/2007/03/07/top-ten-tips-for-hiring-security-code-reviewers/
>
http://securitybuddha.com/2007/03/08/top-ten-tips-for-managing-technical-security-folks/
>
> He ran Foundstone's services for a while, and built up a pretty good
> consultancy.
>
> The sort of metrics you're after are notoriously hard to find out in the
> wild. There's some folks capturing screenshots of enterprise dashboards. This
> may or may not help at all.
>
> http://dashboardspy.com/
>
> Thanks,
> Andrew
>
>
> On 3/19/07 4:12 PM, "McGovern, James F (HTSC, IT)"
> <[EMAIL PROTECTED]> wrote:
>
>
>
> I agree with your assessment of how things are sold at a high-level but still
> struggling in that it takes more than just graphicalizing of your points to
> sell, hence I am still attempting to figure out a way to get my hands on some
> PPT that are used internal to enterprises prior to consulting engagements and
> I think a better answer will emerge. PPT may provide a sense of budget,
> timelines, roles and responsibilities, who needed to buy-in, industry
> metrics, quotes from noted industry analysts, etc that will help shortcut my
> own work so I can start moving towards the more important stuff.
>
>
>
> -Original Message-
> From: Andrew van der Stock  [ mailto:[EMAIL PROTECTED]
> Sen

Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread Ed Reed
Steven M. Christey wrote:
> On Mon, 19 Mar 2007, Crispin Cowan wrote:
>
>   
>> Since many users are economically motivated, this may explain why users
>> don't care much about security :)
>> 
>
> But... but... but...
>
> I understand the sentiment, but there's something missing in it.  Namely,
> that the costs related to security are not really quantifiable yet, so
> consumers are not working with the best information.  Then there's simple
> lack of understanding, such as that exemplified by an individual consumer -
> their computer gets really bogged down and slow, and they don't know
> what's happening, so they go buy a new computer, when it was "just" a ton
> of spyware from surfing habits that they didn't know were unsafe, or they
> were running some zombie that was sucking up all their bandwidth for warez
> distribution.
>
>   
That's the sort of economic inefficiencies that I'm talking about -
unfortunately, economic forces operate on scales of decades and
centuries, not months.  While we're still in this phase of rapid
expansion of Information Technology growth software moves too fast for
regulations and sluggish consumer reaction to force changes on suppliers.
>>> Eventually I think they'll get fed up and there'll be a consumer uprising.
>>>
>>>   
>> Why do you think it will be an uprising? Why not a gradual shift of the
>> vendors just get better, exactly as fast as the users need them to?
>> 
>
> I really really wish for an uprising, but unfortunately I'm not too
> optimistic right now.  Off the top of my head, I can't think of any
> consumer uprisings in other industries, although the US' recent decline in
> fuel-inefficient vehicles is sort of close.  Didn't some large
> brick-and-mortar companies heavily criticize the software industry a
> couple years ago?  I don't know how that played out.
>
>   
Not all of these are consumer uprisings - some are, some aren't - but I
think they're all examples of the kinds of economic adjustments that
occur in "mature" markets.

* Rise and Fall of unions (the triumph of worker safety and rights
  over egregious industrial working conditions, and the subsequent
  triumph of increased productivity over lethargic labor
  responsiveness to international competitive pressures)

* "Unsafe at any speed" (the triumph of consumer safety over
  industrial laziness)

* Underwriter Laboratories (the triumph of the fire insurance
  industry over shoddy electrical manufacturers)

* Alternating Current power distribution (still waiting for
  consensus on 110v/220v disagreement)

* The Rise and Fall and Rise of AT&T (industry consolidation,
  followed by forced divestiture, followed by reconsolidation)

* demise of IBM PS2 (the triumph of commoditization over monopoly
  control)

* VHS (vs BetaMax - the triumph of content over technology)

Note that only the last two of these occurred "quickly" - within a
decade or so of the change that set the stage for them, and they might
both be better characterized as featurism competition.

But you get my point - Auto safety wasn't an issue in the 1st half
century of the industry, it took unions a couple of centuries to gain
strength in the face of the industrial revolution (and another half
century to squander their good will), and it took decades for the fire
insurance industry to develop and respond to the new dangers introduced
by poor electrical wiring.

Software and computer technology are having similar kinds of sweeping
productivity gains (though it took 40 years or longer for the effect to
gain enough momentum to be really measurable).  And we have already seen
the costs of shoddy product borne mainly by the end consumers, rather
than by the producers.  I'm just saying that over the long run, that
imbalance will shift and even out - I just hope to live to see it,
whether it happens before I retire, or not.

Ed (whose beard IS gray and who DOES mutter to himself that you can't
add security to a system if it's not secure to begin with)


> - Steve
>
>
>
>   



Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread ljknews
At 8:55 AM -0400 3/20/07, Michael S Hines wrote:
> I'm not sure what your sources are but from what I'm hearing and reading the
> problem is that there are many missing drivers for what have become standard
> peripherals that people are used to - and some of the vendors are reluctant
> to develop new drivers (the driver technology changed in Vista - so all
> drivers have to be reworked).
> 
> MP3 players, ePhones, PDA's, etc. have become standard components in many
> places...  and they don't work with Vista - yet (if ever).

That is because the features provided by many add-on products depended on
the longstanding loose state of security on Microsoft Windows.

> It's the feature thing not that users are shunning security.
> 
> And, at least to me, it is an indication that M$ did not understand the
> marketplace or rushed the (incomplete) product to market.  There's more than
> one way to foul up a new product launch.

The previous Microsoft mode had been to favor anything that would ease
feature implementation over anything that would provide security.
-- 
Larry Kilgallen


Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread McGovern, James F (HTSC, IT)
John, thanks for the response and I think you have an understanding of the 
essence of the problem in that current books don't cover the "selling" security 
aspects nor how things actually work in large corporations. One of the benefits 
to me seeing someone's deck that went before me is that I get to see and 
understand not only salient points, but also how they were presented in terms 
of order and emphasis. I of course could, like most folks who are new to a space, 
take a first shot at it and mercilessly iterate, but I do think it is wise 
to figure out ways to leverage the work of my peers in other enterprises (of 
course I can return the favor on other initiatives) and only iterate based on 
local custom and not broader themes.
 
In terms of job grade, no I am not an EVP nor am I a developer. I am someone 
higher on the food chain than most in that my responsibilities include strategic 
direction. Likewise, the issue in terms of selling is really about budget, but 
it is about first buy-in of all participants throughout the enterprise and 
secondly the ability to make the case once we collectively conclude that we 
need consulting assistance, the ability to go off preferred vendor list and 
make the right choice.
 
Based on your comment, in your opinion, I would love to know which analysts 
I should quote and if you know of specific gems? In terms of keeping up with 
the Joneses, part of this requires the ability to understand what others are up 
to. From what I can tell from this list, I have only seen replies from two 
Fortune enterprises where the vast majority of other folks either have some 
government connection and/or employed by software vendors/consulting firms. One 
of my concerns with why ideas sometimes don't fly is not due to validity but the 
perception that if one waits it out, things will get better and more efficiency 
in terms of spend will emerge. In other words, one perception may be that 
focusing on secure coding is too early (Yes, the current description of why it 
is important is valid but it doesn't address the early concern)
 
Got any URLs to any good architectural checklists? I have only run across 
code-oriented ones.
 
Anyone seen any good pictorial representations of roadmaps in this space?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of John Steven
Sent: Monday, March 19, 2007 9:56 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?


Andrew, James, 


Agreed, Microsoft has put some interesting thoughts out in their SDL book. 
Companies that produce a software product will find a lot of this approach 
resonates well. IT shops supporting financial houses will have more difficulty. 
McGraw wrote a decent blog entry on this topic:


http://www.cigital.com/justiceleague/2007/03/08/cigitals-touchpoints-versus-microsofts-sdl/



Shockingly, however, I seem to be his only commentator on the topic.


I think James will find Microsoft's literature falls terribly short of even the 
raw material required to produce the PPT he desires. Let's see what we can do 
for him.


First: audience. I'm not sure of James' position, but it doesn't sound like 
he's high enough that he's got the CISO's ear now, nor that he's face-down in 
the weeds either. James, you sit somewhere in-between? James appears to work 
for an insurance company. Insurance companies do care about risk, but they're 
sometimes blind to the kinds (and magnitudes) of software risk their business 
faces. They fall in a middle ground between securities companies and banks. 


Second, length: If you're going after a SVP or EVP, James, I'd keep the deck to 
~3-5 slides. 1) Motivate the problem, 2) Show your org's. status (as an 
application security framework) and, 3) show the 6mo., 9mo., 12mo. (maybe) 
roadmap. Depending on the SVP, another two slides comparing you to others might 
work, as well as a slide that talks in more detail about costs, deliverables, 
and resource-requirements, and value.


Higher? I'd do two slides: 1) framework and 2) roadmap. The end. Place costs 
and value on the roadmap.

What about content? Longer decks I've seen (or helped create) have begun with 
research from analyst firms, or with pertinent headlines, to motivate the 
problem (couched as FUD if you're not careful) on slide one. Still, you'd be 
wise to pick fodder that will appeal to the decision maker's own objectives. 
His/her objectives may be in pursuit of differentiation/opportunity or risk 
reduction, as Andrew said, or (more probably) they're pursuant to a more 
mundane goal: drive down (or hold constant) security cost while driving up the 
effectiveness of the spending. 


To this end, the decks I've seen quickly moved beyond motivation into solution. 
Here, you have to begin thinking about your current org. See:


http://www.cigital.com/justiceleague/2007/02/22/keeping-up-with-the-jones-security-initiatives/


To summarize my entry, you

Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread John Steven

James,

I can't believe I forgot to mention the presentation before mine at  
that particular OWASP con. Anthony Canike did an exceptional job  
chronicling what he had done at Vanguard. This presentation, if I  
recall correctly, should have some fodder for you.


www.owasp.org/images/0/05/AppSec2005DC-Anthony_Canike-Enterprise_AppSec_Program.ppt



John Steven
Technical Director; Principal, Software Security Group
Direct: (703) 404-5726 Cell: (703) 727-4034
Key fingerprint = 4772 F7F3 1019 4668 62AD  94B0 AE7F

Blog: http://www.cigital.com/justiceleague
http://www.cigital.com
Software Confidence. Achieved.


On Mar 19, 2007, at 9:55 PM, John Steven wrote:


Andrew, James,

Agreed, Microsoft has put some interesting thoughts out in their  
SDL book. Companies that produce a software product will find a lot  
of this approach resonates well. IT shops supporting financial  
houses will have more difficulty. McGraw wrote a decent blog entry  
on this topic:


http://www.cigital.com/justiceleague/2007/03/08/cigitals-touchpoints-versus-microsofts-sdl/


Shockingly, however, I seem to be his only commentator on the topic.

I think James will find Microsoft's literature falls terribly short  
of even the raw material required to produce the PPT he desires.  
Let's see what we can do for him.


First: audience. I'm not sure of James' position, but it doesn't  
sound like he's high enough that he's got the CISO's ear now, nor  
that he's face-down in the weeds either. James, you sit somewhere  
in-between? James appears to work for an insurance company.  
Insurance companies do care about risk, but they're sometimes blind  
to the kinds (and magnitudes) of software risk their business  
faces. They fall in a middle ground between securities companies  
and banks.


Second, length: If you're going after a SVP or EVP, James, I'd keep  
the deck to ~3-5 slides. 1) Motivate the problem, 2) Show your  
org's. status (as an application security framework) and, 3) show  
the 6mo., 9mo., 12mo. (maybe) roadmap. Depending on the SVP,  
another two slides comparing you to others might work, as well as a  
slide that talks in more detail about costs, deliverables, and  
resource-requirements, and value.


Higher? I'd do two slides: 1) framework and 2) roadmap. The end.  
Place costs and value on the roadmap.
What about content? Longer decks I've seen (or helped create) have  
begun with research from analyst firms, or with pertinent  
headlines, to motivate the problem (couched as FUD if you're not  
careful) on slide one. Still, you'd be wise to pick fodder that  
will appeal to the decision maker's own objectives. His/her  
objectives may be in pursuit of differentiation/opportunity or risk  
reduction, as Andrew said, or (more probably) they're pursuant to a  
more mundane goal: drive down (or hold constant) security cost  
while driving up the effectiveness of the spending.


To this end, the decks I've seen quickly moved beyond motivation  
into solution. Here, you have to begin thinking about your current  
org. See:


http://www.cigital.com/justiceleague/2007/02/22/keeping-up-with-the-jones-security-initiatives/


To summarize my entry, your organization probably didn't start  
thinking about software security yesterday, and they likely have  
something in place--even if it isn't to your satisfaction yet.  
Likewise, true strengths lurk, waiting to be leveraged. Out here in  
mailing-list-land, we can't be sure of specifics, but, I've got  
some premonitions. Insurance companies I've seen seem to mix small  
wild-wild-west (Developer cowboys 'follow' Agile as an excuse to  
just slam code without process) teams with those following a  
largely monolithic waterfall-like (regardless of how 'iterative'  
it's described) development process in their application portfolio.  
In either case, an in-project risk officer exists, but the function  
seems overshadowed by deadlines, features, and cost.


On the topic of the framework slide, you mentioned a _very_  
important quality: who, what, when structure. I wrote an IEEE S&P  
article on this topic long ago:


www.cigital.com/papers/download/j2bsi.pdf

but you can also look at my talk from OWASP's DC conference in '05  
on the same topic for slide help.


What about the roadmap--the way forward? Even if currently  
ineffective, current security items like an architectural review  
checklist present opportunity with which to start your roadmap.  
When working on your roadmap focus on how small iterative changes  
in existing elements (like that checklist) can save you on security  
effort (spending) later. Pick sure wins and to communicate value,  
show a metric that will demonstrate the savings. Propose  
measurements up front, if only verbally, as part of this  
presentation. For instance: Do your applications have available a  
custom implementation of input validation routines built on top of  
Struts' Validator framework? Ask about its use in the architectural

[SC-L] Announcing: 6th OWASP AppSec Conference - May 15-17 2007 - Milan, Italy

2007-03-20 Thread Dave Wichers
Dear Colleague,

 

OWASP is proud to announce its 6th Application Security Conference to be
held May 15-17 at the Marriott in Milan, Italy. Please reserve these
dates!! This facility looks to be the nicest facility we have had the
opportunity to use yet for our European conferences.

 

This conference will include:

- Training (On May 15th) Three 1-day application security courses are
being offered the day prior to the conference

- Main Conference (May 16-17) This year's conference will include daily
keynotes, presentations, refereed papers, lots of OWASP projects, and
two panels to encourage discussion amongst the attendees.

- Evening Social Event (May 16) - We are planning a social event as we
do each conference which facilitates the attendees' ability to mingle and
get to know each other better.

 

Current details on the conference are available on the OWASP website at 

http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007
This conference is expected to be kicked off with a keynote by a
representative from Microsoft on "The Benefits of the SDL initiative to
Microsoft and its Customers". This should be similar to the presentation
that Mike Howard gave to kick off the 5th OWASP AppSec Conference which
was the highlight of that conference (in my opinion). It discusses the
Microsoft Security Development Lifecycle (SDL) and the benefits
Microsoft and its customers have gained by developing and adopting it.

 

OWASP's AppSec conferences are dedicated to real-world application
security issues and solutions. You'll learn many aspects of application
security, including people, process, and technology perspectives.

 

REGISTRATION DETAILS: As a non-profit charitable organization, OWASP has
been able to keep the cost to 450 Euros per seat. For OWASP Members
it's only 400 Euros. These prices are further reduced by 50 Euros for
early registration prior to April 16th.

 

Note: Payment for the conference will actually have to be in US dollars
as OWASP currently has no mechanism for accepting Euros for payment
with our current registration system.

 

Registration is available at: 

http://guest.cvent.com/EVENTS/Register/IdentityConfirmation.aspx?e=4abc935c-a7f8-47e1-83a0-23a2c36faf26

 

PLEASE NOTE THAT ALL TICKETS ARE NON-REFUNDABLE TO REDUCE ADMINISTRATION
COSTS

 

TRAINING COURSES (May 15):

These classes will be held at the Marriott. Each class is 650 Euros for
conference attendees (and includes lunch).

 

  - FOUNDATIONS OF APPLICATION SECURITY
  - WEB SERVICES AND XML SECURITY
  - ADVANCED .NET SECURITY

More details on these training courses are available at:

http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007/Training

EVENING SOCIAL EVENT - May 16th - An optional dinner event.

This event involves a dinner at a nearby restaurant from 7-9 PM,
followed by drinks at local watering holes. We hope to see all of you
there as this is a great chance to mingle and meet many members of the
OWASP community.

ACCOMMODATIONS: Information about local accommodations, including
reduced-rate rooms, is available at:

http://www.owasp.org/index.php/6th_OWASP_AppSec_Conference_-_Italy_2007#Accomodations

If you know others that would be interested in attending the 6th OWASP
AppSec Conference, please forward them this email and let them know
about this opportunity.

Please contact me with any questions. Looking forward to seeing you all
there!

Thanks, Dave

Dave Wichers, OWASP Conferences Chair

The OWASP Foundation

http://www.owasp.org

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Economics of Software Vulnerabilities

2007-03-20 Thread Michael S Hines
I'm not sure what your sources are but from what I'm hearing and reading the
problem is that there are many missing drivers for what have become standard
peripherals that people are used to - and some of the vendors are reluctant
to develop new drivers (the driver technology changed in Vista - so all
drivers have to be reworked).

MP3 players, ePhones, PDAs, etc. have become standard components in many
places...  and they don't work with Vista - yet (if ever).

It's the feature thing not that users are shunning security.

And, at least to me, it is an indication that M$ did not understand the
marketplace or rushed the (incomplete) product to market.  There's more than
one way to foul up a new product launch.

IMHO of course.

-
Michael S Hines
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Crispin Cowan
Sent: Monday, March 19, 2007 4:00 PM
To: Gary McGraw
Cc: Ed Reed; sc-l@securecoding.org
Subject: Re: [SC-L] Economics of Software Vulnerabilities

Gary McGraw wrote:
> I'm not sure vista is bombing because of good quality. That certainly
> would be ironic.
>
> Word on the "way down in the guts" street is that vista is too many things
> cobbled together into one big kinda functioning mess.
I.e. it is mis-featured, and lacks on some integration. This is a variation
on not having desired features. And there certainly are big features in
Vista that were supposed to be there but aren't (most of user-land being
managed code, relational file system).

It is also infamously late.

So if the resources that were put into the code quality in Vista had instead
been put into features and ship-date, would it do better in the marketplace?

Sure, that's heretical :) but it just might be true :(

Crispin, now believes that users are fundamentally what holds back security

--
Crispin Cowan, Ph.D.   http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Training at CanSec West   http://cansecwest.com/dojoapparmor.html



Re: [SC-L] How is secure coding sold within enterprises?

2007-03-20 Thread McGovern, James F (HTSC, IT)
Thanks for the response. I already own the book and understand how to engage 
vendors. Where I am seeking assistance is all the work that goes on within a 
large enterprise before these two things occur. The ideal situation for me 
would be to get my hands on the five to ten page Powerpoint slide deck that 
others who have blazed this path before me have used to sell the notion to 
their executives.

-Original Message-
From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 5:06 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?


In terms of creating a SDLC, pop out to Borders and get Howard and Lipner's 
"The Security Development Lifecycle" ISBN 9780735622142

http://www.microsoft.com/mspress/books/8753.aspx

It is simply the best text I've read in a long time. 

You may be interested in the work Mark Curphey et al. are doing at his new
start-up. They launched an ISM portal a couple of weeks back. 

http://www.ism-community.org/

If you're just after ideas on how to engage vendors, check out Curphey's blog 
for some nice insider posts:

http://securitybuddha.com/2007/03/07/top-10-tips-for-hiring-web-application-pen-testers/
http://securitybuddha.com/2007/03/07/top-ten-tips-for-hiring-security-code-reviewers/
http://securitybuddha.com/2007/03/08/top-ten-tips-for-managing-technical-security-folks/

He ran Foundstone's services for a while, and built up a pretty good 
consultancy. 

The sort of metrics you're after are notoriously hard to find out in the wild. 
There are some folks capturing screenshots of enterprise dashboards. This may or 
may not help at all. 

http://dashboardspy.com/

Thanks,
Andrew


On 3/19/07 4:12 PM, "McGovern, James F (HTSC, IT)" <[EMAIL PROTECTED]> wrote:

I agree with your assessment of how things are sold at a high level but am still 
struggling in that it takes more than just graphicalizing of your points to 
sell, hence I am still attempting to figure out a way to get my hands on some 
PPT that are used internal to enterprises prior to consulting engagements and I 
think a better answer will emerge. PPT may provide a sense of budget, 
timelines, roles and responsibilities, who needed to buy-in, industry metrics, 
quotes from noted industry analysts, etc. that will help shortcut my own work so 
I can start moving towards the more important stuff.

-Original Message-
From: Andrew van der Stock [mailto:[EMAIL PROTECTED]
Sent: Monday, March 19, 2007 2:50 PM
To: McGovern, James F (HTSC, IT)
Cc: SC-L
Subject: Re: [SC-L] How is secure coding sold within enterprises?

There are two major methods:

1. Opportunity cost / competitive advantage (the Microsoft model)

2. Recovery cost reductions (the model used by most financial institutions)

Generally, opportunity cost is where an organization can further its goals by 
a secure business foundation. This requires the CIO/CSO to be able to sell the 
business on this model, which is hard when it is clear that many businesses 
have been founded on insecure foundations and do quite well nonetheless. 
Companies that choose to be secure have a competitive advantage, an advantage 
that will increase over time and will win conquest customers. For example (and 
this is my humble opinion), Oracle's security is a long standing unbreakable 
joke, and in the meantime MS ploughed billions into fixing their tattered 
reputation by making it a competitive advantage, and thus making their market 
dominance nearly complete. Oracle is now paying for their CSO's mistake in not 
understanding this model earlier. Forward looking financial institutions are 
now using this model, such as my old bank's (with its SMS transaction 
authentication feature) winning many new customers by not only promoting 
themselves as secure, but doing the right thing and investing in essentially 
eliminating Internet Banking fraud. It saves them money, and it works well for 
customers. This is the best model, but the hardest to sell.

The second model is used by most financial institutions. They are mature risk 
managers and understand that a certain level of risk must be taken in return 
for doing business. By choosing to invest some of the potential or known 
losses in reducing the potential for massive losses, they can reduce the 
overall risk present in the corporate risk register, which plays well to 
shareholders. For example, if you invest $1m in securing a cheque clearance 
process worth (say) $10b annually to the business, and that reduces check 
fraud by $5m per year and eliminates $2m of unnecessary overhead every year, 
security is an easy sell with obvious targets to improve profitability. A well 
managed operational risk group will easily identify the riskiest aspects of a 
mature company's activities, and it's easy to justify improvements in those 
areas. 

The FUD model (used by many vendors - "do this or the SOX