[SC-L] IR/Application Security
In this episode Karl Sigler sits down with Grayson Lenik, a forensic expert for Trustwave SpiderLabs. We talk about Point-of-Sale malware, including common web application security attack vectors as well as remediation steps to help protect businesses using POS systems. http://blog.spiderlabs.com/2014/01/spiderlabs-radio-january-23-2014.html Enjoy! ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates ___
Re: [SC-L] informIT: Building versus Breaking
Ding ding ding... End of first round. insert ring girl with below sign Largest application software security focused event in 2011 - don't miss: http://www.appsecusa.org Sept 20-23 2011 ### Ding ding ding... Now let's get it on. Let's keep a professional debate. Free speech only works with more free speech; add bourbon for a party. On Sep 1, 2011, at 3:26 AM, Sergio 'shadown' Alvarez shad...@gmail.com wrote: Blackhat IS about breaking stuff; the vendors area offers defense products and services to improve your security. For building stuff (as in development) there are other conferences out there. People go to Blackhat to be aware of what things might go wrong in order to better protect themselves. I really take offense to your comment. There's no offense within the truth. btw, I forgot trainings in that paragraph. I am seeing malware out in the field that is based on work by so-called noble security researchers. You are seeing? Wow, how? From this mail it's clear you have no idea, and even less about the reverse engineering that is required to do such analysis. I am a reverse engineer, and I know what I'm talking about, but this is not the list to get into a discussion about malware and reversing. My litmus test is: If there were no whitehats and security researchers, would we be better off at fighting the bad guys? My answer is emphatically yes. Might I ask you a question? Why are you even on this mailing list if you are the kind of guy or developer that just doesn't care about doing your products correctly? Based on your answer, a whitehat for you is a nightmare, the one who is giving your boss the red pill, and because of that you are 'forced' to rewrite your code and do things as you should have done from the very beginning. People that follow your line of thinking are the ones who need to be replaced by people willing to learn in order to do better and more secure products. 
I agree with Gary, and from knowing Gary from all of his posts and podcasts, this is not a new stance from him. I am in complete agreement with him and always have been. I do agree with Gary in that there is a need for a new conference about Defense Technologies and Awareness *for Developers*, one that brings top notch security professionals and researchers together. I highlight *for developers* because for people who know what they are doing there are a bunch of conferences, and since you brought up the topic of malware, here you have some specifically for that topic: http://www.virusbtn.com/news/calendar/index Especially the VB Conference (Virus Bulletin) is really good. And while I am here, the Builders vs. Breakers term should be attributed to Mark Curphey. You can probably still find his original post. I'm sort of sick of the whole attribution thingy. I've seen a lot of that in academia 'research', where they just take research from some unknown researcher, put a label on it and claim attribution afterwards. The Builders vs Breakers meme has been discussed for *years*, I mean since before the 90s, and especially in other disciplines than software development. But since you've mentioned a specific person, a recent discussion which predates the author you've mentioned is here, from June 3, 2008: http://marc.info/?l=cryptography&m=121260561401776&w=2 http://news.cnet.com/2300-1029_3-6240826.html?tag=ne.gall.pg Let me know if you find an article from that Mark Curphey which predates that one and I'll give you another one older just to fit your needs. The next question is: Can we ever prevent people from being security researchers or white hats or black hats or bad guys? No. Can we prevent people from developing shitty code? Can we prevent people from talking BS? Neither. But I think we have to start to take the lipstick off of the pigs and recognize what it is. It's called Blackhat, isn't it? 
A blackhat is the first one willing to keep things secret, so that nobody knows anything. It is thanks to whitehats and researchers who present their work and bring some light to blind people that products evolve over time. Otherwise we would still have products like Windows 95 or Windows NT 4.0, which were a joke from a security point of view. When Bill Gates sent the famous letter to the whole company asking everyone to stop whatever it was they were doing and start auditing and reviewing the security of their developments, a lot of developers and project managers quit because they didn't want to rebuild right what they'd built wrong. I believe you think like those developers and PMs; that's not the way to go. Very unfortunately, there is more glamour - and probably more reward - in breaking stuff. That's a media/press problem; they are guilty of that. I personally have great respect for products well engineered. What I hate is that security researchers and the white hats try to present
[SC-L] OWASP Summit / Elections
The next global summit for OWASP Foundation Inc (www.owasp.org) will be held on November 11th 2009 (Veterans Day in the USA) in Washington, DC, USA. As is customary at our summits we will govern by rough consensus and collaborate face to face, town hall style, on our professional association's direction. http://www.owasp.org/index.php/Summit_2009 Just one of the many shaping activities that will take place will be the first democratic ELECTION of an OWASP Board Member by the membership. Eligible individuals have already volunteered time, served as a project leader and/or chapter leader, and have demonstrated global leadership acumen as a current and active member of a Global Committee. You will hear from each of these candidates during the town hall session on why they are the best person for the role. If you have never attended an OWASP Summit (such as Portugal 2008 http://www.owasp.org/index.php/OWASP_EU_Summit_2008 ) you will not want to miss this event - when you get passion filled OWASP people together we come together as a community to set the direction for the next 6, 12, 24 months, and we need you to get involved to continue our mission. Semper Fi, Tom Brennan OWASP Foundation 973.506.9303 About OWASP - http://www.owasp.org/index.php/About_OWASP - 2009 OWASP Summit http://www.owasp.org/index.php/Summit_2009
Re: [SC-L] IBM Acquires Ounce Labs, Inc.
Fortify (www.fortify.com) has partnered with WhiteHat Security (www.whitehatsec.com) too. Tom Brennan Board Member - OWASP Foundation Url: www.owasp.org | Tel: 973-202-0122 http://www.linkedin.com/in/tombrennan -Original Message- From: Matt Fisher m...@piscis-security.com Date: Tue, 28 Jul 2009 11:29:30 To: Prasad Shenoyprasad.she...@gmail.com; Kenneth Van Wykk...@krvw.com Cc: Secure CodingSC-L@securecoding.org Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc. Pretty much. HP/SPI has integrations as well, but I don't recall DevInspect ever being a big hit. Veracode does both as well as static binary, but as a SaaS model. Watchfire had a RAD integration as well iirc, but it clearly must not have had the share Ounce does. -Original Message- From: Prasad Shenoy prasad.she...@gmail.com Sent: July 28, 2009 12:22 PM To: Kenneth Van Wyk k...@krvw.com Cc: Secure Coding SC-L@securecoding.org Subject: Re: [SC-L] IBM Acquires Ounce Labs, Inc. Wow indeed. Does that make IBM the only vendor to offer both static and dynamic software security testing/analysis capabilities? Thanks Regards, Prasad N. Shenoy On Tue, Jul 28, 2009 at 10:19 AM, Kenneth Van Wykk...@krvw.com wrote: Wow, big acquisition news in the static code analysis space announced today: http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE= Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com (This email is digitally signed with a free x.509 certificate from CAcert. If you're unable to verify the signature, try getting their root CA certificate at http://www.cacert.org -- for free.)
Re: [SC-L] Online Secure Development Training?
Brad, take a peek at http://denimgroup.com/service_sec_training.html On Wed, Mar 25, 2009 at 11:21 AM, Brad Andrews andr...@rbacomm.com wrote: Does anyone know of any good CBT training on secure development, especially covering higher level issues and secure code review? Brad -- Tom Brennan Board Member OWASP Foundation Tel: 973-795-1046 x112 Url: www.owasp.org
Re: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous ProgrammingErrors
CVE - http://cve.mitre.org/ - known problems, known systems
CWE - http://cwe.mitre.org/ - classes of problems, unknown systems
http://cwe.mitre.org/top25/
Will business start to talk CWE as they already talk CVE? Discussion/Debate/Thoughts Tom Brennan -Original Message- From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Kenneth Van Wyk Sent: Monday, January 12, 2009 2:30 PM To: Secure Coding Subject: [SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors FYI, a top 25 programming errors list from the folks at SANS has been released. See the following for details: http://www.sans.org/top25errors/ Cheers, Ken - Kenneth R. van Wyk KRvW Associates, LLC http://www.KRvW.com
[SC-L] Application Security Conference
The OWASP 2008 Application Security Conference is September 24th-25th 2008 in New York City (less than 60 days away), with over 50 AppSec speakers, 6 training classes and a Capture the Flag event. This event is the largest web application security focused conference anywhere, don't miss it! Event agenda and registration : http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference *NOTE* We have already had reports of some hotels being booked solid; secure your ticket and book your travel ASAP and join OWASP to take a bite out of the Big Apple. Sincerely, Tom Brennan - Board Member OWASP Foundation whois http://www.linkedin.com/in/tombrennan O: 973-795-1046 x112 W: www.owasp.org -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kenneth Van Wyk Sent: Monday, July 21, 2008 1:34 PM To: Secure Coding Subject: [SC-L] Administrivia Greetings SC-L folks, A couple of things re the mailing list... - It's been a couple of months since I asked for your opinions regarding accepting sponsorships here on SC-L. Although the opinions I received were almost entirely in favor or neutral -- all but one -- I haven't decided to pull that trigger in any case. I do appreciate your inputs, as always, however. - I'd also like to clarify a posting policy here. The list gets, from time to time, conference announcements, CfPs, and such. I want to be explicit here that I fully encourage that, and would like to take it one step further. Training events that are open to the public may also be announced here, once per event. This includes commercial events. As always, ASCII text is preferred, and no HTML please. But I feel this policy is in line with what I see on other groups. Full disclosure: my own company does do occasional public training events from time to time and I'd like to be able to let folks know about it here. Again, one posting per event announcement. Your opinions, as always, are appreciated. 
Feel free to contact me on- or off-list about either of these policies. My goal here remains to keep the list a free and open forum for us to discuss matters related to software security. Cheers, Ken - Kenneth R. van Wyk SC-L Moderator KRvW Associates, LLC http://www.KRvW.com
[SC-L] Code Testing Tools Could Be Acquisition Targets in '08
That is not a bad thing ;) Management, developers and security professionals at one table can only result in one thing: better security. http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference Sept 22nd-25th 2008