[SC-L] SearchSecurity: Badware versus malware
hi sc-l,

What’s worse, bad software or malicious software? In fact, what’s the difference?

My second column for SearchSecurity is all about that. Read it today. And pass it on.
http://searchsecurity.techtarget.com/opinion/Gary-McGraw-Eliminating-badware-addresses-malware-problem

Bottom line: Talking about malware may be more fun and entertaining than talking about endless security bugs, but if we’re going to combat malware we have to start with the badware vector.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] SearchSecurity: Badware versus malware
The differences are marginal.

> What's worse, bad software or malicious software? ...

My book has a pervasive theme: Many things that could happen accidentally could be triggered intentionally. Many things that happen intentionally could be triggered accidentally. Trying to reduce one without the other may be foolhardy in most realistic threat models.
Re: [SC-L] SearchSecurity: Badware versus malware
In other words, flaws and defects caused through developer error, ignorance, negligence etc. can be exploited to cause harm. So even if one could prevent actual intentional malicious inclusions in software, one hasn't eliminated the problem of exploitable flawed logic. The megachallenge, of course, is looking for what one doesn't actually know is there. Which is why software security testing is so hard.

===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com
"I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Peter G. Neumann [neum...@csl.sri.com]
Sent: 08 May 2012 11:30
To: Gary McGraw
Cc: Secure Code Mailing List
Subject: Re: [SC-L] SearchSecurity: Badware versus malware

> The differences are marginal.
>
> > What's worse, bad software or malicious software? ...
>
> My book has a pervasive theme: Many things that could happen accidentally could be triggered intentionally. Many things that happen intentionally could be triggered accidentally. Trying to reduce one without the other may be foolhardy in most realistic threat models.
Re: [SC-L] SearchSecurity: Badware versus malware
On 8 May 2012 07:18, Gary McGraw wrote:
> Bottom line: Talking about malware may be more fun and entertaining than talking about endless security bugs, but if we’re going to combat malware we have to start with the badware vector.

Fixing badware universally would plug one hole - and it's certainly a hole worth plugging. But it won't eliminate malware - it seems it is not hard to persuade users to install it for you, for example.
Re: [SC-L] SearchSecurity: Badware versus malware
The article does not suggest otherwise.

gem

On 5/11/12 1:51 PM, "Ben Laurie" wrote:
> On 8 May 2012 07:18, Gary McGraw wrote:
>> Bottom line: Talking about malware may be more fun and entertaining than talking about endless security bugs, but if we're going to combat malware we have to start with the badware vector.
>
> Fixing badware universally would plug one hole - and it's certainly a hole worth plugging. But it won't eliminate malware - it seems it is not hard to persuade users to install it for you, for example.
Re: [SC-L] SearchSecurity: Badware versus malware
On 11 May 2012 20:07, Gary McGraw wrote:
> The article does not suggest otherwise.

Well, it certainly does _suggest_ it: "All of the things that we do to improve software security are aimed explicitly at the badware problem."

It doesn't say it, though, I agree.
Re: [SC-L] SearchSecurity: Badware versus malware
OWASP has started a monthly awareness problem/solution; see updated: http://www.owasp.com

Point, you ask.. As a united community we raise visibility for the problem that results in an ecosystem - let's make noise about it together, monthly and globally, from the builder / breaker & defender perspectives.

On May 11, 2012, at 3:39 PM, Ben Laurie wrote:
> On 11 May 2012 20:07, Gary McGraw wrote:
>> The article does not suggest otherwise.
>
> Well, it certainly does _suggest_ it: "All of the things that we do to improve software security are aimed explicitly at the badware problem."
>
> It doesn't say it, though, I agree.