Re: [SC-L] Catching up, and some retrospective thoughts

2007-04-25 Thread Arian J. Evans

comments:inline

On 4/24/07, Jeremy Epstein [EMAIL PROTECTED] wrote:

> I've just caught up with 6 weeks of backlogged messages in this group,

better than me, I fell off all the lists when I moved last year. Pardon list
duplicity:

> (1) SOX is a waste, as several people said, because it's just a way to
> give auditors more ways to demand irrelevant things on checklists - but
> not to pay attention to actual security.  I've had customers demand that

[...] usual non-contextual nonsense audit security requirements removed

So yeah, this happens all the time. I used to work with several software
companies that store the key with the encrypted message, same host, same DB,
all because of the requirement to encrypt sensitive data. e.g.-like firewall
log management products and such. zero value. check.

> (2) PCI, by contrast, is dramatically better, because it's got actual
> things you can measure, and some of them have some relevance to software
> security.  However, it's having an effect that I think was unintended by
> the folks who wrote it (or at least the ones I met at a recent
> conference) - merchants are pushing the requirements down to all of
> their suppliers, regardless of whether they're applicable.

[...]

To look the proverbial gift horse in the mouth, there's another pattern
I've seen from several PCI assessors: they are requiring some form of
software security testing. There seems to be a lot of general confusion
about what webappsec in PCI is today and/or means. (It means nothing
that I know of, outside some random training/awareness req).

The problem is there is absolutely no definition on what this means. WHS
for example has two bitbuckets for similar attacks: XSS and Content
Spoofing. Watchfire added a third, Phishing, which is an overlap of the two
above (their developer didn't want to admit to me his XSS checks were lame,
so made up /random title). Then you have HTTP Response Splitting, which
I think has next to zero attack surface. We stick close to PCI vuln defs
so tend to ignore it, but for some vendors that is a HIGH severity issue.
(!?)

So (a) what is being measured is equivocal, and (b) what is being held
up as priority to be fixed is pretty borked at the moment too.

The really important stuff, like Authentication and Authorization issues,
seem entirely ignored in favor of bit-fiddling like XSS since basic XSS
is generally easier to test for w/out context (e.g.-scanner jockey
--Click/scan).



> (3) Vendors do what their customers ask for.  If my customers ask for
> better security, we'll put our engineering resources into improving
> security - just as Microsoft has done.

[...]

Cynically speaking: has it paid off for MS? Vista? Is security driving
resounding success there? Do we need more time to tell? SQL Server
2005 is nice, but I don't know anyone adopting it because of security.

OTOH: there are folks waving the security banner and getting
a positive response from it from their clients and prospects, I believe
monetary. They come in a couple of flavors:

1. Touting Security whilst doing something about it:

- http://www.discoveryproductions.com/

(apology to all the folks I know I'm leaving out, not sure who all
I am allowed re: NDAs to mention)

2. Touting security, making completely false claims, without actually
implementing or measuring it (there is no price to pay for doing this today,
I mean, hey: what is software security anyway?):

[url removed]
(gives you a nice uber-secure message when you log in,
unfortunately thanks to their litigious nature vulns are neither
disclosed nor fixed)

[url removed]
(similar story, website used to have a picture of a safe on product
page, at least they took that down, but left all the client-side config
parameters in the app)

I chickened out and removed both URLs before sending. Nobody probably
cares about the specific companies, except those companies, who
have gotten testy with me before.

3. People using security verification as a weapon; this is at least
the fifth time I have seen this in my career (direct observation, not
all the implied vuln research battles):

http://forums.aspdotnetstorefront.com/showthread.php?t=6257

I'm going to fire up a blog on all the fun stuff, forensic and the like, I saw
at FishNet, and now that I have visibility into 500+ web-sites, should
be some useful measurement stats to provide for folks. I don't think
anyone else out there has as many production sites to evaluate at
one time, so ideas on what to mine for data welcome.

If someone wants a measurement bar (e.g.-we are X,Y compared
to like software in our industry for security) this is probably something
to discuss how to provide too. At least, I see some *hows* that are
all crippled by the sensitivity of the information (at least, the perceived
ability to correlate to clients). But worth exploring I think for you
ISVs...

Thanks, cheers,


--
Arian Evans
solipsistic software security sophist

I spend most of my money on motorcycles, martinis, and mistresses. The 
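The "store the key with the encrypted message, same host, same DB" pattern Arian mentions above is worth seeing side by side with the form it should take. The following is an added illustration, not code from anyone on the thread: a dict stands in for the database table and another dict for a separate key store (KMS/HSM), and the cipher is a constructed HMAC-SHA256 stand-in for a real AEAD such as AES-GCM. The threat model it exercises is the one the checklist misses: whoever holds a copy of the table alone.

```python
import hashlib
import hmac
import secrets

# Added illustration (not code from the thread): the "key stored with the
# ciphertext, same host, same DB" anti-pattern beside a form where the key
# lives in a separate key store. The cipher below is a constructed stand-in
# (HMAC-SHA256 counter-mode keystream, encrypt-then-MAC); a real system would
# use a vetted AEAD such as AES-GCM from a maintained library.

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Derive `length` bytes of keystream by MACing nonce || counter.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, b"stream" + block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    ks = _keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def store_key_in_row(db: dict, record_id: str, key: bytes, secret: bytes) -> None:
    # Anti-pattern: the key column sits next to the ciphertext column, so the
    # "encrypt sensitive data" box is ticked but a copy of the table is enough
    # to read everything.
    db[record_id] = {"ciphertext": encrypt(key, secret), "key": key}


def store_key_in_kms(db: dict, kms: dict, record_id: str, key_id: str, secret: bytes) -> None:
    # Hardened form: the row carries ciphertext plus a key identifier; key
    # material lives in a separate store (here a dict standing in for a
    # KMS/HSM with its own access control and audit trail).
    db[record_id] = {"ciphertext": encrypt(kms[key_id], secret), "key_id": key_id}


def recoverable_from_dump(db: dict) -> dict:
    # Risk model: someone holds a copy of the database only (backup tape,
    # replica, exported table), not the key store. Returns what that copy
    # alone yields in plaintext.
    return {rid: decrypt(row["key"], row["ciphertext"])
            for rid, row in db.items() if "key" in row}


def audit_key_colocation(db: dict) -> list:
    # A check an assessor could actually run: flag rows carrying key material.
    return sorted(rid for rid, row in db.items() if "key" in row)


def demo() -> tuple:
    secret = b"constructed-card-number-0000"  # constructed sample, not real data
    db_weak, db_strong = {}, {}
    kms = {"k1": secrets.token_bytes(32)}
    store_key_in_row(db_weak, "r1", secrets.token_bytes(32), secret)
    store_key_in_kms(db_strong, kms, "r1", "k1", secret)
    weak_leak = recoverable_from_dump(db_weak)      # {"r1": secret}
    strong_leak = recoverable_from_dump(db_strong)  # {}
    # The legitimate application path still works against the hardened store.
    legit = decrypt(kms[db_strong["r1"]["key_id"]], db_strong["r1"]["ciphertext"])
    return weak_leak, strong_leak, legit, audit_key_colocation(db_weak)


if __name__ == "__main__":
    print(demo())
```

The point of `audit_key_colocation` is that "is sensitive data encrypted?" is the wrong question for an assessor; "can the ciphertext and its key be obtained from the same place?" is the one that separates zero-value encryption from the real thing.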

Re: [SC-L] SC-L Digest, Vol 3, Issue 81

2007-04-25 Thread Jason Grembi

Gary/James

As an application developer, who has turned into a secure developer (thanks
Ken at Secure University), I can attest that not a whole lot of 'decision
makers' understand what they're up against (vulnerability speaking).  Most of
my time is spent training and explaining; then I use tools to verify my
lectures.  Once the 'decision makers' see the results these tools produce,
they usually green light the use of tools and time spent in
design/development.

In my experience, security issues, so far, have come from the ground up
(programmers) because people at the top have a hard time understanding the
how-to's.  It's going to take a few more years for security factors to rank
up there with quality but the industry is moving that way.

Keep the movement going, these emails and silverbullet podcasts do help.


Jason Grembi
Web Developer


On 4/24/07, [EMAIL PROTECTED] [EMAIL PROTECTED]
wrote:



Message: 1
Date: Tue, 24 Apr 2007 11:17:20 -0400
From: McGovern, James F (HTSC, IT) [EMAIL PROTECTED]
Subject: Re: [SC-L] How big is the market?
To: Gary McGraw [EMAIL PROTECTED]
Cc: SC-L@securecoding.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=iso-8859-1

Gary, I do at some level agree in terms of quality of publication. My
perspective though is from a large enterprise perspective whose primary
business model isn't about technology and the magazines that folks do read
especially in the development community. A quick informal survey tells me
that absolutely zero of my peers read IEEE (note I am a subscriber).

Part of the problem may be the fact that us enterprise folks are bombarded
with free magazines and cannot justify spending money to subscribe to ones
such as the IEEE. I am merely suggesting some diversification for folks that
don't pay for magazines.

-Original Message-
From: Gary McGraw [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 24, 2007 10:50 AM
To: McGovern, James F (HTSC, IT)
Cc: SC-L@securecoding.org
Subject: RE: [SC-L] How big is the market?


I'm sorry James, but I have to respectfully disagree about the vendor
thing.  Perhaps the tools vendors target the information protection
people, but at Cigital we sell services to software execs (in huge
companies) who are way up the food chain.

Software security is small, and we need to emphasize the growth and get
people interested.  This goes for everyone who reads this list.  To
continue our impressive growth as a field, we need to continue to build.

I do agree with you that people need to write more for developers (but I
hope they pick better places than JDJ to publish in).  Toward that end,
check out the Building Security In department in IEEE Security &
Privacy magazine http://www.computer.org/portal/site/security/.  Also
check out Brian Chess's new book Secure Programming with Static
Analysis when it comes out in June.  However, for the most part, it's
critical to understand that workaday developers can't wrangle enough
budget to tackle software security.

BTW, I posted a reprise to the darkreading column on justice league
today:
http://www.cigital.com/justiceleague/
http://www.darkreading.com/document.asp?doc_id=122253&WT.svl=column1_1

All told, I am very optimistic about our field, but don't think we can
rest on our laurels at all yet.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com







Re: [SC-L] MetriCon 2.0 CFP

2007-04-25 Thread Bret Watson
You know it's a little off topic - but I'd kill for a set of metrics
around the effectiveness/efficiency of a SOC :)

Anyone got any ideas? The usual events per person type metrics are
backwards (good security means fewer events so lower efficiency).

Thanks

Bret

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___