[SC-L] Silver Bullet: Peter Neumann

2007-05-22 Thread Gary McGraw
Hi all,

The Silver Bullet Security Podcast episode 14 just went live today.  This one 
features an interview with Peter Neumann, software quality pundit and moderator 
of comp.RISKS.  We had fun with this one.

http://www.cigital.com/silverbullet/show-014/

Peter and I discuss (among other things) the difference between software 
security a la Multics and software security today.  Plenty of good stuff in 
this one for software security types.

gem

company www.cigital.com
blog www.cigital.com/justiceleague
book www.swsec.com

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


Re: [SC-L] Tools: Evaluation Criteria

2007-05-22 Thread Steven M. Christey

On Tue, 22 May 2007, McGovern, James F (HTSC, IT) wrote:

> We will shortly be starting an evaluation of tools to assist in the
> secure coding practices initiative and have been wildly successful in
> finding lots of consultants who can assist us in evaluating but
> absolutely zero in terms of finding RFI/RFPs of others who have
> travelled this path before us. Would especially love to understand
> stretch goals that we should be looking for beyond simple stuff like
> finding buffer overflows in C, OWASP checklists, etc.

semi-spam: With over 600 nodes in draft 6, the Common Weakness Enumeration
(CWE) at http://cwe.mitre.org is the most comprehensive list of
vulnerability issues out there, and it's not just implementation bugs.
That might help you find other areas you want to test.  In addition, many
code analysis tool vendors are participating in CWE.

> In my travels, it "feels" as if folks are simply choosing tools in this
> space because they are the market leader, incumbent vendor or simply
> asking an industry analyst but none seem to have any "deep" criteria. I
> guess at some level, choosing any tool will move the needle, but
> investments really should be longer term.

Preliminary CWE analyses have shown a lot less overlap across the tools
than expected, so even based on vulnerabilities tested, this is an
important consideration.

You might also want to check out the SAMATE project (samate.nist.gov),
which is working towards evaluation and understanding of tools, although
it's a multi-year program.

Finally, Network Computing did a tool comparison:

http://www.networkcomputing.com/article/printFullArticle.jhtml?articleID=198900460

- Steve


Re: [SC-L] Tools: Evaluation Criteria

2007-05-22 Thread Peter Amey
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of McGovern, James F (HTSC, IT)
> Sent: 22 May 2007 14:48
> To: SC-L@securecoding.org
> Subject: [SC-L] Tools: Evaluation Criteria
>
> We will shortly be starting an evaluation of tools to assist in
> the secure coding practices initiative and have been wildly successful
> in finding lots of consultants who can assist us in evaluating but
> absolutely zero in terms of finding RFI/RFPs of others who have
> travelled this path before us. Would especially love to understand
> stretch goals that we should be looking for beyond simple stuff like
> finding buffer overflows in C, OWASP checklists, etc.

[PNA]
For some "stretch goals", take a look at www.sparkada.com and
some of the published papers there, especially one on a project called
Tokeneer.
(Caveat: I am commercially involved in the SPARK tools.)
> In my travels, it "feels" as if folks are simply choosing tools
> in this space because they are the market leader, incumbent vendor or
> simply asking an industry analyst but none seem to have any "deep"
> criteria. I guess at some level, choosing any tool will move the needle,
> but investments really should be longer term.

[PNA]
Agreed

Peter

Peter Amey BSc ACGI CEng CITP MRAes FBCS
CTO (Software Engineering)
direct: +44 (0) 1225 823761
mobile: +44 (0) 7774 148336
[EMAIL PROTECTED]

Praxis High Integrity Systems Ltd
20 Manvers St, Bath, BA1 1PX, UK
t: +44 (0)1225 466991
f: +44 (0)1225 469006
w: www.praxis-his.com



[SC-L] Tools: Evaluation Criteria

2007-05-22 Thread McGovern, James F (HTSC, IT)
We will shortly be starting an evaluation of tools to assist in the secure 
coding practices initiative and have been wildly successful in finding lots of 
consultants who can assist us in evaluating but absolutely zero in terms of 
finding RFI/RFPs of others who have travelled this path before us. Would 
especially love to understand stretch goals that we should be looking for 
beyond simple stuff like finding buffer overflows in C, OWASP checklists, etc.
 
In my travels, it "feels" as if folks are simply choosing tools in this space 
because they are the market leader, incumbent vendor or simply asking an 
industry analyst but none seem to have any "deep" criteria. I guess at some 
level, choosing any tool will move the needle, but investments really should be 
longer term.
