Re: [SC-L] SC-L Digest, Vol 5, Issue 50

2009-03-25 Thread Leverett, Eireann (GE Infra, Energy)
 
The core problem is that the language/format mixes code and data with no
way to differentiate between them.

I'm with you on this one. 


___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] SAMM 1.0 Released! | OpenSAMM

2009-03-25 Thread Kenneth Van Wyk

Good news today from the Software Assurance Maturity Model (SAMM) group.

http://www.opensamm.org/2009/03/samm-10-released/

Their release says:

The Beta release has been out for quite a while now (since August  
2008) and lots of organizations and individuals have provided  
excellent feedback to help improve the model. I’ve heard lots of  
stories from people using SAMM (some are consulting firms, and some  
are development organizations) and that feedback has been some of the  
most valuable. This release marks the official 1.0 version of SAMM and  
there’s a few new pieces added:


* Executive summary and introduction to the model
* Improved details on applying the model to solve problems
* Assessment worksheets for evaluating existing programs
* Roadmaps for financial services and government organizations
* Improvements and refinements to the model (I’ll cover changes  
individually in separate posts)


Many thanks to the individual reviewers and the organizations that  
have volunteered time to help improve SAMM. I look forward to more  
active participants as we push forward with some of the future  
development plans for SAMM.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



Re: [SC-L] SAMM 1.0 Released! | OpenSAMM

2009-03-25 Thread Pravir Chandra
Hey Ken.

Thanks for sending this out. I've mentioned it before, but today I'm
proud to announce that the Software Assurance Maturity Model (SAMM)
version 1.0 has been released and is freely available for download
from http://www.opensamm.org

For those unfamiliar, SAMM is an open framework to help organizations
formulate and implement a strategy for software security that is
tailored to the specific risks facing the organization. The resources
provided by SAMM will aid in:

* Evaluating an organization’s existing software security practices
* Building a balanced software security program in well-defined iterations
* Demonstrating concrete improvements to a security assurance program
* Defining and measuring security-related activities within an organization

SAMM was defined with flexibility in mind such that it can be utilized
by small, medium, and large organizations using any style of
development. Additionally, this model can be applied
organization-wide, for a single line-of-business, or even for an
individual project.

As an open project, SAMM content shall always remain vendor-neutral
and freely available for all to use. The project has received a huge
amount of attention and is keeping me busy, but we're always open to
more feedback and supporters.

Thanks!

p.

On Wed, Mar 25, 2009 at 8:09 AM, Kenneth Van Wyk k...@krvw.com wrote:
 Good news today from the Software Assurance Maturity Model (SAMM) group.

 http://www.opensamm.org/2009/03/samm-10-released/

 Their release says:

 The Beta release has been out for quite a while now (since August 2008) and
 lots of organizations and individuals have provided excellent feedback to
 help improve the model. I’ve heard lots of stories from people using SAMM
 (some are consulting firms, and some are development organizations) and that
 feedback has been some of the most valuable. This release marks the official
 1.0 version of SAMM and there’s a few new pieces added:

    * Executive summary and introduction to the model
    * Improved details on applying the model to solve problems
    * Assessment worksheets for evaluating existing programs
    * Roadmaps for financial services and government organizations
    * Improvements and refinements to the model (I’ll cover changes
 individually in separate posts)

 Many thanks to the individual reviewers and the organizations that have
 volunteered time to help improve SAMM. I look forward to more active
 participants as we push forward with some of the future development plans
 for SAMM.



 Cheers,

 Ken

 -
 Kenneth R. van Wyk
 KRvW Associates, LLC
 http://www.KRvW.com

-- 
~ ~  ~ ~~~ ~~ ~
Pravir Chandra  chandraatlistdotorg
PGP:CE60 0E10 9207 7290 06EB   5107 4032 63FC 338E 16E4
~ ~~ ~~~ ~  ~ ~



Re: [SC-L] Online Secure Development Training?

2009-03-25 Thread Dave Wichers
My company, Aspect Security, is producing a full line of secure coding
CBTs based on our large curriculum of live application security training
courses that we have.

I am not aware of any other initiatives like this, but there might be
others.

-Dave

-Original Message-
From: sc-l-boun...@securecoding.org
[mailto:sc-l-boun...@securecoding.org] On Behalf Of Brad Andrews
Sent: Wednesday, March 25, 2009 11:22 AM
To: SC-L@securecoding.org
Subject: [SC-L] Online Secure Development Training?


Does anyone know of any good CBT training on secure development,  
especially covering higher level issues and secure code review?

Brad


Re: [SC-L] Online Secure Development Training?

2009-03-25 Thread Tom Brennan
Brad, take a peek at http://denimgroup.com/service_sec_training.html

On Wed, Mar 25, 2009 at 11:21 AM, Brad Andrews andr...@rbacomm.com wrote:

 Does anyone know of any good CBT training on secure development,
 especially covering higher level issues and secure code review?

 Brad

-- 
Tom Brennan
Board Member
OWASP Foundation
Tel: 973-795-1046 x112
Url: www.owasp.org


Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-25 Thread Andy Steingruebl
Ok, so your point then is that a desire for type-safety influenced the
hardware architecture of these machines.  Fair enough, though I don't know
enough of the history of these machines to know how accurate it is.  But how
can I doubt you Gary? :)

I was mainly reflecting in my comments though that the programming language
and the hardware architecture are coupled in terms of the resulting security
model.  Or they can be anyway.


On Wed, Mar 25, 2009 at 8:42 AM, Gary McGraw g...@cigital.com wrote:

 Hi Andy,

 The code/data mix is certainly a problem.  Also a problem is the way stacks
 grow on many particular machines, especially with common C/C++ compilers.
  You noted a Burroughs where things were done better.  There are many
 others.  C is usually just a sloppy mess by default.

 Language choice can sometimes make up for bad machine architecture, but
 ultimately at some level of computational abstraction they come to be the
 same thing.  You may recall that I am a scheme guy.  TI made a scheme
 machine that never caught on some years back (around the same time as the
 LISP machine...like emacs only even more bindings at least on the Symbolics
 http://en.wikipedia.org/wiki/Lisp_machine).  Those machines had a
 fundamentally different architecture at the processor level.

 In any case, type safety is at the root of these decisions and makes a HUGE
 difference.  Go back and read your lambda calculus, think about closure,
 symbolic representation, continuations, and first class objects and I think
 you'll see what I mean.  http://en.wikipedia.org/wiki/Lambda_calculus

 gem
 (supposedly still on vacation, but it is a rainy day)

 http://www.cigital.com/~gem


 On 3/24/09 2:50 PM, Andy Steingruebl stein...@gmail.com wrote:


 On Mon, Mar 23, 2009 at 7:22 AM, Gary McGraw g...@cigital.com wrote:
 hi guys,

 I think there is a bit of confusion here WRT root problems.  In C, the
 main problem is not simply strings and string representation, but rather
 that the sea of bits can be recast to represent most anything.  The
 technical term for the problem is the problem of type safety.  C is not type
 safe.

 Really?  It isn't that the standard von Neumann architecture doesn't
 differentiate between data and code?  We've gone over this ground before
 with stack-machines like the Burroughs B5500 series which were not
 susceptible to buffer overflows that changed control flow because code and
 data were truly distinct chunks of memory.

 Sure it's a different programming/hardware model, but if you want to fix the
 root cause you'll have to go deeper than language choice right?  You might
 have other tradeoffs but the core problem here isn't just type safety.

 Just like in the HTML example.  The core problem is that the
 language/format mixes code and data with no way to differentiate between
 them.

 Or is my brain working too slowly today?


-- 
Andy Steingruebl
stein...@gmail.com
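The "code and data mixed with no way to differentiate between them" point in the HTML example above, as an added illustration that is not part of the thread: the parser's view of the same untrusted string before and after escaping at the output boundary. The template, the `render_comment` helper and the sample comment are constructed for this example.

```python
"""Added example (not from the SC-L thread): a format that mixes code and
data gives the parser no way to tell author-written markup from bytes an
untrusted user typed. Escaping at the point where data is written into the
document restores that distinction."""
from html import escape
from html.parser import HTMLParser


class CodeVsData(HTMLParser):
    """Records what the parser treats as code (elements and on* event-handler
    attributes) versus what it treats as plain text."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []
        self.text: str = ""

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

    def handle_data(self, data):
        self.text += data


def render_comment(user_text: str, escape_output: bool) -> str:
    """Embed untrusted text into a fixed HTML template (hypothetical helper)."""
    body = escape(user_text, quote=True) if escape_output else user_text
    return f'<p class="comment">{body}</p>'


def parser_view(document: str) -> dict:
    """Return which parts of the document the parser interprets as code."""
    p = CodeVsData()
    p.feed(document)
    p.close()
    return {"tags": p.tags, "handlers": p.handlers, "text": p.text}


# Constructed sample: data from the author's point of view, markup to the parser.
UNTRUSTED = '<b onmouseover="f()">hi</b><script>x()</script>'

if __name__ == "__main__":
    # Without escaping, the user's string becomes elements and a handler.
    print("unescaped:", parser_view(render_comment(UNTRUSTED, False)))
    # With escaping, the same string survives only as text inside <p>.
    print("escaped:  ", parser_view(render_comment(UNTRUSTED, True)))
```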


Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-25 Thread Gary McGraw
Hi Andy,

The code/data mix is certainly a problem.  Also a problem is the way stacks 
grow on many particular machines, especially with common C/C++ compilers.  You 
noted a Burroughs where things were done better.  There are many others.  C is 
usually just a sloppy mess by default.

Language choice can sometimes make up for bad machine architecture, but 
ultimately at some level of computational abstraction they come to be the same 
thing.  You may recall that I am a scheme guy.  TI made a scheme machine that 
never caught on some years back (around the same time as the LISP 
machine...like emacs only even more bindings at least on the Symbolics 
http://en.wikipedia.org/wiki/Lisp_machine).  Those machines had a 
fundamentally different architecture at the processor level.

In any case, type safety is at the root of these decisions and makes a HUGE 
difference.  Go back and read your lambda calculus, think about closure, 
symbolic representation, continuations, and first class objects and I think 
you'll see what I mean.  http://en.wikipedia.org/wiki/Lambda_calculus

gem
(supposedly still on vacation, but it is a rainy day)

http://www.cigital.com/~gem


On 3/24/09 2:50 PM, Andy Steingruebl stein...@gmail.com wrote:


On Mon, Mar 23, 2009 at 7:22 AM, Gary McGraw g...@cigital.com wrote:
hi guys,

I think there is a bit of confusion here WRT root problems.  In C, the main 
problem is not simply strings and string representation, but rather that the 
sea of bits can be recast to represent most anything.  The technical term for 
the problem is the problem of type safety.  C is not type safe.

Really?  It isn't that the standard von Neumann architecture doesn't 
differentiate between data and code?  We've gone over this ground before with 
stack-machines like the Burroughs B5500 series which were not susceptible to 
buffer overflows that changed control flow because code and data were truly 
distinct chunks of memory.

Sure it's a different programming/hardware model, but if you want to fix the 
root cause you'll have to go deeper than language choice right?  You might have 
other tradeoffs but the core problem here isn't just type safety.

Just like in the HTML example.  The core problem is that the language/format 
mixes code and data with no way to differentiate between them.

Or is my brain working too slowly today?



Re: [SC-L] Online Secure Development Training?

2009-03-25 Thread Brad Andrews

Thanks for all the replies.  I did want to emphasize that I am  
specifically looking for CBT versions of courses, not the  
instructor-led variety.  Someone asked me about what was available and  
I said I would ask around.  I have only seen the instructor-led ones  
myself.

Thanks for all the replies!  :)

Brad


Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-25 Thread Andy Steingruebl
On Wed, Mar 25, 2009 at 10:18 AM, ljknews ljkn...@mac.com wrote:

 Worry about enforcement by the hardware architecture after
 you have squeezed out all errors that can be addressed by
 software techniques.

Larry,

Given the focus we've seen from Microsoft and protecting developers from
mistakes through things like DEP, ASLR, SEH, etc. why do you think that
these can't be done in parallel?  I mean, we used to not have Virtual Memory
or real MMUs and the developer had to make sure they didn't step on other
people's pages.  Hardware support for protection on pages has helped with a
lot of things right?

I'm not saying I'm holding out hope for hardware to solve all our problems
(that would be silly) but I do think it can be fairly useful for some
classes of problems and a lot more scalable/repeatable.  Practical right
now, no.  But we're sort of in the realm of fantasy in this discussion
already if we think the general mass of people writing software are going to
switch languages because certain ones are more reliable.

- Andy


Re: [SC-L] BSIMM: Confessions of a Software Security Alchemist (informIT)

2009-03-25 Thread ljknews
At 1:00 PM -0700 3/25/09, Andy Steingruebl wrote:
 On Wed, Mar 25, 2009 at 10:18 AM, ljknews ljkn...@mac.com wrote:

 Worry about enforcement by the hardware architecture after
 you have squeezed out all errors that can be addressed by
 software techniques.

 Larry,

 Given the focus we've seen from Microsoft and protecting developers from
 mistakes through things like DEP, ASLR, SEH, etc. why do you think that
 these can't be done in parallel?

I don't know any of those acronyms, and I have very little to
do with Microsoft.  The last software of theirs I bought was
Microsoft Word V5.1a, the last one _before_ they introduced
Macro viruses.

 I mean, we used to not have Virtual
 Memory or real MMUs and the developer had to make sure they didn't step on
 other people's pages.  Hardware support for protection on pages has helped
 with a lot of things right?

Yes, but for me that was prior to 1978, and the benefit of
hardware protection pales by comparison to the benefit of
not programming everything in assembly language.

 I'm not saying I'm holding out hope for hardware to solve all our
 problems (that would be silly) but I do think it can be fairly useful for
 some classes of problems and a lot more scalable/repeatable.  Practical
 right now, no.  But we're sort of in the realm of fantasy in this
 discussion already if we think the general mass of people writing software
 are going to switch languages because certain ones are more reliable.

I don't expect programmers to make that decision - I expect
astute management to make that decision (wherever astute
management happens to surface).

Management has a lot easier time changing languages than
changing hardware architectures.  Sometimes the hardware
is even dictated by the customer (such as when trying to
sell into a particular market).
-- 
Larry Kilgallen