[SC-L] AppSec DC Schedule announced, Registration OPEN!
AppSec DC, the East Coast's premier information security conference, returns with AppSec DC 2012 (http://www.appsecdc.org/). Now in its third year, AppSec DC is the Open Web Application Security Project's (OWASP's) annual gathering of leading experts in the field of application security. The event will be held at the Walter E. Washington Convention Center, April 2-5. AppSec DC features two days of training April 2-3, followed by two days of talks, April 4-5. The event will provide a forum for hundreds of IT professionals interested in securing web technologies to learn, interact, network, and attend presentations and training given by some of the world's top practitioners of application security.

"With the ever growing number of intrusions that have taken place over the past year, we feel that the business and federal communities could greatly benefit from what we offer now more than ever," said Mark Bristow, AppSec DC Organizer. "We encourage security professionals, technology executives, students, and anyone who realizes the importance that application security plays in all of our lives to attend."

Highlights of AppSec DC 2012 will include:

Keynote by Daniel Earl Geer, Jr., Sc.D., Creator of the Index of Cyber Security (2011) and the Cyber Security Decision Market (2011), among his numerous other accomplishments.

Presentation by Joe Jarzombek, Director for Software Assurance, National Cyber Security Division of the Department of Homeland Security.

Presentation by Ken Johnson, Senior Security Architect for LivingSocial.com, responsible for securing mobile applications, web services and web applications.
Panel topics to include Critical Infrastructure, Pentesting Smart Grid Web Apps, How to Get Every IT Architect to Become a Security Ambassador, and Adapting and Managing IT Security Solutions for Industrial Control Systems.

Training classes to include Assessing and Exploiting Web Applications with Samurai-WTF, Building Secure Android Apps, and Secure Web Application Development Training.

Full schedule at https://schedule.appsecdc.org

Bristow added, "In accordance with the broadening of OWASP's mission after the 2011 OWASP Global Summit, AppSec DC is not restricting its content strictly to the realm of web applications. We invite all practitioners of application security and those who work with or interact with all facets of application security to submit papers and participate in the conference."

OWASP AppSec DC attracts a worldwide audience. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security's top talent. Past conferences have drawn more than 700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

Sponsored by Aspect Security, Securicon, MANDIANT, Trustwave, Secure Ideas, and nVisium Security, AppSec DC is hosted by the Washington, D.C. chapter of the Open Web Application Security Project (OWASP). OWASP, a 501c3 Not-For-Profit, is an open-source application security project made up of corporations, educational organizations, and individuals from around the world. Providing free, vendor-neutral, practical, cost-effective application security guidelines, the organization has become the de facto standards body for application security over the past decade.
To attend OWASP AppSec DC 2012, visit www.AppSecDC.org or register at http://reg.appsecdc.org. To become a member of OWASP or a sponsor of AppSec DC 2012, kindly drop us a note at spons...@appsecdc.org.

Looking forward to seeing you there!

The AppSec DC Planning Team and the OWASP Foundation

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___
Re: [SC-L] informIT: vBSIMM (BSIMM for Vendors)
Hi Gary,

You may wish to consider the OWASP Legal Project at https://www.owasp.org/index.php/Category:OWASP_Legal_Project which is a positive, free, and open resource to assist in building legal contractual agreements around software security with your vendors. The state of NY procurement and others have been using this material as a basis for vendor contract language for years.

Regards,
Jim Manico

On Apr 12, 2011, at 10:18 PM, Gary McGraw g...@cigital.com wrote:

hi sc-l,

During RSA this year Jim Routh (JPMC), Doug Cavit (Microsoft) and I ended up having a productive hall meeting about vendor control, the Microsoft SDL, the BSIMM, and software security. Jim is in search of a way to place some kind of security control over his software vendors (they are ramping up their software security initiative at JPMC this year but also use plenty of COTS and third-party software). The issue is how to get to an SDL-level discussion with vendors instead of languishing in the OWASP-top-ten for one particular app space.

Here is an article about Vendor Control and the BSIMM that introduces a very simple attestation-based scheme Sammy and I have developed called vBSIMM. Jim has been in the loop throughout ideation and writing and endorses the approach:

http://www.informit.com/articles/article.aspx?p=1703668

Two things to note:

1) the vBSIMM bar is very low, but the working theory is that three sets of vendors will emerge once we try this out: some vendors (including those who participate in the BSIMM Community) will be well past these simple activities, some will be mealy-mouthed about exactly what they are doing, and some will be clueless. We believe that the vBSIMM will be able to distinguish between those three sets rather easily.

2) beginning with the vBSIMM may encourage smaller vendors to develop more mature software security initiatives. The notion of self-scoring and attestation works for very easy activities such as those included in the vBSIMM.
A complete BSIMM score makes much better sense for vendors who are well ahead of the curve (e.g., BSIMM participants). Don't forget to compare this in your mind to the alternative which seems to be looking for certain bugs in a particular app, one app at a time.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com
[SC-L] Adobe
I've been pretty brutal with my opinions on Adobe's security posture lately (an opinion that is far from unique in our industry). However, recent releases of PDF reader give me hope for the future.

http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-part-1-design.html
http://blogs.adobe.com/asset/2010/10/inside-adobe-reader-protected-mode-%E2%80%93-part-2-%E2%80%93-the-sandbox-process.html

I think this bodes very well. Does Flash offer the same kind of protection, and if not, will we see this protection in the future? Is this as big a deal as I think it is? Will protected mode really reduce the risk of malformed PDF attacks as significantly as it appears?

Thanks and Cheers,
Jim
Re: [SC-L] Java: the next platform-independent target
Ben,

These threats are only relevant for client-side Java, for the most part. It's my opinion that all enterprises should remove Java from all clients. Java is most commonly deployed server-side, which has a completely different threat model than client-side Java. A lot of smart people disagree with me here - but the history of Java sandbox problems, data theft through reflection, the weak security policy mechanism, etc., backs up my recommendation. Oracle is one of the most irresponsible large technical companies from a product security perspective, so I have no hope that this will get better.

Abort Java on the client, and please support forking Java.

- Jim

-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Benjamin Tomhave
Sent: Wednesday, October 20, 2010 7:24 PM
To: SC-L@securecoding.org
Subject: [SC-L] Java: the next platform-independent target

All these platform-independent attacks are starting to get exhausting, no? Now that Adobe has come up with sandboxing for Reader and actually started responding to threats, it seems that the smart adversaries have moved to a new platform: Java. Stories are below, mostly deriving from Microsoft's latest Intelligence Report (this one has a botnet focus - a topic on which they've invested a ton of resources).

If I understand this all correctly (never a safe bet), it seems these are actual attacks on Java, not on coding with Java. Ergo, this isn't something ESAPI can fix, but rather fundamental problems. What do you think? Overblown? Legit? Solutions forthcoming?

The rise of Java exploits
http://www.net-security.org/secworld.php?id=10014

Have you checked the Java?
http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx

Java: A Gift to Exploit Pack Makers
http://krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/

Announcing Microsoft Security Intelligence Report version 9
http://blogs.technet.com/b/mmpc/archive/2010/10/13/announcing-microsoft-security-intelligence-report-version-9.aspx

cheers,
-ben

--
Benjamin Tomhave, MS, CISSP
tomh...@secureconsulting.net
Blog: http://www.secureconsulting.net/
Twitter: http://twitter.com/falconsview
LI: http://www.linkedin.com/in/btomhave

[ Random Quote: ]
"I ran into Isosceles. He had a great idea for a new triangle!" Woody Allen
Re: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog
Hello Matt,

Java EE still has NO support for escaping and lots of other important security areas. You need something like OWASP ESAPI to make a secure app even remotely possible. I was once a Sun guy, and I'm very fond of Java and Sun. But Java EE 6 does very little to raise the bar when it comes to Application Security.

- Jim

On Tue, Jan 5, 2010 at 3:30 PM, Matt Parsons mparsons1...@gmail.com wrote:

From what I read it appears that this Java EE 6 could be a few rule changers. It looks like to me, Java is checking for authorization and authentication with this new framework. If that is the case, I think that static code analyzers could change their rule sets to check what normally is a manual process in the code review of authentication and authorization. Am I correct on my assumption?

Thanks,
Matt

Matt Parsons, MSM, CISSP
315-559-3588 Blackberry
817-294-3789 Home office
mailto:mparsons1...@gmail.com
http://www.parsonsisconsulting.com
http://www.o2-ounceopen.com/o2-power-users/
http://www.linkedin.com/in/parsonsconsulting

-Original Message-
From: sc-l-boun...@securecoding.org [mailto:sc-l-boun...@securecoding.org] On Behalf Of Kenneth Van Wyk
Sent: Tuesday, January 05, 2010 8:59 AM
To: Secure Coding
Subject: [SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

Happy new year SC-Lers. FYI, interesting blog post on some of the new security features in Java EE 6, by Ramesh Nagappan. Worth reading for all you Java folk, IMHO.

http://www.coresecuritypatterns.com/blogs/?p=1622

Cheers,
Ken

-
Kenneth R. van Wyk
SC-L Moderator
--
Jim Manico, Application Security Architect
jim.man...@aspectsecurity.com | j...@manico.net
(301) 604-4882 (work)
(808) 652-3805 (cell)
Aspect Security™
Securing your applications at the source
http://www.aspectsecurity.com
[SC-L] OWASP Podcast August Update
Hello SC-L!

The OWASP Podcast Series continues to accelerate! We released 5 podcasts this month which I hope you find to be of value.

39 - August 25, 2009 - Listen Now: http://www.owasp.org/download/jmanico/owasp_podcast_39.mp3 | Show Notes: /index.php/Podcast_39 - Interview with Gunnar Peterson (Webservices)
38 - August 25, 2009 - Listen Now: http://www.owasp.org/download/jmanico/owasp_podcast_38.mp3 | Show Notes: /index.php/Podcast_38 - Interview with the OWASP Global Education Committee
37 - August 22, 2009 - Listen Now: http://www.owasp.org/download/jmanico/owasp_podcast_37.mp3 | Show Notes: /index.php/Podcast_37 - Interview with Jason Lam and Johannes Ullrich (SANS Institute)
36 - August 15, 2009 - Listen Now: http://www.owasp.org/download/jmanico/owasp_podcast_36.mp3 | Show Notes: /index.php/Podcast_36 - May 2009 News Commentary Recorded July 23 with Boaz Gelbord, Andre Gironda, Jason Lam, Jim Manico, Alex Smolen, Ben Tomhave, Andrew van der Stock and Jeff Williams (part 2)
35 - August 4, 2009 - Listen Now: http://www.owasp.org/download/jmanico/owasp_podcast_35.mp3 | Show Notes: /index.php/Podcast_35 - Interview with Anton Chuvakin, Ph.D (PCI)

Faster than a speeding bullet *winks*, the OWASP Podcast Series (http://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows) is bringing on 2 additional hosts, is spawning a Spanish AppSec podcast series, and will be releasing interviews from Andy Steingruebl (PayPal), David Rice (Geekonomics), and the DC AppSec crowd (Acronyms) in September.

Ken, please forgive me for ignoring your advice to slow down. ;D

Aloha to all of SC-L and thank you for listening.

--
Jim Manico
jim.man...@aspectsecurity.com
jim.man...@owasp.org
[SC-L] OWASP Podcast Series Update
Hello SC-L,

We've been rather busy at the OWASP Podcast Series lately! Since June 1st the OWASP Podcast Team has released 9 Podcasts! Please take a look at our show list at http://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows

Recent featured Podcasts include:

1. An interview with Mark Curphey, the founder of the OWASP Project and currently the director of the security tools team at Microsoft. http://www.owasp.org/download/jmanico/owasp_podcast_31.mp3
2. Billy Hoffman and Matt Wood, the HP WebAppSec research team http://www.owasp.org/download/jmanico/owasp_podcast_30.mp3
3. An interview with Ross Anderson from OWASP EU Poland (Matt Tesauro is the interviewer) http://www.owasp.org/download/jmanico/owasp_podcast_28.mp3

Other excellent interviews this month include Rafal Los (http://www.owasp.org/download/jmanico/owasp_podcast_28.mp3) and Justin Clarke (http://www.owasp.org/download/jmanico/owasp_podcast_29.mp3).

Our audience has exploded; it's really an honor and a pleasure to produce this podcast series. We will be slowing down in August to give everyone a chance to catch up, but will surely kick it back in gear in September as additional OWASP volunteers (http://www.owasp.org/index.php/OWASP_Podcast#tab=Latest_Shows) join the team.

Much Aloha,
Jim Manico
OWASP Podcast Series Host