[SC-L] OWASP iGoat 1.2 released

2012-03-30 Thread Kenneth Van Wyk
Greetings SC-L folks,

I thought some of you might find our project announcement (below) interesting. 
If you're an iOS developer or know any iOS developers, I'd like to encourage 
you to check out the OWASP iGoat project. It's modeled after its namesake, 
WebGoat, and is intended to be a tool for iOS developers to learn about the 
major security pitfalls when developing on iOS.


FYI, we released iGoat version 1.2 yesterday. The primary change over 1.1 is 
the addition of a new keychain exercise, contributed by a newcomer to the team, 
Mansi Sheth.

Thanks Mansi and Sean for pulling this together.

It's great to see some external participation on the project, of course. We'd 
love to see more -- any time!

Cheers,

Ken van Wyk
iGoat Project Leader

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
___


[SC-L] ANNOUNCEMENT: SecAppDev 2012, Leuven, Belgium

2011-12-22 Thread Kenneth Van Wyk
We are pleased to announce SecAppDev 2012, an intensive one-week
course in secure application development. The course is organized by
secappdev.org, a non-profit organization that aims to broaden security
awareness in the development community and advance secure software
engineering practices. The course is a joint initiative with K.U.
Leuven and Solvay Brussels School of Economics and Management.

SecAppDev 2012 is the 8th edition of our widely acclaimed course, 
attended by an international audience from a broad range of industries
including financial services, telecom, consumer electronics and media
and taught by leading software security experts including

+ Prof. dr. ir. Bart Preneel who heads COSIC, the renowned crypto lab.
+ Ken van Wyk, co-founder of the CERT Coordination Center and widely
  acclaimed author and lecturer.
+ Dr. Steven Murdoch of the University of Cambridge Computer 
  Laboratory's security group, well known for his research in
  anonymity and banking system security.
+ Jim Manico, founder, producer and host of the OWASP Podcast Series.

When we ran our first annual course in 2005, emphasis was on awareness
and security basics, but as the field matured and a thriving security
training market developed, we felt it was not appropriate to compete
as a non-profit organization. Our focus has hence shifted to providing
a platform for leading-edge and experimental material from thought
leaders in academia and industry. We look toward academics to provide
research results that are ready to break into the mainstream and 
attract people with an industrial background to try out new content
and formats.

We cover a wide range of facets of secure software engineering
including

+ threat modeling
+ architecture
+ design
+ coding
+ testing
+ cryptography
+ web applications
+ mobile applications
+ economic/business aspects

The course takes place from March 5th to 9th in the Irish College,
Leuven, Belgium.

For more information visit the web site: http://secappdev.org.

Places are limited, so do not delay registering to avoid 
disappointment. Registration is on a first-come, first-served basis.
A 25% discount is available for Early Bird registration until January
15th. Public servants and independents receive a 50% discount.

I hope that we will be able to welcome you or your colleagues to our
course.

Cheers,

Ken van Wyk (and the rest of the SecAppDev organizers)


P.S. I apologize if you have already received this announcement via
another channel. If you do not wish to receive future secappdev.org
announcements, please unsubscribe by replying to this email.



[SC-L] Announcing the first Mobile App Sec Triathlon, 2-4 Nov 2011, San Jose, CA

2011-08-29 Thread Kenneth Van Wyk
Greetings SC-L,

I'll keep this announcement real short...

Gunnar Peterson and I are teaming up to present our Mobile App Sec Triathlon -- 
3 days of training, heavily laden with hands-on exercises -- to San Jose, 
California on 2-4 November 2011. Details available at: 
http://mobileappsectriathlon.com, or email us for more info.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

We're on Facebook now at: http://facebook.com/KRvW.Associates


[SC-L] ANNOUNCING: OWASP iGoat initial public release, version 1.0

2011-06-16 Thread Kenneth Van Wyk
Greetings all.

Yesterday, we put out the first public release of the OWASP iGoat project. This 
message is a brief description and call for participants in the project.


Background

The iGoat tool is a learning tool, primarily meant for iOS developers (but also 
useful to IT security practitioners, security architects, and others who simply 
want to learn about iOS security). It takes its name and inspiration from the 
venerable OWASP WebGoat tool. 

Like WebGoat, iGoat users explore a number of security weaknesses in iOS by 
exploiting them first. Then, once each weakness has been explored, the iGoat 
user must implement a remediation to protect against each weakness and validate 
that the remediation was successful--similar to the WebGoat Developer Edition.

Hints and other background information are provided, right down to commented 
solutions in the source code, so that developers can use iGoat as a self-study 
learning tool to explore and understand iOS weaknesses and how to avoid them.

Further, the iGoat platform was specifically designed and built to be as easily 
extensible as possible, so that new exercises can be easily built and 
integrated over time.

iGoat was sponsored and initially developed by KRvW Associates, LLC 
(www.krvw.com), and is being released under GPLv3 licensing to the community.



Status

With the first public release, we've included several initial exercises and 
exercise categories. These include such well known topics as SQL Injection, 
secure communications, etc. We plan to further integrate another handful of 
exercises in the short term, as well as make several improvements to the user 
interface.

In the short term, we'll also be adding more documentation in the form of HOWTO 
documents that will cover how to install and use iGoat, as well as how to add 
new exercises to it.

No doubt, further improvements will quickly surface as the community starts 
using the tool...


Project Site

iGoat can be found at: https://www.owasp.org/index.php/OWASP_iGoat_Project

All releases and source code are on Google Code. See the project home page 
above for further details.



Call for Participation

The iGoat team would like to invite anyone interested to participate and 
contribute to iGoat's further development. Please contact the project leader, 
Ken van Wyk (k...@krvw.com) if you wish to contribute to the project.



Mailing List

An open, unmoderated forum has been set up for the iGoat project. To subscribe, 
see https://lists.owasp.org/mailman/listinfo/owasp-igoat-project



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] OPINION column re mobile security

2011-06-01 Thread Kenneth Van Wyk
Greetings SC-L,

It occurred to me that I neglected to send a pointer here to my latest 
Computerworld column. The general topic is mobile device security, but more to 
the point, it's about trying to do (security) things differently in the mobile 
world, so we don't have to re-live all our mistakes of the past. Let's at least 
find some _new_ mistakes... ;-)

http://www.computerworld.com/s/article/9216996/Kenneth_van_Wyk_Mobile_security_isn_t_going_to_just_happen

Cheers,

Ken van Wyk
SC-L Moderator



[SC-L] SC-L Administrative FAQ

2011-03-23 Thread Kenneth Van Wyk
Greetings SC-L Subscribers,

I'm in an airport lounge on the other side of the planet (from my home), and I 
thought I'd take a few moments to jot down some answers to SC-L administrative 
issues that come up from time to time here on SC-L. I hope you find them 
helpful.

I try to keep the administrative traffic here to a bare minimum, so you don't 
often hear from me. But I do moderate and approve every single posting that 
goes to the list, so I'm always actively involved here. And I deal with quite a 
fair share of administrative issues. So, I thought it would be worth taking a 
few minutes and recording some of the things that people ask me from time to 
time.

Your feedback is always appreciated. Please contact me at ken _at_ krvw.com if 
you have any questions or issues re SC-L.

Cheers,

Ken van Wyk
SC-L Moderator

===

SC-L Administrative FAQ



Q: What is SC-L?

A: SC-L is a moderated mailing list whose mission is to further the state of 
the practice of developing secure software, by providing a free and open, 
objectively moderated, forum for the discussion of issues related to secure 
coding practices throughout a software development lifecycle process (including 
architecture, requirements and specifications, design, implementation, 
deployment, and operations). 

---

Q: Who runs SC-L?

A: I do. I'm Ken van Wyk, and I run the list as a free, non-commercial service 
to the software security community. If you have questions/issues, you can 
contact me at ken _at_ krvw.com.



Q: How do I subscribe to the list?

A: The URL for the Mailman interface to subscribe or unsubscribe is 
http://www.krvw.com/mailman/listinfo/sc-l



Q: What sort of things are allowed and not allowed on SC-L?

A: Basically, my primary rule is civility. You can agree or disagree with 
others to your heart's content, but keep a civil tone and you're likely to have 
your submissions approved. For more details on what I allow and don't allow on 
the list, see the list charter at: http://www.securecoding.org/list/charter.php



Q: How about job postings?

A: So long as they're tasteful and not shotgunned to the list frequently, I'm 
happy to accept the occasional job posting from people within the software 
security community.



Q: Announcements about conferences and training events?

A: Similar to my policy re job postings, I'll accept them if they're not overly 
commercial and if they're occasional. This goes for commercial as well as 
non-commercial events.



Q: Advertisements?

A: No. I do not accept advertisements on SC-L. There are more than plenty 
places on the net to advertise your products and services; just not here.



Q: The moderator has rejected my posting, and I believe the decision was 
unfair. What is my recourse?

A: Well, this isn't a democracy... But, if you feel your submission should have 
been approved, email me and state your case. I'm a reasonable man and I'm 
willing to hear you out -- and admit when I'm wrong.



Q: There seems to be a LOT of traffic from a small vocal minority here. What's 
up with that?

A: The group is what the group makes of it. If you want to see more diverse 
traffic here, post it. I don't take a position on who may and may not submit 
to the list. If you're subscribed and your posting conforms to my guidelines, 
then I'll most likely approve your posting.



Q: I'm a subscriber to SC-L, and I submitted a message to the list, but it 
never showed up and I never got any notification. Did the moderator ignore me? 
Why?

A: Perhaps you submitted your email using an email address that isn't itself 
subscribed? To reduce the spams that show up in my inbox, I have configured 
SC-L to discard (without notification) any submissions from email addresses 
that are not subscribed to the list. So, if you subscribed from (say) your 
personal address but are posting from your work address, your submission would 
get discarded.



Q: But I use multiple email addresses regularly. What can I do so I can submit 
from any of them without getting duplicate copies of SC-L in all my inboxes?

A: That's easy to do. Just contact me off-list (ken _at_ krvw.com) and tell me 
which of your email addresses you want to submit from. I can "subscribe" them 
to the list but have them not get duplicate copies of the list traffic. No 
problem.


[SC-L] CERT/CC Blog: Announcing the CERT Basic Fuzzing Framework 2.0

2011-03-01 Thread Kenneth Van Wyk
FYI, new version of Basic Fuzzing Framework released by CERT/CC.

http://www.cert.org/blogs/certcc/2011/02/cert_basic_fuzzing_framework_b.html



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] New Safecode doc released

2011-02-08 Thread Kenneth Van Wyk
Greets all.  FYI:

"SAFECode has released, “Fundamental Practices for Secure Software Development 
2nd Edition: A Guide to the Most Effective Secure Development Practices in Use 
Today.” The report is intended to help others in the industry initiate or 
improve their own software security programs and encourage the industry-wide 
adoption of fundamental secure development methods. "

Doc can be found at: 
http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf
 
Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] ISO/IEC 27034 application security guideline

2010-10-21 Thread Kenneth Van Wyk
Greetings SC-L folks,

I don't participate in standards bodies, so I'm not very familiar with their 
inner workings and such.  However, a colleague has pointed me to an ISO 
standard under development that will describe an application security 
development process.

I visited the site (http://www.iso27001security.com/html/27034.html) and didn't 
find much in the way of documentation, other than a list of really ambitious 
plans for the future.

So my question here is this: anyone here involved in this standards effort?  If 
so, would you mind sharing with us a high level overview of where they are in 
their efforts and when the world is likely to start seeing output from the 
effort?

Much appreciated.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] Apple's iOS app review guidelines

2010-09-09 Thread Kenneth Van Wyk
Greetings SC-L,

I read the news this morning with a lot of hope -- that Apple has finally 
published their app review guidelines for iOS app developers.  But then I read 
the document.

For starters, I did a quick grep for: security, secure, crypt, safe.  Nothing.  
Nada.

The document is essentially a big long black list of what things not to do.  
There seems to be nothing in the way of prescriptive guidance on what TO do.

Not inspiring...  :-\  I was really hoping Apple would take this opportunity to 
include some actionable security guidance, but that wasn't the case.  Of 
course, they did say that they don't want any more "Fart apps"...  Great.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] Building Real Software: Has Static Analysis reached its limits?

2010-08-20 Thread Kenneth Van Wyk
FYI, nice write-up on the Fortify acquisition as well as the static code 
analysis space here:

http://swreflections.blogspot.com/2010/08/has-static-analysis-reached-its-limits.html



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] Computerworld: Opinion - Making apps secure is hard work

2010-08-12 Thread Kenneth Van Wyk
I figured this was relevant here, so here's a link to my August column for 
Computerworld.

Excerpt:

'What's that you say? All the app vetting you've been doing to date consists 
only of verifying that the apps play by the rules? That is, that they use only 
published APIs and such? Well, then, you really have your work cut out for you, 
because that's not all that your customers expect.'

To read the complete article see:
http://www.computerworld.com/s/article/9180579/Making_apps_safe_is_hard_work?taxonomyId=17


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



Re: [SC-L] Static code review for iPhone developers?

2010-07-29 Thread Kenneth Van Wyk
On Jul 29, 2010, at 10:41 AM, Kenneth Van Wyk wrote:
> Anyone know of any static code analysis tools that can scan an iPhone app 
> package?  Something that integrates with the Xcode SDK and can at the very 
> least scan through all of the Objective C in the src tree is what I'm looking 
> for.  Any SCA product vendors currently doing this?  Please contact me on or 
> off list.

Thanks to all who responded.  Great suggestions.

Most focused on the (now) built-in Clang analysis engine (and front-end for 
LLVM ) that Dan Cornell cited here.  
(http://developer.apple.com/mac/library/featuredarticles/StaticAnalysis/index.html)

Clang looks like a useful starting point, as it looks for all sorts of common 
mistakes found in the C family, including C++ and Objective C.  Memory leaks, 
uninitialized variables, type mismatches, and that sort of thing should be 
pretty easy to spot using Clang.

I'm hoping also for something that goes beyond that.  How about analysis of 
static code for use of secure network connections, session management (for 
client-server apps), protection of sensitive data (at rest and in transit), and 
that sort of thing.  These are relatively language-agnostic needs, but would be 
extremely useful in a static analysis tool, IMHO.

I'll bet the folks who coded the Citi banking app could have made good use of 
something like that...  :-\

In any case, thanks again for all the responses.  Speaks volumes for the 
quality of folks we have here in the SC-L community.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates
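An added example from the editor, not code from this thread, from Clang, or from any vendor's product: a small pattern-based pass over Objective-C source that looks for the language-agnostic, security-specific mistakes Ken says he wants beyond what Clang's analyzer reports (plaintext transport, disabled certificate validation, over-permissive keychain storage). The rule names and the sample source are constructed for the example; the API identifiers the rules match (NSURL URLWithString:, the private setAllowsAnyHTTPSCertificate:forHost:, kSecAttrAccessibleAlways, credentialForTrust:) are real iOS APIs.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # rule identifier
    line: int      # 1-based line number in the scanned source
    message: str   # why the line was flagged
    text: str      # the offending source line, stripped


# Hypothetical rule set for this example. Each rule is a regex applied to one
# line of Objective-C source plus a short explanation. The identifiers matched
# are real iOS/Foundation/Security.framework APIs; the rule names are made up here.
RULES = [
    ("plaintext-http",
     re.compile(r'@"http://'),
     "URL literal uses plaintext HTTP; data in transit is not protected"),
    ("tls-validation-disabled",
     re.compile(r'setAllowsAnyHTTPSCertificate:\s*YES'),
     "private API disables server certificate validation"),
    ("keychain-always-accessible",
     re.compile(r'kSecAttrAccessibleAlways'),
     "keychain item readable even while the device is locked"),
    ("trust-accepted-for-review",
     re.compile(r'credentialForTrust:'),
     "server trust accepted in code; confirm SecTrustEvaluate ran first"),
]


def scan_source(source: str) -> list[Finding]:
    """Run every rule over every non-comment line and collect findings."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("//"):
            continue  # skip line comments so commented-out code is not flagged
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append(Finding(rule_id, lineno, message, line))
    return findings


# Constructed sample source for the example (not taken from iGoat or any real app).
SAMPLE_OBJC = """\
// login.m (constructed sample)
NSURL *url = [NSURL URLWithString:@"http://api.example.com/login"];
NSMutableURLRequest *req = [NSMutableURLRequest requestWithURL:url];
[NSURLRequest setAllowsAnyHTTPSCertificate:YES forHost:[url host]];
NSDictionary *item = @{ (__bridge id)kSecClass: (__bridge id)kSecClassGenericPassword,
                        (__bridge id)kSecAttrAccessible: (__bridge id)kSecAttrAccessibleAlways,
                        (__bridge id)kSecValueData: tokenData };
SecItemAdd((__bridge CFDictionaryRef)item, NULL);
NSURL *profile = [NSURL URLWithString:@"https://api.example.com/profile"];
"""


def scan_sample() -> list[Finding]:
    """Scan the constructed sample; returns three findings (lines 2, 4 and 6)."""
    return scan_source(SAMPLE_OBJC)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line}: [{f.rule}] {f.message}\n    {f.text}")
```

Running it flags the plaintext login URL, the disabled certificate check and the always-accessible keychain item, and leaves the https:// line alone. The point of the example is the category of check, not the implementation: these are textual heuristics with no data flow, so they miss a URL built at runtime and would need a proper analyzer (Clang or otherwise) behind them to reason about where a sensitive value actually ends up.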



[SC-L] Static code review for iPhone developers?

2010-07-29 Thread Kenneth Van Wyk
Greetings SC-L folks.  Hey, I have a quick question I'd like to submit to this 
group.

Anyone know of any static code analysis tools that can scan an iPhone app 
package?  Something that integrates with the Xcode SDK and can at the very 
least scan through all of the Objective C in the src tree is what I'm looking 
for.  Any SCA product vendors currently doing this?  Please contact me on or 
off list.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] Vulnerability Analysis Blog: CERT Basic Fuzzing Framework

2010-05-28 Thread Kenneth Van Wyk
New fuzzing framework released from the folks up at CMU, FYI.

https://www.cert.org/blogs/vuls/2010/05/cert_basic_fuzzing_framework.html 


Aloha,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] Web Application Exploits and Defenses

2010-05-05 Thread Kenneth Van Wyk
The folks at Google have released some web app training, along with a 
vulnerable web app sandbox to play in.  The tool is called Jarlsberg.  Anyone 
here take a look at it yet, and have an opinion about it?

The description (see below) sounds kinda sorta like OWASP's WebGoat, except 
that the vulnerable app itself is written in Python.  Oh, and the app is 
available on the web, as well as in source code (under Creative Commons).

http://jarlsberg.appspot.com/ 

There's also an instructor's guide available at:

http://code.google.com/edu/submissions/jarlsberg/Jarlsberg_Instructor_Guide.pdf


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

Follow us on Twitter at: http://twitter.com/KRvW_Associates



[SC-L] The International Secure Systems Development Conference

2010-03-29 Thread Kenneth Van Wyk
I saw this event announcement today and thought some SC-L folks might find it 
of interest, FYI.

"The International Secure Systems Development Conference addresses the key 
issues around designing-in security for standard and web-based software and 
systems, both in terms of developing new applications securely and also in 
adding security to legacy applications. The aim of the event is to help change 
the balance away from a repeated and ever more costly focus on securing ever 
more insecure infrastructures, to one which focuses on the creation of 
inherently secure systems through the introduction of verifiable, secure 
development methodologies and coherent security architectures."

http://www.issdconference.com/ 


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



[SC-L] Expert in Application Security — ENISA

2010-03-17 Thread Kenneth Van Wyk
FYI, the European Network and Information Security Agency (ENISA) is looking 
for an application security expert.  See link below:

http://www.enisa.europa.eu/about-enisa/recruitment/vacancies/expert-in-application-security
 


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



[SC-L] Thread is dead -- Re: BSIMM update (informIT)

2010-02-04 Thread Kenneth Van Wyk
OK, so this thread has heated up substantially and is on the verge of flare-up.
So, I'm declaring the thread to be dead and expunging the extant queue.

If anyone has any civil and value-added points to add, feel free to submit 
them, of course.  As always, I encourage free and open debate here, so long as 
it remains civil and on topic.

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator



Re: [SC-L] BSIMM update (informIT)

2010-02-03 Thread Kenneth Van Wyk
On Jan 28, 2010, at 10:34 AM, Gary McGraw wrote:
> Among other things, David and I discussed the difference between descriptive 
> models like BSIMM and prescriptive models which purport to tell you what you 
> should do. 

Thought I'd chime in on this a bit, FWIW...  From my perspective, I welcome 
BSIMM and I welcome SAMM.  I don't see it in the least as a "one or the other" 
debate.

A decade(ish) since the first texts on various aspects of software security 
started appearing, it's great to have a BSIMM that surveys some of the largest 
software groups on the planet to see what they're doing.  What actually works.  
That's fabulously useful.  On the other hand, it is possible that ten thousand 
lemmings can be wrong.  Following the herd isn't always what's best.

SAMM, by contrast, was written by some bright, motivated folks, and provides us 
all with a set of targets to aspire to.  Some will work, and some won't, 
without a doubt.

To me, both models are useful as guide posts to help a software group--an SSG 
if you will--decide what practices will work best in their enterprise.

But as useful as both SAMM and BSIMM are, I think we're all fooling ourselves 
if we consider these to be standards or even maturity models.  Any other 
engineering discipline on the planet would laugh us all out of the room by the 
mere suggestion.  There's value to them, don't get me wrong.  But we're still 
in the larval mode of building an engineering discipline here folks.  After 
all, as a species, we didn't start (successfully) building bridges in a decade.

For now, my suggestion is to read up, try things that seem reasonable, and 
build a set of practices that work for _you_.  

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com





[SC-L] 2010 bug hits millions of Germans | World news | The Guardian

2010-01-07 Thread Kenneth Van Wyk
FYI, below is a link to an article with some additional impact details of the 
"2010 bug" that's been cropping up in various places.  Still no light being 
shed on the actual programming error, though.  I think it would make a 
fascinating case study, or at least discussion, here.

http://www.guardian.co.uk/world/2010/jan/06/2010-bug-millions-germans 


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

(This email is digitally signed with a free x.509 certificate from CAcert. If 
you're unable to verify the signature, try getting their root CA certificate at 
http://www.cacert.org -- for free.)









[SC-L] FT.com / UK - 'Year 2010' software glitch hits German bank cards

2010-01-06 Thread Kenneth Van Wyk
Greetings SC-L,

There have been several reports in the last few days of various devices being 
hit with a so-called "year 2010" software glitch.  Several bank ATMs, mobile 
devices, etc., have reportedly been hit.  Below is a link to one such story.

My question for SC-L is: anyone here aware of the actual underlying software 
problems willing to share?  Source examples would be most appreciated.

http://www.ft.com/cms/s/0/00da0e24-fa63-11de-beed-00144feab49a.html?nclick_check=1
 


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator





[SC-L] Ramesh Nagappan Blog : Java EE 6: Web Application Security made simple ! | Core Security Patterns Weblog

2010-01-05 Thread Kenneth Van Wyk
Happy new year SC-Lers.

FYI, interesting blog post on some of the new security features in Java EE 6, 
by Ramesh Nagappan.  Worth reading for all you Java folk, IMHO.

http://www.coresecuritypatterns.com/blogs/?p=1622 


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator





Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-13 Thread Kenneth Van Wyk
On Nov 10, 2009, at 6:27 AM, Kenneth Van Wyk wrote:
> In any case, I'm not sure of the lay of the land at the conference site, but 
> I'm betting there's a bar in or near the site.  Let's plan on meeting up 
> there immediately following the day's sessions on Thursday.  As soon as I can 
> pinpoint the actual bar name/location, I'll post it here.

OK, so I did fail at getting the word out--sorry.  However, it was nice to see 
at least a few SC-Lers notice the sponsored cocktail hour on the conference 
agenda.  Great to meet some of you face to face.  And thanks to Cenzic for 
hosting the cocktail hour, by the way.

For those of you who weren't there, if you work with web apps at all, you 
really ought to put OWASP on your radar.  Great community of people, and these 
events are a fabulous time to chat with some of the brightest software security 
people on the planet.  Thanks, OWASP!

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com





Re: [SC-L] tweetup Thurs PM for AppSec DC?

2009-11-10 Thread Kenneth Van Wyk

On Nov 9, 2009, at 9:27 AM, Benjamin Tomhave wrote:
> Just a quick note, for those coming into DC for AppSec DC, rumor has it
> that a social gathering is brewing for Thurs PM. Let's hope so as I'd
> love to put faces with names! :) If I hear details, I'll be sure to pass
> along (feel free to ping me or reply with the 411)


Well, I got a few responses to my note about meeting up there  
(although I doubt I'd ever use the word "tweetup" except in the  
context of saying I wouldn't use it...).  :-)


In any case, I'm not sure of the lay of the land at the conference  
site, but I'm betting there's a bar in or near the site.  Let's plan  
on meeting up there immediately following the day's sessions on  
Thursday.  As soon as I can pinpoint the actual bar name/location,  
I'll post it here.


Hope to see some SC-L folks there.

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator





[SC-L] Microsoft releases security guidelines for Agile - agile, Microsoft, security, software development - CIO

2009-11-10 Thread Kenneth Van Wyk
Hey, now you agile folks can't any longer feel left out by the various  
security development processes that bypass you:


http://www.cio.com.au/article/325501/microsoft_releases_security_guidelines_agile?eid=-1050

On a somewhat related note, a client of mine referred to their process  
recently as "scrummerfall"...  That certainly drew a few laughs.



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



[SC-L] OWASP AppSec DC this coming week!

2009-11-07 Thread Kenneth Van Wyk

Greetings SC-Lers,

This next week is OWASP's AppSec DC conference.  I imagine quite a few  
SC-L subscribers will be there.  I'll only be there one day (Thurs)  
due to a client engagement, but I hope to see a few SC-L friends  
there.  If you're in town and care to meet up for a chat/beer (after  
my session...), just drop me a line.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator





[SC-L] Automatic Generation of Control Flow Hijacking, Exploits for Software Vulnerabilities

2009-09-28 Thread Kenneth Van Wyk

Hi SC-L,

I figured the referenced dissertation below would be of some interest  
here.  Interesting reading, IMHO.


Cheers,

Ken van Wyk

Begin forwarded message:

From: Ian Cook 
Date: September 27, 2009 5:06:51 AM EDT
Subject: [1st NEWS] [DNB] Automatic Generation of Control Flow Hijacking
Exploits for Software Vulnerabilities


Title: Automatic Generation of Control Flow Hijacking
Exploits for Software Vulnerabilities
Author: Sean Heelan
Source: University of Oxford
Date Published: 3rd September 2009

Excerpt:

'

Software bugs that result in memory corruption are a common and
dangerous feature of systems developed in certain programming
languages. Such bugs are security vulnerabilities if they can be
leveraged by an attacker to trigger the execution of malicious code.
Determining if such a possibility exists is a time consuming process
and requires technical expertise in a number of areas. Often the
only way to be sure that a bug is in fact exploitable by an attacker
is to build a complete exploit. It is this process that we seek to
automate.

We present a novel algorithm that integrates data-flow analysis and
a decision procedure with the aim of automatically building
exploits. The exploits we generate are constructed to hijack the
control flow of an application and redirect it to malicious code.
Our algorithm is designed to build exploits for three common classes
of security vulnerability; stack-based buffer overflows that corrupt
a stored instruction pointer, buffer overflows that corrupt a
function pointer, and buffer overflows that corrupt the destination
address used by instructions that write to memory. For these
vulnerability classes we present a system capable of generating
functional exploits in the presence of complex arithmetic
modification of inputs and arbitrary constraints. Exploits are
generated using dynamic data-flow analysis in combination with a
decision procedure. To the best of our knowledge the resulting
implementation is the first to demonstrate exploit generation using
such techniques. We illustrate its effectiveness on a number
of benchmarks including a vulnerability in a large, real-world
server application..'

To read the complete article see:
http://seanhn.files.wordpress.com/2009/09/thesis1.pdf

_

Ian Cook
Security Evangelist
Team Cymru
www.cymru.com/contact.html

'To communicate simply you must understand profoundly'






[SC-L] Another WAF in town

2009-09-24 Thread Kenneth Van Wyk

FYI, some activity in the open source WAF space:

http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=220100630

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator





[SC-L] Unicode Security : Microsoft releases BinScope and MiniFuzz to the public

2009-09-16 Thread Kenneth Van Wyk
FYI, a couple of interesting developments in the software security  
tool space:


http://www.lookout.net/2009/09/16/microsoft-releases-binscope-and-minifuzz-to-the-public/

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
SC-L Moderator





Re: [SC-L] Where Does Secure Coding Belong In the Curriculum?

2009-08-26 Thread Kenneth Van Wyk

On Aug 25, 2009, at 8:16 PM, Olin Sibert wrote:
> Exploits are FUN.


I agree, at least to a point.  Whenever I work exploits into my  
workshops, the results are right on the mark.  So long as the exploits  
are balanced with just the right amount of remediations, it works great.


The key is to hook the students with the exploits, and then sprinkle  
in a "now here's how to do it _right_" discussion while they're still  
paying attention.  ;-)


And FWIW, I've found OWASP's WebGoat to be phenomenally effective at  
doing just that.  There are other similar tools out there as well, but  
the point is to give the class a safe sandbox to play in.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



Re: [SC-L] What is the size of this list?

2009-08-19 Thread Kenneth Van Wyk

On Aug 18, 2009, at 2:21 PM, Arian J. Evans wrote:
> Jeremiah Grossman and I were both pondering the size of the SCL recently.
>
> Is the list size public?


It's not public per se, but only in the sense that the number isn't  
directly available--unless you ask for it.


The list has pretty consistently hovered around 1000 subscribers since  
pretty shortly after I launched it in late 2003.



> I am curious why I don't see many new names on SC-L. Lots of lurkers?


We do seem to have a high percentage of lurkers, but I always like to  
encourage newcomers as well as new active participants.  I do my best  
to keep my moderating light, and I welcome all perspectives and  
opinions on the topics we discuss here.


My primary moderating criteria are ensuring submissions are relevant  
to the list charter and keep a civil tone.  Beyond that, everyone on  
the list is largely free to say/discuss whatever suits.


Plain and simple: the list is what the members make of it.


> btw// SCL has always been a great place for academic and
> progressive-minded folks to talk about state of the art, and future
> ideas for secure coding. I have always recommended it to developers
> looking for new places to learn as a "best and brightest" haunt. So
> thanks for running it guys,


Thanks.  I've consistently found over the years that efforts like this  
are worth the effort in a myriad of ways, and it's something that I  
gladly take on.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com





Re: [SC-L] Static Vs. Binary

2009-07-30 Thread Kenneth Van Wyk

On Jul 30, 2009, at 10:57 PM, Pravir Chandra wrote:
> First, I generally agree that there are many factors that make the
> true and factual fidelity of static analysis really REALLY difficult.


All good points, to be sure.

I'm a pragmatist, perhaps at times to a fault.  Let's not overlook in  
this debate the perspective of the practitioner.  Often, analysis of  
"binaries" (and I'm including here bytecode of various types), is done  
because the practitioner lacks access to the src (e.g., third party  
libraries and such).  I expect that anyone analyzing a system would at  
least _want_ to analyze the src code if it is available.  That is,  
among the various things one would want to look at, including dynamic  
analysis of binaries.


I'm sure this is all glaringly obvious, but what the heck.

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



[SC-L] CERIAS : Beware SQL injections due to missing prepared statement support

2009-07-30 Thread Kenneth Van Wyk

Here's one for the daily UGH!

Great points raised by Pascal Meunier (see below) about poorly  
implemented language support for Prepared Statement SQL calls.  In  
particular, Python's pyPGSQL actually takes its prepared statement and  
translates internally to an old-style concatenated string query,  
thereby opening itself up to various SQL injection vulnerabilities.


http://www.cerias.purdue.edu/site/blog/post/beware_sql_injections_due_to_missing_prepared_statement_support/#When:16:32:23Z


Interesting article, Pascal.  Thanks!

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com

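The failure mode Ken describes above, shown as an added example; this code is not from the post, the CERIAS article, or pyPGSQL. It uses Python's standard-library sqlite3 module so it runs offline. The users table and its two rows are constructed sample data, and `emulated_prepared` is a hypothetical stand-in for a driver that accepts a placeholder API but splices the quoted value into the SQL text internally; it is not pyPGSQL's actual code. The point is that a driver which does this gives you the syntax of a prepared statement without its property: data still reaches the SQL parser. A name with a plain apostrophe is enough to show the difference.

```python
"""Emulated vs. real prepared statements (added example, not from the post).

Uses the standard-library sqlite3 module so it runs offline; the table and
rows below are constructed sample data.
"""
import sqlite3

# Constructed sample rows; the second name contains a legitimate apostrophe.
SAMPLE_USERS = [("alice", "alice@example.org"), ("O'Reilly", "tim@example.org")]


def _fresh_db():
    """Build a throwaway in-memory database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def emulated_prepared(conn, name):
    """Hypothetical driver shim that fakes binding by splicing the quoted
    value into the SQL text. This mirrors the failure mode the post attributes
    to pyPGSQL: the caller sees a placeholder API, the database engine sees a
    concatenated string, so any quote character in the data becomes syntax."""
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def bound_prepared(conn, name):
    """Real parameter binding: the SQL text is fixed and the value travels
    separately, so the engine never parses it as SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup(name, use_binding=True):
    """Look up the emails recorded for a name.

    Returns the list of matching emails, or None when the database rejected
    the statement as malformed SQL, which only happens when the value was
    spliced into the query text."""
    conn = _fresh_db()
    try:
        query = bound_prepared if use_binding else emulated_prepared
        return query(conn, name)
    except sqlite3.OperationalError:
        return None
    finally:
        conn.close()


def binding_is_real(query_fn):
    """Smoke test for a driver's placeholder API: if a value containing a
    quote makes the statement fail or changes the result, the "binding" is
    string splicing and must not be relied on for untrusted input."""
    conn = _fresh_db()
    try:
        try:
            rows = query_fn(conn, "O'Reilly")
        except sqlite3.OperationalError:
            return False
        return rows == ["tim@example.org"]
    finally:
        conn.close()


if __name__ == "__main__":
    print(lookup("alice", use_binding=False))     # ['alice@example.org']
    print(lookup("O'Reilly", use_binding=False))  # None: the spliced quote broke the SQL
    print(lookup("O'Reilly"))                     # ['tim@example.org']
    print(binding_is_real(emulated_prepared))     # False
    print(binding_is_real(bound_prepared))        # True
```

`binding_is_real` is the kind of check worth keeping in a project's test suite when a database driver is swapped or upgraded: it catches a placeholder API that is really concatenation. It is a smoke test rather than proof, since a driver that escapes quotes correctly before concatenating would pass it; reading the driver's source, or checking the server's query log where the DBMS records prepared statements separately from their parameters, is the definitive way to confirm that binding happens on the wire.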


Re: [SC-L] Source or Binary

2009-07-29 Thread Kenneth Van Wyk

On Jul 29, 2009, at 4:17 PM, Brad Andrews wrote:
> Realizing that java "binaries" hold a lot more is a mental shift
> that probably must be actively kept in mind.  Those with only Java
> experience may think it is obvious, but how many developers did not
> start with Java and have not purged this concept from their mind.


Fair enough, but understand too that a Java class file (like those in  
a typical jar file, which is just a fancy word for ZIP format) can be  
trivially decompiled into quite legible Java source.  Numerous open  
source Java decompilers (e.g., Jode, Jad) exist that make this  
extremely easy.


And FWIW, that's exactly how the Etisalat Blackberry software "update"  
was analyzed and proven to contain spyware last week.


Note that there are many options for distributing these trivially  
decompiled class files...


Cheers,

Ken van Wyk






[SC-L] IBM Acquires Ounce Labs, Inc.

2009-07-28 Thread Kenneth Van Wyk
Wow, big acquisition news in the static code analysis space announced  
today:


http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/07-28-2009/0005067166&EDATE=


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



[SC-L] Usability News - Why Security and Usability don't go hand in hand

2009-06-03 Thread Kenneth Van Wyk

FYI, a short but interesting read on usability vs. security in software.

http://www.usabilitynews.com/news/article5692.asp


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



Re: [SC-L] Cigital news (European market)

2009-05-19 Thread Kenneth Van Wyk

On May 20, 2009, at 12:34 AM, Gary McGraw wrote:
> We believe that the European software security market is 2-3 years
> behind the US market, but poised for rapid growth that will align it
> with the US market in a much shorter period.  From what I can tell,
> the European market is 14-20% the size of the US market.



My experience there tells me that's an over-simplification of the  
situation.


On one hand, some of the OWASP chapter meetings I've gone to in Europe  
have been as well or even better attended than their counterparts I've  
gone to in the US -- primarily in the DC metro area.  And not just in  
terms of quantity.  Many of the folks I've spoken with and worked with  
have been in many cases as well or even better clued than their US  
counterparts.  So there's clearly an eagerness and awareness among the  
practitioners and academics, which is good.


European enterprises, on the other hand, tend to be quite conservative  
in taking to new practices.  They want to see clear justifications  
before diving in.


But I just don't get the feeling that they're trying in any way to  
"align themselves with the US market".  They'll do their own thing in  
their own time, which is as it should be.


From my own little "nanocosm" perspective, I continue to see the bulk  
of my consulting engagements coming out of Europe and Southeast Asia.   
I've found both markets to be quite receptive to software security  
efforts for the past several years.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com



[SC-L] Application Security Starts in the Development Lifecycle

2009-04-28 Thread Kenneth Van Wyk
FYI, some eWeek coverage of application security and how it is being  
taken more seriously in the enterprise these days.  No big surprises  
for long-time SC-L folks, but still an interesting read from a fairly  
mainstream IT Security outlet.


http://www.eweek.com/c/a/Security/Application-Security-Starts-in-the-Development-Lifecycle-792076/?kc=rss


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] SAMM 1.0 Released! | OpenSAMM

2009-03-25 Thread Kenneth Van Wyk

Good news today from the Software Assurance Maturity Model (SAMM) group.

http://www.opensamm.org/2009/03/samm-10-released/

Their release says:

"The Beta release has been out for quite a while now (since August  
2008) and lots of organizations and individuals have provided  
excellent feedback to help improve the model. I’ve heard lots of  
stories from people using SAMM (some are consulting firms, and some  
are development organizations) and that feedback has been some of the  
most valuable. This release marks the official 1.0 version of SAMM and  
there’s a few new pieces added:


* Executive summary and introduction to the model
* Improved details on applying the model to solve problems
* Assessment worksheets for evaluating existing programs
* Roadmaps for financial services and government organizations
* Improvements and refinements to the model (I’ll cover changes  
individually in separate posts)


Many thanks to the individual reviewers and the organizations that  
have volunteered time to help improve SAMM. I look forward to more  
active participants as we push forward with some of the future  
development plans for SAMM."




Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] Rigged podcasts can leak your iTunes username/password | Zero Day | ZDNet.com

2009-03-12 Thread Kenneth Van Wyk

Hello SC-Lers,

I saw this blog and thought it may be of interest here:

http://blogs.zdnet.com/security/?p=2861

According to the blog, there's a design issue (read: flaw) in iTunes  
that can allow a maliciously formed podcast to cause a user to get  
prompted for a username/password -- to iTunes itself.  That dialog box  
can then be hijacked and the victim's credentials stolen.


What made it interesting to me was a couple things: first, the cited  
advisory from Apple (http://support.apple.com/kb/HT3487) clearly says  
it's a design issue.  Tells me we're not likely to see a real fix for  
a while, IMHO.  Indeed, Apple's initial "fix" to this design issue is,  
"This update addresses the issue by clarifying the origin of the  
authentication request in the dialog."  That doesn't sound like much  
of a fix at all, and I'd expect a lot of users will still fall for the  
dialog box ruse.  Sigh...


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com









Re: [SC-L] Reality Check: EMC Eric Baize

2009-03-03 Thread Kenneth Van Wyk


On Mar 3, 2009, at 10:11 AM, Gary McGraw wrote:
> Our fearless leader Ken gave a nice presentation on software
> security methodologies yesterday at secappdev.  I wonder what he
> says about the Touchpoints when I'm not in the room?!



Thanks for the kind words.  What I say about the Touchpoints,  
Microsoft's SDL, or OWASP's CLASP remains the same whether you're in  
the room or not.  They all offer good points and bad points.  I tend  
to favor a hybrid approach that works well for me, which is what I  
always recommend to my customers.


More importantly, though, I am eager to update the message with what  
the companies who participated in the BSIMM are actually doing in  
practice.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] Web Applications: Achilles' Heel Of Corporate Security -- Security -- InformationWeek

2009-02-03 Thread Kenneth Van Wyk
No big surprises for SC-L readers, I'm sure, but it's still an  
interesting read:


http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=213000162


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com









Re: [SC-L] OWASP interviews McGraw (oh my)

2009-01-26 Thread Kenneth Van Wyk


On Jan 26, 2009, at 12:58 PM, Gary McGraw wrote:
OWASP just posted an interview with me as part of their budding  
podcast series.


Looking forward to it, thanks.  I've been quite impressed with their  
first couple podcasts.  Packed with useful info.  After hearing the  
second one, I grabbed their LiveCD image, which I've found to be  
extremely useful.


Just about anyone using the OWASP tools could benefit from the livecd,  
in my opinion.  Just having a ready-to-fly WebGoat/WebScarab is worth  
the effort all by itself.  Great stuff!



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] InternetNews Realtime IT News - New York Plans Application Security Program

2009-01-14 Thread Kenneth Van Wyk
Now here's an interesting development in the software security space.   
Seems that New York State is going to start requiring contracted  
application developers to conform with a minimum set of practices (as  
covered in the SANS "Application Security Procurement Language", http://www.sans.org/appseccontract/).


http://www.internetnews.com/dev-news/article.php/3796091

IMHO, putting things like this into contract language is a good  
thing.  Even if the SANS list isn't the right one for everyone, it's a  
starting point.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] SANS Institute - CWE/SANS TOP 25 Most Dangerous Programming Errors

2009-01-12 Thread Kenneth Van Wyk
FYI, a top 25 programming errors list from the folks at SANS has been  
released.  See the following for details:


http://www.sans.org/top25errors/


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] top 10 software security surprises

2008-12-17 Thread Kenneth Van Wyk

On Dec 16, 2008, at 1:25 PM, Gary McGraw wrote:
Using the software security framework introduced in October (A  
Software Security Framework: Working Towards a Realistic Maturity  
Model), we interviewed nine executives running top software security  
programs in order to gather real data from real programs.


Wow, this is great stuff.  Kudos to Gary, Sammy, and Brian.

I have a couple comments/observations on some of your conclusions:

- You obviously wrote the top-10 list in C, since it went from 9 to  
0.  :-)


- "Not only are there no magic software security metrics, bad  
metrics actually hurt."  This is an excellent point.  I think it's  
also worth noting that it's important to carefully consider what  
metrics make sense for an organization _as early as possible_ in the  
life of their software security efforts.  Trying to retro-engineer  
some metrics into a program after the fact is not a fun thing.


- "Secure-by-default frameworks can be very helpful, especially if  
they are presented as middleware classes (but watch out for an over  
focus on security "stuff"). "  Yes yes yes!  I've found significantly  
more "traction" to prescriptive guidance vs. a "don't do this" list of  
bad practices.  Plus, it inherently supports a mindset of positive  
validation instead of negative.  It's important to look for common  
mistakes, but if you really want your devs to follow, give them clear  
coding guidelines with annotated descriptions of how to follow them.   
Efforts like OWASP's ESAPI are indeed a great starting point here for  
plugging in things like strong positive input validation and such.


- "Web application firewalls are not in wide use, especially not as  
Web application firewalls. "  I can't say I'm much surprised by this  
one.  Even with PCI-DSS driving people to WAFs (or do external  
independent code reviews), I just don't see them often.  But you  
go on to say, "But even these two didn't use them to block application  
attacks; they used them to monitor Web applications and gather data  
about attacks."--but you don't come back to this point.  One serious  
benefit to WAFs can be enhancing the ability to do monitoring,  
especially of legacy apps.  Adding one network choke point WAF can  
quickly add an app-level monitoring capability that few organizations  
considered when rolling the apps out in the first place.


- "Though software security often seems to fit an audit role rather  
naturally, many successful programs evangelize (and provide software  
security resources) rather than audit even in regulated industries"   
This one too is very encouraging to see.


- "Architecture analysis is just as hard as we thought, and maybe  
harder." And this one is very discouraging.  I've seen good results in  
doing architectural risk analyses, but the ones that produce useful  
results tend to be the more ad hoc ones -- and NOT the ones that  
follow rigorous processes.


- "All nine programs we talked to have in-house training curricula,  
and training is considered the most important software security  
practice in the two most mature software security initiatives we  
interviewed. "  That explains the quarter-million miles in my United  
account this year alone.  :-) Ugh.


- "Though all of the organizations we talked to do some kind of  
penetration testing, the role of penetration testing in all nine  
practices is diminishing over time. "  Hallelujah!



Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Fwd: ESSoS'09: Call for Participation

2008-12-11 Thread Kenneth Van Wyk

FYI, see Call for Participation below.

Cheers,

Ken van Wyk

Begin forwarded message:


From: Bart De Win <[EMAIL PROTECTED]>
Date: December 9, 2008 8:22:14 AM EST
To: [EMAIL PROTECTED]
Subject: ESSoS'09: Call for Participation

CALL FOR PARTICIPATION

International Symposium on
 Engineering Secure Software and Systems (ESSoS'09)
  In collaboration with ACM SIGSAC/SIGSOFT and IEEE TCSE

http://distrinet.cs.kuleuven.be/events/essos2009/
   February 04-06, 2009, Leuven, Belgium

You are cordially invited to attend ESSoS, a conference-level event that
provides a unique research and practitioners' view on the state of the art
in secure software engineering. There are many good reasons for you to
participate (and ditto arguments to convince your supervisor or boss). The
program includes invited talks by two renowned researchers, as well as
technical papers on a variety of topics ranging from program
transformation to testing and assurance. Being the first edition in a
future series, this is the time to join this growing community, meet new
people and interact with peers. As an industry representative, you might
be especially interested in the tutorials, which address current
challenges and best practices in secure software construction. And last
but not least, the symposium takes place in Leuven, a very enjoyable and
historic city with a strong tradition in beer brewing.

The program consists of three days, one day of tutorials and two days of
technical program, including among others:
 * Invited talks:
   - Elaborating Security Requirements by Analysis of Malicious Anti-Models
     (Axel van Lamsweerde, Université Catholique de Louvain)
   - Automating Software Testing Using Program Analysis
     (Wolfram Schulte, Microsoft Research)

 * Tutorials:
   - Security by Construction
     (Rod Chapman, Praxis)
   - Risk Management in Practice: Model Based Security Risk Analysis with
     the CORAS Method
     (Heidi Dahl and Mass Lund, SINTEF)
   - Inside the Biggest of the OWASP Top-10 Issues
     (Kenneth R. van Wyk, KRvW Associates)
   - Security: Philosophy, Patterns and Practices
     (Munawar Hafiz, University of Illinois at Urbana-Champaign)

 * Technical program:
   - a list of accepted papers is available at
     http://distrinet.cs.kuleuven.be/events/essos2009/papers

EARLY REGISTRATION DEADLINE: January 6, 2009

We're looking forward to meeting you all there !

Bart De Win (General Chair)
Fabio Massacci and Samuel Redwine (PC co-Chairs)


Re: [SC-L] Regional differences in software security

2008-11-26 Thread Kenneth Van Wyk

On Nov 26, 2008, at 9:19 AM, Gary McGraw wrote:
I think this idea of regional differences is worth exploring a bit.   
In my work at cigital I have come to believe that there is a  
difference in approach between the east coast of the US and the west  
coast.


I completely agree here.  Stephen raises a fascinating point.

I don't know what I did {right|wrong}, but the vast majority of my  
clients are in Europe or Southeast Asia right now.  (I'm a dual EU/US  
citizen, which perhaps helps.)  Apart from all the air miles, I've  
seen vast differences that seem--at least on the surface via casual  
observation--to have a regional component.  Contrasting US East, West,  
EU, and Asia, there are big differences in such areas as:


- Software process.  I see more process-heavy dev in US East and  
Europe, with far less of it in US West and Asia, for instance.


- Security teams.  I see a pretty solid line between IT security and  
software dev teams in US East and Asia, with lines being more blurred  
in US West and EU.  This seems to be central to Stephen's point, if I  
understand correctly.  And it's a good point to consider.


- Security testing.  ...

The list goes on.  Unfortunately, all I have are casual observations,  
but the "climate differences" seem palpable to me.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Opportunity at DTCC

2008-11-25 Thread Kenneth Van Wyk

Greetings SC-L,

I've been asked to allow a job posting here on SC-L.  It certainly  
doesn't violate anything I've written in the group's charter  
(http://www.securecoding.org/list/charter.php), but then again, we've  
generally not used SC-L for job listings.  And then again++, with the  
economy such as it is, perhaps this sort of thing is a good community  
service.


So, below is the job listing I was asked to post.  If anyone here on  
SC-L has strong feelings for or against future job postings here,  
please let me know.  I'm always happy to take your opinions into  
consideration!


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com

===

The Depository Trust and Clearing Corporation (DTCC) is the premier global
financial institution responsible for clearing and settling many types of
financial transactions between banks and brokerage firms for the United
States and many foreign markets.  These include stock, bond, fixed income,
government, mortgage, and insurance transactions.

DTCC has an exciting position in Application Security based in Tampa,
Florida.  The position is responsible for leading a highly successful and
innovative Application Security Program across the DTCC enterprise.  This
includes driving security in our SDLC, as well as ensuring products and
services procured are also built with security in mind.  The successful
candidate will find the challenges of our leading edge environment to be
very stimulating.

We are looking for a candidate that has knowledge of SDLCs, Java, C++,
and secure coding practices.  The successful candidate will be able to
interface and speak to programmers in our Development organization about
secure programming, as well as be able to present to senior leadership
including the CIO, CTO, and CDO.  The successful candidate will also
understand the value of KPIs to determine what new controls might be
needed, and to lead the implementation of these.  In addition to the
technical skills above, thought leadership, communication, and
relationship management skills are critical qualities of the successful
candidate.

Qualified candidates should contact Mike Longo, Director (HR) at
[EMAIL PROTECTED]

==


[SC-L] Educational web site "hack this" announced

2008-11-11 Thread Kenneth Van Wyk

Greetings SC-Lers,

FYI, I just learned of an educational web site called "Hack This"  
(http://www.hackthis.co.uk/) that sounds interesting to me.  I haven't  
tried it yet, but I'm sure I will soon.  From their description, it  
sounds a bit like an on-line version of OWASP's WebGoat -- which is IMHO  
one of the most powerful learning tools I've ever encountered.  Hack  
This describes themselves as follows:


"Hackthis, an innovative, educational and entertaining new website  
where you can learn the tricks and tips of website security. This well  
designed and well executed concept has proven to be a huge success and  
will only advance further. Attracting audiences to promote the  
importance of keeping your website secure, Hackthis is educating the  
internet for a safer and more secure tomorrow. Whilst education is  
commonly considered boring, Hackthis teaches you by putting you in the  
place of the hacker, exploiting websites to gain access to information  
required to advance to the next level. If that's not enough Hackthis  
also includes a great, friendly support and community forum where you  
can get help with problems, meet new people and help others with their  
problems.


We highly recommend this site for website developers to ensure your  
site is safe and secure. Also, if you're bored, hacking is a great way  
to pass the time!


Remember, Hackthis is completely legal and 100% awesome!"


Has anyone here tried it out?  Any opinions, good bad or otherwise?

Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] (fwd) informIT: A Software Security Framework

2008-10-16 Thread Kenneth Van Wyk

Greetings SC-L,

I thought I'd chime in on this, as it very closely relates to my  
current book project.


On Oct 15, 2008, at 8:31 AM, Gary McGraw (via Kenneth Van Wyk) wrote:
Brian Chess and I have been working hard on a software security  
framework that we are using in a scientific study of many of the top  
software security initiatives.


Great work, guys.  In some areas, I think it's probably overly  
simplistic, as some of the practices span more than one domain.   
(Notably, penetration testing can and should be part of a security  
testing regimen as well as a deployment testing regimen, IMHO.)  But  
it's a great starting point for going out and gathering real world  
data on what's being done in the field.  More importantly, it's useful  
at defining what practices should be assessed for a maturity model.


 Our plan of action is to interview the people running the top ten  
large-scale software security initiatives over the next few weeks  
and then build a maturity model with the resulting data.



Our discipline stands to gain significantly from having a maturity  
model in place, if for no other reason than to help dev organizations  
set goals and objectives in their software security efforts.


Pravir et al at OWASP have done a great job at getting one started  
over there.  I also love the idea of using real world data as an  
initial set of measurements for each maturity level, especially for  
early version(s) of a maturity model.  I think that goes a long way to  
helping development organizations realistically know what to aspire  
to--and how to get there--for each maturity level.


In time, however, I'd sure like to see the maturity model advance  
beyond that and set the bars higher than "just" what's currently being  
done in practice, and define what *should* be done.  That said,  
starting with a solid framework of practices to measure for each  
maturity level is the right way to do things.


IMHO, it'll probably be a few years before these efforts bear  
significant fruit in terms of advancing what is being practiced in the  
field, but we've got to start somewhere.  Kudos.


Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] (fwd) informIT: A Software Security Framework

2008-10-15 Thread Kenneth Van Wyk
[Posted on behalf of Gary McGraw, who is without comms right now but  
wanted this to go out today. KRvW]


hi sc-l,

Brian Chess and I have been working hard on a software security  
framework that we are using in a scientific study of many of the top  
software security initiatives.  Our plan of action is to interview the  
people running the top ten large-scale software security initiatives  
over the next few weeks and then build a maturity model with the  
resulting data.


That's right, we're actually using real data from real software  
security programs.


Brian and I co-authored my informIT column this month, which just so  
happens to be about the software security framework.  Please check it  
out, we're interested to know what you think!


http://www.informit.com/articles/article.aspx?p=1271382

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com


[SC-L] AdaCore - Home > GNAT Pro > The Tokeneer Project

2008-10-08 Thread Kenneth Van Wyk

http://www.adacore.com/home/gnatpro/tokeneer/

Excerpt:

"Project Summary

In order to demonstrate that developing highly secure systems to the  
level of rigor required by the higher assurance levels of the Common  
Criteria is possible, the NSA (National Security Agency) asked Praxis  
High Integrity Systems to undertake a research project to develop part  
of an existing secure system (the Tokeneer System) in accordance with  
Praxis’ Correctness by Construction development process.


This development and research work has now been made available by the  
NSA to the software development and security communities in an effort  
to prove that it is possible to develop secure systems rigorously in a  
cost effective manner."



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Survey thread killer

2008-08-26 Thread Kenneth Van Wyk

Hi SC-Lers,

With these last 2 messages, let's kill off the survey thread, please.  
I allowed it to continue on--probably longer than I should have--  
because there seemed to be valid and interesting points being made on  
both sides of the debate.  But that seems to have run its course, so  
let's please let it die out.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Administrivia

2008-07-21 Thread Kenneth Van Wyk

Greetings SC-L folks,

A couple things re the mailing list...

- It's been a couple months since I asked for your opinions regarding  
accepting sponsorships here on SC-L.  Although the opinions I received  
were almost entirely in favor or neutral -- all but one -- I haven't  
decided to pull that trigger in any case.  I do appreciate your  
inputs, as always, however.


- I'd also like to clarify a posting policy here.  The list gets, from  
time to time, conference announcements, CfPs, and such.  I want to be  
explicit here that I fully encourage that, and would like to take it  
one step further.  Training events that are open to the public may  
also be announced here, once per event.  This includes commercial  
events.  As always, ASCII text is preferred, and no HTML please.  But  
I feel this policy is in line with what I see on other groups.  Full  
disclosure: my own company does do occasional public training events  
from time to time and I'd like to be able to let folks know about it  
here.  Again, one posting per event announcement.


Your opinions, as always, are appreciated.  Feel free to contact me  
on- or off-list about either of these policies.  My goal here remains  
to keep the list a free and open forum for us to discuss matters  
related to software security.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Google opens RatProxy security code - SC Magazine US

2008-07-03 Thread Kenneth Van Wyk
FYI, there's a new web app proxy testing tool out there, RatProxy.  I  
saw it announced a couple days ago and here's another story on it:


http://www.scmagazineus.com/Google-opens-RatProxy-security-code/article/112074/

Anyone here tried it out yet?  How is it any different than WebScarab  
or Paros Proxy?  Worth keeping in one's web app testing arsenal?


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] InternetNews Realtime IT News - Merchants Cope With PCI Compliance

2008-06-30 Thread Kenneth Van Wyk
Happy PCI-DSS 6.6 day, everyone.  (Wow, that's a sentence you don't  
hear often.)


http://www.internetnews.com/ec-news/article.php/3755916

In talking with my customers over the past several months, I always  
find it interesting that the vast majority would sooner have root  
canal than submit their source code to anyone for external review.   
I'm betting PCI 6.6 has been a boon for the web application firewall  
(WAF) world.



Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Any SC-Lers going to FIRST in Vancouver next week?

2008-06-19 Thread Kenneth Van Wyk
Subject says it all.  Any of you going to be at the FIRST conference?   
If you are and want to hook up for a chat--perhaps over a beer--then  
drop me a note.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Security Bonuses for Vista Programmers

2008-06-16 Thread Kenneth Van Wyk
FYI, interesting eWeek article on some of Vista's security features  
that are provided to developers.  (I misinterpreted the article's  
title a bit, but it quickly becomes clear in the article.  At first, I  
thought it was about giving $$ bonuses to vista programmers -- it  
reminded me of an old Dilbert where the company was offering cash  
bonuses for finding bugs, and Wally was "coding himself a  
minivan"... :-)  Anyway, don't let that stop you from reading this  
interesting article.


http://www.eweek.com/c/a/Security/Security-Bonuses-For-Vista-Programmers/


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] DistriNet Research Group

2008-06-04 Thread Kenneth Van Wyk
FYI, interesting announcement out of KU Leuven in Belgium and the SANS  
institute:


http://distrinet.cs.kuleuven.be/news/2008/2008-05-09%20SANSandDistriNetUnite.jsp


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Coverity to Buy Codefast

2008-05-22 Thread Kenneth Van Wyk
FYI, a bit of M&A activity going on in the software security (product)  
space:


http://www.eweek.com/c/a/Application-Development/Coverity-to-Buy-Codefast/


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Kenneth Van Wyk
FYI, here's an interesting article (and follow-on discussions) about a  
recent bug in the GCC compiler collection.


http://lwn.net/Articles/278137/

The bug, which has been documented in a CERT advisory, affects C code  
in which, under some circumstances, buffer bounds checking can be  
optimized out to produce binaries that are susceptible to buffer  
overflows.  The article includes a couple examples that really help  
illustrate the issue -- very interesting reading, IMHO.


Of course, many/most SC-Lers will no doubt jump on this as another  
example of why C is such a dangerous language to write (secure) code  
in, and that's fine.  But, I see the issue at least a little  
differently: a compiler making decisions for the programmer and  
producing executable code that does not accurately conform to what the  
programmer coded.  We've all heard of security-related optimizing  
issues for years, right?  Well, here's a prime example of one in action.



Cheers,

Ken

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
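As an added illustration (not code from the LWN article, the CERT advisory, or the post above), here is the overflow-check idiom at the heart of that discussion placed next to a form the compiler is not allowed to drop. The function and variable names are my own. The point is that forming `buf + len` is undefined in C once the result leaves the object, so GCC may assume the comparison `buf + len < buf` is always false and delete the branch, whereas a check expressed on sizes uses only well-defined unsigned arithmetic:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the LWN article, the CERT advisory, or
 * the post above.  Function and variable names are illustrative.
 */

/* The fragile idiom the discussion is about: "if buf + len wrapped
 * around, len is too big".  Forming buf + len is undefined when the
 * result points outside the object buf belongs to, so an optimizing
 * compiler may treat the comparison as always false and delete the
 * branch entirely.  Whether this returns 0 for a huge len depends on
 * the compiler and its flags, not on the C source. */
static int check_by_pointer_wrap(const char *buf, size_t len)
{
    if (buf + len < buf)      /* may be optimized away */
        return 0;
    return 1;
}

/* The robust form: reason about sizes, never about pointer values.
 * size_t arithmetic is fully defined, and the subtraction is guarded
 * so it cannot wrap.  Returns 1 iff bytes [off, off + len) lie inside
 * a buffer of buflen bytes, 0 otherwise. */
static int range_fits(size_t buflen, size_t off, size_t len)
{
    if (off > buflen)
        return 0;
    return len <= buflen - off;   /* no off + len, so no wraparound */
}

/* Copy len bytes from src to dst + off, refusing anything that would
 * run past dst.  Returns 0 on success, -1 if the range does not fit. */
static int bounded_copy(char *dst, size_t dstlen, size_t off,
                        const char *src, size_t len)
{
    if (!range_fits(dstlen, off, len))
        return -1;
    memcpy(dst + off, src, len);
    return 0;
}

/* Drives bounded_copy on a 16-byte buffer: an in-range write must
 * succeed, and one that would spill past the end must be refused.
 * Returns 1 when both hold. */
static int demo(void)
{
    char out[16];
    memset(out, 0, sizeof out);
    int accepted = bounded_copy(out, sizeof out, 4, "abcd", 4) == 0
                && memcmp(out + 4, "abcd", 4) == 0;
    int refused  = bounded_copy(out, sizeof out, 12, "abcde", 5) == -1;
    return accepted && refused;
}

int main(void)
{
    char buf[64];

    printf("pointer-wrap check, small len: %d\n",
           check_by_pointer_wrap(buf, sizeof buf));
    printf("range_fits(16, 8, 8):        %d\n", range_fits(16, 8, 8));
    printf("range_fits(16, 8, 9):        %d\n", range_fits(16, 8, 9));
    printf("range_fits(16, 8, SIZE_MAX): %d\n", range_fits(16, 8, SIZE_MAX));
    printf("demo():                      %d\n", demo());
    return 0;
}
```

Compile the first function at -O2 and inspect the generated code to see the branch disappear, or build with -Wstrict-overflow to have GCC report comparisons it has simplified under the no-overflow assumption. The durable fix is to keep all bounds reasoning in size_t, as range_fits does, rather than to depend on a particular compiler or flag keeping the pointer comparison alive.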









[SC-L] Lateral SQL injection paper

2008-04-28 Thread Kenneth Van Wyk

Greetings SC-Lers,

Things have been pretty quiet here on the SC-L list...

I hope everyone saw David Litchfield's recent announcement of a new  
category of SQL attacks.  (Full paper available at http://www.databasesecurity.com/dbsec/lateral-sql-injection.pdf)


He refers to this new category as "lateral SQL injection" attacks.   
It's very different than conventional SQL injection attacks, as well  
as quite a bit more limited.  In the paper, he writes:


"Now, whether this becomes "exploitable" in the "normal" sense, I doubt it...
but in very specific and limited scenarios there may be scope for abuse, for
example in cursor snarfing attacks -
http://www.databasesecurity.com/dbsec/cursor-snarfing.pdf.

In conclusion, even those functions and procedures that don't take user input
can be exploited if SYSDATE is used. The lesson here is always, always validate
and don't let this type of vulnerability get into your code. The second lesson
is that no longer should DATE or NUMBER data types be considered as safe and
not useful as injection vectors: as this paper has proved, they are."


It's definitely an interesting read, and anyone doing SQL coding  
should take a close look, IMHO.  It's particularly interesting to see  
how he alters the DATE and NUMBER data types so that they can hold SQL  
injection data.  Yet another demonstration of the importance of doing  
good input validation  -- preferably positive validation.  As long as  
you're doing input validation, I'd think there's probably no need to  
go back through your code and audit it for lateral SQL injection vectors.


Anyone else have a take on this new attack method?  (Note that I don't  
normally encourage discussions of specific product vulnerabilities  
here, but most certainly new categories of attacks--and their impacts  
on secure coding practices--are quite welcome.)



Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator

KRvW Associates, LLC
http://www.KRvW.com









Re: [SC-L] InformIT: budgeting for software security

2008-04-13 Thread Kenneth Van Wyk


On Apr 13, 2008, at 6:23 AM, Stephen Craig Evans wrote:
Wow, that's a flimsy connect-the-dots if I've ever seen one :-)  We  
could have fun with this but I don't want to stray 100% off-topic  
(if we're not there already).


Let's let this thread die away, please folks.  Unless any replies are  
directly tied to the topic of software/application security, they'll  
be dispatched directly to /dev/null.  Thanks!


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator

KRvW Associates, LLC
http://www.KRvW.com









Re: [SC-L] quick question - SXSW

2008-03-12 Thread Kenneth Van Wyk

Ben,

Your point is a good one -- the software security community needs to  
be vigilant in reaching out to developers and spreading "the word".


FWIW, some dev conferences have done this.  I spoke at SD West in  
2006, and there was a significant security track there.  Still, it'd  
be great to see that sort of thing at more dev-specific conferences.


Cheers,

Ken van Wyk
SC-L Moderator

On Mar 12, 2008, at 5:31 PM, Benjamin Tomhave wrote:

First, thanks for that Bill, it exemplifies my point perfectly. A couple
thoughts...

one, targeting designers is just as important as reaching out to the
developers themselves... if the designers can ensure that security
requirements are incorporated from the outset, then we receive an added
benefit...

two, a re-phrasing around my original thought... somehow we need to get
security thinking and considerations encoded into the DNA of everyone in
the business, whether they be designers, architects, coders, analysts,
PMs, sysadmins, etc, etc, etc. Every one of those topics you mention
could (should!) have had implicit and explicit security attributes
included... yet we're still at the point where secure coding has to be
explicitly requested/demanded (often as an afterthought or bolt-on)...

How do we as infosec professionals get people to the next phase of
including security thoughts in everything they do... with the end-goal
being that it is then integrated fully into practices and processes as a
bona fide genetic mutation that is passed along to future generations?

To me, this seems to be where infosec is stuck as an industry. There
seems to be a need for a catalyst to spur the mutation so that it can
have a life of its own. :)

fwiw.

-ben

--
Benjamin Tomhave, MS, CISSP
[EMAIL PROTECTED]
LI: http://www.linkedin.com/in/btomhave
Blog: http://www.secureconsulting.net/
Photos: http://photos.secureconsulting.net/
Web: http://falcon.secureconsulting.net/

[ Random Quote: ]
Augustine's Second Law of Socioscience: "For every scientific (or
engineering) action, there is an equal and opposite social reaction."
http://globalnerdy.com/2007/07/18/laws-of-software-development/

William L. Anderson wrote:
Dear Ben, having just been at SXSW Interactive (I live in Austin, TX) I
did not see many discussions that pay attention to security, or any
other software engineering oriented concerns, explicitly.

There was a discussion of scalability for web services that featured the
developers from digg, Flickr, WordPress, and Media Temple. I got there
about half-way through but the discussion with the audience was about
tools and methods to handle high traffic loads. There was a question
about build and deployment strategies and I asked about unit testing
(mixed answers - some love it, some think it's strong-arm micro-mgt (go
figure)).

There was a session on OpenID and OAuth (open authorization) standards
and implementation. These discussions kind of assume the use of secure
transports but since I couldn't stay the whole time I don't know if
secure coding was addressed explicitly.

The main developer attendees at SXSW would call themselves designers and
I would guess many of them are doing web development in PHP, Ruby, etc.
I think the majority of attendees would not classify themselves as
software programmers.

To me it seems very much like a craft culture. That doesn't mean that a
track on how to develop secure web services wouldn't be popular. In fact
it might be worth proposing one for next year.

If you want to talk further, please get in touch.

-Bill Anderson
praxis101.com

Benjamin Tomhave wrote:

I had just a quick query for everyone out there, with an attached
thought.

How many security and/or secure coding professionals are prevalently
involved with the SXSW conference this week? I know, I know... it's a big
party for developers - particularly the Web 2.0 clique - but I'm just
curious.

Here's why: I'm increasingly frustrated by the disconnect between
business/dev and security. I don't feel like we're being largely
successful in getting the business and developers to include security as
part of their standard operating procedures. Developers are still
oftentimes lazy and sloppy, creating XSS and CSRF and SQL injection
holes.

I then look at SXSW from afar and think: a) shouldn't I be there
evangelizing security? and, b) shouldn't a major thread to all these
conferences be about how security is integrating with dev processes and
practices, making it better?

Maybe I'm just too idealist. I'm curious what everyone else thinks.

cheers,

-ben




[SC-L] PCI: Boon or bust for software security?

2008-03-03 Thread Kenneth Van Wyk

Greetings SC-L,

So here's a question to ponder.  Now that PCI DSS 1.1 is out there  
(save a couple June 2008 deadlines still looming), has it been good or  
bad for software security as a whole?


It does require secure development processes (as prescribed by OWASP).

It does require sensitive cardholder data to be encrypted at rest and  
in transit.


Has it improved the overall state of affairs, worsened it, or have  
things pretty much remained the same?


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] SC-L Administrivia: How does the readership feel about sponsorships?

2008-02-19 Thread Kenneth Van Wyk

Greetings SC-L,

So, I've always done my best to keep SC-L non-commercial since its  
inception in 2003.  I'm curious, though, how you the readers would  
react to accepting sponsorships in the form of "sponsored by: "  
banners at the bottom of each posting.


The banner presently points to the list, the list charter, along with  
a note saying that the list is hosted and moderated by my company.


So, my question is this: could/should I accept sponsorships where the  
sponsor would get (say) two or three lines of text saying who they are  
and pointing to their web page?


I welcome your candid/serious feedback on this.

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] SDLCs and x.509 at OWASP Belgium, 4 March 2008

2008-02-19 Thread Kenneth Van Wyk
During the SecAppDev (http://www.secappdev.org) class next month in  
Leuven, Belgium, there's also going to be a regional OWASP meeting.   
I've been asked to join in and present a short session comparing  
various secure development methodologies (Microsoft's SDL, Cigital's  
"Touchpoints", and OWASP's own CLASP, mainly).  If you're in the area,  
I hope you'll join us.  Local details are available on OWASP's site at http://www.owasp.org/index.php/Belgium.


While I'm there, I'll also be doing a CAcert/Thawte x.509 "signing".   
So, if you're using either of these free x.509 certificate services,  
and are still trying to get the 50 assurance points necessary to have  
your real name on your certificates, stop by with two forms of  
government-issued ID (and photocopies, if using Thawte -- not  
necessary for CAcert).  I'll be happy to help out with either/both 10  
Thawte points or 35 CAcert points.  No charge, of course.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] Michael Howard's Web Log : Introducing SAFECode

2008-02-15 Thread Kenneth Van Wyk

FYI, from Michael Howard's blog:

"Today SAFECode, the Software Assurance Forum for Excellence in Code,  
introduced its first white paper, "Software Assurance: An Overview of  
Current Industry Best Practices."


The organization was founded by Microsoft, Symantec, EMC, SAP and  
Juniper to advance understanding and practices related to secure  
development and integrity controls. Our goal is to raise the security  
bar across the software industry to reduce vulnerabilities."


Complete blog text, along with links to SAFECode and the white paper  
can be found here:


http://blogs.msdn.com/michael_howard/archive/2008/02/14/introducing-safecode.aspx


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] Tech Insight: The Buzz Around Fuzzing - Application and Perimeter Security News Analysis - Dark Reading

2008-02-05 Thread Kenneth Van Wyk
FYI, for those who are interested in fuzz testing tools, here's an  
interesting article URL from Dark Reading.


http://www.darkreading.com/document.asp?doc_id=144773&f_src=darkreading_section_296

Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator






[SC-L] Open Source Code Contains Security Holes -- Open Source -- InformationWeek

2008-01-10 Thread Kenneth Van Wyk

SC-L,

I imagine many of you have seen the results of Coverity's DHS-funded  
scan of a *bunch* of open source projects:


http://www.informationweek.com/story/showArticle.jhtml?articleID=205600229&cid=RSSfeed_IWK_All

The stats are interesting, I suppose.  I don't see any prioritization  
of the defects, but I imagine those were provided to the various open  
source project leaders.


The question that isn't addressed here, and I'm sure was well outside  
of the scope of the project, is what each open source project *did*  
with the vulnerability information BEYOND just fixing the bugs?  Did  
they merely fix the problems and move on?  Or, did they use the  
defects as an opportunity to educate their team members on how to  
avoid these same sorts of things from creeping back in to the src  
tree?  If they simply treated the vul lists as checklists of things to  
fix, then I'd expect a similar study in (say) five years to be just as  
bad as the recent Coverity study.


I think it's important to learn from mistakes, not just fix them and  
get on with things.  I sure hope the open source teams in this study  
did some of that.  If any SC-Lers have insight here, please share.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] ENISA issue on Software Security

2008-01-09 Thread Kenneth Van Wyk

Greetings all,

FYI, the European Network and Information Security Agency (ENISA) has  
just published their latest edition of ENISA Quarterly.  This edition  
focuses on the issue of software security.  You can download a PDF  
copy of EQ from: http://www.enisa.europa.eu/doc/pdf/publications/enisa_quarterly_12_07.pdf


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com









[SC-L] Code Testing Tools Could Be Acquisition Targets in '08

2008-01-03 Thread Kenneth Van Wyk

New Year's greetings, SC-Lers,

FYI, here's an interesting article about the application security  
testing space, from eWeek.


http://www.eweek.com/article2/0,1759,2242973,00.asp?kc=EWRSS03119TX1K594

The author sort of compares apples and oranges a bit, IMHO, in  
comparing recent acquisitions of security testing product firms (e.g.,  
SPI and WatchFire) with potential future acquisitions of source code  
analysis tool companies, but it's still worth a quick read.  The good  
news in the article is, "The acquisitions, coupled with an increase in  
the number of providers offering vulnerability assessments, are  
indicators of a growing emphasis on increasing security in the  
development process."



Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator

KRvW Associates, LLC
http://www.KRvW.com









[SC-L] Redmond Developer News | Best Defense?

2007-12-03 Thread Kenneth Van Wyk
FYI, interesting article on sandboxing of applications, with quotes  
from a few SC-L regulars.  Enjoy!


http://reddevnews.com/features/article.aspx?editorialsid=2386

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com








[SC-L] Fwd: SCARE metrics and tool release

2007-11-30 Thread Kenneth Van Wyk

Reposted with permission, FYI...

Cheers,

Ken
SC-L Moderator

Begin forwarded message:


From: Pete Herzog <[EMAIL PROTECTED]>
Date: November 30, 2007 10:30:18 AM EST
To: [EMAIL PROTECTED]
Subject: SCARE metrics and tool release

Hi,

Scare, the Source Code Analysis Risk Evaluation tool for measuring  
security complexity in C source code is now available.  The tool is  
written to support the OpenTC project (opentc.net) as the SCARE  
methodology project available at:


http://www.isecom.org/scare

We have done some test cases with the tool already to track trends  
in Xen and are now working on measuring trends in the Linux Kernel.


USE
The SCARE analysis tool is run against source code.  Currently only  
C code is supported.  The output file will contain all operational  
interactions possible which need controls (the current version does  
not yet say if and what controls are already there).  At the bottom  
of the list are three numbers: Visibilities, Access, and Trusts.   
These 3 numbers can be plugged into the RAV Calculation spreadsheet  
available at isecom.org/ravs.  The Delta value is then subtracted  
from 100 to give the SCARE percentage which indicates the complexity  
for securing this particular application.  The lower the value, the  
worse the SCARE.


Trends in Xen:

XEN ver.   Vis   Accesses   Trusts   SCARE   Delta

3.0.3_0    1     314        28577    58.26   -41.74
3.0.4_1    1     311        31060    57.79   -42.21
3.1.0      1     316        33139    57.43   -42.57

As you can see, the security complexity of Xen is getting worse due  
to the increased numbers of Trusts (reliance on external variables  
which a user can manipulate as an input). Trust attacks can be  
tested according to the 4th point of the 4 Point test process in the  
OSSTMM 3: Intervention - changing resource interactions with the  
target or between targets.


At this stage, the tool cannot yet tell which interactions have  
controls already or if those controls are applicable however once  
that is available it will change the RAV but not the SCARE.  The  
SCARE will also not yet tell you where the bugs are in the code  
however if you are bug hunting, it will extract all the places where  
user inputs and trusts with user-accessible resources can be found  
in the code.



We need help!  We are looking for people to help us complete the  
SCARE methodology, add new programming languages to the tool, as  
well as even making a Windows binary version for those who do not  
code in Linux. Contact me if you can do this.


Sincerely,
-pete.

--
Pete Herzog - Managing Director - [EMAIL PROTECTED]
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
---
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.








Re: [SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-30 Thread Kenneth Van Wyk

On Nov 29, 2007, at 6:35 PM, Leichter, Jerry wrote:
So he's not completely naive, though the history of security metrics and
standards - which tend to produce code that satisfies the standards
without being any more secure - should certainly give one pause.

One could, I suppose, give rebates based on actual field experience:
Look at the number of security problems reported per year over a two-year
period and give rebates to sellers who have low rates.



Right, so this is where I believe the entire idea would fall apart.  I  
don't think we have adequate metrics today to measure products  
fairly.  Basing the tax on field experience would also be problematic  
to measure well, although I could see this leading to development  
organizations getting some sort of actuarial score.


But the real problem with it, as I said, is metrics.  Should it be  
based on (say) defect density per thousand lines of code as reported  
by (say) 3 independent static code analyzers?  What about design  
weaknesses that go blissfully unnoticed by code scanners?  (At least  
the field experience concept could begin to address these over time,  
perhaps.)


I do think that software developers who produce bad (security) code  
should be penalized, but at least for now, I still think the best way  
of doing this is market pressure.  I don't think we're ready for more,  
on the whole, FWIW.  But _consumers_ wield more power than they  
probably realize in most cases.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com








[SC-L] Insecure Software Costs US $180B per Year - Application and Perimeter Security News Analysis - Dark Reading

2007-11-29 Thread Kenneth Van Wyk

FYI, there's a provocative article over on Dark Reading today.

http://www.darkreading.com/document.asp?doc_id=140184

The article quotes David Rice, who has a book out called   
"Geekconomics: The Real Cost of Insecure Software".  In it, he tried  
to quantify how much insecure software costs the public and, more  
controversially, proposes a "vulnerability tax" on software  
developers.  He believes such a tax would result in more secure  
software.


IMHO, if all developers paid the tax, then I can't see it resulting in  
anything other than more expensive software...  Perhaps I'm just  
missing something, though.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com








[SC-L] Fwd: People in glass houses shouldn't brick phones

2007-11-08 Thread Kenneth Van Wyk

SC-L,

FYI, some of you might find my column this month on eSecurityPlanet to  
be interesting:


http://www.esecurityplanet.com/article.php/3709301   (free, no  
registration required)


In it, I talk about some of the software security lessons to be  
gleaned from Apple's iPhone bricking debacle.  Enjoy...


Cheers,

Ken


-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com








Re: [SC-L] COBOL Exploits

2007-11-02 Thread Kenneth Van Wyk

On Nov 2, 2007, at 12:13 AM, Mark Rockman wrote:
I'm sure you can write COBOL programs that crash, but it must be  
hard to make them take control of the operating system.


If software exploits were "only" isolated to OS compromise, that'd be  
just fine.  But let's not forget that an application can be thoroughly  
compromised by an attacker who never leaves the realm of the  
application -- e.g., providing spoofed credentials to read another  
user's customer data in a database app.  The business logic data  
access control (authorization) is just one area of an app that  
transcends implementation language.  A poorly designed authorization  
model can be implemented in pretty much anything, I believe.


Let's get past the simple buffer overflow exploit to get OS access.   
IMHO, it's right to consider mainframe/COBOL apps carefully.  Although  
we likely won't find a buffer overflow "smoking gun", I'll bet we are  
likely to find examples of bad security logic that can lead to app  
compromise.  Plus, let's face it, modern attacks are moving more and  
more towards the pure application layer (think XSS, SQL/XML injection,  
cross-site request forgery, etc.), AND they're increasingly  
financially motivated.


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com








Re: [SC-L] Mainframe Security

2007-11-01 Thread Kenneth Van Wyk

On Nov 1, 2007, at 4:16 PM, Johan Peeters wrote:

Since so much of the financial
services industry is powered by COBOL, I would have thought that
someone would have done a thorough study of COBOL's security posture.

I certainly have not found one. Anyone else?


Just a couple random(ish) observations here...

1) I believe that COBOL is still behind the *vast* majority of  
financial transactions today.  I don't know the %, but I'd bet it to  
be close to 100%.


2) It's been my experience that COBOL folks (read: "mainframe  
programmers") tend to frown on the Internet, the web, and such.   
However, in talking with them, it's often useful to say that they're  
likely to have to interface with "internet folks" via SOA and other  
mechanisms, so it's worth their while to understand the security  
problems that "those guys" face, such as XSS and SQL/XML injection (a  
handy tip I picked up from Andrew van der Stock -- thanks Andrew!).


So what's my point?  It's this: I've often found the "mainframe crowd"  
to be reluctant to even talk about software security because there  
seems to be a pervasive attitude that it's not their problem.  After  
all, the mainframe architectures they're familiar with have had  
secure, trustworthy networks and such for decades, right?  Well,  
easing them into a discussion by simply pointing out that they should  
be aware of the issues that the "internet folks" have to deal with  
because they *need* to interface with them can help things along.


Lastly, I noticed that at least one static code analysis tool  
(Fortify) now supports COBOL.  I'm not yet sure what things they scan  
for, and I'm *far* from COBOL literate myself, but I figure it's got  
to be good news re James's point.


Cheers,

Ken


-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com





[SC-L] IT industry creates secure coding advocacy group

2007-10-23 Thread Kenneth Van Wyk

Saw this story via Gunnar's blog (thanks!):

http://www.gcn.com/online/vol1_no1/45286-1.html

Any thoughts on the new group, which is calling itself SAFEcode?  Anyone  
here involved in its formation and care to share with us what's the  
driving force behind it?


Cheers,

Ken

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com








[SC-L] Microsoft Pushes Secure, Quality Code

2007-10-06 Thread Kenneth Van Wyk

SC-Lers,

Hey, here's some good news out of Microsoft.  According to EWeek,  
"Now for Visual Studio 2008, Microsoft's code analysis team is adding  
some new features, including Code Metrics, a new tool window "that  
allows you to not only get an overall view of the health [code-wise]  
of your application, but also gives you the ability to dig deep to  
find those unmaintainable and complex hotspots," Somasegar said.


For Visual Studio 2008, Code Metrics will ship with five metrics:  
Cyclomatic Complexity, Depth of Inheritance, Class Coupling, Lines of  
Code and Maintainability Index, he said. "


The full story is here http://www.eweek.com/article2/0,1895,2192515,00.asp


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] CERT Advances Secure Coding Standards - Desktop Security News Analysis - Dark Reading

2007-10-02 Thread Kenneth Van Wyk
Here's some good news from CERT and Fortify.  Shortly, CERT will be  
generating Fortify SCA rules to help automate reviewing C/C++ source  
code against their secure coding standards.


http://www.darkreading.com/document.asp?doc_id=135352&WT.svl=news1_2

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Fwd: [1st-t] Vancouver 2008 First Conference - Call for Papers

2007-09-21 Thread Kenneth Van Wyk

SC-L,

I'm forwarding the following Call for Papers (see below) for next  
year's FIRST conference here.  Now, I recognize that FIRST (the Forum  
of Incident Response and Security Teams) is NOT a software security  
conference.  But, over the past few years, I've started bringing some  
software security related sessions to the conference, and they've  
been well received.  I'm a big believer in reaching out to other  
communities, and if ever there were two groups that should be talking  
and working together more than they currently do (IMHO), it's  
software developers and information security folks.


Disclaimer: I currently sit on FIRST's steering committee, although I  
have nothing to do with accepting/rejecting conference sessions.   
That said, if any of you ARE interested in reaching out to FIRST a  
bit and would like to chat, please drop me a line.


Cheers,

Ken van Wyk

-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com
SC-L Moderator


Begin forwarded message:


From: Reneaué Railton <[EMAIL PROTECTED]>
Date: September 20, 2007 1:20:29 PM EDT
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject: [1st-t] Vancouver 2008 First Conference - Call for Papers

FIRST 20th Annual Conference, June 22nd – 27th, 2008, Hyatt Regency  
Vancouver British Columbia, Canada


 Crossing Borders: Towards the Globalization of Security

 Call for Papers
 - - - - ---
 This is a call for papers and tutorials for the 20th Annual FIRST
 Conference. This text is also available at:
 http://www.first.org/conference/2008/papers.html


 Overview
 - - - - -
 The Forum of Incident Response and Security Teams (FIRST,
 http://www.first.org/) is a global non-profit organization dedicated
 to bringing together computer security incident response teams
 (CSIRT's) and includes response teams from 180 corporations,
 government bodies, universities and other institutions spread across
 the Americas, Asia, Europe and Oceania.

 The annual FIRST conference not only provides a setting for
 participants to attend tutorials and hear presentations by leading
 experts in the CSIRT community, it also creates opportunities for
 networking, collaboration, and sharing technical information. Just as
 importantly, the conference enables attendees to meet their peers and
 build confidential relationships across corporate disciplines and
 geographical boundaries.

 FIRST conference participants include not only CSIRT staff, but also
 IT managers, network and system administrators, software and hardware
 vendors, law enforcement representatives, security solutions
 providers, telecommunications organizations, ISPs, and general
 computer and network security personnel. FIRST conferences cover a
 broad range of security related topics such as (but not limited to):
 . Advanced techniques in security incident prevention, detection and
   response.
 . Latest advances in computer and network security tools.
 . Shared views, experiences, and resolutions in the computer security
   incident response field.


 The Conference
 - - - 
 The conference is a five-day event, comprised of two days of
 Tutorials, three days of Plenary Sessions focused on either Business
 or Technical issues. These include paper presentations, keynote
 speeches, Panel discussions and Birds-of-a-Feather Sessions.

 Features planned for this year's conference include:

 Geek Zone - Presentations with a hands-on format aimed at smaller,
 more technical audiences of up to 30 people
 Case Studies – Lessons learned in dealing with real events, from
 discovery to remediation. Share practical experiences in dealing
 with cyber incidents along with the tools that proved most valuable.
 SIG (Special Interest Group) meetings
 Beer 'n Gear, where vendors demonstrate their equipment.
 Security Challenge

 The theme for the 2008 conference is ‘Crossing Borders: Towards
 the Globalization of Security’.


 The conference language is English.

 Call for Papers
 - - - ---
 The FIRST program committee solicits original contributions for this
 conference, which are broadly based on the theme of ‘Crossing
 Borders: Towards the Globalization of Security’.


 All submissions must reflect original work and must adequately
 document any overlap with previously published or simultaneously
 submitted papers from any of the authors. If authors have any doubts
 regarding whether such overlap exists, they should contact the
 program chairs prior to submission.

 Papers will be scheduled as part of the Main Conference.

 Timeslots are available in three lengths:
 a) 50 Minutes, with 10 minutes question time
 b) 40 minutes, with 10 minutes question time
 c) 25 Minutes, with 5 minutes question time.

 The program committee is also looking for contributions to the 'Geek
 Zone Sessions', where presentations may last for up to three hours
 and which are aimed at a smaller more technical audience of up to 30
 people. These presentations are intende

[SC-L] Fwd: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.

2007-08-23 Thread Kenneth Van Wyk
FYI, I saw the following tool release announcement over on bugtraq,  
and thought it might be of interest to some of you here.  I know the  
terms "PHP" and "security" in the same sentence often are met with  
laughter here, but what the heck.  If the tool helps a few PHP  
developers write PHP apps that are hardened against SQL injection  
attacks, then why not.


Cheers,

Ken van Wyk
SC-L Moderator

Begin forwarded message:


From: Ezequiel Gutesman <[EMAIL PROTECTED]>
Date: August 22, 2007 12:26:55 PM EDT
To: [EMAIL PROTECTED]
Subject: Announcement: Releasing CORE GRASP for PHP. An open source, dynamic web application protection system.


CORE GRASP for PHP is a web-application protection software aimed at
detecting and blocking injection vulnerabilities and privacy  
violations.

As mentioned during its presentation at Black Hat USA 2007, GRASP is
being released as open source under the Apache 2.0 license and can be
obtained from http://gasp.coresecurity.com/.

The present implementation protects PHP 5.2.3 against SQL-injection
attacks for the MySQL engine, it can be installed with almost the same
effort as the PHP engine, both in Unix and Windows systems, and
protection is immediate with any PHP web application running in the
protected server.

CORE GRASP works by enhancing the PHP execution engine (VM) to permit
byte-level taint tracking and analysis for all the user-controlled or
otherwise untrustable variables of the web application. Tainted bytes
are then tracked and their taint marks propagated throughout the web
application's runtime. Whenever the web application tries to interact
with a DB backend using SQL statements that contain tainted bytes,
GRASP analyzes the statement and detects and prevents attacks or
abnormal actions.

CORE GRASP was developed by CoreLabs, the research unit of Core Security
Technologies. At CoreLabs, we plan to improve the tool and include new
protections shortly. However, the invitation to collaborate with the
project is open. If you would like to collaborate, please go to the
GRASP website and subscribe to our mailing list.

Project home: http://grasp.coresecurity.com/
Documentation, presentation and papers:
http://grasp.coresecurity.com/index.php?m=doc
Download: http://grasp.coresecurity.com/index.php?m=dld



-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Opera Uses Mozilla Fuzzer Tool To Find 'Highly Severe' Bug -- Browser -- InformationWeek

2007-08-16 Thread Kenneth Van Wyk

Greetings SC-Lers,

Here's a great success story regarding Mozilla's new open source  
fuzzer that they just released during the blackhat conference:


http://www.informationweek.com/story/showArticle.jhtml?articleID=201800584&cid=RSSfeed_IWK_News


Kudos to the Opera team!

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Software process improvement produces secure software?

2007-08-08 Thread Kenneth Van Wyk


On Aug 7, 2007, at 7:01 AM, Francisco Nunes wrote:

During our conversation, I made a question to Mr.
Hayes similar to this: "Is it possible that only
software development process improvements can produce
secure software?"

The scenario was only based on CMMI without security
interference.


All that follows is IMHO, of course...  I would have to agree with  
you, Francisco, that process improvements "without security  
interference" are unlikely to produce significant changes in the  
security of the software produced.


That said, I am a believer in somewhat more rigorous security-based  
software process.  In particular, I think it's worth spending  
additional time/effort delving into the non-functional aspects of  
software, from requirements gathering through design as well as  
during the implementation/coding phases.  I think that solutions that  
focus solely on implementation improvement are not sufficient.  To  
me, a vital component in improving throughout the dev process must  
focus on process improvement.


That is, process improvement based not (necessarily) on CMMI, and  
_with_ "security interference".  :-)  But I also don't like to see  
process for the sake of _process_.  I'm fine with intelligently  
applied ad hoc processes, if that's not too much of a contradiction  
in terms.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] how far we still need to go

2007-07-25 Thread Kenneth Van Wyk


On Jul 25, 2007, at 9:36 AM, William L. Anderson wrote:
Well after a few attempts to install it on a Mac OS X system I finally
dope out that it only seems to install and run as admin. That is, I not
only need to install it as admin (that's OK, ordinary users can't write
to the /Applications area), but I need to run it as admin.


Maddening, isn't it?  I maintain that this is a software issue,  
insofar as how the software is bolted into its operating  
environment.  Many disagree with that point of view, which I can  
accept, but I believe that to pass this off to the "ops guys" is a  
bad practice that borders on negligence.  Even for those who disagree  
with me, I still would argue that it's largely under the control of  
the developer to be able to bolt the code into a safe operating  
environment -- that promotes the principle of least privilege  
effectively.


One of my customers uses -- and hence, so do I -- VPN software and a  
software one-time token ("SoftToken") that requires the SoftToken.app  
software to have read/write access to its folder under /Applications  
on OS X.  The presumption was that it would always be run as root.   
Well, I've gone out of my way to run my desktop OS X user without  
privs, which broke SoftToken (it would generate the same token EVERY  
time it was invoked).  I still wouldn't accept running it as root,  
however, and was able to circumvent the problem by only giving my  
desktop user read/write to the one data file that SoftToken needed to  
write to.  Still not as good as designing it properly in the first  
place, but it was an acceptable compromise for me to be able to do  
what I need to do.  FWIW...


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Interesting tidbit in iDefense Security Advisory 06.26.07

2007-06-26 Thread Kenneth Van Wyk

SC-L

I'm not quite so sure why this one (below) caught my eye -- we _all_  
get tons of product advisories -- but it did.  In particular, two  
things jump out at me:


1) the original author of the defect thought that s/he was doing  
things correctly in using strncpy (vs. strcpy).
2) the original author had apparently been doing static source  
analysis using David Wheeler's Flawfinder tool, as we can tell from  
the comments.


Yet, a simple coding mistake was made in calculating the length of a  
buffer and passing that incorrect length to strncpy.  The result was  
a buffer overrun on the stack, just like the millions that we've all  
seen.


Mind you, the overrun can only be exploited when specific characters  
are used as input to the loop in the code.  Thus, I'm inclined to  
think that this is an interesting example of a bug that would have  
been extraordinarily difficult to find using black box testing, even  
fuzzing.  The iDefense team doesn't say how the (anonymous) person  
who reported it found it, but I for one would be really curious to  
hear that story.


Just some random thoughts this afternoon...  Perhaps I'm still  
getting over the jet lag after returning from the FIRST conference in  
Seville.


Cheers,

Ken van Wyk
SC-L Moderator


Begin forwarded message:


From: iDefense Labs <[EMAIL PROTECTED]>
Date: June 26, 2007 3:53:46 PM EDT
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: iDefense Security Advisory 06.26.07: RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow Vulnerability


RealNetworks RealPlayer/HelixPlayer SMIL wallclock Stack Overflow
Vulnerability

iDefense Security Advisory 06.26.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jun 26, 2007

I. BACKGROUND

RealPlayer is an application for playing various media formats,
developed by RealNetworks Inc. HelixPlayer is the open source version
of RealPlayer. More information can be found at the URLs shown below.

http://www.real.com/realplayer.html
http://helixcommunity.org/

Synchronized Multimedia Integration Language (SMIL) is a markup language
used to specify the use of several multi-media concepts when rendering
media. Some such concepts are timing, transitions, and embedding. More
information is available from WikiPedia at the following URL.

http://en.wikipedia.org/wiki/Synchronized_Multimedia_Integration_Language


II. DESCRIPTION

Remote exploitation of a buffer overflow within RealNetworks' RealPlayer
and HelixPlayer allows attackers to execute arbitrary code in the context
of the user.

The issue specifically exists in the handling of HH:mm:ss.f time formats
by the 'wallclock' functionality within the code supporting SMIL2. An
excerpt from the code follows.

   924 HX_RESULT
   925 SmilTimeValue::parseWallClockValue(REF(const char*) pCh)
   926 {
   ...
   957     char buf[10]; /* Flawfinder: ignore */
   ...
   962     while (*pCh)
   963     {
   ...
   972         else if (isspace(*pCh) || *pCh == '+' || *pCh == '-' || *pCh == 'Z')
   973         {
   974             // this will find the last +, - or Z... which is what we want.
   975             pTimeZone = pCh;
   976         }
   ...
   982         ++pCh;
   983     }
   ...
  1101     if (pTimePos)
  1102     {
  1103         //HH:MM...
   ...
  1133         if (*(pos-1) == ':')
  1134         {
   ...
  1148             if (*(pos-1) == '.')
  1149             {
  1150                 // find end.
  1151                 UINT32 len = 0;
  1152                 if (pTimeZone)
  1153                 {
  1154                     len = pTimeZone - pos;
  1155                 }
  1156                 else
  1157                 {
  1158                     len = end - pos;
  1159                 }
  1160                 strncpy(buf, pos, len); /* Flawfinder: ignore */

The stack buffer is declared to be 10 bytes on line 957. You can see
that it has a comment which will cause the FlawFinder program to ignore
this buffer.

The loop, which begins on line 962, runs through the parameter to the
function looking for characters that denote different sections of the
time format. When it encounters white space, or the +, -, or Z
characters it will record the location for later use. If a time was
located and it contains both a colon and a period the vulnerable code
will be reached.

The length of data to copy into the stack buffer is calculated either on
line 1154 or line 1158 depending on whether or not a timezone is present.
Neither calculation takes into consideration the constant length of the
'buf' buffer and therefore a stack-based buffer overflow can occur on
line 1160. Again, notice that this unsafe use of strncpy() is also
marked with a FlawFinder ignore comment.

III. ANALYSIS

Exploitation requires that an attacker persuade a user to supply
RealPlayer or HelixPlayer with a maliciously crafted SMIL file. For
example, this can be accomplished by convincing them to visit a
malicious web pag
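
The length bug the advisory describes, as an added C example; this is not code from the original post, from iDefense, or from the RealPlayer/Helix sources. find_fraction() mirrors the excerpt's scan (the last '.' marks the fraction, the last whitespace, '+', '-' or 'Z' marks the time zone, and the length is the distance to the time zone or to the end of the string, never compared with the buffer size). wallclock_would_overflow() reports when that computed length would carry strncpy() past the 10-byte buffer, and copy_fraction_safe() is the bounded, NUL-terminating replacement. The function names, the struct, and the sample inputs are assumptions made for the illustration; the buffer size 10 is taken from line 957 of the excerpt.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fixed stack buffer size from the excerpt (line 957: char buf[10]). */
#define WALLCLOCK_BUF 10

struct fraction {
    const char *pos;   /* first byte after the '.' */
    long        len;   /* length the excerpt would hand to strncpy() */
};

/* Scan a wallclock value such as "12:34:56.789Z" the way the excerpt's
 * loop (lines 962-983) does: remember the last '.', and the last
 * whitespace, '+', '-' or 'Z' as the start of the time zone. The length
 * is then computed as at lines 1154/1158: distance to the time zone if
 * one was seen, else distance to the end of the string. Neither branch
 * looks at the buffer size; that omission is the bug. Returns -1 if the
 * string has no '.'. Illustrative reconstruction, not the original code. */
static int find_fraction(const char *s, struct fraction *f)
{
    const char *dot = NULL, *tz = NULL, *p;

    for (p = s; *p; ++p) {
        if (*p == '.')
            dot = p;
        else if (isspace((unsigned char)*p) || *p == '+' ||
                 *p == '-' || *p == 'Z')
            tz = p;                     /* last one wins, as in line 975 */
    }
    if (!dot)
        return -1;
    f->pos = dot + 1;
    f->len = tz ? (long)(tz - f->pos) : (long)(p - f->pos);
    return 0;
}

/* Returns 1 when strncpy(buf, pos, len) into a WALLCLOCK_BUF-byte buffer
 * would write past its end, i.e. the condition the advisory describes.
 * A negative len (time-zone marker before the '.') converts to a huge
 * unsigned count, so it is reported as an overflow too. */
int wallclock_would_overflow(const char *s)
{
    struct fraction f;
    if (find_fraction(s, &f) != 0)
        return 0;
    return f.len < 0 || f.len > (long)WALLCLOCK_BUF;
}

/* Hardened copy: the length is checked against the destination size
 * before any byte is written, and the result is always NUL-terminated.
 * Returns 0 on success and -1 when the field does not fit, so the caller
 * rejects the input instead of silently truncating or overflowing. */
int copy_fraction_safe(const char *s, char *buf, size_t bufsz)
{
    struct fraction f;
    if (bufsz == 0 || find_fraction(s, &f) != 0)
        return -1;
    if (f.len < 0 || (size_t)f.len >= bufsz)
        return -1;
    memcpy(buf, f.pos, (size_t)f.len);
    buf[f.len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: a benign value and an over-long fraction. */
    const char *good = "12:34:56.789Z";
    const char *bad  = "12:34:56.12345678901234567890+01:00";
    char buf[WALLCLOCK_BUF];

    printf("%s -> overflow? %d\n", good, wallclock_would_overflow(good));
    printf("%s -> overflow? %d\n", bad, wallclock_would_overflow(bad));
    if (copy_fraction_safe(good, buf, sizeof buf) == 0)
        printf("fraction: %s\n", buf);
    printf("bad input rejected by safe copy: %d\n",
           copy_fraction_safe(bad, buf, sizeof buf) == -1);
    return 0;
}
```

Note the boundary case: a fraction of exactly ten digits does not write past buf, so wallclock_would_overflow() reports 0, but strncpy() would leave buf without a terminator; copy_fraction_safe() rejects it because it insists on room for the NUL. The ignore comment on line 1160 suppressed Flawfinder's warning on that call; the check no grep-style tool can do for you is confirming that len is bounded by sizeof buf before the copy.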

Re: [SC-L] Harvard vs. von Neumann

2007-06-15 Thread Kenneth Van Wyk

On Jun 14, 2007, at 3:51 PM, Gary McGraw wrote:
I am in complete agreement with your thinking, which is why one of  
the touchpoints (and chapter 9 of "Software Security" is about  
operations.  Ken knows more about this than any of us, but he's on  
a plane now...right Ken?


Wow, I'd stop far short of such strong words, but I have spent a  
great deal of time in operations land, and I am convinced we're (all)  
missing out on significant opportunities to enhance our software  
security by better making use of deployment security, for lack of a  
better term.  I've seen far too many "one size fits all" approaches  
to software deployments that fall far short of adequately protecting  
the app, much less enabling the detection and response of issues when  
they come up.


Cheers,

Ken

P.S. And yes, I was on a plane.  Greetings from Lisbon, en route to  
Sevilla, Spain for the FIRST conference.  I'll again toss out the  
offer to meet with any SC-Lers who are at the conference.

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] What's the next tech problem to be solved in software security?

2007-06-10 Thread Kenneth Van Wyk
First off, many thanks to all who've contributed to this thread.  The  
responses and range of opinions I find fascinating, and I hope that  
others have found value in it as well.  Great stuff, keep it coming.


That said, I see us going towards that favorite of rat-holes here,  
namely the "my programming language is better than yours, nyeah!"  
path.  Let's please avoid that.  I'm confident that we've seen it  
enough times to know that it ends with no clear winners (but plenty  
of losers).


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] IBM to catch Watchfire security technology | Tech News on ZDNet

2007-06-06 Thread Kenneth Van Wyk
FYI, yet another acquisition in the security world...  This time it's  
IBM buying up Watchfire (makers of AppScan).


http://news.zdnet.com/2100-1009_22-6188999.html?part=rss&tag=feed&subj=zdnet


Kind of reminds me of something Chef Jacques Pepin said in an  
interview with Terry Gross on NPR's "Fresh Air" some time back  
(IIRC).  He said when he was growing up, leftover food never went to  
waste.  They always took yesterday's leftovers and made something  
completely new with it the next day -- NEVER simply re-heating it to  
serve the same thing again, which always ends up being bland.  By the  
time the "last" of the real food was gone, nobody remembered what the  
original recipe even was.  That kept them interested in the food even  
as it went through several transformations.


Not sure why this comes to mind now...  ;-\

Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] What's the next tech problem to be solved in software security?

2007-06-06 Thread Kenneth Van Wyk

Hi SC-L,

[Hmmm, this didn't make it out to the list as I'd expected, so here's  
a 2nd try. Apologies for any duplicates. KRvW]


At the SC-L BoF sessions held to date (which admittedly is not  
exactly a huge number, but I'm doing my best to see them continue), I  
like to ask those that attend what we can be doing to make SC-L more  
useful and meaningful to the subscribers.  Of course, as with all  
mailing lists, SC-L  will always be what its members make of it.   
However, at one recent SC-L BoF session, it was suggested that I pose  
periodic questions/issues for comment and discussion.  As last week  
was particularly quiet here with my hiatus and all, this seems like a  
good opportunity to give that a go, so...


What do you think is the _next_ technological problem for the  
software security community to solve?  PLEASE, let's NOT go down the  
rat hole of senior management buy-in, use [this language], etc.  (In  
fact, be warned that I will /dev/null any responses in this thread  
that go there.)  So, what technology could/would make life easier for  
a secure software developer?  Better source code analysis?  High(er)  
level languages to help automate design reviews?  Better security  
testing tools?  To any of these, *better* in what ways, specifically?


Any takers?

Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Who's To Blame For Insecure Software? Maybe You

2007-06-05 Thread Kenneth Van Wyk
Some interesting (IMHO) stats coming out of Gartner security summit.   
One that jumped off the page at me was that 57% of the attendees  
believe that independent security "research labs" are providing a  
useful and valuable service.  Whether you agree or not, the article  
below is an interesting read.


http://www.informationweek.com/security/showArticle.jhtml?articleID=199901402&pgno=1&queryText=


Cheers,

Ken

P.S. I'm surprised to say that I've so far had no takers on my  
question yesterday -- what is the next technology hurdle for us to  
clear?  Perhaps everyone is off enjoying their summer breaks like I  
was last week...

-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Administrivia: Moderator is in, and SC-L BoF in Spain?

2007-06-04 Thread Kenneth Van Wyk

SC-Lers,

FYI, back from a few days in the sun.  It was a quiet week in any  
case here on SC-L, but I am indeed back at the moderator's (virtual)  
desk now.


Anyone here attending the FIRST conference in Sevilla, Spain later  
this month?  Any interest in an SC-L BoF session?  I'll be there all  
week and would be happy to meet with any SC-L folks who'll be there.   
Drop me a line and say hi.  First Rioja Crianza and jambon Iberia is  
on me.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] Administrivia: Moderator on hiatus

2007-05-25 Thread Kenneth Van Wyk

SC-L,

After an insane travel schedule over the last several months, the  
moderator is taking some much-needed time to relax on the beach while  
sipping boat drinks.  I'll be checking the SC-L queue over the next  
week at least once daily, but if you submit something, please be a  
bit patient.  It'll go out, but might take a little while.  Sorry for  
the inconvenience.


Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com


[SC-L] 1 Raindrop: Common Attack Pattern Enumeration and Classification (CAPEC)

2007-05-23 Thread Kenneth Van Wyk

SC-L,

Saw this via Gunnar Peterson's blog (http://1raindrop.typepad.com/1_raindrop/2007/05/common_attack_p.html)...  Check out Mitre's first  
draft of CAPEC, the Common Attack Pattern Enumeration and  
Classification database (http://capec.mitre.org).  It complements the  
existing CVE (http://cve.mitre.org) and CWE (http://cwe.mitre.org)  
efforts by presenting the attack patterns used to exploit the various  
vulnerabilities.


Great stuff that should be of interest to our readers here at SC-L,  
though the site itself does require Javascript to work -- boo hiss! :-)


Cheers,

Ken
-
Kenneth R. van Wyk
KRvW Associates, LLC
http://www.KRvW.com


Re: [SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk

On Apr 9, 2007, at 11:12 AM, Kenneth Van Wyk wrote:

http://www.esecurityplanet.com/article.php/11162_3670486_2


Sorry folks -- I inadvertently posted the URL to page 2 of the  
column.  Page 1 is at http://www.esecurityplanet.com/article.php/3670486


Sorry for the inconvenience (and the list clutter).  Mea culpa++

Cheers,

Ken van Wyk


[SC-L] Stakes are High for Vista Security

2007-04-09 Thread Kenneth Van Wyk



I hope that some of you will find my April column over on  
eSecurityPlanet interesting.  It can be found (for free) at the link  
below.  If not, just press the old delete key.


http://www.esecurityplanet.com/article.php/11162_3670486_2



Cheers,

Ken
-
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com