[SC-L] CFP - Secure Software Engineering (SecSE 2010)

2009-08-18 Thread Martin Gilje Jaatun

Fourth International Workshop on Secure Software Engineering (SecSE2010)
http://www.sintef.org/secse

In conjunction with ARES 2010
http://www.ares-conference.eu/conf/

February, 15th - 18th 2010
Andrzej Frycz Modrzewski Cracow College, Krakow, Poland

Call for Papers
===============

Software is an integral part of everyday life, and we expect and
depend upon software systems to perform correctly. Software security
is about ensuring that systems continue to function correctly also
under malicious attack. As most systems now are web-enabled, the
number of attackers with access to the system increases dramatically
and thus the threat scenario changes. The traditional approach to
secure a system includes putting up defence mechanisms like IDS and
firewalls, but such measures are no longer sufficient by
themselves. We need to be able to build better, more robust and more
secure systems. Even more importantly, however, we should strive to
achieve these qualities in all software systems, not just the ones
that need special protection. This workshop will focus on techniques,
experiences and lessons learned for building secure and dependable
software.

Topics
======
Suggested topics include, but are not limited to:
-Secure architecture and design
-Security in agile software development
-Aspect-oriented software development for secure software
-Security requirements
-Risk management in software projects
-Secure implementation
-Secure deployment
-Testing for security
-Quantitative measurement of security properties
-Static and dynamic analysis for security
-Verification and assurance techniques for security properties
-Lessons learned
-Security and usability
-Teaching secure software development
-Experience reports on successfully attuning developers to
   secure software engineering

Important dates:
-Submission Deadline:  September 30th 2009
-Author Notification:  November 1st 2009
-Author Registration:  November 11th 2009
-Proceedings Version:  November 11th 2009
-Conference/Workshop:  February 15th - 18th 2010

Submission Guidelines
=====================

Authors are invited to submit papers in IEEE Computer Society
Proceedings Manuscripts style (two columns, single-spaced, including
figures and references, using 10 pt fonts, and number each
page). Please consult the IEEE CS Author Guidelines at the following
web page: http://www2.computer.org/portal/web/cscps/formatting

We solicit the submission of academic workshop papers (6 pages)
representing original, previously unpublished work. Submitted papers
will be carefully evaluated based on originality, significance,
technical soundness, and clarity of exposition.

Duplicate submissions are not allowed. A submission is considered to
be a duplicate submission if it is submitted to other
conferences/workshops/journals or if it has been already accepted to
be published in other conferences/workshops/journals. Duplicate
submissions thus will be automatically rejected without review.

Contact author must provide the following information: Paper title,
authors' names, affiliations, postal address, phone, fax, and e-mail
address of the author(s), about 200-250 word abstract, and about five
keywords. Paper registration and submission is done through the ARES &
CISIS 2010 Paper Management System at the following address:
https://stdev.ifs.tuwien.ac.at/ares2010/ Submission of a paper implies
that should the paper be accepted, at least one of the authors will
register for the ARES conference and present the paper in the
workshop. Accepted papers will be given guidelines in preparing and
submitting the final manuscript(s) together with the notification of
acceptance. Note that SecSE 2010 does not require anonymized
submissions.

Publication
===========

All accepted papers will be published as ISBN proceedings by the IEEE
Computer Society, and will be available online through IEEE Xplore (EI
indexing).

Journal special issue: Distinguished papers submitted to SecSE will be
invited for possible publication in the
International Journal of Secure Software Engineering
(ISSN 1947-3036 - http://www.igi-global.com/ijsse).

Organizing committee:
=====================

Martin Gilje Jaatun, SINTEF ICT, Norway
Torbjørn Skramstad, Norwegian University of Science and Technology (NTNU)
Lillian Røstad, Norwegian University of Science and Technology (NTNU)

Enquiries to the organizing committee may be sent to:  SecSE "replace 
with at-character" sislab.no


Program committee (to be confirmed)
===================================
Rubén Alonso, Visual Tools, Spain
Sergey Bratus, Dartmouth College, USA
Ana Cavalli, GET/INT, France
Estibaliz Delgado, European Software Institute, Spain
Ivan Flechais, University of Oxford, UK
Khaled M. Khan,Qatar University, Qatar
Andrea Lanzi, Institute Eurecom, France
Per Håkon Meland, SINTEF ICT, Norway
Khalid Mu

Re: [SC-L] What is the size of this list?

2009-08-20 Thread Martin Gilje Jaatun

Rafael Ruiz wrote:

I am a lurker (I think), I am an embedded programmer and work at
Lowrance (a brand of the Navico company), and I don't think I can
provide too much to security because embedded software is closed per se.

IMHO, it is very dangerous to assume that "since it is embedded, nobody 
has the source code". This "security through obscurity" approach was 
employed by the Bell telephone system in the 70's and 80's, but it turned 
out that there was no limit to what Phone Phreaks and their kin could 
dig up of supposedly secret information, including schematics and 
instruction manuals.


In more recent times, reverse engineering of the DVD Content Scrambling 
System (CSS) and various RFID electronic fare cards has proven that if 
someone has physical access to a device, you must also assume that they 
can access the software.


-Martin

___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___


[SC-L] Security as a part of code quality (Was: Re: Where Does Secure Coding Belong In the Curriculum?)

2009-08-21 Thread Martin Gilje Jaatun
Karen, Matt & all,

Goertzel, Karen [USA] wrote:
> I'm more devious. I think what needs to happen is that we need to redefine 
> what we mean by "functionally correct" or "quality" code. If determination of 
> functional correctness were extended from "must operate as specified under 
> expected conditions" to "must operate as specified under all conditions", 
> functional correctness would necessarily require security, safety, fault 
> tolerance, and all those other good things that make software dependable 
> instead of just correct.
>   
I couldn't agree more!

However, I have had several discussions with a colleague who is fairly
well known in the "Software Process Improvement Mafia" on the topic of
how to ensure that security requirements are considered for _all_ kinds
of code, not just "security software". Particularly in the context of
agile development techniques, security keeps getting the short end of
the stick, losing every time to "working features". His stance on this
is that "if security were important to the customer, the customer would
provide and prioritize security requirements". To me, this is a bit like
saying "If the customer doesn't explicitly state that the software
should be Y2k-proof, he/she is not really bothered about it".

If we can "brainwash" the coming generations of programmers into
accepting Karen's definition of "quality code", we might finally be
getting somewhere.

-Martin



[SC-L] Deadline extended to Oct. 7 - SecSE 2010

2009-09-28 Thread Martin Gilje Jaatun
We've extended the submission deadline of the Fourth International 
Workshop on Secure Software Engineering (in conjunction with ARES 2010) 
to October 7th.


For more information, see http://sintef.org/secse


Re: [SC-L] academics do software security too

2010-10-11 Thread Martin Gilje Jaatun

Hi SC-L,

Since Gary has been plugging ESSoS, I thought I'd let you know that the 
5th annual International Workshop on Secure Software Engineering (SecSE 
2011) will be organized as part of the ARES conference in Vienna, 
Austria next summer. This year the conference has been shifted 6 months 
or so, and thus we are no longer competing directly with ESSoS for 
papers - feel free to submit to both events :-)


Important dates:
- Submission Deadline:  March 1st, 2011
- Author Notification:  April 18th 2011
- Author Registration:  June 1st 2011
- Proceedings Version:  June 1st 2011
- Conference/Workshop:  August 22nd - 26th 2011

For more information, see the workshop page at http://sintef.org/secse

Yours,

Martin



Re: [SC-L] Java: the next platform-independent target

2010-10-25 Thread Martin Gilje Jaatun

On 2010-10-22 04:51, Kevin W. Wall wrote:

In a large part, I think that people fail to patch Flash or Acrobat
Reader for the same reason they forget about Java...out of sight, out of
mind.* I think they believe that Windows Update solves (or should solve)
*all* their patching needs.  I think many of the Linux distros have it
right in that respect...one-stop patching pretty much for whatever you
have installed from your Linux provider's distribution channel.

There are third-party vendors who do offer this as a service to Windows 
users - I know about the Danish company Secunia and their Corporate 
Software Inspector (CSI) service; there may be others out there.


-Martin


[SC-L] Experiences from engineering secure web applications

2010-11-22 Thread Martin Gilje Jaatun

Hi SC-L,

We're planning a Special Issue of the International Journal of Secure 
Software Engineering (IJSSE) titled "Lessons learned in engineering 
secure & dependable Web applications". The submission deadline is March 
7th - see http://www.sislab.no/ijsse for more details.


Cheers,

Martin





[SC-L] CFP: SecSE Deadline extended to April 4th

2011-03-16 Thread Martin Gilje Jaatun

Hi SC-L,

For the first time ever, we will have an invited talk specifically for 
the International Workshop on Secure Software Engineering (SecSE) in 
Vienna this summer - Gary McGraw will talk about  BSIMM2 (see below for 
an abstract) and lead the ensuing discussion.


If you always wanted to know what BSIMM(2) is all about, you now have a 
chance to hear it directly from Gary. So, it's time to take all those 
insights and ideas you have accumulated during your many years in the 
secure coding universe, and hammer out your own paper to the SecSE 
workshop - if you start now, you have almost three weeks at your 
disposal. See http://sintef.org/secse for more information!


Cheers,

Martin Gilje Jaatun

PS:
BSIMM2: The Building Security In Maturity Model http://bsimm2.com

Software security has made great progress over the last decade.  The 
Building Security In Maturity Model (BSIMM, pronounced "bee simm") is 
designed to help understand, measure, and plan a software security 
initiative.  Of the sixty large-scale software security initiatives we 
are aware of, thirty-two---all household names---are currently included 
in the BSIMM study. Those companies among the thirty who graciously 
agreed to be identified include: Adobe, Aon, Bank of America, Capital 
One, The Depository Trust & Clearing Corporation (DTCC), EMC, Google, 
Intel, Intuit, McKesson, Microsoft, Nokia, QUALCOMM, Sallie Mae, SAP, 
Standard Life, SWIFT, Symantec, Telecom Italia, Thomson Reuters, VMware, 
and Wells Fargo.  The BSIMM was created by observing and analyzing 
real-world data from thirty-two leading software security initiatives. 
The BSIMM can help a firm determine how its organization compares to 
other real-world software security initiatives and what steps can be 
taken to make its approach more effective.  The most important use of 
the BSIMM is as a measuring stick to determine where a particular 
approach to software security currently stands relative to others.





Re: [SC-L] informIT: Modern Malware

2011-03-23 Thread Martin Gilje Jaatun

On 2011-03-23 00:57, Andy Steingruebl wrote:

On Tue, Mar 22, 2011 at 8:41 AM, Gary McGraw wrote:

[...]

malware" as the AT&T guys sometimes think…you use it to find the kinds of bugs 
that malware exploits to get a toehold on target servers.  One level removed, but a 
clear causal effect.

Interestingly, your article only covers malware that gets installed by
exploiting a technical vulnerability, not malware that gets installed
by exploiting a human vulnerability (social engineering).  I've been

[...]

As someone once said: Idiot-proofing is difficult because the idiots are 
so ingenious...


I'm not sure if we really can protect ourselves against "stupid users" 
through secure coding. Marcus Ranum opined 5 years ago that even 
educating users is pointless, opting for some way of punishing them 
instead:
http://www.ranum.com/security/computer_security/editorials/point-counterpoint/users.html 



Can we idiot-proof computer systems without crippling them for the rest 
of us?


-Martin


[SC-L] "Building" conferences (was: informIT: Building versus Breaking)

2011-09-02 Thread Martin Gilje Jaatun

Karen Goertzel wrote:


 There are these:

 ISC(2) Secure Software Conference Series - https://www.isc2.org/PressReleaseDetails.aspx?id=650
 ESSoS - http://distrinet.cs.kuleuven.be/events/essos/2012/
 SecSE - http://www.sintef.org/secse
 SSIRI - http://paris.utdallas.edu/ssiri11/

All conferences are not created equal - ESSOS, SecSE and SSIRI are all 
academic, peer-reviewed conferences/workshops, and probably do not have 
the same "sex appeal" as BlackHat. Even in academic communities it seems 
that there are few that appreciate the difference between "security 
features" and "secure features" (judging by some submissions we get to 
SecSE).



[...]

 conferences. I'm in the process of updating some research on how and
 where software security assurance is being taught by colleges and
 universities, and what I'm finding is that the topic has been pretty
 much marginalised into an aspect of information assurance - i.e., it's
 being taught mostly to postgraduates who are majoring in IA and

I think you're right - to take our local university, NTNU; they have a 
course on software security, but it's an elective offered to 
postgraduates in the final year before they start their MSc thesis, 
which probably means that only those students who already have a special 
interest in security will choose it.


-Martin


[SC-L] CFP: IJSSE Special Issue on Security Modeling

2011-09-14 Thread Martin Gilje Jaatun
The International Journal of Secure Software Engineering is planning a 
special issue on security modeling. Submission deadline is October 30th 
- see
http://www.igi-global.com/bookstore/titledetails.aspx?titleid=1159&detailstype=callforpapersspecial
for more details.


-Martin




[SC-L] CFP: SecSE 2012

2012-02-21 Thread Martin Gilje Jaatun

Hi SC-L,

We are organizing the Sixth International Workshop on Secure Software 
Engineering (SecSE 2012), in conjunction with ARES 2012, 20-24 August 
2012 in Prague, Czech Republic. We welcome both original research papers 
and more practical experience reports. The submission deadline is March 
30th, 2012; for more details see the workshop website:


http://www.sintef.org/secse

Cheers,

Martin Gilje Jaatun
Organizing Chair


[SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

2012-03-07 Thread Martin Gilje Jaatun

Hi SC-L,

I would have hoped that "Software Security" should have been a topic 
area in SWEBOK, right alongside "Software Quality", but it doesn't look 
like it...


-Martin

 Original message 
Subject: [SEWORLD] SWEBOK Version 3 Call for Reviewers
Date:    Fri, 2 Mar 2012 10:53:26 -0700
From:    Dick Fairley
To:      sewo...@sigsoft.org



*Call for Reviewers of Three New Knowledge Area Descriptions for the*

*Guide to the Software Engineering Body of Knowledge*

The IEEE Computer Society is now soliciting public review comments on three
knowledge areas (KAs) for Version 3 of the Guide to the Software
Engineering Body of Knowledge (SWEBOK V3).  SWEBOK V3 is an update to the
2004 version of the SWEBOK Guide, which is also known as Technical Report
ISO/IEC TR 19759.  The 15 KAs in SWEBOK V3 are being published
incrementally as they become available for review.

The purposes of the SWEBOK Guide are: to characterize the contents of the
software engineering discipline; to promote a consistent view of software
engineering worldwide; to clarify the place of, and set the boundary of
software engineering with respect to other disciplines; to provide a
foundation for training materials and curriculum development; and to
provide a basis for certification and licensing of software engineers.

Three new KAs are now available for review (Software Engineering Methods
and Models; Software Maintenance; and Mathematical Foundations). These KAs
can be reviewed and comments can be submitted at:

computer.centraldesktop.com/swebokv3review/

The review period for these KAs extends from March 2 to March 31, 2012.

Three of the SWEBOK V3 KAs (Computing Foundations, Software Construction,
and Software Configuration Management) have been reviewed and the review
period is closed; the KA editors are resolving the public review
comments.  Resolution of submitted comments for all KAs will be displayed
on the SWEBOK V3 Web site as they become available.  All review comments,
as well as the names and countries of the reviewers providing the comments,
will be made public.  Email addresses, affiliations, and other identifying
information of reviewers will not be made public.

Present and potential reviewers will be notified when additional KAs become
available for review.  Each KA, when posted, will be available for review
for 30 calendar days from the date of posting.

For further information or help please contact Dick Fairley, chair of the
SWEBOK V3 Change Control Board at d.fair...@computer.org.


To contribute to SEWORLD, send your submission to
mailto:sewo...@sigsoft.org

http://www.sigsoft.org/seworld provides more
information on SEWORLD as well as a complete archive of
messages posted to the list.





Re: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

2012-03-11 Thread Martin Gilje Jaatun
Agreed, but can you make secure code without thinking about security at 
all? I don't think so - it's a bit like the safety vs. security debate; 
in the latter case the human attacker with hostile intent tends to 
invalidate your assumptions...


-Martin

On 07.03.2012 22:27, James Manico wrote:
Karen is of course right. At the very least, high quality source code 
design and software is a lot easier to assess and secure than the 
alternative.


--
Jim Manico
VP, Security Architecture
WhiteHat Security
(808) 652-3805

On Mar 7, 2012, at 4:09 PM, "Goertzel, Karen [USA]" <goertzel_ka...@bah.com> wrote:


Unfortunately, it seems like the SWEBOK folks still believe that if 
you have high-quality software, that will be sufficient to assure 
robustness against intentional threats. It also shows a touching lack 
of faith that there will never be a malicious participant in the 
SDLC intentionally sabotaging or subverting the code, test results, etc.


===
Karen Mercedes Goertzel, CISSP
Lead Associate
Booz Allen Hamilton
703.698.7454
goertzel_ka...@bah.com <mailto:goertzel_ka...@bah.com>

"I love deadlines. I like the whooshing sound they make as they fly by."
- Douglas Adams

From: sc-l-boun...@securecoding.org [sc-l-boun...@securecoding.org] on behalf of Martin Gilje Jaatun [secse-ch...@sislab.no]
Sent: 05 March 2012 07:02
To: Secure Coding
Subject: [SC-L] Fwd: [SEWORLD] SWEBOK Version 3 Call for Reviewers

Hi SC-L,

I would have hoped that "Software Security" should have been a topic 
area in SWEBOK, right alongside "Software Quality", but it doesn't 
look like it...


-Martin


Re: [SC-L] SearchSecurity: Mobile Security = Software Security

2012-07-15 Thread Martin Gilje Jaatun

Hi Gary,

I agree with everything you write in the article (although I was a bit 
peeved at having to register to read it...). It ties nicely in with a 
related topic that is being discussed a lot recently: "The danger of QR 
codes", where people argue that you shouldn't scan QR codes with your 
smartphone, since you don't know where they take you, and you might get 
infected with something (as allegedly carried out by "Th3 J35t3r" a few 
months back). Again, this is discussing the wrong problem - why are we 
accepting to use smartphone browsers that fall over at the merest whiff 
of an attack?


-Martin

On 07/06/2012 02:29 PM, Gary McGraw wrote:

hi sc-l,

In April, my monthly [in]security column moved over to SearchSecurity 
(TechTarget).  This month's installation appears in Information Security 
magazine as well as on the usual websites.

Because of all of the great work Cigital has done in mobile security, there was 
plenty of fodder to draw from for a pithy article on mobile security.  Take 
home message?  Build security in!  Every software security Touchpoint is 
relevant and useful when it comes to mobile security.

Have a read, and pass it on.  Pile on the hits:
http://searchsecurity.techtarget.com/magazineContent/Gary-McGraw-on-mobile-security-Its-all-about-mobile-software-security

Your feedback is always welcome.

gem

company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiaceleague
book www.swsec.com



[SC-L] CFP: International Workshop on Secure Software Engineering (SecSE-13@AReS)

2013-03-05 Thread Martin Gilje Jaatun

Hi SC-L,

Just a short mail to remind you that we are organizing SecSE for the 
seventh time - this year on September 3rd in historic Regensburg, 
Germany. As an added bonus, Gary McGraw has agreed to give an invited 
talk on BSIMM4, in addition to the tutorial on software security he will 
give at the main conference (http://ares-conference.eu).


We welcome all kinds of papers on techniques, experiences and lessons 
learned for engineering secure and dependable software - see the 
workshop webpage at http://sintef.org/secse (which forwards to our new 
fancy page hosted by KU Leuven) for more information. Submit your papers 
by March 30th at https://confdriver.ifs.tuwien.ac.at/ares2013.


Cheers,

Martin Gilje Jaatun
SecSE organizing chair
