Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-25 Thread John Steven
All, I'll address Jim's questions, each in turn: [Adapters] Adapters can take a few forms, but let's address three specific scenarios that fan-in to an assessment results/presentation step and a few that fan-out. [Fan in] Fan in typically comes from three sources: 1) static tools, 2) testing to

Re: [SC-L] SC-L Digest, Vol 5, Issue 50

2009-03-25 Thread Leverett, Eireann (GE Infra, Energy)
"The core problem is that the language/format mixes code and data with no way to differentiate between them." I'm with you on this one. ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org

[SC-L] SAMM 1.0 Released! | OpenSAMM

2009-03-25 Thread Kenneth Van Wyk
Good news today from the Software Assurance Maturity Model (SAMM) group. http://www.opensamm.org/2009/03/samm-10-released/ Their release says: "The Beta release has been out for quite a while now (since August 2008) and lots of organizations and individuals have provided excellent feedback

[SC-L] Online Secure Development Training?

2009-03-25 Thread Brad Andrews
Does anyone know of any good CBT training on secure development, especially covering higher level issues and secure code review? Brad

Re: [SC-L] SAMM 1.0 Released! | OpenSAMM

2009-03-25 Thread Pravir Chandra
Hey Ken. Thanks for sending this out. I've mentioned it before, but today I'm proud to announce that the Software Assurance Maturity Model (SAMM) version 1.0 has been released and is freely available for download from http://www.opensamm.org For those unfamiliar, SAMM is an open framework to help

Re: [SC-L] Online Secure Development Training?

2009-03-25 Thread Dave Wichers
My company, Aspect Security, is producing a full line of secure coding CBTs based on our large curriculum of live application security training courses that we have. I am not aware of any other initiatives like this, but there might be others. -Dave -Original Message- From: sc-l-boun...@

Re: [SC-L] Online Secure Development Training?

2009-03-25 Thread Tom Brennan
Brad, take a peek at http://denimgroup.com/service_sec_training.html On Wed, Mar 25, 2009 at 11:21 AM, Brad Andrews wrote: > > Does anyone know of any good CBT training on secure development, > especially covering higher level issues and secure code review? > > Brad >

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-25 Thread Andy Steingruebl
Ok, so your point then is that a desire for type-safety influenced the hardware architecture of these machines. Fair enough, though I don't know enough of the history of these machines to know how accurate it is. But how can I doubt you Gary? :) I was mainly reflecting in my comments though that

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-25 Thread Gary McGraw
Hi Andy, The code/data mix is certainly a problem. Also a problem is the way stacks grow on many particular machines, especially with common C/C++ compilers. You noted a Burroughs where things were done better. There are many others. C is usually just a sloppy mess by default. Language cho

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-25 Thread ljknews
At 11:42 AM -0400 3/25/09, Gary McGraw wrote: > The code/data mix is certainly a problem. Also a problem > is the way stacks grow on many particular machines, especially > with common C/C++ compilers. You noted a Burroughs where > things were done better. There are many others. C is > usually

Re: [SC-L] Online Secure Development Training?

2009-03-25 Thread Brad Andrews
Thanks for all the replies. I did want to emphasize that I am specifically looking for CBT versions of courses, not the instructor-led variety. Someone asked me about what was available and I said I would ask around. I have only seen the instructor-led ones myself. Thanks for all the r

[SC-L] OWASP Podcast #14 - Pravir Chandra and OpenSAMM

2009-03-25 Thread Jim Manico
I just pushed OWASP Podcast #14 live, an interview with Pravir Chandra. Pravir talks about the OWASP OpenSAMM project and software maturity models in general. Pravir has been deep in this space for some time and even provides us with the inside scoop as to how OpenSAMM relates to BSIMM. To liste

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-25 Thread Andy Steingruebl
On Wed, Mar 25, 2009 at 10:18 AM, ljknews wrote: > > Worry about enforcement by the hardware architecture after > you have squeezed out all errors that can be addressed by > software techniques. Larry, Given the focus we've seen from Microsoft and protecting developers from mistakes through th

Re: [SC-L] BSIMM: Confessions of a Software SecurityAlchemist(informIT)

2009-03-25 Thread ljknews
At 1:00 PM -0700 3/25/09, Andy Steingruebl wrote: > On Wed, Mar 25, 2009 at 10:18 AM, ljknews ><ljkn...@mac.com> wrote: > > > Worry about enforcement by the hardware architecture after > you have squeezed out all errors that can be addressed by > software techniques. > > >