Re: [SC-L] The FTC and Software Security

2015-09-17 Thread Jeffrey Walton
On Wed, Sep 16, 2015 at 2:58 PM, Gary McGraw wrote: > hi sc-l, > > I just posted some thoughts on the FTC and software security. > > Have a look: http://bit.ly/gem-FTC +1, well written. I've kinda ignored the FTC over the years, and focused on the state laws covering data breaches and notificati

Re: [SC-L] [External] Re: SearchSecurity: Medical Devices and Software Security

2014-07-07 Thread Jeffrey Walton
> Ever since I read an article about the challenges of remote laser surgery > being done by doctors at the Naval Hospital in Bethesda, MD, via satellite > link on wounded soldiers in Iraq, I've been warning for years about the need > to apply software assurance principles to the development and

Re: [SC-L] Sad state of affairs

2013-09-21 Thread Jeffrey Walton
here since some (many?) argue it's a waste of time and money to teach developers; and the money is better spent on building tools that make it hard/difficult to do things incorrectly in the first place. I kind of think it's a mixture of both. > - Reply message - > From: "Jeffrey Wa

Re: [SC-L] Sad state of affairs

2013-09-20 Thread Jeffrey Walton
On Fri, Sep 20, 2013 at 7:47 PM, Bobby G. Miller wrote: > I was just listening to a podcast interviewing a security executive from a > prominent vendor. The response to vulnerabilities was to raise the > cost/complexity of exploiting bugs rather than actually employing secure > coding practices.

Re: [SC-L] OWASP Podcast 95 is live!

2013-07-02 Thread Jeffrey Walton
Hi Jim, Do you know if there is a slide deck available with the talk? It sounds like there is, but Dr. Bernstein's Talk page (http://cr.yp.to/talks.html) does not list an OWASP talk. Jeff On Wed, Jun 26, 2013 at 12:08 AM, Jim Manico wrote: > I'm very pleased to announce that OWASP Podcast 95 is

Re: [SC-L] Chinese Hacking, Mandiant and Cyber War

2013-02-20 Thread Jeffrey Walton
On Wed, Feb 20, 2013 at 9:34 AM, Gary McGraw wrote: > hi sc-l, > > No doubt all of you have seen the NY Times article about the Mandiant report > that pervades the news this week. I believe it is important to understand > the difference between cyber espionage and cyber war. Because espionage

Re: [SC-L] CFP: W2SP 2013 - Web 2.0 Security and Privacy workshop

2012-12-17 Thread Jeffrey Walton
For someone looking for a topic, I would encourage exploration of "Trustworthy cloud-based services" via license agreements and terms of service. If the license agreements or terms of service state a provider is indemnified by the user; or the provider is allowed to lose, sell, or give away your

Re: [SC-L] SearchSecurity: Cyber Security and the Law

2012-08-02 Thread Jeffrey Walton
Hi Dr. McGraw, > Cyber Intelligence Sharing and Protection Act (CISPA) passed by > the House in April) has very little to say about building security in. I'm convinced (in the US) that users/consumers need a comprehensive set of software liability laws. Consider the number of mobile devices that

Re: [SC-L] Application Security Quiz

2012-06-29 Thread Jeffrey Walton
Hi Anurag, On Tue, Jun 26, 2012 at 1:53 PM, Anurag Agarwal wrote: > After speaking with a lot of developers we realized they are looking for a > fun, quick way to enhance their knowledge about the secure coding aspects of > development. We have put together a series of interactive quizzes which t

Re: [SC-L] security in open source components

2012-05-04 Thread Jeffrey Walton
On Tue, Apr 24, 2012 at 4:22 PM, Johan Peeters wrote: > I was very happy to see > http://www.sonatype.com/Products/Sonatype-Insight/Why-Insight/Reduce-Security-Risk/Security-Brief. > Finally some attention to the elephant in the room; what is the use of > secure coding if your software depends on

Re: [SC-L] A new blog on application security - armoredcode.com

2012-03-22 Thread Jeffrey Walton
On Fri, Mar 16, 2012 at 12:50 PM, Paolo Perego wrote: > Hi list, just 2 lines for promoting my new blog on application security: > http://armoredcode.com > The idea is to talk about appsec using the developers language so talking > about testing frameworks and practices, libraries to enforce secur

Re: [SC-L] informIT: Building versus Breaking

2011-09-02 Thread Jeffrey Walton
Hi Steve, On Wed, Aug 31, 2011 at 4:45 PM, Steven M. Christey wrote: > > While I'd like to see Black Hat add some more defensive-minded tracks, I > just realized that this desire might be a symptom of a larger problem: there > aren't really any large-scale conferences dedicated to defense / software

Re: [SC-L] Java DOS

2011-02-13 Thread Jeffrey Walton
On Fri, Feb 11, 2011 at 6:21 PM, Brian Chess wrote: > There's a very interesting vulnerability in Java kicking around. I wrote > about it here: > http://blog.fortify.com/blog/2011/02/08/Double-Trouble A lot of chatter about it on FD: http://seclists.org/fulldisclosure/2011/Feb/220. DiKKy had a

[SC-L] IPSec Stack Compromise

2011-01-01 Thread Jeffrey Walton
Hi All, I have been following the allegations of the ipsec stack compromise on a few mailing lists (full disclosure and fun sec). Outside of the initial email's claims, I have not seen anything substantive. There has been some entertaining trolling (http://www.collegehumor.com/video:1926079). Is

[SC-L] Q: SQL Query Sanitizer Library?

2010-12-23 Thread Jeffrey Walton
Hi All, Is anyone aware of an open source library for sanitizing SQL queries from untrusted sources? Jeff ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List chart
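Added example, not part of this thread or any reply on the list: the usual answer to the question above is that untrusted values should never be sanitized into SQL text at all but bound as parameters, and the only untrusted inputs that cannot be bound (identifiers such as a column name) are checked against an allow-list. The in-memory table, the user names and the injection string below are constructed for the demonstration; the code uses only Python's standard sqlite3 module.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [("alice", "admin"), ("bob", "user")]

# Constructed attacker input: a value that closes the quote and appends a tautology.
PAYLOAD = "' OR '1'='1"


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the untrusted value is spliced into the statement text,
    so it can change the structure of the query, not just a compared value."""
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Safe form: the value is bound as a parameter. The driver sends it to the
    engine as data, so quotes and keywords inside it never become SQL."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


# Identifiers (table or column names) cannot be bound as parameters, so this is
# the one place where an untrusted string still has to be validated: compare it
# against a fixed allow-list rather than trying to escape it.
ALLOWED_SORT_COLUMNS = frozenset({"name", "role"})


def list_users_sorted(conn, column):
    """Order by an untrusted column name, accepting only known identifiers."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("refusing unknown sort column: %r" % column)
    # Safe to interpolate only because 'column' is one of our own literals.
    sql = "SELECT name FROM users ORDER BY %s" % column
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input :", lookup_concat(db, "alice"))
    print("concat, payload      :", lookup_concat(db, PAYLOAD))   # every row leaks
    print("param,  payload      :", lookup_param(db, PAYLOAD))    # no match
    print("sorted by role       :", list_users_sorted(db, "role"))
    try:
        list_users_sorted(db, "name; DROP TABLE users")
    except ValueError as exc:
        print("rejected identifier  :", exc)
```

The point the example makes is that a "sanitizer" has to anticipate every quoting rule of every dialect, whereas parameter binding removes the problem by construction; the allow-list covers the residual case that binding cannot.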