Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Robert C. Seacord
, etc. I am open to both publicly available standards as well as commercially available standards. So far, I found 1. www.securecoding.cert.org http://www.securecoding.cert.org/ - thanks to Robert C. Seacord, http://krvw.com/pipermail/sc-l/2008/001401.html 2. http

Re: [SC-L] GCC and pointer overflows [LWN.net]

2008-05-01 Thread Robert C. Seacord
Ken, Comment below. FYI, here's an interesting article (and follow-on discussions) about a recent bug in the GCC compiler collection. http://lwn.net/Articles/278137/ The bug, which has been documented in a CERT advisory, affects C code in which, under some circumstances, buffer bounds

[SC-L] CERT C Secure Coding Standard - last call for reviewers

2008-03-13 Thread Robert C. Seacord
We would like to invite the community to review and comment on the current version of the CERT C Secure Coding Standard available online at http://www.securecoding.cert.org before Version 1.0 is published. To comment, you can create an account on the Secure Coding wiki

Re: [SC-L] Secure Coding Books

2008-03-07 Thread Robert C. Seacord
(http://www.KRvW.com) as a free, non-commercial service to the software security community. ___ -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989 ___ Secure

Re: [SC-L] Really dumb questions?

2007-08-30 Thread Robert C. Seacord
available at - http://www.securecoding.org/list/charter.php

Re: [SC-L] University lecture on Sec Sw Eng online

2007-08-03 Thread Robert C. Seacord
Meunier at Purdue and by Dieter Gollmann at Hamburg-Harburg; if you know of any others, I'd be glad to hear about those, too. Kind regards from Germany, Holger Peine

Re: [SC-L] FW: What's the next tech problem to be solved in software security?

2007-06-10 Thread Robert C. Seacord
ljknews, Yes, it is virtually impossible to get a serious runtime error in an Ada program. For example: http://www.youtube.com/watch?v=kYUrqdUyEpI rCs At 9:51 PM +0100 6/9/07, David Crocker wrote: If instead we pay people to perform the more skilled tasks of establishing requirements

[SC-L] CFP: CERT Software, System and Information Security Cluster (HICSS-41)

2007-05-25 Thread Robert C. Seacord
of registration after this date. CO-CHAIRS OF THE CSSIS CLUSTER Guido Schryen (RWTH Aachen University) Jason A. Rafail (CERT/CC) Address email to the Cluster Chairs to [EMAIL PROTECTED] CO-CHAIRS OF THE CSAS MINITRACK Jason A. Rafail (CERT/CC) Robert C. Seacord (CERT/CC) Dan Plakosh (CERT/CC

Re: [SC-L] temporary directories

2007-01-03 Thread Robert C. Seacord
David, Thanks for the explanation of mkdtemp(). I got confused reading the man page because I wasn't expecting the function to return char *, but I guess that makes sense. I wish that the C standard body would update the C library and add an exclusive create capability for fopen(), so that

[SC-L] temporary directories

2006-12-29 Thread Robert C. Seacord
I've seen advice here and there to use the mkdtemp() function to create temporary directories, for example: - Kris Kennaway email at http://lwn.net/2000/1221/a/sec-tmp.php3 recommends them - David Wheeler's Secure Programming for Linux and Unix HOWTO at

Re: [SC-L] re-writing college books - erm.. ahm...

2006-10-29 Thread Robert C. Seacord
Crispin, I think you may have overspoken below: "Seeking perfect correctness as an approach to security is a fool's errand. Security is designing systems that can tolerate imperfect software." I could go along with "achieving perfect correctness as an approach to security is a fool's belief" but

Re: [SC-L] re-writing college books [was: Re: A banner year for software bugs | Tech News on ZDNet]

2006-10-12 Thread Robert C. Seacord
Coding in C and C++. I'm hoping to take this material and incorporate it into the course. Once I get some experience teaching the material, I could help turn it into a college text. (I've written three books already, so I'm a proven threat. 8^) Thanks, rCs

Re: [SC-L] Google code search games

2006-10-06 Thread Robert C. Seacord
Gadi, Here are some searches from Derek Jones: The new Google source code search page has opened up some interesting research possibilities. How many instances of: if (...) ; are there out there (skip the first half dozen unusual macro uses)?

[SC-L] CERT C Programming Language Secure Coding Standard

2006-08-31 Thread Robert C. Seacord
2004. ISBN 0 9524156.

Re: [SC-L] secure integer library

2006-08-17 Thread Robert C. Seacord
. 8^) rCs

[SC-L] managed string library

2006-06-12 Thread Robert C. Seacord
success or failure. The managed string library also protects against improper data sanitization by (optionally) ensuring that all characters in a string belong to a predefined set of safe characters. rCs

[SC-L] STL iterator vulnerabilities

2006-05-25 Thread Robert C. Seacord
Does anyone have any experience of specific examples of vulnerabilities resulting from the use of uninitialized or invalidated STL iterators or other STL related vulnerabilities? I'm doing some research for a new project (which I hope to announce here shortly). Thanks, rCs

Re: [SC-L] HNS - Biggest X Window security hole since 2000

2006-05-08 Thread Robert C. Seacord

[SC-L] Secure Software Architecture, Design, Implementation and Assurance CFP

2006-05-01 Thread Robert C. Seacord
and maintenance CO-CHAIRS Sven Dietrich CERT [EMAIL PROTECTED] Daniel Plakosh CERT/CC [EMAIL PROTECTED] Robert C. Seacord CERT/CC [EMAIL PROTECTED] PROGRAM COMMITTEE Julia Allen SEI/CMU Hal Burch CERT/CC Brian Chess