Dana Epp wrote...
[...snip...]
> For those of us who write kernel mode / ring0 code, what language are
> you suggesting we write in? Name a good typesafe language that you have
> PRACTICALLY seen to write kernel mode code in. Especially on Windows and
> the Linux platform. I am not trying to fue
Kenneth R. van Wyk wrote...
> FYI, there's an ACM Queue issue out that focuses on security -- see
> http://acmqueue.com/modules.php?name=Content&pa=list_pages_issues&issue_id=14
>
> Two articles there that should be of interest to SC-L readers include
> Marcus Ranum's "Security: The root of the p
In Ken van Wyk's cited article at
http://www.esecurityplanet.com/views/article.php/3377201
he writes...
> As I said above, user awareness training is a fine practice
> that shouldn't be abandoned. Users are our first defense
> against security problems, and they should certainly be
> educa
Fernando Schapachnik wrote...
> I've considered 'secure coding' courses, and the idea always
> looks kind of oversized. How much can you teach that students can't read
> themselves from a book? Can you fill a semester with that? I'm
> interested in people's experiences here.
I suppose that depends
I think the discussion regarding the thread
Re: [SC-L] Education and security -- another perspective
(was "ACMQueue - Content")
is in part becoming a debate of language X vs language Y. Instead,
I'd like to take this thread off into another direction (if Ken
thinks it's appropriate to
David Crocker wrote...
> There is a tendency to regard every programming problem as an
> O-O problem. Sometime last year I read a thread on some
> programming newsgroup in which contributors argued about the
> correct way to write a truly O-O "Hello world" program. All
> the solutions provided we
David Crocker wrote...
> I think there are two other questions that should be asked before
> trying to answer this:
>
> 1. Is it appropriate to look for a single "general purpose" programming
> language? Consider the following application areas:
>
> a) Application packages
> b) Operating systems
and/or wrote a few toy
programs. ;-)
My impression has always been that a declarative programming
language is a high-level language that describes a problem rather
than defining a solution, but that pretty much sounds like your
definition of a specification language.
-kevin wall
---
Kevin
ing, etc.), in my small sample of the world,
that number has been closer to 20-25%. (But that could be because
we develop in Java or C#; no more C or C++.)
But, numbers such as these, in the absence of any context of how the
figures were derived, are IMHO close to meaningless.
-kevin wall
---
Kevin W
based on how they support (or fail to support--whoa,
really big list ;-) secure programming? If so, I can see how
we might all learn some lessons from that. If not, I guess I'm
missing the whole point this thread was started, so please
enlighten me.
Thanks,
-kevin wall
---
Kevin W. Wall
Matt Setzer wrote...
> It's been kind of quiet around here lately - hopefully just because everyone
> is off enjoying a well deserved summer (or winter, for those of you in the
> opposite hemisphere) break. In an effort to stir things up a bit, I thought
> I'd try to get some opinions about good
Joel Kamentz wrote...
> Also, shouldn't it be easy enough to steal one of these and lift a fingerprint
> from it with scotch tape and then be able to get at all of the passwords in the
> device?
If that didn't work, the "gummy bear" approach probably would.
---
Kevin W. Wall Qwest Information T
You wrote...
> Does anyone have any comments about this book? I have read some
> reviews but it is on the site advertising the book for sale They
> stated that this book is a must for anyone wanting to harden code
> in programs, softwares and hardwares but then that could just be
> a sales pitc
ow it fits alongside other similar attempts.
Also, one last thing... not to nitpick, but it seems that your 48 attack
patterns can be grouped into a few broader categories? Does your book
do this as well?
Thanks in advance for your response,
-kevin wall
---
Kevin W. Wall Qwest Informatio
Jeff Williams wrote...
> I think we're focused on different aspects of 'important.'
> The sheer number of web applications does make concurrency
> in that environment an important issue for this list.
> Concurrency used to be the province of a relatively
> small number of developers who understo
John Steven wrote:
...
> 2) Flaws are different in important ways from bugs when it comes to presentation,
> prioritization, and mitigation. Let's explore by physical analog first.
Crispin Cowan responded:
> I disagree with the word usage. To me, "bug" and "flaw" are exactly
> synonyms. The distincti
Dinis,
Dinis Cruz wrote...
Finally, you might have noticed that whenever I talked
about 'managed code', I mentioned 'managed and verifiable code';
the reason for this distinction is that I discovered recently
that .Net code executed under Full Trust can not be (or
[Moderator: Feel free to discard some or all of Dinis' original post
below.
I wasn't sure how much to trim because I don't know how
much people have been paying attention to this particular
discussion and I didn't want them to lose context and have
t
David Eisner wrote...
> Wall, Kevin wrote:
The correct attribution for bringing this up (and the one whom you are
quoting) is Dinis Cruz.
> >> same intuition about the verifier, but have just tested
> >> this and it is not the case. It seems that the -noverify is the
> &g
Dinis Cruz writes...
> Stephen de Vries wrote:
> > Java has implemented this a bit differently, in that the byte code
> > verifier and the security manager are independent. So you could for
> > example, run an application with an airtight security policy (equiv to
> > partial trust), but it co
Kenneth Van Wyk writes...
> http://www.ddj.com/dept/architect/189401902
> ...
> Put another way, how does a team hold onto its good practices (not
> just security reviews) when they're in crisis mode? I'm sure that
> the answer varies a lot by team, priorities, etc., but I'd welcome
> any comme
Crispin Cowan writes...
> IMHO, bumper sticker slogans are necessarily short and glib.
> There isn't room to put in all the qualifications and caveats
> to make it a perfectly precise statement. As such, mincing
> words over it is a futile exercise.
>
> Or you could just print a technical paper
Dana,
Regarding your remarks about writing perfectly secure code...
well put.
And your remarks about Ross Anderson...
> Ross Anderson once said that secure software engineering is about
> building systems to remain dependable in the face of malice, error,
> or mischance. I think he has something
First a bit of background and a confession.
The background: I recently attended a local 4 hr
Microsoft training seminar called "Get Connected with the
.NET Framework 2.0 and Visual Studio(c) 2005". However, I
want to clarify that this example is NOT just a Microsoft
issue. It's an industry-wide is
Tim Hollebeek writes...
> Really, the root of the problem is the fact that the simple version
> is short and easy to understand, and the secure version is five
> times longer and completely unreadable. While there always is some
> additional complexity inherent in a secure version, it is nowhere
In response to a post by Jerry Leichter, Gadi Evron wrote...
> A bridge is a single-purpose device. A watch is a simple
> purpose computer, as was the Enigma machine, if we can call
> it such.
>
> Multi-purpose computers or programmable computers are where
> our problems start. Anyone can DO and
Crispin Cowan wrote...
> mikeiscool wrote:
...
> > True, but that doesn't mean runtime portability isn't a
> > good thing to aim for.
> >
> It means that compromising performance to obtain runtime portability
> that does not actually exist is a poor bargain.
To me, the bigger loss than performance
Larry Kilgallen wrote:
> At 8:18 PM -0600 11/14/06, Wall, Kevin wrote:
>
> > That makes Java inappropriate for a lot of
> > system-level programming tasks. Simple example: There's no
> > way in pure Java that I can lock a process in memory. Wrt this
> &g
Benjamin Tomhave wrote...
> This is completely unsurprising. Apparently nobody told the agile
> dev community that they still need to follow all the secure coding
> practices preached at the traditional dev folks for eons. XSS,
> redirects, and SQL injection attacks are not revolutionary, are not
James McGovern apparently wrote...
> The uprising from customers may already be starting. It is
> called open source. The real question is what is the duty of
> others on this forum to make sure that newly created software
> doesn't suffer from the same problems as the commercial
> closed sour
James McGovern wrote...
> Maybe folks are still building square windows because we haven't
> realized how software fails and can describe it in terms of a pattern.
> The only pattern-oriented book I have run across in my travels is the
> Core Security Patterns put out by the folks at Sun. Do you t
Ken,
You wrote...
> Mind you, the overrun can only be exploited when specific characters
> are used as input to the loop in the code. Thus, I'm inclined to
> think that this is an interesting example of a bug that would have
> been extraordinarily difficult to find using black box testing,
Andy,
You wrote...
> I have been working on developing a series of documents to turn the
> ideas encompassed on this list and in what I can find in books &
> articles. I am not finding, and it may just be I am looking in the
> wrong places, for any information on how people are actually
> implem
Jim,
In response to Stephen's question, you wrote...
>> What does 'green technology' have to do with infosec?
>
> Data centers worldwide use at least 3% of all global electricity. With
> the growing cost of oil/power - most large corporations are looking for
> ways to reduce power consumptio
Gary McGraw wrote:
> We had a great time writing this one. Here is my favorite
> paragraph (in the science versus alchemy vein):
> "Both early phases of software security made use of any sort
> of argument or 'evidence' to bolster the software security
> message, and that was fine given the start
Larry Kilgallen wrote...
> So tell me what you think is easier in C/C++.
Well, just from a pure language POV, in comparing C++ with Java (sorry,
not qualified to comment on Ada), there is one advantage to C/C++ over
Java and that is in C++ I have a much higher level of confidence of
doing things t
In a message dated July 30, 2009 10:09 AM EDT, Paco Hope wrote...
> The Java Virtual Machine is a theoretical machine, and Java code is compiled
> down to Java bytecode that runs on this theoretical machine. The Java VM is
> the actual Windows EXE that runs on the real hardware. It reads these
Arian J. Evans wrote...
> The problem I had in the past with benchmarks was the huge degree of
> customization in each application I would test. While patterns emerge
> that are almost always automatable to some degree, the technologies
> almost always require hand care-and-feeding to get them to
Karen Goertzel wrote...
> I'm more devious. I think what needs to happen is that we
> need to redefine what we mean by "functionally correct" or
> "quality" code. If determination of functional correctness
> were extended from "must operate as specified under expected
> conditions" to "must operat
Karen Goertzel wrote...
> I think we need to start indoctrinating kids in the womb. Start selling Baby
> Schneier CDs alongside Baby Mozart. :)
Yeah, I can hardly wait to hear Schneier's remake of that Dr. Seuss children's
classic
One Fish, Twofish, Red Fish, Blowfish
-kevin
--
Kevin W.
James McGovern wrote...
> - Taking this one step further, how can we convince professors who don't
> teach secure coding to not accept insecure code from their students.
> Professors seed the students' thinking by accepting anything that barely
> works at the last minute. Universities need to b
Brad Andrews writes...
> I had proofs in junior high Geometry too, though I do not recall using
> them outside that class. I went all the way through differential
> equations, matrix algebra and probability/statistics and I don't
> recall much focus on proofs. This was in the early 1980s in a go
> Actually, I'm not teaching my 1 yo toddler much of anything about
> traffic right now. I'm more playing guardian when she runs around the
> house and making sure she doesn't get into situations for which she
> would be completely and totally unprepared (and in serious
> danger). She lacks the lan
Ben Tomhave wrote:
> Wall, Kevin wrote:
> >
> > I don't mean to split hairs here, but I think "fundamental concept"
> > vs "intermediate-to-advanced concept" is a red herring. In your case
> > of you teaching a 1 yr old toddler, "NO" i
> Interesting approach. Curious to know if this will satisfy a
> PCI auditor as a compensating control (section 6)
I think that's presently untested and therefore likely unknown.
I would guess it depends on the auditor's perspective. On one
hand, having a separate WAF appliance provides you with se
Thought there might be several on this list who might appreciate
this, at least from a theoretical perspective but had not seen
it. (Especially Larry Kilgallen, although he's probably already seen it. :)
In
http://www.unsw.edu.au/news/pad/articles/2009/sep/microkernel_breakthrough.html,
"Pro
Steve Christy wrote...
> I wonder what would happen if somebody offered $1 to the first applied
> researcher to find a fault or security error. According to
> http://ertos.nicta.com.au/research/l4.verified/proof.pml, buffer
> overflows, memory leaks, and other issues are not present. Maybe p
Stephen Craig Evans wrote...
> Looks like there's another one:
>
> Symantec Y2K10 Date Stamp Bug Hits Endpoint Protection Manager
> http://www.eweek.com/c/a/Security/Symantec-Y2K10-Date-Stamp-Bug-Hits-Endpoint-Protection-Manager-472518/?kc=EWKNLSTE01072010STR1
>
> I am VERY curious to learn how
Larry Kilgallen wrote...
> At 10:43 AM -0600 1/7/10, Stephen Craig Evans wrote:
>
> > I am VERY curious to learn how these happened... Only using the last
> > digit of the year? Hard for me to believe. Maybe it's in a single API
> > and somebody tried to be too clever with some bit-shifting.
>
>
On Thu, 28 Jan 2010 10:34:30 -0500, Gary McGraw wrote:
> Among other things, David [Rice] and I discussed the difference between
> descriptive models like BSIMM and prescriptive models which purport to
> tell you what you should do. I just wrote an article about that for
> informIT. The title is
Benjamin Tomhave wrote:
> ... we're looking for hard research or
> numbers that covers the cost to catch bugs in code pre-launch and
> post-launch. The notion being that the organization saves itself money
> if it does a reasonable amount of QA (and security testing)
> up front vs trying to chase t
Gary McGraw wrote...
> Way back on May 9, 2007 I wrote my thoughts about
> certifications like these down. The article, called
> "Certifiable" was published by darkreading:
>
> http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=208803630
I just reread your Dark Reading
Jeremiah Heller writes...
> do security professionals really want to wipe hacking
> activity from the planet? sounds like poor job security to me.
Even though I've been involved in software security for the
past dozen years or so, I still think this is a laudable goal,
albeit a completely unreali
Dana Epp wrote:
> Not sure that would work either though.
Dana,
My comment was meant tongue-in-cheek. Guess I used the wrong
emoticon. Figured that ';-)' would work 'cuz I never can remember
the one for "tongue-in-cheek". I've seen several variations of the
latter...
:-? :-Q :-J
On Sep 10, 2010, at 5:34 PM, smurray1 wrote:
> Hello,
>
> I have been discussing an issue with an organization that is having
> an issue with malware on its customers' clients that is intercepting
> user credentials and using them to create fraudulent transactions.
> (man-in-the-browser type atta
On October 20, 2010, Benjamin Tomhave wrote:
>
> If I understand this all correctly (never a safe bet), it seems these
> are actual attacks on Java, not on coding with Java. Ergo, this isn't
> something ESAPI can fix, but rather fundamental problems. What do you
> think? Overblown? Legit? Solutio
Jim Manico wrote...
> Rafal,
>
> It's not that tough to blacklist this vuln while you are waiting for your
> team to patch your JVM (IBM and other JVMs have not even patched yet).
> I've seen three generations of this filter already. Walk with me, Rafal and
> I'll show you. :)
>
> 1) Generation 1
On Feb 15, 2011, at 12:06 AM, Chris Schmidt wrote:
> On Feb 14, 2011, at 8:57 AM, "Wall, Kevin" wrote:
[snip]
>> So on a somewhat related note, does anyone have any idea as to how common it
>> is for
>> application developers to call ServletRequest.getLocale() o
Chris,
On Feb 15, 2011, 8:20 AM, Kevin Wall wrote:
> On Feb 15, 2011, at 12:06 AM, Chris Schmidt wrote:
>> On Feb 14, 2011, at 8:57 AM, "Wall, Kevin" wrote:
>>> [snip]
>>> So on a somewhat related note, does anyone have any idea as to how
>>> c
Rohit,
You wrote:
> Has anyone had to deal with the following HIPAA compliance requirements
> within a custom application before:
>
> §164.312(c)(2)
> Implement electronic mechanisms to corroborate that electronic
> protected health information has not been altered or destroyed in
> an unauthorized
On Tue 4/26/2011 11:13 AM, Rohit Sethi wrote:
> It sounds like people generally deal with this through techniques
> outside of the application logic itself such as checksums and/or
> digital signatures on files / database values that contain protected
> health information. My initial thought was
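Added illustration of the "checksums and/or digital signatures on database values" approach mentioned above; this is example code written for this page, not code from the SC-L thread or from any poster. It assumes a flat record with an `id` primary key and a hypothetical key constant `INTEGRITY_KEY` (a real deployment would fetch the key from a KMS/HSM and never store it beside the data); the sample rows are constructed. The point a practitioner wants checked is that an unkeyed checksum stored next to the row is worthless against anyone who already has write access to the table, because they simply recompute it, while an HMAC (or a signature, where verifiers must not hold the secret) cannot be recomputed without the key. A per-row tag only covers the "altered" half of §164.312(c)(2); chaining the tags gives a single head value that changes when a row is "destroyed".

```python
"""HMAC integrity tags for rows of protected health information.

Added example, not from the SC-L thread. Assumptions: records are flat dicts
keyed by 'id'; INTEGRITY_KEY is a hypothetical name for key material that a
real system keeps out of the database it protects.
"""
import hashlib
import hmac
import json

# Hypothetical key; placeholder value, not real key material.
INTEGRITY_KEY = b"hypothetical-32-byte-key-replace-me!"


def canonical(record):
    # Deterministic encoding: key order and whitespace must not change the tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def unkeyed_checksum(record):
    # Plain hash stored beside the row: anyone who can write the row can rewrite it.
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_unkeyed(record, checksum):
    return hmac.compare_digest(unkeyed_checksum(record), checksum)


def tag_record(record, key=INTEGRITY_KEY):
    # Keyed tag: recomputing it after an edit requires the key.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_record(record, tag, key=INTEGRITY_KEY):
    # Constant-time comparison; the id is inside the canonical form, so a tag
    # copied from another row does not verify either.
    return hmac.compare_digest(tag_record(record, key), tag)


def chain_head(tagged_rows, key=INTEGRITY_KEY):
    # Chain per-row tags in primary-key order; deleting or inserting a row
    # changes the head even though every remaining row still verifies.
    h = hmac.new(key, b"chain-v1", hashlib.sha256)
    for record, tag in sorted(tagged_rows, key=lambda rt: rt[0]["id"]):
        h.update(str(record["id"]).encode() + b":" + tag.encode() + b"\n")
    return h.hexdigest()


def audit(tagged_rows, expected_head, key=INTEGRITY_KEY):
    """Return ids of altered rows and whether the row set itself is intact."""
    rows = list(tagged_rows)
    altered = [r["id"] for r, t in rows if not verify_record(r, t, key)]
    intact = hmac.compare_digest(chain_head(rows, key), expected_head)
    return {"altered": altered, "row_set_intact": intact}


# Constructed sample rows (not real patient data).
SAMPLE_ROWS = [
    {"id": 1, "patient": "A. Example", "diagnosis": "J45.20", "dose_mg": 100},
    {"id": 2, "patient": "B. Example", "diagnosis": "E11.9", "dose_mg": 500},
    {"id": 3, "patient": "C. Example", "diagnosis": "I10", "dose_mg": 25},
]


def demo():
    tagged = [(r, tag_record(r)) for r in SAMPLE_ROWS]
    head = chain_head(tagged)

    # Attacker with SQL write access changes a dose and recomputes the
    # unkeyed checksum: the stored checksum still "verifies".
    tampered = dict(SAMPLE_ROWS[1], dose_mg=5000)
    checksum_defeated = verify_unkeyed(tampered, unkeyed_checksum(tampered))

    # Same edit against the HMAC tag: the old tag no longer matches and a
    # fresh tag cannot be computed without the key.
    old_tag = tagged[1][1]
    hmac_detects_edit = not verify_record(tampered, old_tag)
    forged_tag = tag_record(tampered, key=b"attacker-guess")
    hmac_detects_forgery = not verify_record(tampered, forged_tag)

    # Deleting row 3: every surviving row verifies, but the chain head moves.
    after_delete = audit(tagged[:2], head)

    return {
        "checksum_defeated": checksum_defeated,
        "hmac_detects_edit": hmac_detects_edit,
        "hmac_detects_forgery": hmac_detects_forgery,
        "clean_audit": audit(tagged, head),
        "after_delete": after_delete,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The chain head must itself live somewhere the attacker cannot overwrite (an audit log, a write-once store, or signed by a key the application database never holds), otherwise deletion detection collapses to the same problem as the unkeyed checksum.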
Jim Manico wrote...
> The most cost-effective way to handle these requirements is to get
> your HIPAA auditor drunk nightly.
Uh..., the old bribery and extortion approach. ;-)
> I'm being partially serious here because these and other HIPAA
> requirements are:
>
> (1) Technically ambiguous
> (2)
Gary McGraw wrote:
> This month's informIT article covers the zombies:
[snip]
> * Software security defects come in two main flavors—bugs at the
> implementation level (code) and flaws at the architectural level (design)
So, two questions:
1) How is this (software *security* defects) different th
Rohit Sethi wrote:
> Recently I sent a note about the Organic Progression of the Secure SDLC.
> One of the major points that we raise in that model is the difficulty with
> "Climbing the Wall": Getting the lines of business to commit resource
> to application/software security. This is one of the