[SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Herman Stevens
Hello Jim, I tend to disagree with your statement that security requirements should be part of contractual agreements or added to a purchase order. In the Real World (™ ☺) this does not work. Once signed, contracts are never looked at again, unless the shit hits the fan and someone must be

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Marcin Wielgoszewski
Steven, There are more than several managers of application security programs for F-100 companies that have written security requirements into their SLA's with outsourced development firms. One example uses application penetration testing and vulnerability assessment findings to enforce SLA

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Herman Stevens
Hello Marcin, I agree with your statement that many companies have some requirements in their SLA's with outsourced development firms. However, if these are really F-100 businesses they usually have all non-core processes out-sourced (because a Big4 company told them that would reduce costs),

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-12-01 Thread ljknews
At 9:03 PM -0500 11/26/08, Mark Rockman wrote: OK. So you decide to outsource your programming assignment to Asia and demand that they deliver code that is so locked down that it cannot misbehave. How can you tell that what they deliver is truly locked down? Will you wait until it gets hacked?

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
Asking about security in terms of an RFP is a big joke and reminds me of tactics I used in sixth grade when I used to figure out creative ways of answering a question by turning the question into an answer. One has to acknowledge that RFPs are not authoritative and are usually completed by sales

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread Jim Manico
I think adding clear security requirements at the contractual level is *fundamental and necessary* when working with vendors who are writing software for you. Don't we talk about software security as being just another integrated part of writing software, not as an external activity? I'm

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
I am of the belief that the examples you provided are more requirements for your own staff. For example, shouldn't your business analysts define regular expressions and include them as functional requirements where the firm simply calls them? If you want regexes externalized into properties

Re: [SC-L] FW: How Can You Tell It Is Written Securely?

2008-12-01 Thread McGovern, James F (HTSC, IT)
Some other thoughts that I haven't heard others mention? 1. OK, if you find that they didn't meet all the security requirements, will your business customers still want you to put it into production anyway? If the answer is yes, do you still want them to support it? How do we quantify who is

Re: [SC-L] Silver Bullet and informIT: Jeremiah Grossman

2008-11-29 Thread Stephen Craig Evans
Hi Gary, I think you were on the right path describing software security and illustrating the difference between software security and web app security (even though I don't think it was intentional) when you talked about Pervasive Computing in a BankInfoSecurity podcast (starting at 5 min 10

[SC-L] Introducing my OWASP Summer of Code project, Securing WebGoat using ModSecurity

2008-11-29 Thread Stephen Craig Evans
Hi, I did an OWASP Summer of Code 2008 project, Securing WebGoat using ModSecurity (actually, it expanded into a Fall of Code project too :-) First, the project should have been named Protecting WebGoat using ModSecurity but by the time I figured it out, it was too late to change the title. The

[SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Mark Rockman
OK. So you decide to outsource your programming assignment to Asia and demand that they deliver code that is so locked down that it cannot misbehave. How can you tell that what they deliver is truly locked down? Will you wait until it gets hacked? What simple yet thorough inspection process

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-27 Thread Stephen Craig Evans
Whenever I speak with a customer or any software decision makers, I implore them, before buying another vendor's software, or hiring/contracting a 3rd party development firm, to ask a couple of simple questions: What do you do for software security?, and Can you send me some documents about your

Re: [SC-L] Regional differences in software security

2008-11-27 Thread Stephen Craig Evans
I'll preface what I'm going to say with: - I don't work in the financial vertical or government defense, but from conversations with colleagues, I think that they get it (they have to) - My sphere of experience excludes Australia, India, and Japan: - Oz has on average a high skill set of s/w

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Stephen Craig Evans
... and demand that they deliver code that is so locked down that it cannot misbehave. Your premise is so incorrect that I advise that if you are truly interested in answering your questions (as opposed to a purely academic or other exercise), then you should hire a security specialist to help

Re: [SC-L] How Can You Tell It Is Written Securely?

2008-11-27 Thread Jim Manico
OK. So you decide to outsource your programming assignment to Asia and demand that they deliver code that is so locked down that it cannot misbehave. How can you tell that what they deliver is truly locked down? Will you wait until it gets hacked? What simple yet thorough inspection process

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Stephen Craig Evans
Hi Gunnar, I apologize to everybody if I have come across as being harsh. From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional Developer Evangelist in 2001 to recently at Symantec as the

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Dana Epp
With all due respect, I think this is where the process of secure coding fails. I think it stems from poor education, but it's compounded by an arrogant cop out that developers have no power. Your view is not alone. I hear it a lot. And I think it's an easy out. I agree with you that buy in for

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread ljknews
At 9:32 PM -0800 11/25/08, Brian Chess wrote: Larry, I'm not sure I get your meaning. You say you don't think it's a dry well, but then you say programmers ignore the privilege management facilities at their disposal. I mean they ignore it until security overseers (800.53a, PCI DSS, 8500.2

[SC-L] Regional differences in software security

2008-11-26 Thread Gary McGraw
Hi Stephen (et al), I think this idea of regional differences is worth exploring a bit. In my work at cigital I have come to believe that there is a difference in approach between the east coast of the US and the west coast. The east coast led by financial services firms in NY and Boston has

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Susan Bradley
There is a lot of USA firm coding done outside our shores. Thus the attitude you are reporting impacts the software I am buying both for my desktop as well as the upcoming cloud applications. This is the part that concerns me. As a consumer of code when it's in my possession I am then able

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-26 Thread Jerry Leichter
On Nov 26, 2008, at 3:05 AM, Stephen Craig Evans wrote: Hi Gunnar, I apologize to everybody if I have come across as being harsh. From my 8 years of experience of living in Asia and being actively involved as a developer and working with developers (at Microsoft as its first .NET Regional

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gary McGraw
Sadly this non-adoption of privileged/managed code (filled with blank stares) has been the case ever since the Java security days a decade ago. One of the main challenges is that developers have a hard time thinking about the principle of least privilege and its implications regarding the

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
maybe the problem with least privilege is that it requires that developers: 1. define the entire universe of subjects and objects 2. define all possible access rights 3. define all possible relationships 4. apply all settings 5. figure out how to keep 1-4 in synch all the time do all of this

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gunnar Peterson
Sorry I didn't realize developers is an offensive ivory tower in other parts of the world, in my world it's a compliment. -gunnar On Nov 25, 2008, at 10:30 AM, Stephen Craig Evans wrote: Hi, maybe the problem with least privilege is that it requires that developers:... IMHO, your US/UK

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
Hi, maybe the problem with least privilege is that it requires that developers:... IMHO, your US/UK ivory towers don't exist in other parts of the world. Developers have no say in what they do. Nor do they care about software security, and why should they care? So, at least, change your

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
Gunnar, Developers have no power. You should be talking to the decision makers. As an example, to instill the importance of software security, I talk to decision makers: project managers, architects, CTOs (admittedly, this is a blurred line - lots of folks call themselves architects). If I go to

[SC-L] Opportunity at DTCC

2008-11-25 Thread Kenneth Van Wyk
Greetings SC-L, I've been asked to allow a job posting here on SC-L. It certainly doesn't violate anything I've written in the group's charter (http://www.securecoding.org/list/charter.php ), but then again, we've generally not used SC-L for job listings. And then again++, with the

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Peter G. Neumann
And don't forget the Paul Karger paper from Oakland, which applies access controls to executables and effectively provides implementations for Saltzer-Schroeder's least privilege and more: @InProceedings{Karger87, Key=Karger, Author=P.A. Karger, Title=Limiting the Damage Potential of

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Gary McGraw
Hi Stephen, I don't think I belong in the dog house with gunnar on this one (though if I have to share the dog house gunnar would be a decent compatriot). Please re-read my post and you will see that I gave up on the Dinis quest though I have lots of respect for what Dinis wants to

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Stephen Craig Evans
It's a real cop-out for you guys, as titans in the industry, to go after developers. I'm disappointed in both of you. And Gary, you said One of the main challenges is that developers have a hard time thinking about the principle of least privilege. Developers are NEVER asked to think about the

[SC-L] The problem with (Java's) Security Policy (Was: Unclassified NSA document on .NET 2.0 Framework Security)

2008-11-25 Thread John Wilander
Hi all! I agree with Gunnar on this one. 2008-11-25 18.00, Gunnar Peterson wrote: maybe the problem with least privilege is that it requires that developers: 1. define the entire universe of subjects and objects 2. define all possible access rights 3. define all possible relationships

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Steven M. Christey
On Tue, 25 Nov 2008, Mark Rockman wrote: Assuming this is repeated for every use case, the resulting reports would be a very good guide to how CAS settings should be established for production. Of course, every time the program is changed in any way, the process would have to be repeated.

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Gary McGraw
DREAM It seems we've come full circle, because what you are describing is managed code (or privileged code depending on your Java vs .NET vocabulary). In full on managed code, the code describes what it needs and the machine decides whether that coheres with local policy. /DREAM gem

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread ljknews
At 12:26 PM -0500 11/25/08, Mark Rockman wrote: It'd be difficult to determine a priori the settings for all the access control lists and other security parameters that one must establish for CAS to work. Perhaps a software assist would work according to the following scenario. Run the program

Re: [SC-L] Software Assist to Find Least Privilege

2008-11-25 Thread Susan Bradley, CPA
Aaron Margosis' Non-Admin WebLog : LUA Buglight 2.0, second preview: http://blogs.msdn.com/aaron_margosis/archive/2008/11/06/lua-buglight-2-0-second-preview.aspx Mark Rockman wrote: It'd be difficult to determine /a priori/ the settings for all the access control lists and other security

Re: [SC-L] The problem with (Java's) Security Policy (Was: Unclassified NSA document on .NET 2.0 Framework Security)

2008-11-25 Thread Rohit Lists
Has anyone had experience using Sword4J to determine permissions? http://www.alphaworks.ibm.com/tech/sword4j From the site: The Authorization Analysis functionality determines which authorizations are needed in order to run Java code when a SecurityManager is enabled. The Privilege Code Analysis
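One way to do the permission discovery that Sword4J's authorization analysis and the "Software Assist to Find Least Privilege" thread describe (and that answers Gunnar's objection that developers must first enumerate every subject, object and right by hand), as an added example that is not part of the original posts, of Sword4J, or of any other tool named here: a recording SecurityManager that never denies anything but logs every permission the program demands while each use case is exercised, then renders the union as a java.policy grant block. The class name PermissionRecorder, the codeBase URL and the two use cases are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Learning-mode SecurityManager (hypothetical name): records each Permission
 * the JVM asks about instead of enforcing anything. Run the application under
 * it once per use case, then turn the recorded set into a policy file.
 */
public final class PermissionRecorder extends SecurityManager {

    // Insertion-ordered so the generated policy is stable between runs.
    private final Set<Permission> demanded =
            Collections.synchronizedSet(new LinkedHashSet<Permission>());

    @Override
    public void checkPermission(Permission perm) {
        demanded.add(perm);          // observe only; never throw in learning mode
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        demanded.add(perm);
    }

    /** Render the observed permissions as one java.policy grant block. */
    public String toPolicy(String codeBase) {
        StringBuilder sb = new StringBuilder();
        sb.append("grant codeBase \"").append(codeBase).append("\" {\n");
        synchronized (demanded) {
            for (Permission p : demanded) {
                // Paths are emitted verbatim; backslashes need escaping on Windows.
                sb.append("    permission ").append(p.getClass().getName())
                  .append(" \"").append(p.getName()).append('"');
                String actions = p.getActions();
                if (actions != null && !actions.isEmpty()) {
                    sb.append(", \"").append(actions).append('"');
                }
                sb.append(";\n");
            }
        }
        return sb.append("};\n").toString();
    }

    public static void main(String[] args) throws Exception {
        PermissionRecorder recorder = new PermissionRecorder();
        System.setSecurityManager(recorder);

        // Use case 1 (constructed): write, read and delete a temporary file.
        Path tmp = Files.createTempFile("leastpriv", ".txt");
        Files.write(tmp, "hello".getBytes(StandardCharsets.UTF_8));
        Files.readAllBytes(tmp);
        Files.delete(tmp);

        // Use case 2 (constructed): read a system property.
        System.getProperty("user.home");

        // Removing the manager is itself a RuntimePermission, so it is recorded too.
        System.setSecurityManager(null);

        // Hypothetical codeBase; point it at the jar the policy should cover.
        System.out.print(recorder.toPolicy("file:/opt/app/app.jar"));
    }
}
```

Run it once per use case, merge the grant blocks, then install the result with -Djava.security.policy and re-run under the default SecurityManager to confirm nothing was missed. Anything not exercised is not in the policy, which is Steven Christey's caveat in the thread: the recording has to be repeated whenever the program changes. System.setSecurityManager works as written on JDK 8 through 17, needs -Djava.security.manager=allow on JDK 18 through 23, and is unavailable from JDK 24 on.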

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Susan Bradley, CPA
Why shouldn't they be asked to think about it? Especially now. I do. I install Vista and find out how many of my apps don't like it. Go grab a copy of Luabuglight and watch Aaron Margosis' stuff. Why should I as an Admin have to care about this stuff after Developers that don't care about

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Andy Steingruebl
On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson [EMAIL PROTECTED] wrote: but actually the main point of my post and the one i would like to hear people's thoughts on - is to say that attempting to apply principle of least privilege in the real world often leads to drilling dry wells. i am

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-25 Thread Shea, Brian A
Security is a tradeoff game between risk and cost in my experience. So the least privilege question comes down to practical matters like knowing the execution environment, knowing the requirements of the tasks being executed, and knowing where those intersect with the ability of the user or

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-24 Thread Dinis Cruz
So does this mean that the NSA is recommending .NET applications be developed so that they can be executed in partially trusted environments? (i.e. not in full trust?) Last time I checked just about everybody was developing Full Trust .NET applications (did this change in the last year?) Don't

Re: [SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-24 Thread Mike Lyman
Dinis Cruz wrote: Don't get me wrong, this is a great document if one is interested in writing applications that use CAS (Code Access Security), I would love for this to be widely used. When we recommended CAS during a review of the U.S. Defense Information System Agency's new

[SC-L] Unclassified NSA document on .NET 2.0 Framework Security

2008-11-22 Thread Romain Gaucher
All, The NSA has just unclassified a 300-page document about .NET 2.0 security http://www.nsa.gov/snac/app/I731-008R-2006.pdf I think it can be an interesting resource, --Romain Romain Gaucher Security Consultant Cigital, http://www.cigital.com Software Confidence. Achieved.

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-21 Thread Pete Werner
Hi All Thank you for your replies, they have been very useful and will certainly help identifying things that need to appear in the standard. We're trying to make the standard something that is easily auditable, and have decided to further split items into two categories, those that should

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-21 Thread Dave Wichers
I'd like to mention that OWASP is about to release a Beta version of its Application Security Verification Standard (ASVS) - Web Application Edition. This standard (which is language agnostic) provides a checklist of security requirements that web applications should meet and it is organized into

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-17 Thread Steven M. Christey
The CWE Research view (CWE-1000) is language-neutral at its higher-level nodes, and decomposes in some areas into language-specific constructs. Early experience suggests that this view is not necessarily developer-friendly, however, because it's not organized around the types of concepts that

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-14 Thread Robert Seacord
Pete, I think your best bet is the work being done by ISO/IEC JTC 1/SC 22/ WG 23 Programming Language Vulnerabilities. The website for this work is http://www.aitcnet.org/isai/. The latest Editor's draft of PDTR 24772, prepared by John Benito, is N0138 which can be found here:

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-14 Thread David A. Wheeler
Pete Werner: I've been tasked with developing a secure coding standard for my employer. Everything I've found is mostly focussed on web applications or language/platform specific. Does anyone know of something that may be what I'm looking for? It's not exactly what you're looking for, but

[SC-L] Silver Bullet and informIT: Jeremiah Grossman

2008-11-14 Thread Gary McGraw
hi sc-l, Episode 32 of the Silver Bullet Security Podcast went live last night. This episode features a chat with Web security guru Jeremiah Grossman. Among other things, we talk about the relationship between Web app security and software security: http://www.cigital.com/silverbullet/

[SC-L] Language agnostic secure coding guidelines/standards?

2008-11-13 Thread Pete Werner
Hi all I've been tasked with developing a secure coding standard for my employer. This will be a policy tool used to get developers to fix issues in their code after an audit, and also hopefully be of use to developers as they work to ensure they are compliant. The kicker is it needs to cover

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-13 Thread AF
Pete Werner wrote: Hi all I've been tasked with developing a secure coding standard for my employer. This will be a policy tool used to get developers to fix issues in their code after an audit, and also hopefully be of use to developers as they work to ensure they are compliant. The kicker

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-13 Thread McGovern, James F (HTSC, IT)
A while back, I got asked the same question and realized that at some level the question is flawed. Many large enterprises have standards documents that sit on the shelf and the need to create more didn't feel right. Instead, we fell to the posture that we should inverse the problem and instead

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-13 Thread Andrew van der Stock
The OWASP materials are fairly language neutral. The closest document to your current requirements is the Developer Guide. I am also developing a coding standard for OWASP with a likely deliverable date next year. I am looking for volunteers to help with it, so if you want a document that

Re: [SC-L] Language agnostic secure coding guidelines/standards?

2008-11-13 Thread John Steven
All, James McGovern hits the core issue with his post, though I'm not sure how many organizations are self-aware enough to realize it. In practice, his philosophical quandary plays out through a few key questions. Do I: 1) Write technology-specific best-practices or security policy? 2) Couch

Re: [SC-L] Wysopal says tipping point reached...

2008-11-06 Thread Steven M. Christey
On Tue, 4 Nov 2008, Benjamin Tomhave wrote: An interesting read. Not much to really argue with, I don't think. http://www.veracode.com/blog/2008/11/we%e2%80%99ve-reached-the-application-security-tipping-point/ Agree. But, just to bolster (if it's relevant) I'll expand on my comment to that

[SC-L] OWASP EU Summit Portugal 08: join us via WebEx on today's presentations!

2008-11-04 Thread Dinis Cruz
*UPDATED SUMMIT INFORMATION: Day 2 Wednesday *( https://www.owasp.org/index.php/OWASP_EU_Summit_2008) The summit is currently under way in Portugal and today's agenda (Wednesday) can be downloaded from here https://www.owasp.org/images/c/cb/Summit_Agenda_-_Wed.pdf (the full agenda is here

[SC-L] Wysopal says tipping point reached...

2008-11-04 Thread Benjamin Tomhave
An interesting read. Not much to really argue with, I don't think. http://www.veracode.com/blog/2008/11/we%e2%80%99ve-reached-the-application-security-tipping-point/ -- Benjamin Tomhave, MS, CISSP [EMAIL PROTECTED] LI: http://www.linkedin.com/in/btomhave Blog: http://www.secureconsulting.net/

Re: [SC-L] Cat out of the bag?

2008-10-30 Thread Jonathan Leffler
Gary McGraw [EMAIL PROTECTED] wrote: Here is a pointer to an article... I'm getting 404 errors? I backed up the chain of directories in the URL and the link is broken on the page: http://www.cigital.com/papers/ http://www.cigital.com/papers/download/dec08-static-software-gem.pdf (I also get

Re: [SC-L] Cat out of the bag?

2008-10-30 Thread ljknews
At 11:09 AM -0600 10/30/08, Jonathan Leffler wrote: Gary McGraw [EMAIL PROTECTED] wrote: Here is a pointer to an article... I'm getting 404 errors? I backed up

Re: [SC-L] Cat out of the bag?

2008-10-30 Thread Gary McGraw
This has been fixed. We just moved our web server and launched a redesigned website. The paper URL fell through the cracks. My apologies. gem company www.cigital.com podcast www.cigital.com/silverbullet blog www.cigital.com/justiceleague book www.swsec.com - Original Message - From:

Re: [SC-L] Cat out of the bag?

2008-10-30 Thread Gunnar Peterson
http://validator.w3.org shows that page has 25 HTML errors. fwiw, mac.com has 28 errors and 1 warning -gunnar p.s. my domain has 42 otoh i wrote the whole design from scratch in vi ___ Secure Coding mailing list (SC-L) SC-L@securecoding.org List

[SC-L] FINAL NOTICE: OWASP Portugal EU Summit

2008-10-28 Thread Dave Wichers
It's almost here: one of the most important events in OWASP history, the 2008 Summit! http://www.owasp.org/index.php/OWASP_EU_Summit_2008 OWASP Summit EU 2008 is a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools and documentation

[SC-L] cat out of bag: article to be published in Computer in dec

2008-10-28 Thread Gary McGraw
hi sc-l, Here is a pointer to an article that will appear in the December issue of Computer magazine. It's an introduction to code review with a static analysis tool for the How things work department. Should be useful for people just getting started thinking about code review automation.

[SC-L] The CERT C Secure Coding Standard

2008-10-20 Thread Robert Seacord
The CERT C Secure Coding Standard has been published by Addison-Wesley. More information is available at: http://www.informit.com/store/product.aspx?isbn=0321563212 Thanks to all the lurkers on SC-L who helped us develop and review the content. Thanks, rCs

Re: [SC-L] (fwd) informIT: A Software Security Framework

2008-10-16 Thread Kenneth Van Wyk
Greetings SC-L, I thought I'd chime in on this, as it very closely relates to my current book project. On Oct 15, 2008, at 8:31 AM, Gary McGraw (via Kenneth Van Wyk) wrote: Brian Chess and I have been working hard on a software security framework that we are using in a scientific study of

[SC-L] (fwd) informIT: A Software Security Framework

2008-10-15 Thread Kenneth Van Wyk
[Posted on behalf of Gary McGraw, who is without comms right now but wanted this to go out today. KRvW] hi sc-l, Brian Chess and I have been working hard on a software security framework that we are using in a scientific study of many of the top software security initiatives. Our plan of

Re: [SC-L] (fwd) informIT: A Software Security Framework

2008-10-15 Thread McGovern, James F (HTSC, IT)
The framework that Pravir put together is pretty good. Brian and I did have a conversation awhile back regarding donating it to OWASP for continuation. I plan on making our firm one of the public case studies once they contribute. -Original Message- From: [EMAIL PROTECTED]

Re: [SC-L] (fwd) informIT: A Software Security Framework

2008-10-15 Thread Gary McGraw
Super. Glad to hear that. We made some adjustments to pub's draft, but he definitely got the ball rolling. See what you think of our adjustments. gem http://www.cigital.com/~gem - Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: SecureMailing List

[SC-L] Human Elements of Security Survey

2008-10-09 Thread Sammy Migues
Hello everyone, Cigital and Safelight Security Advisors are conducting a survey to understand the practices organizations are using to deal with some of the human elements surrounding software security risk. We'd sincerely appreciate participation by this audience and invite you to take that

Re: [SC-L] Human Elements of Security Survey

2008-10-09 Thread ljknews
At 8:40 PM -0400 10/8/08, Sammy Migues wrote: JavaScript is required on SurveyMonkey. Thank you for the warning. It is amazing the number of people who presume that security people are willing to go to a website enabling cookies or JavaScript or worse. Of course it is also amazing the number

[SC-L] AdaCore - Home GNAT Pro The Tokeneer Project

2008-10-08 Thread Kenneth Van Wyk
http://www.adacore.com/home/gnatpro/tokeneer/ Excerpt: Project Summary In order to demonstrate that developing highly secure systems to the level of rigor required by the higher assurance levels of the Common Criteria is possible, the NSA (National Security Agency) asked Praxis High

Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Cassidy, Colin (GE Infra, Energy)
Hi, Something you may want to consider is how you plan on rolling this out within your organisation, where I work we have a strong culture of using and following coding standards and guidelines, so rolling out secure coding guidelines was not that difficult. That said we started small with a

Re: [SC-L] Secure Coding Standards

2008-09-29 Thread anon sec
Jim Thanks. I will add that to the list. An0n S3c On Sun, Sep 28, 2008 at 1:45 PM, Jim Manico [EMAIL PROTECTED] wrote: Andrew van der Stock is also approaching this issue from a high level at http://www.greebo.net/2008/09/24/coding-standard/ His list looks rather complete. - Jim My

Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Robert C. Seacord
An0n S3c, I see you have already found our site, but I should probably take this opportunity to provide a couple of updates. First of all, CERT has released the Java Secure Coding Standard in addition to existing secure coding standards for the C and C++ programming languages. CERT invites the

Re: [SC-L] Silver Bullet

2008-09-29 Thread Gary McGraw
Good idea James. If you take a look at the list of victims, you'll see a mix of academics, gurus, and CSOs. My next victim (Matt Bishop) is already slated. After that I will see what I can do to get a CIO for November. BTW, if anyone has suggestions along those lines, I'm all ears. I would

Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Robert Martin
As a complement to coding standards you may want to consider using the Common Weakness Enumeration (CWE) as a target list of coding, design and implementation issues you are trying to minimize through use of those coding standards. Using the CWEs can also help you to drive and correlate your

Re: [SC-L] Secure Coding Standards

2008-09-29 Thread Rohit Lists
Most of the SANS classes are network/infrastructure related, but some of them are made specifically for secure coding in a particular language. I'm an instructor and courseware developer for Security 541, the secure coding in Java / JEE class (http://www.sans.org/ns2008/description.php?tid=1937).

Re: [SC-L] Silver Bullet

2008-09-29 Thread Gary McGraw
Thanks Gunnar. I'm scheming schemes that you guys may like...hold that thought! gem On 9/29/08 2:52 PM, Gunnar Peterson [EMAIL PROTECTED] wrote: I strongly agree with James' ask. It's nice to hear from gurus, but we need to hear about real world tradeoffs too. Sausage making aint pretty (ask

Re: [SC-L] Silver Bullet

2008-09-29 Thread Gunnar Peterson
I strongly agree with James' ask. It's nice to hear from gurus, but we need to hear about real world tradeoffs too. Sausage making aint pretty (ask Hank and Ben), but it's the real world and I for one am always fascinated with what choices organizations make and why. I am also very excited to

Re: [SC-L] Silver Bullet

2008-09-29 Thread Gary McGraw
Mary ann has already been a victim. Do analysts count as practitioners?? gem - Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: SecureMailing List SC-L@securecoding.org Sent: Mon Sep 29 15:08:55 2008 Subject: Re: [SC-L] Silver Bullet Women to include are: Diana Kelley

Re: [SC-L] Secure Coding Standards

2008-09-28 Thread Bedirhan Urgun
The ones I know of from the OWASP (may not be called standard, not sure); http://www.owasp.org/index.php/Category:OWASP_Guide_Project (a little bit old, new version pending) http://www.owasp.org/index.php/OWASP_Backend_Security_Project (an owasp SoC '08 project, not finished yet but seems

Re: [SC-L] Secure Coding Standards

2008-09-28 Thread anon sec
Thanks. The OWASP Developer Guide Version 3 looks promising. Thanks again An0n S3c http://an0ns3c.blogspot.com On Sun, Sep 28, 2008 at 10:23 AM, Bedirhan Urgun [EMAIL PROTECTED] wrote: The ones I know of from the OWASP (may not be called standard, not sure);

Re: [SC-L] Secure Coding Standards

2008-09-28 Thread Jim Manico
Andrew van der Stock is also approaching this issue from a high level at http://www.greebo.net/2008/09/24/coding-standard/ His list looks rather complete. - Jim My thoughts... Your standards really need more context - the standards for Java thick client vs Java server/web code would be

[SC-L] informIT feed

2008-09-25 Thread Gary McGraw
hi sc-l, As many of you know, I have been writing a security column since October 2004. I started with Network Magazine, and stayed with CMP through the launch of darkreading.com. In April, I moved the column to informIT. All of the columns can be found here:

[SC-L] SD West CFP

2008-09-19 Thread Gary McGraw
hi sc-l, Some number of years ago I started giving talks at SD West in order to up the level of exposure that software security gets at actual development conferences. After a few years of that, I helped to rejigger the entire security track to be about software security. These days the

[SC-L] Free CBT: PCI DSS for Developers

2008-09-19 Thread Roman H.
Hi SC-L, We put out a little freebie here that you might find useful in your dev shop if you are subject to PCI. Feedback is welcome: Foundstone Professional Services, a Division of McAfee, has recently released a free 2-hour computer based training entitled PCI DSS v1.1 Compliance for

[SC-L] News flurry: informIT, Java Rules, and Microsoft's SDL Pro network

2008-09-19 Thread Gary McGraw
hi sc-l, It's a busy week for announcements of some things that have been brewing at Cigital for a while. The first and most relevant to sc-l is a set of Fortify rules that we released today. We've been building and using custom rules for many of the code scanning tools for a while now, and

[SC-L] RUXCON 2008 Final Call For Papers

2008-09-02 Thread cfp
RUXCON 2008 FINAL CALL FOR PAPERS Ruxcon would like to announce the final call for papers for the fifth annual Ruxcon conference. This year the conference will take place over the weekend of 29th to the 30th of November. As with previous years, Ruxcon will be held at the University of

[SC-L] Building Secure Web Applications Training in Minneapolis

2008-08-27 Thread Gunnar Peterson
Ken van Wyk and I are teaching Building Secure Web Applications in Java/J2EE in Minneapolis, September 30 - October 2. The summary is below, if you would like more info please let me know. More details to follow. Building Secure Web Applications in Java/J2EE Course Description This course

Re: [SC-L] Survey

2008-08-26 Thread ljknews
At 7:21 PM -0400 8/24/08, [EMAIL PROTECTED] wrote: The publisher of the web page is not in the security business, they are in the publishing business. But how can I respect their publishing expertise if they fail a simple automatic test. Well, I guess that most of web developers are not

Re: [SC-L] Survey

2008-08-26 Thread Romain Gaucher
ljknews wrote: My experience is that browsers succeed on standards-compliant pages. Standard compliance should be the first test. If it subsequently fails on a particular browser, it is a browser defect which may or may not be of interest to the publisher. Agreed that, talking only about

Re: [SC-L] Survey

2008-08-26 Thread Jim Manico
How does xHTML help stop access control vulnerabilities? Authorization issues? CSRF problems? And who is to say that an attacker cannot still do server side injection (sql injection, ldap injection) or timing attacks? I'm just getting started. xHTML is only one tiny piece of the outbound

Re: [SC-L] Survey

2008-08-26 Thread ljknews
At 9:12 AM -1000 8/26/08, Jim Manico wrote: How does xHTML help stop access control vulnerabilities? Authorization issues? CSRF problems? It is indicative of the caliber of the people who built the site. My immediate interest is that validation combats browser crashes. I am not interested

[SC-L] Survey thread killer

2008-08-26 Thread Kenneth Van Wyk
Hi SC-Lers, With these last 2 messages, let's kill off the survey thread, please. I allowed it to continue on--probably longer than I should have-- because there seemed to be valid and interesting points being made on both sides of the debate. But that seems to have run its course, so

Re: [SC-L] Survey

2008-08-26 Thread Paco Hope
On 8/26/08 3:03 PM, ljknews [EMAIL PROTECTED] wrote: I am not interested in dealing with people who cannot get the simple things right. Right. Because we all know that the HTML, xHTML, DHTML, CSS, and the related standards are really simple. Nothing to it. Writing valid HTML in our

Re: [SC-L] Survey

2008-08-26 Thread Jim Manico
Making a very complex Ajax rich-client web application perfectly xHTML valid is not easy. Most of the enterprise world goes way beyond simple flat file xHTML. Add in (the real reality of) highly database-driven dynamically generated javascript/ajax heavy pages, and I continue to conjecture that

Re: [SC-L] Survey

2008-08-24 Thread Paco Hope
Clearly the survey's content is only of interest if the HTML validates. On Aug 24, 2008, at 9:47 AM, ljknews [EMAIL PROTECTED] wrote: At 2:43 PM -0400 8/22/08, Gary McGraw wrote: BankInfoSecurity is running a survey on software security that some of you may be interested in participating in.

[SC-L] Survey

2008-08-23 Thread Gary McGraw
hi sc-l, BankInfoSecurity is running a survey on software security that some of you may be interested in participating in. Try it yourself here: http://www.bankinfosecurity.com/surveys.php?surveyID=1 I just ran through the survey. All told it only takes a couple of minutes. I found the

[SC-L] Silver Bullet 29: Dennis Fisher

2008-08-19 Thread Gary McGraw
hi sc-l, The current episode of Silver Bullet was just released today. http://www.cigital.com/silverbullet/show-029/ In this episode, I chat with Dennis Fisher who has been covering security for many many years. I've known Dennis for a long time, and he has always been very good at his job.

[SC-L] New podcast: Techtarget

2008-08-02 Thread Gary McGraw
hi sc-l, Techtarget just launched a podcast series (if you can call one podcast a series!) hosted by Dennis Fisher. Dennis conned me into being the first victim. We spent the entire episode talking about software security.

[SC-L] Application Security Conference

2008-07-21 Thread Tom Brennan
The OWASP 2008 Application Security Conference is September 24th-25th 2008 in New York City. (Less than 60 days away) With over 50 APPSEC speakers, 6 training classes and a Capture the Flag event. This event is the largest web application security focused conference anywhere, don't miss it!
