Secure Coding mailing list archives
SC-L Digest, Vol 3, Issue 81
From: jgrembi at gmail.com (Jason Grembi)
Date: Tue, 24 Apr 2007 23:48:38 -0400
Gary/James

As an application developer who has turned into a secure developer (thanks Ken at Secure University), I can attest that not a whole lot of 'decision makers' understand what they're up against (vulnerability speaking). Most of my time is spent training and explaining; then I use tools to verify my lectures. Once the 'decision makers' see the results these tools produce, they usually green light the use of tools and time spent in design/development.

In my experience, security issues, so far, have come from the ground up (programmers) because people at the top have a hard time understanding the how-to's. It's going to take a few more years for security factors to rank up there with quality, but the industry is moving that way. Keep the movement going; these emails and silverbullet podcasts do help.

Jason Grembi
Web Developer

On 4/24/07, sc-l-request at securecoding.org <sc-l-request at securecoding.org> wrote:
Send SC-L mailing list submissions to
    sc-l at securecoding.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://krvw.com/mailman/listinfo/sc-l
or, via email, send a message with subject or body 'help' to
    sc-l-request at securecoding.org

You can reach the person managing the list at
    sc-l-owner at securecoding.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of SC-L digest..."

Today's Topics:

   1. Re: How big is the market? (McGovern, James F (HTSC, IT))
   2. Re: How big is the market? (Gary McGraw)
   3. Re: How big is the market? (McGovern, James F (HTSC, IT))
   4. Re: How big is the market? (SC-L Subscriber Dave Aronson)
   5. NYC Security (McGovern, James F (HTSC, IT))
   6. Magazines (McGovern, James F (HTSC, IT))
   7. MetriCon 2.0 CFP (Gunnar Peterson)

----------------------------------------------------------------------

Message: 1
Date: Tue, 24 Apr 2007 11:17:20 -0400
From: "McGovern, James F \(HTSC, IT\)" <James.McGovern at thehartford.com>
Subject: Re: [SC-L] How big is the market?
To: "Gary McGraw" <gem at cigital.com>
Cc: SC-L at securecoding.org
Message-ID: <773F863A6009244B87E6E866AFC7DB460399994A at AD1HFDEXC309.ad1.prod>
Content-Type: text/plain; charset="iso-8859-1"

Gary, I do at some level agree in terms of quality of publication. My perspective though is from a large enterprise perspective whose primary business model isn't about technology and the magazines that folks do read, especially in the development community. A quick informal survey tells me that absolutely zero of my peers read IEEE (note I am a subscriber). Part of the problem may be the fact that us enterprise folks are bombarded with free magazines and cannot justify spending money to subscribe to ones such as the IEEE. I am merely suggesting some diversification for folks that don't pay for magazines.

-----Original Message-----
From: Gary McGraw [mailto:gem at cigital.com]
Sent: Tuesday, April 24, 2007 10:50 AM
To: McGovern, James F (HTSC, IT)
Cc: SC-L at securecoding.org
Subject: RE: [SC-L] How big is the market?

I'm sorry James, but I have to respectfully disagree about the vendor thing. Perhaps the tools vendors target the "information protection" people, but at Cigital we sell services to software execs (in huge companies) who are way up the food chain. Software security is small, and we need to emphasize the growth and get people interested. This goes for everyone who reads this list. To continue our impressive growth as a field, we need to continue to build.

I do agree with you that people need to write more for developers (but I hope they pick better places than JDJ to publish in). Toward that end, check out the "Building Security In" department in IEEE Security & Privacy magazine <http://www.computer.org/portal/site/security/>. Also check out Brian Chess's new book "Secure Programming with Static Analysis" when it comes out in June. However, for the most part, it's critical to understand that workaday developers can't wrangle enough budget to tackle software security.

BTW, I posted a reprise to the darkreading column on justice league today:
http://www.cigital.com/justiceleague/
http://www.darkreading.com/document.asp?doc_id=122253&WT.svl=column1_1

All told, I am very optimistic about our field, but don't think we can rest on our laurels at all yet.

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

------------------------------

Message: 2
Date: Tue, 24 Apr 2007 11:23:51 -0400
From: Gary McGraw <gem at cigital.com>
Subject: Re: [SC-L] How big is the market?
To: "McGovern, James F \(HTSC, IT\)" <James.McGovern at thehartford.com>
Cc: SC-L at securecoding.org
Message-ID: <83B3489DF1064F4E90218770D953D36119737B at va-mail.cigital.com>
Content-Type: text/plain; charset="us-ascii"

Got it. I like Dr. Dobb's OK. Do you see that one around? It has software security content every once in a while. What others do you think would be a good target? What do the rest of you guys think?

gem
company www.cigital.com
podcast www.cigital.com/silverbullet
blog www.cigital.com/justiceleague
book www.swsec.com

------------------------------

Message: 3
Date: Tue, 24 Apr 2007 11:48:25 -0400
From: "McGovern, James F \(HTSC, IT\)" <James.McGovern at thehartford.com>
Subject: Re: [SC-L] How big is the market?
To: "Gary McGraw" <gem at cigital.com>
Cc: SC-L at securecoding.org
Message-ID: <773F863A6009244B87E6E866AFC7DB4603999953 at AD1HFDEXC309.ad1.prod>
Content-Type: text/plain; charset="iso-8859-1"

I just conducted a super-official study of what my peers are reading by walking a total of five aisles within a very large building. Here is a list of magazines on folks' desks:

- Infoworld
- Java Developers Journal
- Insurance & Technology
- DMReview
- Intelligent Enterprise
- CIO
- Insurance Networking News

Likewise, I asked several folks as to whether they subscribe to Dr. Dobb's and the answer was zero. Interestingly enough, I also checked with other folks and there seem to be more memberships in our architecture group with the ACM over IEEE.

------------------------------

Message: 4
Date: Tue, 24 Apr 2007 17:06:54 +0000
From: "SC-L Subscriber Dave Aronson" <secureCoding2dave at davearonson.com>
Subject: Re: [SC-L] How big is the market?
To: SC-L at securecoding.org
Message-ID: <W343211178558761177434414 at webmail1>
Content-Type: text/plain; charset="us-ascii"

McGovern, James F \(HTSC, IT\) [mailto:James.McGovern at thehartford.com] writes:

> I just conducted a super-official study of what my peers are reading by walking a total of five aisles within a very large building. Here is a list of magazines on folks' desks:
> - Infoworld
> - Java Developers Journal
> - Insurance & Technology
> - DMReview
> - Intelligent Enterprise
> - CIO
> - Insurance Networking News

I'd also suggest Software Development, and maybe Information Security.

-Dave

--
Dave Aronson
"Specialization is for insects."
    -Heinlein
Work: http://www.davearonson.com/
Play: http://www.davearonson.net/

------------------------------

Message: 5
Date: Tue, 24 Apr 2007 14:27:45 -0400
From: "McGovern, James F \(HTSC, IT\)" <James.McGovern at thehartford.com>
Subject: [SC-L] NYC Security
Cc: SC-L at securecoding.org
Message-ID: <773F863A6009244B87E6E866AFC7DB460399995F at AD1HFDEXC309.ad1.prod>
Content-Type: text/plain; charset="iso-8859-1"

FYI. Awhile back I mentioned the Technology Managers Forum in which I am a participant. The agenda is finalized and secure coding practices was the number one topic:
http://www.techforum.com/sf2007_1/index.html

For product vendors and consulting firms that want access to key decision makers, this would be a great opportunity to get a booth. Anyway, hope to run across folks from this list here. Nothing is better than face-to-face conversations...

------------------------------

Message: 6
Date: Tue, 24 Apr 2007 16:26:37 -0400
From: "McGovern, James F \(HTSC, IT\)" <James.McGovern at thehartford.com>
Subject: [SC-L] Magazines
Cc: SC-L at securecoding.org
Message-ID: <773F863A6009244B87E6E866AFC7DB4603999963 at AD1HFDEXC309.ad1.prod>
Content-Type: text/plain; charset="iso-8859-1"

FYI. Other magazines read within a large enterprise:

- MSDN Magazine
- SC Magazine
- Oracle's Profit Magazine

------------------------------

Message: 7
Date: Tue, 24 Apr 2007 16:45:31 -0500
From: Gunnar Peterson <gunnar at arctecgroup.net>
Subject: [SC-L] MetriCon 2.0 CFP
To: Secure Mailing List <SC-L at securecoding.org>
Message-ID: <C253E4AB.90DA%gunnar at arctecgroup.net>
Content-Type: text/plain; charset="ISO-8859-1"

Last year's conference, MetriCon 1.0, featured a software security metrics track (http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0), including:

* A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk, Fortify
* An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
* "Good enough" Metrics - Epstein, WebMethods
* Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
* Code Metrics - Chandra, Secure Software

-gp

Second Workshop on Security Metrics (MetriCon 2.0) - Call for Papers

MetriCon 2.0 CFP
August 7, 2007
Boston, MA

Overview

Do you cringe at the subjectivity applied to security in every manner? If so, MetriCon 2.0 may be your antidote to change security from an artistic "matter of opinion" into an objective, quantifiable science. The time for adjectives and adverbs has gone; the time for hard facts and data has come. MetriCon 2.0 is intended as a forum for lively, practical discussion in the area of security metrics.
It is a forum for quantifiable approaches and results to problems afflicting information security today, with a bias towards practical, specific implementations. Topics and presentations will be selected for their potential to stimulate discussion in the Workshop.

MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located with the 16th USENIX Security Symposium in Boston, MA, USA (http://www.usenix.org/events/sec07/), beginning first thing in the morning, with meals taken in the meeting room, and extending into the evening. Attendance will be by invitation and limited to 60 participants. All participants will be expected to "come with findings" and be willing to address the group in some fashion, formally or not. Preference given to the authors of position papers/presentations who have actual work in progress. Each presenter will have 10-15 minutes to present his or her idea, followed by 15-20 minutes of discussion with the workshop participants. Panels and groups of related presentations may be proposed to present different approaches to selected topics, and will be steered by what sorts of proposals come in response to this Call.

Goals and Topics

The goal of the workshop is to stimulate discussion of and thinking about security metrics and to do so in ways that lead to realistic, early results of lasting value. Potential attendees are invited to submit position papers to be shared with all. Such position papers are expected to address security metrics in one of the following categories:

    Benchmarking
    Empirical Studies
    Metrics Definitions
    Financial Planning
    Security/Risk Modeling
    Tools, Technologies, Tips, and Tricks
    Visualization

Practical implementations, real world case studies, and detailed models will be preferred over broader models or general ideas.

How to Participate

Submit a short position paper or description of work done/ongoing. Your submission must be no longer than five (5) paragraphs or presentation slides. Author names and affiliations should appear first in/on the submission. Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must be submitted to MetriCon AT securitymetrics.org. Presenters will be notified of acceptance by June 22, 2007 and expected to provide materials for distribution by July 22, 2007. All slides and position papers will be made available to participants at the workshop. No formal proceedings are intended.

Plagiarism constitutes dishonesty. The organizers of this Workshop as well as USENIX prohibit these practices and will take appropriate action if dishonesty of this sort is found. Submission of recent, previously published work as well as simultaneous submissions to multiple venues is acceptable, but please so indicate in your proposal.

Location

MetriCon 2.0 will be co-located with the 16th USENIX Security Symposium (Security '07). (http://www.usenix.org/events/sec07/)

Cost

$200 all-inclusive of meeting space, materials preparation, and meals for the day.

Important Dates

Requests to participate: by May 11, 2007
Notification of acceptance: by June 22, 2007
Materials for distribution: by July 22, 2007

Workshop Organizers

Fred Cohen, Fred Cohen & Associates
Jeremy Epstein, webMethods
Dan Geer, Geer Risk Services
Andrew Jaquith, Yankee Group
Elizabeth Nichols, ClearPoint Metrics, Co-Chair
Gunnar Peterson, Arctec Group, Co-Chair
Russell Cameron Thomas, Meritology

------------------------------

_______________________________________________
SC-L mailing list
SC-L at securecoding.org
http://krvw.com/mailman/listinfo/sc-l

End of SC-L Digest, Vol 3, Issue 81
***********************************