SC-L Digest, Vol 3, Issue 81

[jgrembi at gmail.com (Jason Grembi)]

Gary/James

As an application developer, who has turned into a secure developer (thanks
Ken at Secure University), I can attest that not a whole lot of 'decision
makers' understand what they're up against (vulnerability speaking).  Most
my time is spent training and explaining; then I use tools to verify my
lectures.  Once the 'decision makers' see the results these tools produce,
they usually green light the use of tools and time spent in
design/development.

In my experience, security issues, so far, have came from the ground up
(programmers) because people at the top have a hard time understanding the
how-to's.  It's going to take a few more years for security factors to rank
up there with quality but the industry is moving that way.

Keep the movement going, these emails and silverbullet podcasts do help.


Jason Grembi
Web Developer


On 4/24/07, sc-l-request at securecoding.org <sc-l-request at securecoding.org>
wrote:
> Send SC-L mailing list submissions to
>         sc-l at securecoding.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://krvw.com/mailman/listinfo/sc-l
> or, via email, send a message with subject or body 'help' to
>         sc-l-request at securecoding.org
>
> You can reach the person managing the list at
>         sc-l-owner at securecoding.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of SC-L digest..."
>
>
> Today's Topics:
>
>    1. Re: How big is the market? (McGovern, James F (HTSC, IT))
>    2. Re: How big is the market? (Gary McGraw)
>    3. Re: How big is the market? (McGovern, James F (HTSC, IT))
>    4. Re: How big is the market? (SC-L Subscriber Dave Aronson)
>    5. NYC Security (McGovern, James F (HTSC, IT))
>    6. Magazines (McGovern, James F (HTSC, IT))
>    7. MetriCon 2.0 CFP (Gunnar Peterson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 24 Apr 2007 11:17:20 -0400
> From: "McGovern, James F \(HTSC, IT\)"
>         <James.McGovern at thehartford.com>
> Subject: Re: [SC-L] How big is the market?
> To: "Gary McGraw" <gem at cigital.com>
> Cc: SC-L at securecoding.org
> Message-ID:
>         <773F863A6009244B87E6E866AFC7DB460399994A at AD1HFDEXC309.ad1.prod>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Gary, I do at some level agree in terms of quality of publication. My
> perspective though is from an large enterprise perspective whose primary
> business model isn't about technology and the magazines that folks do read
> especially in the development community. A quick informal survey tells me
> that absolutely zero of my peers read IEEE (note I am a subscriber).
>
> Part of the problem may be the fact that us enterprise folks are bombarded
> with free magazines and cannot justify spending money to subscribe to ones
> such as the IEEE. I am merely suggesting some diversification for folks that
> don't pay for magazines.
>
> -----Original Message-----
> From: Gary McGraw [mailto:gem at cigital.com]
> Sent: Tuesday, April 24, 2007 10:50 AM
> To: McGovern, James F (HTSC, IT)
> Cc: SC-L at securecoding.org
> Subject: RE: [SC-L] How big is the market?
>
>
> I'm sorry James, but I have to respectfully disagree about the vendor
> thing.  Perhaps the tools vendors target the "information protection"
> people, but at Cigital we sell services to software execs (in huge
> companies) who are way up the food chain.
>
> Software security is small, and we need to emphasize the growth and get
> people interested.  This goes for everyone who reads this list.  To
> continue our impressive growth as a field, we need to continue to build.
>
> I do agree with you that people need to write more for developers (but I
> hope they pick better places than JDJ to publish in).  Toward that end,
> check out the "Building Security In" department in IEEE Security &
> Privacy magazine <http://www.computer.org/portal/site/security/>.  Also
> check out Brian Chess's new book "Secure Programming with Static
> Analysis" when it comes out in June.  However, for the most part, it's
> critical to understand that workaday developers can't wrangle enough
> budget to tackle software security.
>
> BTW, I posted a reprise to the darkreading column on justice league
> today:
> http://www.cigital.com/justiceleague/
> http://www.darkreading.com/document.asp?doc_id=122253&WT.svl=column1_1
>
> All told, I am very optimistic about our field, but don't think we can
> rest on our laurels at all yet.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
> *************************************************************************
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information.  If you are not the intended
> recipient, any use, copying, disclosure, dissemination or distribution is
> strictly prohibited.  If you are not the intended recipient, please notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> *************************************************************************
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 24 Apr 2007 11:23:51 -0400
> From: Gary McGraw <gem at cigital.com>
> Subject: Re: [SC-L] How big is the market?
> To: "McGovern, James F \(HTSC, IT\)" <James.McGovern at thehartford.com>
> Cc: SC-L at securecoding.org
> Message-ID:
>         <83B3489DF1064F4E90218770D953D36119737B at va-mail.cigital.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Got it.  I like dr. dobbs OK.  Do you see that one around?  It has
> software security content every once in a while.  What others do you
> think would be a good target?
>
> What do the rest of you guys think?
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
>
> -----Original Message-----
> From: McGovern, James F (HTSC, IT)
> [mailto:James.McGovern at thehartford.com]
> Sent: Tuesday, April 24, 2007 11:17 AM
> To: Gary McGraw
> Cc: SC-L at securecoding.org
> Subject: RE: [SC-L] How big is the market?
>
> Gary, I do at some level agree in terms of quality of publication. My
> perspective though is from an large enterprise perspective whose primary
> business model isn't about technology and the magazines that folks do
> read especially in the development community. A quick informal survey
> tells me that absolutely zero of my peers read IEEE (note I am a
> subscriber).
>
> Part of the problem may be the fact that us enterprise folks are
> bombarded with free magazines and cannot justify spending money to
> subscribe to ones such as the IEEE. I am merely suggesting some
> diversification for folks that don't pay for magazines.
>
> -----Original Message-----
> From: Gary McGraw [mailto:gem at cigital.com]
> Sent: Tuesday, April 24, 2007 10:50 AM
> To: McGovern, James F (HTSC, IT)
> Cc: SC-L at securecoding.org
> Subject: RE: [SC-L] How big is the market?
>
>
> I'm sorry James, but I have to respectfully disagree about the vendor
> thing.  Perhaps the tools vendors target the "information protection"
> people, but at Cigital we sell services to software execs (in huge
> companies) who are way up the food chain.
>
> Software security is small, and we need to emphasize the growth and get
> people interested.  This goes for everyone who reads this list.  To
> continue our impressive growth as a field, we need to continue to build.
>
> I do agree with you that people need to write more for developers (but I
> hope they pick better places than JDJ to publish in).  Toward that end,
> check out the "Building Security In" department in IEEE Security &
> Privacy magazine <http://www.computer.org/portal/site/security/>.  Also
> check out Brian Chess's new book "Secure Programming with Static
> Analysis" when it comes out in June.  However, for the most part, it's
> critical to understand that workaday developers can't wrangle enough
> budget to tackle software security.
>
> BTW, I posted a reprise to the darkreading column on justice league
> today:
> http://www.cigital.com/justiceleague/
> http://www.darkreading.com/document.asp?doc_id=122253&WT.svl=column1_1
>
> All told, I am very optimistic about our field, but don't think we can
> rest on our laurels at all yet.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
> ************************************************************************
> *
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information.  If you are not the intended
> recipient, any use, copying, disclosure, dissemination or distribution
> is
> strictly prohibited.  If you are not the intended recipient, please
> notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> ************************************************************************
> *
>
>
>
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 24 Apr 2007 11:48:25 -0400
> From: "McGovern, James F \(HTSC, IT\)"
>         <James.McGovern at thehartford.com>
> Subject: Re: [SC-L] How big is the market?
> To: "Gary McGraw" <gem at cigital.com>
> Cc: SC-L at securecoding.org
> Message-ID:
>         <773F863A6009244B87E6E866AFC7DB4603999953 at AD1HFDEXC309.ad1.prod>
> Content-Type: text/plain;       charset="iso-8859-1"
>
> I just conducted a super-official study of what my peers are reading by
> walking a total of five aisles within a very large building. Here are a list
> of magazines on folks desk:
>
> - Infoworld
> - Java Developers Journal
> - Insurance & Technology
> - DMReview
> - Intelligent Enterprise
> - CIO
> - Insurance Networking News
>
> Likewise, I asked several folks as to whether they subscribe to Dr. Dobbs
> and the answer was zero. Interestingly enough, I also checked with other
> folks and there seems to be more memberships in our architecture group with
> the ACM over IEEE.
>
> -----Original Message-----
> From: Gary McGraw [mailto:gem at cigital.com]
> Sent: Tuesday, April 24, 2007 11:24 AM
> To: McGovern, James F (HTSC, IT)
> Cc: SC-L at securecoding.org
> Subject: RE: [SC-L] How big is the market?
>
>
> Got it.  I like dr. dobbs OK.  Do you see that one around?  It has
> software security content every once in a while.  What others do you
> think would be a good target?
>
> What do the rest of you guys think?
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
>
> -----Original Message-----
> From: McGovern, James F (HTSC, IT)
> [mailto:James.McGovern at thehartford.com]
> Sent: Tuesday, April 24, 2007 11:17 AM
> To: Gary McGraw
> Cc: SC-L at securecoding.org
> Subject: RE: [SC-L] How big is the market?
>
> Gary, I do at some level agree in terms of quality of publication. My
> perspective though is from an large enterprise perspective whose primary
> business model isn't about technology and the magazines that folks do
> read especially in the development community. A quick informal survey
> tells me that absolutely zero of my peers read IEEE (note I am a
> subscriber).
>
> Part of the problem may be the fact that us enterprise folks are
> bombarded with free magazines and cannot justify spending money to
> subscribe to ones such as the IEEE. I am merely suggesting some
> diversification for folks that don't pay for magazines.
>
> -----Original Message-----
> From: Gary McGraw [mailto:gem at cigital.com]
> Sent: Tuesday, April 24, 2007 10:50 AM
> To: McGovern, James F (HTSC, IT)
> Cc: SC-L at securecoding.org
> Subject: RE: [SC-L] How big is the market?
>
>
> I'm sorry James, but I have to respectfully disagree about the vendor
> thing.  Perhaps the tools vendors target the "information protection"
> people, but at Cigital we sell services to software execs (in huge
> companies) who are way up the food chain.
>
> Software security is small, and we need to emphasize the growth and get
> people interested.  This goes for everyone who reads this list.  To
> continue our impressive growth as a field, we need to continue to build.
>
> I do agree with you that people need to write more for developers (but I
> hope they pick better places than JDJ to publish in).  Toward that end,
> check out the "Building Security In" department in IEEE Security &
> Privacy magazine <http://www.computer.org/portal/site/security/>.  Also
> check out Brian Chess's new book "Secure Programming with Static
> Analysis" when it comes out in June.  However, for the most part, it's
> critical to understand that workaday developers can't wrangle enough
> budget to tackle software security.
>
> BTW, I posted a reprise to the darkreading column on justice league
> today:
> http://www.cigital.com/justiceleague/
> http://www.darkreading.com/document.asp?doc_id=122253&WT.svl=column1_1
>
> All told, I am very optimistic about our field, but don't think we can
> rest on our laurels at all yet.
>
> gem
>
> company www.cigital.com
> podcast www.cigital.com/silverbullet
> blog www.cigital.com/justiceleague
> book www.swsec.com
>
>
> ************************************************************************
> *
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information.  If you are not the intended
> recipient, any use, copying, disclosure, dissemination or distribution
> is
> strictly prohibited.  If you are not the intended recipient, please
> notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> ************************************************************************
> *
>
>
>
>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 24 Apr 2007 17:06:54 +0000
> From: "SC-L Subscriber Dave Aronson"
>         <secureCoding2dave at davearonson.com>
> Subject: Re: [SC-L] How big is the market?
> To: SC-L at securecoding.org
> Message-ID: <W343211178558761177434414 at webmail1>
> Content-Type: text/plain; charset="us-ascii"
>
> McGovern, James F \(HTSC, IT\) [mailto:James.McGovern at thehartford.com]
> writes:
>
> > I just conducted a super-official study of what my peers are reading by
> > walking a total of five aisles within a very large building. Here are a
> > list of magazines on folks desk:
> >
> > - Infoworld
> > - Java Developers Journal
> > - Insurance & Technology
> > - DMReview
> > - Intelligent Enterprise
> > - CIO
> > - Insurance Networking News
>
> I'd also suggest Software Development, and maybe Information Security.
>
> -Dave
>
> --
> Dave Aronson
> "Specialization is for insects."  -Heinlein
> Work: http://www.davearonson.com/
> Play: http://www.davearonson.net/
>
>
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 24 Apr 2007 14:27:45 -0400
> From: "McGovern, James F \(HTSC, IT\)"
>         <James.McGovern at thehartford.com>
> Subject: [SC-L] NYC Security
> Cc: SC-L at securecoding.org
> Message-ID:
>         <773F863A6009244B87E6E866AFC7DB460399995F at AD1HFDEXC309.ad1.prod>
> Content-Type: text/plain; charset="iso-8859-1"
>
> FYI. Awhile back I mentioned the Technology Managers Forum in which I am a
> participant. The agenda is finalized and secure coding practices was the
> number one topic: http://www.techforum.com/sf2007_1/index.html For product
> vendors and consulting firms that want access to key decision makers, this
> would be a great opportunity to get a booth.
>
> Anyway, hope to run across folks from this list here. Nothing is better
> than face-to-face conversations...
>
>
> *************************************************************************
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information.  If you are not the intended
> recipient, any use, copying, disclosure, dissemination or distribution is
> strictly prohibited.  If you are not the intended recipient, please notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> *************************************************************************
>
>
>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 24 Apr 2007 16:26:37 -0400
> From: "McGovern, James F \(HTSC, IT\)"
>         <James.McGovern at thehartford.com>
> Subject: [SC-L] Magazines
> Cc: SC-L at securecoding.org
> Message-ID:
>         <773F863A6009244B87E6E866AFC7DB4603999963 at AD1HFDEXC309.ad1.prod>
> Content-Type: text/plain; charset="iso-8859-1"
>
> FYI. Other magazines read within a large enterprise:
>
> - MSDN Magazine
> - SC Magazine
> - Oracle's Profit Magazine
>
>
> *************************************************************************
> This communication, including attachments, is
> for the exclusive use of addressee and may contain proprietary,
> confidential and/or privileged information.  If you are not the intended
> recipient, any use, copying, disclosure, dissemination or distribution is
> strictly prohibited.  If you are not the intended recipient, please notify
> the sender immediately by return e-mail, delete this communication and
> destroy all copies.
> *************************************************************************
>
>
>
>
> ------------------------------
>
> Message: 7
> Date: Tue, 24 Apr 2007 16:45:31 -0500
> From: Gunnar Peterson <gunnar at arctecgroup.net>
> Subject: [SC-L] MetriCon 2.0 CFP
> To: Secure Mailing List <SC-L at securecoding.org>
> Message-ID: <C253E4AB.90DA%gunnar at arctecgroup.net>
> Content-Type: text/plain;       charset="ISO-8859-1"
>
> Last year's conference, MetriCon 1.0 featured a software security metrics
> track ( http://securitymetrics.org/content/Wiki.jsp?page=Metricon1.0),
> including:
>
> * A Metric for Evaluating Static Analysis Tools - Chess & Tsipenyuk,
> Fortify
> * An Attack Surface Metric - Manadhata & Wing, Carnegie-Mellon
> * "Good enough" Metrics - Epstein, WebMethods
> * Software Security Patterns and Risk - Heyman & Huygens, U of Leuven
> * Code Metrics - Chandra, Secure Software
>
> -gp
>
> Second Workshop on Security Metrics (MetriCon 2.0) ? Call for Papers
> MetriCon 2.0 CFP
>
> August 7, 2007 Boston, MA
>
> Overview
>
> Do you cringe at the subjectivity applied to security in every manner? If
> so, MetriCon 2.0 may be your antidote to change security from an artistic
> "matter of opinion" into an objective, quantifiable science. The time for
> adjectives and adverbs has gone; the time for hard facts and data has
> come.
>
> MetriCon 2.0 is intended as a forum for lively, practical discussion in
> the
> area of security metrics. It is a forum for quantifiable approaches and
> results to problems afflicting information security today, with a bias
> towards practical, specific implementations. Topics and presentations will
> be selected for their potential to stimulate discussion in the Workshop.
>
> MetriCon 2.0 will be a one-day event, Tuesday, August 7, 2007, co-located
> with the 16th USENIX Security Symposium in Boston, MA, USA
> (http://www.usenix.org/events/sec07/). Beginning first thing in the
> morning,
> with meals taken in the meeting room, and extending into the evening.
> Attendance will be by invitation and limited to 60 participants. All
> participants will be expected to "come with findings" and be willing to
> address the group in some fashion, formally or not. Preference given to
> the
> authors of position papers/presentations who have actual work in progress.
>
> Each presenter will have 10-15 minutes to present his or her idea,
> followed
> by 15-20 minutes of discussion with the workshop participants. Panels and
> groups of related presentations may be proposed to present different
> approaches to selected topics, and will be steered by what sorts of
> proposals come in response to this Call.
>
>
> Goals and Topics
>
> The goal of the workshop is to stimulate discussion of and thinking about
> security metrics and to do so in ways that lead to realistic, early
> results
> of lasting value. Potential attendees are invited to submit position
> papers
> to be shared with all. Such position papers are expected to address
> security
> metrics in one of the following categories:
>
> Benchmarking
> Empirical Studies
> Metrics Definitions
> Financial Planning
> Security/Risk Modeling
> Tools, Technologies, Tips, and Tricks
> Visualization
> Practical implementations, real world case studies, and detailed models
> will
> be preferred over broader models or general ideas.
>
> How to Participate
>
> Submit a short position paper or description of work done/ongoing. Your
> submission must be no longer than five(5) paragraphs or presentation
> slides.
> Author names and affiliations should appear first in/on the submission.
> Submissions may be in PDF, PowerPoint, HTML, or plaintext email and must
> be
> submitted to MetriCon AT securitymetrics.org.
>
> Presenters will be notified of acceptance by June 22, 2007 and expected to
> provide materials for distribution by July 22, 2007. All slides and
> position
> papers will be made available to participants at the workshop. No formal
> proceedings are intended. Plagiarism constitutes dishonesty. The
> organizers
> of this Workshop as well as USENIX prohibit these practices and will take
> appropriate action if dishonesty of this sort is found. Submission of
> recent, previously published work as well as simultaneous submissions to
> multiple venues is acceptable but please so indicate in your proposal.
>
> Location
>
> MetriCon 2.0 will be co-located with the 16th USENIX Security Symposium
> (Security ?07). (http://www.usenix.org/events/sec07/)
> Cost
>
> $200 all-inclusive of meeting space, materials preparation, and meals for
> the day.
> Important Dates
>
> Requests to participate: by May 11, 2007
> Notification of acceptance: by June 22, 2007
> Materials for distribution: by July 22, 2007
> Workshop Organizers
>
> Fred Cohen, Fred Cohen & Associates
> Jeremy Epstein, webMethods
> Dan Geer, Geer Risk Services
> Andrew Jaquith, Yankee Group
> Elizabeth Nichols, ClearPoint Metrics, Co-Chair
> Gunnar Peterson, Arctec Group, Co-Chair
> Russell Cameron Thomas, Meritology
>
>
>
>
>
> ------------------------------
>
> _______________________________________________
> SC-L mailing list
> SC-L at securecoding.org
> http://krvw.com/mailman/listinfo/sc-l
>
>
> End of SC-L Digest, Vol 3, Issue 81
> ***********************************



-- 
THE INFORMATION CONTAINED IN THIS MESSAGE AND ANY ATTACHMENT MAY BE
PRIVILEGED, CONFIDENTIAL, PROPRIETARY OR OTHERWISE PROTECTED FROM
DISCLOSURE. If the reader of this message is not the intended recipient, you
are hereby notified that any dissemination, distribution, copying or use of
this message and any attachment is strictly prohibited. If you have received
this message in error, please notify us immediately by replying to the
message and permanently delete it from your computer and destroy any
printout thereof.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070424/43ac9da4/attachment-0001.html