RE: Microsoft Writing Secure Code
2005-01-04 Michael Howard (mikehow microsoft com)
If you want a book on writing secure code then, "designing secure web apps" is *Not* the book you need (hence the title!) you need "Writing Secure Code 2nd Ed", (hence the title :) [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp [Protect Your PC] http://www.microsoft.com/prote [...]

RE: Microsoft Writing Secure Code
2005-01-04 Damhuis Anton (DamhuisA aforbes co za) (1 replies)
I have read the book "Designing Secure Web-based Applications", found it quite informative but also somewhat disappointing. I was (at the time) looking for a book that assists with "writing secure code". Thus how code should be written, not the way code interfaces with security components. Exampl [...]

Published Papers
2005-01-04 Rocky Heckman (rocky he g-wizinnovations com) (1 replies)
Hello List, I published a couple papers that I hope you'll find interesting. This particular group will probably find the first one more interesting than the PDA one. I'd also welcome any constructive criticism (nicely worded :-) ) that you may have. There are two of them: Advances in Software B [...]

New article: "Secure programmer: Call Components Safely"
2004-12-27 David A. Wheeler (dwheeler ida org)
The latest article in my "Secure Programmer" series is now available! This series is a developerWorks series on how to develop secure programs for Linux/Unix. Article #7 is Secure programmer: Call Components Safely. The posted date is 16 December 2004, but it's only been available since around 23 [...]

MD5 for powerpc
2004-12-16 gurus tataelxsi co in
Hi, I'm using MD5 for SNMPv3 authentication. I'm using net-snmp agent. I am running the SNMP agent on a powerpc (motorola processor). When I send a request from an intel processor pc (linux) to this agent, EVP_md5() (called from HMAC()) hash function generates a wrong code. The only difference bein [...]

RE: Microsoft Writing Secure Code
2004-12-09 David LeBlanc (dleblanc exchange microsoft com)
Re-sending as plain text... I'll admit to spreading propaganda for the cause of getting developers to write secure code. I take extreme exception to any charge of the book's being an extension of our marketing department. They seized on it AFTER we wrote it <g>. No one except ourselves had any say [...]

RE: Microsoft Writing Secure Code
2004-12-09 Alan Krassowski (alan_krassowski yahoo com)
In the simpler dictionary definitions of propaganda, "information that is spread for the purpose of promoting some cause" or "material disseminated by the advocates or opponents of a doctrine or cause", of course this book fits (as do most). But, this is a semantically charged word with other conno [...]

RE: Microsoft Writing Secure Code
2004-12-09 Michael Howard (mikehow microsoft com)
There is certainly no "propaganda" in the book. David and I were given freedom to say what we wanted, and we did, there are lots of Microsoft vuln examples and internal Microsoft stories. [Writing Secure Code] http://www.microsoft.com/mspress/books/5957.asp [Protect Your PC] http://www.microsoft.c [...]

RE: Microsoft Writing Secure Code
2004-12-09 Keith Oxenrider (web10198 sol-biotech com)
I have read about the first third after finding it in a used book store (I am a CISSP with a focus on secure programming and always look for books like this). I was very happy with the writing and the code examples. My interest is in platform independent programming which is why I left off at that [...]

Microsoft Writing Secure Code
2004-12-09 Rui Covelo (rui covelo gmail com) (5 replies)
Hi! I was looking for some opinions about the book "Writing Secure Code" from Microsoft press. The book is already "old" but I only got to read it now... well.... some of it. I searched the mailing list archive for "microsoft writing secure code" but didn't find anything related so I guess it hasn' [...]

Re: [OBORONA-SPAM] Microsoft Writing Secure Code
2004-12-09 Konstantin V. Sakhin (kotc-subscriber yandex ru)

RE: Account Lockouts
2004-12-07 Cunningham, Andy (acunningham rsasecurity com)
For resetting passwords, one technique is to leave the password information on that user's voicemail. Ok, there's the chance that their voicemail could be compromised too, but it does add a level of difficulty for the attacker. Andy -----Original Message----- From: Skander Ben Mansour [mailto:se [...]

RE: Account Lockouts
2004-12-07 Jefferies, Darren (Darren Jefferies health wa gov au)
Hi All, I think the idea of using SIRDS to visually 'encode' the numerals is really good. I had considered writing software to do exactly this several years ago. Sort of like a pseudo-holographic signature. The problem with this method though is that most people can't see sirds. I wrote a SIRDS g [...]

RE: Account Lockouts
2004-12-07 Michael Wojcik (Michael Wojcik microfocus com)
> From: The Amazing Dragon [mailto:ehem (at) cs.pdx (dot) edu [email concealed]]
> Sent: Monday, 06 December, 2004 01:22
> Using SIRDS as a transformation might be pretty effective against current
> recognizers.
I've never had any luck at seeing SIRDS pseudo-images, and I know other people who've had similar difficulty. I s [...]

RE: Account Lockouts
2004-12-06 David LeBlanc (dleblanc exchange microsoft com)
David A. Wheeler [mailto:dwheeler (at) ida (dot) org [email concealed]] said: > Watch out for parallel logins, though. This can still mean that an attacker can always lock out everyone, but only during the duration of an attack; halt the attack & the lockouts cease quickly. That's something that goes back to my [...]

Web Application Security Consortium 'Guest Articles' Call for Papers
2004-12-06 robert webappsec org
Web Application Security Consortium Guest Articles Call for Papers The Web Application Security Consortium (WASC) is seeking contributed 'Guest Articles' by industry professionals on the latest in trends, techniques, defenses, best practices and lessons learned relevant to the field of web appli [...]

Re: Account Lockouts
2004-12-04 Michael Silk (michaelsilk gmail com)
Mark, Re: "Long term strategy". Sure, maybe they aren't a long term strategy, but of course any security measures you implement should be reviewed at appropriate intervals to see if it is still adequate. If this was in place there would be no problem. Anyway, there are other things that aren't [...]
-----Original Message-----
From: Damhuis Anton [mailto:DamhuisA (at) aforbes.co (dot) za [email concealed]]
Sent: dinsdag 4 januari 2005 10:53
To: secprog (at) securityfocus (dot) com [email concealed]
Cc: Michael Howard
Subject: RE: Microsoft Writing Secure Code
I have read the book "Designing Secure Web-based Applications", found it
quite informativ
[...]