-
I think they forgot to open up the blog post with “Cross-site scripting, I’ma let you finish, but …” Seriously, the Veracode State of Software Security report found that XSS was more prevalent in web applications by a wide margin, both in terms of raw flaw count and applications affected by one or more instances of the flaw.
-
Programming an Apple //e through the audio interface by playing the original cassette tape back through the iPad audio interface. Wow.
-
Open source tool to audit compiled software. Rather than doing full on data and control flow modeling, it looks to see if object code resulted from the compilation of specified source code. Could be a good competitor for BlackDuck.
Super powered breadcrumbs
-
Nice approach to combining navigation and “where am I” in UI design.
Grab bag: some history and geography of appsec
-
Interesting article about the evolution of the buffer overflow market. The Wintel platform’s (x86 + Windows) attractiveness to developers appears to have not done it any favors when it came to the evolution of buffer overflow exploits.
-
Interesting findings about relative platform security. This sort of report is always subject to sampling biases but some of the findings (the relative insecurity of Perl, ColdFusion, plain-vanilla JSP, and PHP websites) ring true.
Grab bag: conjoint, convicted coder
-
Nice introduction to one of the more conceptually rigorous concepts in product design.
-
The long, strange journey of Stephen Watt.
Information asymmetry
-
Pandora’s briefcase, or an extended argument on the perils of information asymmetry. Good WWII spycraft read from Gladwell.
Ransom note exploits
-
Even in OSes with fully randomized address spaces and data execution protection, you can use return oriented programming to patch together malicious code from sequences of instructions that are in memory from common executables (“ransom note exploits”). The lesson: shift the game from focusing on injection vulnerabilities to minimizing the damage an attacker can cause. One of the best papers from SOURCE: Boston in 2010.
At the Salt Lick, Driftwood, TX
At the urging of about six Facebook friends, I make the pilgrimage from downtown Austin, where I am on travel for a few days, to Driftwood, Texas, tonight to visit the Salt Lick. It’s a barbecue joint that’s been around for about 43 years. As these things go, it’s commercialized and simple at the same time. Commercialized: mail order menus sit on the table; jars of the sauce line the entrance; there’s a separate function building. Simple: Four meats (brisket, sausage, pork ribs, turkey), three sides (potato salad, cole slaw, baked beans) that all come at once, free “condiments” (pickles, raw onion, white bread), pie, and soft drinks. (Driftwood is in a dry county, but they allow BYOB; I decide not to B my own B, since I have a 25 mile drive each way.)
I order a plate of brisket and sausage and an iced tea, and wait at an otherwise empty table.
The table in front of me is discussing old Texas home construction. “There would be a place in the parlor where you would have the viewings. With a stained glass window. Now it’s just a window seat, but then they assumed you would be hosting a wake. I remember two occasions where they had to open up the windows to get the casket out.” Behind me, a different technology: “So I had to convince them to take our quarter micron process and adapt it to the 3.3v work.”
Of course, Texas is, in terms of high tech, a hardware state. (What else?)
I sit thinking about old technology: cooking meat in smoke.
The food: Brisket is absolutely lean and supple. The sausage is saucy: well spiced, juicy, flavorful. The pecan pie is an inch of custard with a single layer of pecans on top–not at all my grandmother’s recipe–but the pecans are completely evocative of autumn nights with a nutcracker at the dining room table over a layer of newspaper.
As I stand to leave, I get the salty tangy burning in the eyes of the woodsmoke. It conjures other fires, and other cuts of meat with perfect pink rings from the smoke: 12 Bones in Asheville, Big Jim’s in Charlottesville, Dixie’s in Bellevue, WA, Three Pigs in McLean, and of course Pierce’s Pitt Bar-B-Q south of Williamsburg.
And even though I am full to bursting, it all makes me homesick for Carolina pulled pork in a bun.
DRM free video downloads
-
Hmm. Might be worth checking out just on the basis of the titles that are there (“M”, “The 39 Steps”…)
Next week: Austin, TX
You’ll be able to catch me in my professional capability twice next week. I’ll be giving a talk on Tuesday in Austin, TX to the Austin chapter of ISACA (the Information Systems Audit and Control Association) on “Best Practices for Application Risk Management.” The argument: the current frontier in securing sensitive data and systems isn’t the network, it’s the applications securing the data. But just as it’s hard to write secure code, even with conventional testing tools, it’s even harder to get a handle on the risk in code you didn’t write. And, of course, it’s the rare application these days that is 100% code that you wrote. I’ll talk about ways that large and small enterprises can get their arms around the application security challenge.
I’ll also be joining one of our customers to talk in more depth about a key part of Veracode’s application risk management capability, our developer elearning program and platform, in a webinar. If you are interested in learning how to improve application security before the application even gets written, this is a good one to check out.
Grab bag: SharePoint zero day
-
SharePoint Server 2007 has a cross site scripting vulnerability in the Help subsystem which is exploitable on any SharePoint 2007 site.
-
Awesome project: an online archive of the evolution of typography, starting with the incunabula.
Grab bag: Secrets and security
-
Putting the “crypt” in “crypto-Catholic.”
-
A collaborative and informal way to develop “misuse cases” and perform threat modeling.
-
How to think like a hacker–including leveraging social networking to get into your target.
Neverending loop
-
Interesting argument from Dave–big tech companies fail because they try to do all their innovation internally, and eventually they run out of brilliant folks to hire and end up with the “general talent pool.”
Google’s password system was targeted
-
Yet more evidence that perimeter defense systems are flawed. If you can’t secure applications at all layers of the stack, including the end user, you can’t secure your organization.
On the record
The BSO announced two new albums this week. I’m looking forward to hearing the Carter, and am ordering multiple copies of TFC: Celebrating the 40th Anniversary of the Tanglewood Festival Chorus. Not because it’s my chorus (I’m not on the disc–these were small group recordings that went through the year I started with the chorus), but because the repertoire is astonishing. A pair of Bruckner motets, including the Christus factus est, the Lotti Crucifixus, the Frank Martin Mass, and of course Copland’s In the Beginning.
Of course there’s a small irony–the cover photo shows the group holding music! But it’s a great image of a large Prelude concert group in Seiji Ozawa Hall. One of these days I’d love to be in that setting; our Prelude performances have been done by small groups since I joined the chorus, so I’ve never performed in Ozawa.
Grab bag: Monkeybagels!
-
This isn’t a bad description of my job, and my teams’ jobs, on a release to release basis.
-
Makes me wonder what the Boston papers are doing with their comments sections, if Rosenberg’s suggestion is on. Is anyone watching the store?