Archive for April, 2004

The New Breed of Version Control Systems

Tuesday, April 6th, 2004

ONLamp.com has a short roundup of Open Source Version Control Systems. A useful starting point when deciding on a version control system to use.

Infocus: Host Integrity Monitoring: Best Practices for Deployment

Monday, April 5th, 2004

Infocus: Host Integrity Monitoring: Best Practices for Deployment The purpose of this article is to highlight the important steps and concepts involved in deploying a host integrity monitoring system. These applications can be very helpful with detecting unauthorized change, conducting damage assessment, and preventing future attacks.

[via SecurityFocus News]
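The core of any host integrity monitor is a baseline-and-compare loop: fingerprint every file, keep the baseline where the monitored host cannot rewrite it, then diff fresh snapshots against it. The following is an added example written for this page, not code from the Infocus article or from any monitoring product; the fake filesystem root, the file names, the simulated intrusion and the JSON baseline format are all constructed for the demonstration.

```python
"""Baseline-and-compare host integrity check (added illustration; the fake
root, file names and JSON baseline layout are constructed, not taken from
the Infocus article or from any real tool)."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def _fingerprint(path: Path) -> dict:
    """Record the attributes an intruder must preserve to stay hidden:
    ownership, permission bits, size and content hash. mtime is left out
    on purpose: touch(1) forges it and it changes for benign reasons."""
    st = path.lstat()
    entry = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
             "gid": st.st_gid, "size": st.st_size}
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    return entry


def build_baseline(root: Path) -> dict:
    """Fingerprint every file and symlink under root, keyed by relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_dir() and not p.is_symlink():
            continue
        baseline[p.relative_to(root).as_posix()] = _fingerprint(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    # In a real deployment the baseline lives off the monitored host or on
    # read-only media, and is signed: a baseline the intruder can rewrite
    # detects nothing.
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths, naming the attributes that changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for name in sorted(set(baseline) & set(current)):
        old, new = baseline[name], current[name]
        changed = [k for k in sorted(old.keys() | new.keys()) if old.get(k) != new.get(k)]
        if changed:
            modified[name] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small fake root, simulate the changes
    an intruder typically makes, and run the comparison."""
    root = Path(tempfile.mkdtemp())
    store = Path(tempfile.mkdtemp())  # stands in for off-host baseline storage
    try:
        (root / "bin").mkdir()
        (root / "etc" / "cron.d").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original")
        (root / "bin" / "su").write_bytes(b"setuid helper")
        (root / "etc" / "motd").write_bytes(b"welcome\n")
        save_baseline(build_baseline(root), store / "baseline.json")

        # Simulated intrusion: a trojaned binary of identical size (so size
        # alone would miss it), a new setuid bit, a persistence hook in
        # cron, and a deleted file.
        (root / "bin" / "ls").write_bytes(b"trojaned")
        (root / "bin" / "su").chmod(0o4755)
        (root / "etc" / "cron.d" / "backdoor").write_bytes(b"* * * * * root /tmp/.x\n")
        (root / "etc" / "motd").unlink()

        return compare(load_baseline(store / "baseline.json"), build_baseline(root))
    finally:
        shutil.rmtree(root)
        shutil.rmtree(store)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running `demo()` reports `etc/cron.d/backdoor` as added, `etc/motd` as removed, `bin/ls` as modified in `sha256` only (the replacement was padded to the same length) and `bin/su` as modified in `mode`. The two deployment points the article's title promises, and that this toy omits, are where the baseline is kept and who can run the compare: both have to be outside the reach of whoever compromises the host, or the monitor is just another file for the attacker to edit.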

Infocus: Dogs of War: Securing Microsoft Groupware Environments with Unix (Part 2)

Monday, April 5th, 2004

Infocus: Dogs of War: Securing Microsoft Groupware Environments with Unix (Part 2) This article discusses the implementation of layered mail security using Unix as an MTA in front of Microsoft groupware products. Part two describes the use of Qmail, Qmail-Scanner, Clam AntiVirus and SpamAssassin.

[via SecurityFocus News]

Processes to Produce Secure Software

Monday, April 5th, 2004

Gary fired off a message to SC-L pointing out that the National Cyber Security Partnership released a set of reports about the problems with software security today. Included was a report that he co-authored with Mike and a few others on the process of producing secure software.

The principal recommendations in this report are in three categories:

  1. Principal Short-term Recommendations

    • Adopt software development processes that can measurably reduce software specification, design, and implementation defects.

    • Producers should adopt practices for producing secure software.

    • Determine the effectiveness of available practices in measurably reducing software security vulnerabilities, and adopt the ones that work.

    • The Department of Homeland Security should support USCERT, IT-ISAC, or other entities to work with software producers to determine the effectiveness of practices that reduce software security vulnerabilities.

  2. Principal Mid-term Recommendations

    • Establish a security verification and validation program to evaluate candidate software processes and practices for effectiveness in producing secure software.

    • Industry and the DHS establish measurable annual security goals for the principal components of the US cyber infrastructure and track progress.

  3. Principal Long-Term Recommendations

    • Certify those processes demonstrated to be effective for producing secure software.

    • Broaden the research into and the teaching of secure software processes and practices.

I took a quick look at it just at the end of lunch, and it looks pretty good. I will take a more thorough read of it this afternoon after I finish up on some threat modeling I am currently doing.

Happy reading!

[via Dana Epp’s ramblings at the Sanctuary]