Wednesday, October 8, 2008

Spammer campaign exploits email read receipts

In the past month we have seen a new wave of malicious spam which relies on requests for delivery confirmations of unsolicited emails (see http://www.scmagazineus.com/Spammer-campaign-exploits-email-read-receipts/article/119130/). This spam has three traps in it.

First, if you read the message and allow images to be displayed, the retrieval of the image will cause your email address to be placed in the spammer's list of valid addresses.

Second, if you delete the email message and do not have "ask me before sending a response" or "never send a response" turned on in your email application's tracking options (under the Tools menu), a return receipt confirmation will be sent to the spammer automatically when you delete the message, verifying that your email address is valid.

Third, if you choose the unsubscribe or opt-out option contained within the email message, you will again cause your email address to be placed in the spammer's list of valid addresses.

This highlights how important it is to disable the email preview option of your email application, especially if you don't block images from being loaded. Additionally, check how your email application handles read receipts and confirmations: you may be telling spammers that they have a valid email address simply by deleting the message, which will invite even more spam.
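As an added example (not code from the original post), the script below checks a raw email for the three address-confirmation traps described above: a read-receipt request header, remote images that act as beacons, and unsubscribe links. The header names, the regular expressions and the two sample messages are assumptions constructed for illustration; a real mail gateway or client rule would use the same checks on live messages.

```python
"""Flag address-confirmation traps in a raw RFC 822 message (added example)."""
import re
from email import message_from_string
from email.message import Message

# Headers that ask the receiving client to send a read/delivery confirmation.
# Disposition-Notification-To is the RFC 3798 MDN request header; the other
# two are older non-standard variants. Assumption: illustrative, not exhaustive.
RECEIPT_HEADERS = (
    "Disposition-Notification-To",
    "Return-Receipt-To",
    "Read-Receipt-To",
)

# Remote image sources in HTML bodies (fetching one confirms the address).
REMOTE_IMG_RE = re.compile(
    r'<img[^>]+src\s*=\s*["\']?(https?://[^"\'\s>]+)', re.IGNORECASE
)
# Links whose URL advertises unsubscribe/opt-out behaviour.
UNSUB_LINK_RE = re.compile(
    r'href\s*=\s*["\']?(https?://[^"\'\s>]*(?:unsubscribe|opt[-_]?out)[^"\'\s>]*)',
    re.IGNORECASE,
)


def _html_parts(msg: Message):
    """Yield every text/html part of the message as a decoded string."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            if payload:
                charset = part.get_content_charset() or "utf-8"
                yield payload.decode(charset, errors="replace")


def analyse(raw: str) -> dict:
    """Return which of the three traps a raw message contains."""
    msg = message_from_string(raw)
    receipt_headers = [h for h in RECEIPT_HEADERS if msg.get(h)]
    remote_images, unsubscribe_links = [], []
    for html in _html_parts(msg):
        remote_images.extend(REMOTE_IMG_RE.findall(html))
        unsubscribe_links.extend(UNSUB_LINK_RE.findall(html))
    # The List-Unsubscribe header is the header-level form of the same trap.
    if msg.get("List-Unsubscribe"):
        unsubscribe_links.append(msg["List-Unsubscribe"])

    traps = []  # reported in the order the post describes them
    if remote_images:
        traps.append("remote_image")
    if receipt_headers:
        traps.append("read_receipt")
    if unsubscribe_links:
        traps.append("unsubscribe_link")
    return {
        "receipt_headers": receipt_headers,
        "remote_images": remote_images,
        "unsubscribe_links": unsubscribe_links,
        "traps": traps,
    }


# Constructed sample messages (not real spam); .invalid is a reserved TLD.
SAMPLE_SPAM = """\
From: deals@example.invalid
To: victim@example.invalid
Subject: Your confirmation is required
Disposition-Notification-To: deals@example.invalid
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Great offers inside!</p>
<img src="http://tracker.example.invalid/open.gif?id=abc123" width="1" height="1">
<a href="http://tracker.example.invalid/unsubscribe?id=abc123">Unsubscribe</a>
</body></html>
"""

SAMPLE_CLEAN = """\
From: colleague@example.invalid
To: victim@example.invalid
Subject: Meeting notes
Content-Type: text/plain; charset="utf-8"

Notes from today's meeting are attached to the wiki page.
"""

if __name__ == "__main__":
    for name, raw in (("spam", SAMPLE_SPAM), ("clean", SAMPLE_CLEAN)):
        print(name, analyse(raw)["traps"])
```

A client that blocks remote images and never auto-sends disposition notifications defeats the first two traps regardless of what the script reports; the script is useful as a gateway-side tag so that such messages can be quarantined or annotated before a user sees the unsubscribe link.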

Certified Secure Software Lifecycle Professional

(ISC)² has launched a brand new certification program, the Certified Secure Software Lifecycle Professional (CSSLP), www.isc2.org/csslp. The CSSLP is designed to validate secure software development practices and expertise and to address the increasing number of application vulnerabilities.

Programming-language neutral, it will be applicable to anyone involved in the Systems Development Life Cycle (SDLC), including analysts, developers, software engineers, software architects, project managers, software quality assurance testers and programmers.

The following domains make up the CSSLP Common Body of Knowledge:

Secure Software Concepts - security implications in software development

Secure Software Requirements - capturing security requirements in the requirements gathering phase

Secure Software Design - translating security requirements into application design elements

Secure Software Implementation / Coding - testing for security functionality and resiliency to attack, and developing secure code and exploit mitigation

Secure Software Testing - testing for security functionality and resiliency to attack

Software Acceptance - security implications in the software acceptance phase

Software Deployment, Operations, Maintenance and Disposal - security issues around steady state operations and management of software

The CSSLP certification program joins a number of other existing certification programs:

IEEE:

Certified Software Development Associate (CSDA) and Certified Software Development Professional (CSDP) http://www.computer.org/certification

SANS:

GIAC Secure Software Programmer (GSSP) Certification (Language specific/secure coding, presently Java and C) http://www.sans.org/gssp/

ISSECO:

International Secure Software Engineering Council (ISSECO) Certified Professional for Secure Software Engineering (CSSE) http://www.isseco.org/

When certified professionals are part of an SDLC program that incorporates secure processes and policies, significant progress is made in achieving software assurance.