Software Integrity

Archive for 2013


Remote code execution in Apache Roller via OGNL injection

Advisory. From the Roller website: Apache Roller is a full-featured, multi-user and group-blog server suitable for blog sites large and small. It runs as a Java web application that should be able to run on most any Java EE server and relational database. Roller, starting with version 4, uses Struts2 as its web MVC. Struts2 itself utilizes OGNL as a templating […]

Posted in Application Security, Security Risk Assessment, Vulnerability Assessment

2 path traversal defects in Oracle’s JSF2 implementation

Advisory. From Oracle’s site: Developed through the Java Community Process under JSR-314, JavaServer Faces technology establishes the standard for building server-side user interfaces. With the contributions of the expert group, the JavaServer Faces APIs are being designed so that they can be leveraged by tools that will make web application development even easier. Oracle has […]

Posted in Application Security, Security Risk Assessment, Vulnerability Assessment

Touch ID: Yea or nay?

Unsurprisingly, German hackers were able to produce a fingerprint prosthetic allowing an attacker to defeat Apple’s TouchID within days of the iPhone 5S release. Media coverage abounds, as has reaction to the attack and discussion about biometrics, multi-factor authentication and, of course, the death of the PIN/password. Unfortunately, the password’s death has been reported early. None of us […]

Posted in Mobile Application Security, Threat Modeling

Gimme a break

Recently, Linux kernel developers have picked up their use of Coverity Scan, addressing new defects found in recently submitted patches. One developer, Dave Jones, noticed a change that removed a fall-through comment on a switch case: > case MPOL_BIND: > – /* Fall through */ > case MPOL_INTERLEAVE: > nodes = pol->v.nodes; > break; […]
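Review bot: Dropping the `/* Fall through */` comment between `case MPOL_BIND:` and `case MPOL_INTERLEAVE:` leaves behaviour unchanged, because no statement sits between the two labels for a missing `break` to matter, but it also removes the only marker that the two labels sharing `nodes = pol->v.nodes;` is intentional, which is exactly what a maintainer or a static-analysis fall-through check relies on. If the comment is being treated as redundant for an empty case label, that rationale belongs in the change description so the removal is not mistaken for a fix of an actual missing `break`.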

Posted in Application Security, Static Analysis (SAST)

Making the Struts2 app more secure: Don’t include Config Browser

Struts2 allows a developer to include other Struts2 applications via the Plugin architecture. From the site: Struts2 plugins contain classes and configuration that extend, replace, or add to existing Struts framework functionality. A plugin can be installed by adding its JAR file to the application’s class path, in addition to the JAR files to fulfill whatever dependencies […]

Posted in Application Security, Vulnerability Assessment

Mobile: Different or same sh*t different day?

Is mobile security the ‘same problem’ as web application security? Is it just a ‘different day’? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course: both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s […]

Posted in Mobile Application Security, Threat Modeling

Business logic: High frequency trading’s security lessons

The Associated Press’s Twitter feed was hacked, and a posted tweet indicated that the president was injured in an explosion. The market momentarily lost $136 billion (*). This event is instructive to security folk. Building security in requires understanding it as an emergent property (let’s avoid the often-misused term “business logic flaw”). I spent significant time […]

Posted in Software Security Testing

Threats threatening with threats

By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refers to ‘threat’ so frequently that it’s worth discussing how its use of the word differs from what you commonly see here. The buzz around hundreds of individuals poking […]

Posted in Threat Modeling

‘Active defense’ is irresponsible

NPR did a story about the idea of “Active Defense”, which basically boils down to attacking the people who (may have) attacked you. (Key question: who REALLY attacked you, and how do you know that?) At Synopsys, we believe this is a recipe for disaster. The last thing we need in computer […]

Posted in Software Security Testing

President Obama acknowledges cyber threat and signs executive order for improving critical infrastructure cybersecurity

President Obama explicitly mentioned cyber security. He said: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air […]

Posted in Software Security Testing