Software Integrity

Archive for 2013

Touch ID: Yea or nay?

Unsurprisingly, German hackers were able to produce a fingerprint prosthetic allowing an attacker to defeat Apple’s TouchID within days of the iPhone 5S release. Media coverage has abounded, as has reaction to the attack and discussion about biometrics, multi-factor authentication, and, of course, the death of the PIN/password. Unfortunately, the password’s death has been reported early. None of us […]

Posted in Mobile Application Security, Threat Modeling

Mobile: Different or same sh*t different day?

Is mobile security the ‘same problem’ as web application security? Is it just ‘different day’? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course: both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s […]

Posted in Mobile Application Security, Threat Modeling

Business logic: High frequency trading’s security lessons

Associated Press’s Twitter feed was hacked, and a posted tweet indicated that the president was injured in an explosion. The market momentarily lost $136 billion (*). This event is instructive to security folk. Building security in requires understanding it as an emergent property (let’s avoid the often misused term “business logic flaw”). I spent significant time […]

Posted in Software Security Testing

Threats threatening with threats

By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refers to ‘threat’ so frequently that it’s worth discussing how its use of the word differs from what you commonly see here. The buzz around hundreds of individuals poking […]

Posted in Threat Modeling

‘Active defense’ is irresponsible

NPR did a story about the idea of “Active Defense,” which basically boils down to attacking the people who (may have) attacked you. (Key question: who is it that REALLY attacked you, and how do you know that?) At Synopsys, we believe this is a recipe for disaster. The last thing we need in computer […]

Posted in Software Security Testing

President Obama acknowledges cyber threat and signs executive order for improving critical infrastructure cybersecurity

President Obama explicitly mentioned cyber security. He said: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air […]

Posted in Software Security Testing

Does software security training make economic sense? Yes. It does.

When it comes to computer security, software security training can be a controversial subject. We’re not sure why. Maybe what we’re seeing is an artificial controversy trumped up by pundits?! You see, some pundits argue (lamely) that training is completely useless. We disagree. Let’s make this as clear as we can: we believe that software security […]

Posted in Security Training, Software Security Testing