Software Integrity Blog

Archive for 2013

 

Remote code execution in Apache Roller via OGNL injection

Advisory. From the Roller website: Apache Roller is a full-featured, multi-user and group-blog server suitable for blog sites large and small. It runs as a Java web application that should be able to run on most any Java EE server and relational database. Roller, starting with version 4, uses Struts2 as its web MVC. Struts2 itself uses OGNL as a templating / expression language. The Coverity SRL team previously found a remote code execution issue in how Struts2 evaluated tainted data via its configuration files. Refer to that blog entry for background on Struts2 and OGNL.

Posted in Software Architecture and Design

 

2 path traversal defects in Oracle’s JSF2 implementation

Advisory. From Oracle’s site:

Posted in Software Architecture and Design

 

Touch ID: Yea or nay?

Is Touch ID all it’s cracked up to be? We explore the vulnerabilities of Touch ID, biometrics, and password security, including general considerations.

Posted in Mobile Application Security, Software Architecture and Design

 

Gimme a break

Recently, Linux kernel developers have picked up use of Coverity Scan by addressing new defects found in recently submitted patches. One developer, Dave Jones, noticed a change to remove a fall through comment on a switch case:

> case MPOL_BIND:
> – /* Fall through */
> case MPOL_INTERLEAVE:
> nodes = pol->v.nodes;
> break;
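Review bot: the removed line is the only thing marking that MPOL_BIND intentionally falls into MPOL_INTERLEAVE, and no break is added in its place, so the fall through still happens but is now undocumented. Either keep the /* Fall through */ comment or add a break after the MPOL_BIND case if the fall through was not intended; an unmarked fall through is exactly what static analysis and reviewers will flag as a possible missing break.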

Posted in Static Analysis (SAST)

 

Making the Struts2 app more secure: Don’t include Config Browser

Struts2 allows a developer to include other Struts2 applications via the Plugin architecture. From the site:

Posted in Software Architecture and Design

 

Mobile: Different or same sh*t different day?

Is mobile security the “same problem” as web application security? Is it just “different day”? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course, both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s different and why. I’ll break things down as usual: threats, attack surfaces, vectors, impacts, and then controls. Summarizing:

Posted in Mobile Application Security, Software Architecture and Design

 

Business logic: High frequency trading’s security lessons

The Associated Press’s Twitter feed was hacked, and a posted tweet indicated that the president was injured in an explosion. The market momentarily lost $136 billion (*).

Posted in Uncategorized

 

Threats threatening with threats

By now, everyone has heard of the Mandiant report. Many of you have taken the time to read it. This report and the discussion it generated refer to ‘threat’ so frequently that it’s worth discussing how their use of the word differs from what you commonly see here.

Posted in Software Architecture and Design

 

President Obama acknowledges cyber threat and signs executive order for improving critical infrastructure cybersecurity

The President’s Executive Order acknowledges the need to secure our critical infrastructure. But cyber security is more than “information sharing” and “frameworks.”

Posted in Maturity Model (BSIMM)

 

Who’s afraid of GPL3?

Adoption of the new GPL3 license was gradual, and many companies put the new license on their open source policy black lists. How scary is GPL v3?

Posted in Mergers & Acquisitions, Open Source Security