Software Integrity Blog

Archive for 2014

Fixing cross-site scripting: A developer’s guide (Java edition)

Cross-site scripting (XSS) is a complex problem with many moving parts, so this guide highlights the three gotchas that matter most for Java developers.

Posted in Security Standards and Compliance, Software Architecture and Design

Understanding Python pickling and how to use it securely

In Python, the pickle module serializes an object graph to a byte stream and deserializes it back again; because unpickling resolves and calls arbitrary callables named in the stream, loading untrusted data can execute attacker-chosen code. Here are best practices for using pickle securely.
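
One way to put those practices into code, as an added example that is not part of the original post: an unpickler that only resolves an allow-list of globals, plus an HMAC tag so that only streams produced by a key holder are loaded at all. The `SAFE_GLOBALS` set, the key value and the `Exploit` payload are all constructed for this illustration.

```python
import hashlib
import hmac
import io
import os
import pickle

# Allow-list of (module, name) pairs the unpickler may resolve. Anything else,
# including os.system or subprocess.Popen, is refused before it can be called.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals present on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Load a pickle while refusing any global not on SAFE_GLOBALS."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data: bytes) -> bool:
    """True if the restricted loader refuses the payload."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


# Authenticate pickles with an HMAC so only bytes produced by a key holder
# are ever handed to the unpickler.
def signed_dumps(obj, key: bytes) -> bytes:
    body = pickle.dumps(obj)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def signed_loads(blob: bytes, key: bytes):
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("pickle MAC mismatch: refusing to unpickle")
    return restricted_loads(body)  # defence in depth: still restrict globals


def tampered_is_rejected(blob: bytes, key: bytes) -> bool:
    """Flip one byte of the body and confirm the MAC check refuses it."""
    flipped = blob[:-1] + bytes([blob[-1] ^ 0x01])
    try:
        signed_loads(flipped, key)
    except ValueError:
        return True
    return False


class Exploit:
    """Constructed payload: its pickled form calls os.system when loaded."""

    def __reduce__(self):
        return (os.system, ("echo pwned",))


# Constructed sample inputs. MALICIOUS is never passed to pickle.loads here;
# doing so would run the shell command above.
MALICIOUS = pickle.dumps(Exploit())
BENIGN_OBJ = {"user": "alice", "roles": {"admin", "dev"}, "ids": [1, 2, 3]}
BENIGN = pickle.dumps(BENIGN_OBJ)
# Assumption: a real deployment loads this key from a secret store, not source.
KEY = b"example-key-stored-server-side"

if __name__ == "__main__":
    print("benign:", restricted_loads(BENIGN))
    print("malicious rejected:", is_rejected(MALICIOUS))
    print("tamper rejected:", tampered_is_rejected(signed_dumps(BENIGN_OBJ, KEY), KEY))
```

The allow-list is deliberately tiny; widen it only with types whose constructors cannot run attacker-controlled code, and keep the MAC check in front of the unpickler so that a stream from an unauthenticated source is never parsed at all.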

Posted in Developer Enablement

Are you red team secure?

Red teaming offers a new way to think about risk: discovering it, then identifying and allocating the defenses that address it. Are you red team secure?

Posted in Software Architecture and Design

Browser implementations of content security policy introduce security problems

We review how attackers can abuse a browser's Content Security Policy implementation to trick users and potentially gather personal information, illustrated with a Facebook example.

Posted in Web Application Security

Understanding Python bytecode

I’ve been working with Python bytecode recently, and wanted to share some of my experience working with it. To be more precise, I’ve been working exclusively on the bytecode for the CPython interpreter, and limited to versions 2.6 and 2.7.

Posted in Web Application Security

Poodle: Yet another attack on SSLv3 (SSL 3.0)

Chandu Ketkar reviews the Poodle attack on SSLv3: the anatomy of the attack, its impact, and how to mitigate it.

Posted in Open Source Security, Web Application Security

Red teaming for a holistic view of security

Red teaming is when an independent group tests your system in the same way an attacker would to identify weaknesses that could compromise sensitive data.

Posted in Mobile Application Security

A guide to Gary McGraw’s AppSec USA keynote

Gary McGraw delivered the Friday morning keynote at AppSec USA 2014. Watch “BSIMM: A Decade of Software Security” and read along with his guide.

Posted in Maturity Model (BSIMM)

Minimizing exposure from iCloud and other cloud storage

Even though the 2014 iCloud photo leak can be traced back to personal devices, businesses that keep data in cloud storage should take note of a few lessons.

Posted in Cloud Security

The IEEE Computer Society Center for Secure Design

The IEEE Computer Society Center for Secure Design (CSD) has launched and released its first title: Avoiding the Top 10 Software Security Design Flaws.

Posted in Software Architecture and Design