Software Integrity

Archive for 2014

Fixing cross-site scripting: A developer’s guide (Java edition)

Top 3 things to know about XSS mitigation

Cross-site scripting (XSS) is a complex problem with many moving parts, but we want to highlight the most important “gotchas.” These are the Top 3:

HTML escaping isn’t enough

It is important to understand that HTML escaping (using HTML entities) is not always the right solution to […]
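The “HTML escaping isn’t enough” point, as an added example that is not code from the post (the post is the Java edition; Python is used here so that all examples on this page share one language, and the principle is identical). A value that lands inside a JavaScript string in an onclick attribute, and a value that lands in an unquoted attribute, are both still exploitable after html.escape, because the browser HTML-decodes an attribute value before the JavaScript parser sees it, and because whitespace ends an unquoted attribute. The two payloads, the show()/onclick and title templates, and the two small browser models are constructed for this example.

```python
import html
import re

# Constructed attacker inputs, one per output context (not from the original post)
JS_PAYLOAD = "');alert(1);//"            # aimed at a JS string literal inside an onclick attribute
ATTR_PAYLOAD = "x onmouseover=alert(1)"  # aimed at an unquoted HTML attribute


def encode_html(value):
    """Plain HTML-entity escaping: right for text between tags, not for the contexts below."""
    return html.escape(value, quote=True)


def encode_js_string(value):
    """Escape every non-alphanumeric character as \\xHH or \\uHHHH so the value can never end a JS string."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            cp = ord(ch)
            out.append("\\x%02x" % cp if cp < 0x100 else "\\u%04x" % cp)
    return "".join(out)


def encode_html_attr(value):
    """Escape every non-alphanumeric character as &#xHH; so the value cannot leave an unquoted attribute."""
    return "".join(ch if ch.isascii() and ch.isalnum() else "&#x%x;" % ord(ch) for ch in value)


def encode_for_js_in_attr(value):
    """Correct layering for onclick="f('...')": inner context (JS string) first, outer context (attribute) second."""
    return encode_html(encode_js_string(value))


def render_onclick(value, encoder):
    """Hypothetical template: the value lands inside a JS string inside an attribute."""
    return '<button onclick="show(\'%s\')">Show</button>' % encoder(value)


def render_title(value, encoder):
    """Hypothetical template: the value lands in an unquoted attribute."""
    return "<div title=%s>Item</div>" % encoder(value)


def js_after_first_literal(js):
    """What follows the first single-quoted literal, as a JS parser would see it."""
    i = js.index("'") + 1
    while i < len(js):
        if js[i] == "\\":
            i += 2            # escaped character, cannot close the literal
        elif js[i] == "'":
            return js[i + 1:]
        else:
            i += 1
    raise ValueError("unterminated string literal")


def js_after_handler_literal(markup):
    """Browser model: read the attribute value, HTML-decode it (entities are decoded here), then JS-parse it."""
    attr = re.search(r'onclick="([^"]*)"', markup).group(1)
    return js_after_first_literal(html.unescape(attr))


def attribute_count(markup):
    """Browser model for an unquoted attribute: whitespace ends the value and starts a new attribute."""
    inside = markup[len("<div "):markup.index(">")]
    return len(inside.split())


if __name__ == "__main__":
    for name, enc in (("html.escape only", encode_html), ("js-string then attribute", encode_for_js_in_attr)):
        print(name, "-> code after the literal:", js_after_handler_literal(render_onclick(JS_PAYLOAD, enc)))
    for name, enc in (("html.escape only", encode_html), ("attribute encoder", encode_html_attr)):
        print(name, "-> attributes on the tag:", attribute_count(render_title(ATTR_PAYLOAD, enc)))
```

With html.escape alone, the onclick case leaves `);alert(1);//')` executing after the string literal and the title case gives the tag a second, attacker-supplied attribute; encoding for the innermost context first (JS string, then HTML attribute) or using an attribute encoder that leaves no whitespace closes both. In Java the same layering is `Encode.forHtmlAttribute(Encode.forJavaScript(value))` with the OWASP Java Encoder.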

Posted in Application Security, Secure Coding Guidelines, Vulnerability Assessment

McGraw asks who’s in charge of medical device security

In his latest SearchSecurity article, Gary McGraw discusses risks in medical devices that go deeper than patient data: patient safety risk and, in the worst case, death, which can result from the corruption of devices used to keep patients alive. All of these risks around medical devices are caused by the simple fact that […]

Posted in Financial Services Security, Healthcare Security, Mobile Application Security, Network Security, Software Security Testing

Understanding Python pickling and how to use it securely

Post written by Ashutosh Agrawal, Senior Consultant, and Arvind Balaji, Associate Consultant.

Pickle in Python is primarily used for serializing and de-serializing a Python object structure. In other words, it is the process of converting a Python object into a byte stream in order to store it in a file or database, maintain program state across sessions, or […]
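As an added example (not code from the post or its authors), the mechanism that makes an untrusted pickle dangerous, followed by the two defences a practitioner would actually deploy. A pickle stream is not data but a small program for the unpickler: any object whose `__reduce__` names a callable gets that callable invoked on load. Here `os.path.join` stands in for `os.system` so the demonstration is harmless; the sample state, the allow-list and the signing key are constructed for the example.

```python
import datetime
import hashlib
import hmac
import io
import os.path
import pickle

# Constructed example state and signing key (not from the post)
SAMPLE_STATE = {"user": "alice", "roles": frozenset({"admin"}), "since": datetime.datetime(2014, 10, 15)}
KEY = b"constructed-signing-key"


class Innocent:
    """Looks like a data holder, but __reduce__ tells the unpickler to call a callable of our choosing."""

    def __reduce__(self):
        # os.path.join stands in for os.system: the point is that loading the pickle makes the call
        return (os.path.join, ("owned", "by", "pickle"))


def malicious_payload():
    return pickle.dumps(Innocent())


def sample_blob():
    return pickle.dumps(SAMPLE_STATE)


def run_unrestricted(data):
    """What pickle.loads does: resolves and calls whatever global the stream names."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Defence 1: allow-list the globals a stream may reference; anything else is refused before it runs."""
    ALLOWED = {("builtins", "frozenset"), ("builtins", "set"), ("datetime", "datetime")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("forbidden global %s.%s" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def sign(data, key):
    """Defence 2: HMAC the bytes at rest so a tampered or foreign pickle is rejected before unpickling."""
    return hmac.new(key, data, hashlib.sha256).digest() + data


def verify_and_load(blob, key):
    tag, data = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, data, hashlib.sha256).digest()):
        raise ValueError("bad signature")
    return restricted_loads(data)   # both defences: a valid signer still cannot smuggle in a global


def load_result(blob, key):
    """Outcome as a tuple, for callers that log rather than raise."""
    try:
        return ("ok", verify_and_load(blob, key))
    except (ValueError, pickle.UnpicklingError) as exc:
        return ("refused", str(exc))


if __name__ == "__main__":
    print("pickle.loads ran the callable:", run_unrestricted(malicious_payload()))
    print("signed good state:", load_result(sign(sample_blob(), KEY), KEY))
    print("signed but malicious:", load_result(sign(malicious_payload(), KEY), KEY))
    print("unsigned good state:", load_result(sample_blob(), KEY))
```

The signature answers “did this come from us, unmodified?” and the restricted unpickler answers “even so, may it reference this global?”; each catches a case the other does not (a leaked key, or a legitimate producer that is itself compromised), which is why both are applied. For data that only needs dicts, lists and strings, JSON removes the problem entirely.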

Posted in Software Security Testing

Are you red team secure?

Data breaches can result in severe damage to an organization’s brand, financial standing, or customer trust. Many of these, including recent breaches in the news, are not the result of a single, easy-to-find weakness that just happened to be overlooked, or of the common “low-hanging fruit” that automated scanners adequately detect […]

Posted in Penetration Testing, Red Teaming, Threat Modeling

Alphabet soup: SAST, DAST, IAST, and RASP explained

Turns out that the most important part of a software security initiative is FIXing the bugs that you FIND, no matter how you find them. So just what do all of the alphabet soup tools do? How do they help you fix what you find? And how do they scale? FWIW, tools of all […]

Posted in Application Security, Cloud Security, Dynamic Analysis (DAST), Static Analysis (SAST)

Browser implementations of content security policy introduce security problems

In an article from August 2014, Pascal Landau describes how to deanonymize Facebook users by brute-forcing Content Security Policy (CSP). The idea is that an attacker tricks a user who is currently logged into Facebook into visiting the attacker’s page. The attacker’s page has an iframe pointing to https://facebook.com/me, with the CSP policy listing […]
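An added simulation of the leak (not code from the post or from Landau’s article). It models the mechanism as commonly described for this technique, which is an assumption here: `frame-src` source expressions carry a path, the browser re-checks the policy against the URL a frame redirects to, and a violation is reported to `report-uri`. Because `/me` redirects to the victim’s own profile URL, the attacker loads one iframe per guessed username under a policy that whitelists only `/me` and that guess; the guess that produces no violation report is the victim. The site model (`REDIRECTS`), the logged-in user and the candidate list are constructed. The second mode implements the rule later written into CSP Level 2, where the path component of a source expression is ignored once a redirect has occurred, which closes the channel.

```python
from urllib.parse import urlsplit

# Constructed model (not from the post or Landau's article): /me redirects to the logged-in user's profile
LOGGED_IN_USER = "alice.example"
REDIRECTS = {"https://facebook.com/me": "https://facebook.com/" + LOGGED_IN_USER}
CANDIDATES = ["bob", "carol", "alice.example", "dave"]   # the attacker's guess list


def origin(url):
    u = urlsplit(url)
    return "%s://%s" % (u.scheme, u.netloc)


def source_matches(source, url, ignore_path=False):
    """CSP source-expression matching: same scheme and host; a path must match exactly, or as a prefix if it ends in '/'."""
    s, u = urlsplit(source), urlsplit(url)
    if (s.scheme, s.netloc) != (u.scheme, u.netloc):
        return False
    if ignore_path or s.path in ("", "/"):
        return True
    if s.path.endswith("/"):
        return u.path.startswith(s.path)
    return u.path == s.path


def load_frame(url, frame_src, path_after_redirect):
    """Browser model: enforce frame-src on the request and again on its redirect target.
    Returns the violation report (what report-uri would receive) or None if the frame loaded."""
    if not any(source_matches(s, url) for s in frame_src):
        return {"blocked-uri": origin(url)}
    final = REDIRECTS.get(url)
    if final is None:
        return None
    # path_after_redirect=True : 2014 behaviour, paths still compared after a redirect (the leak)
    # path_after_redirect=False: CSP Level 2 behaviour, only scheme/host/port compared after a redirect
    if not any(source_matches(s, final, ignore_path=not path_after_redirect) for s in frame_src):
        return {"blocked-uri": origin(final)}   # cross-origin reports carry only the origin, not the path
    return None


def candidates_without_violation(candidates, path_after_redirect):
    """Attacker page: one policy per guess; a guess that yields no report is the victim's profile."""
    survivors = []
    for guess in candidates:
        policy = ["https://facebook.com/me", "https://facebook.com/" + guess]
        if load_frame("https://facebook.com/me", policy, path_after_redirect) is None:
            survivors.append(guess)
    return survivors


if __name__ == "__main__":
    print("path matched after redirect:", candidates_without_violation(CANDIDATES, True))
    print("path ignored after redirect:", candidates_without_violation(CANDIDATES, False))
```

The report never needs to contain the redirect target: the presence or absence of a report per policy is the one bit the attacker needs, and a guess list of a few thousand names costs one iframe each. With the CSP Level 2 rule every guess loads without a report, so the attacker learns nothing.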

Posted in Web Application Security

Understanding Python bytecode

I’ve been working with Python bytecode recently, and wanted to share some of my experience working with it. To be more precise, I’ve been working exclusively on the bytecode for the CPython interpreter, and limited to versions 2.6 and 2.7. Python is a dynamic language, and running it from the command line essentially triggers the […]
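An added example, not code from the post: one thing a security reviewer does with bytecode is inventory what a module would touch without ever executing it. The block compiles a constructed source string to a code object, walks the nested code objects in `co_consts`, uses `dis` to list every name the bytecode loads, and shows that `marshal` (the body of a .pyc file) preserves the code. It uses Python 3’s `dis.get_instructions` (3.4+); the post itself covers CPython 2.6/2.7, where opcode names differ but the code-object layout and the approach carry over. `SAMPLE_SOURCE` and `SUSPICIOUS` are constructed for the example.

```python
import dis
import marshal
import types

# Names whose presence in compiled code deserves a second look (constructed list for the example)
SUSPICIOUS = {"eval", "exec", "compile", "system", "popen", "__import__"}

# Constructed sample module; it is only compiled, never executed
SAMPLE_SOURCE = '''
import os

def handler(cmd):
    return os.system(cmd)

def tidy(text):
    return text.strip()

result = eval(input())
'''


def walk_code(code):
    """Yield a code object and every code object nested in its constants (functions, lambdas, comprehensions)."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def loaded_names(code):
    """Every global, name or attribute the bytecode loads, read from the instructions rather than by running them."""
    names = set()
    for co in walk_code(code):
        for ins in dis.get_instructions(co):
            if ins.opname.startswith(("LOAD_GLOBAL", "LOAD_NAME", "LOAD_ATTR", "LOAD_METHOD")) and isinstance(ins.argval, str):
                names.add(ins.argval)
    return names


def suspicious_names(source):
    """Compile the source and report which suspicious names its bytecode references, sorted."""
    code = compile(source, "<constructed>", "exec")
    return sorted(loaded_names(code) & SUSPICIOUS)


def marshal_roundtrip_ok(source):
    """A .pyc is a small header plus marshal.dumps(code); the code body survives the round trip unchanged."""
    code = compile(source, "<constructed>", "exec")
    restored = marshal.loads(marshal.dumps(code))
    return restored.co_code == code.co_code and \
        [c.co_name for c in walk_code(restored)] == [c.co_name for c in walk_code(code)]


if __name__ == "__main__":
    print("suspicious names:", suspicious_names(SAMPLE_SOURCE))
    print("marshal round trip intact:", marshal_roundtrip_ok(SAMPLE_SOURCE))
    dis.dis(compile(SAMPLE_SOURCE, "<constructed>", "exec"))
```

The name list is deliberately coarse (it does not know whether `system` is `os.system` or a harmless attribute), which is the right trade-off for triage: it is fast, needs no execution, and points a reviewer at the functions worth reading in the disassembly that `dis.dis` prints.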

Posted in Application Security, Web Application Security

POODLE: Yet another attack on SSLv3 (SSL 3.0)

POODLE Introduction

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack was published by Bodo Möller, Thai Duong, and Krzysztof Kotowicz of Google in a security advisory in October 2014. The attack targets SSL 3.0 (SSLv3), an obsolete and insecure protocol, and lets a man-in-the-middle attacker decrypt secrets such as authentication cookies one byte at a time. To exploit […]
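An added simulation of the padding oracle (not code from the post or the advisory). SSLv3 CBC records end with filler bytes and one length byte; the filler is neither covered by the MAC nor checked on receipt, so a server accepts a tampered record exactly when the last decrypted byte happens to equal the expected length. The attacker, sitting between browser and server, uses JavaScript in the browser to pick request lengths so that the cookie byte of interest ends a block and the padding is a full block, then replaces the padding block with the block holding that cookie byte and watches whether the server accepts. Everything secret here is constructed: a 4-round Feistel network built from SHA-256 stands in for the real block cipher, the MAC is HMAC-SHA1 over the data only (real SSLv3 also covers the sequence number and header), and each record gets a fresh IV (real SSLv3 chains the previous record’s last block); none of these simplifications changes the oracle.

```python
import hashlib
import hmac
import random

BLOCK = 16    # block size of the toy cipher
MAC_LEN = 20  # HMAC-SHA1 tag length, as in SSLv3 CBC suites

# Constructed secrets shared by the simulated browser and server; the attacker code never reads them
ENC_KEY = b"toy-cbc-key"
MAC_KEY = b"toy-mac-key"
COOKIE = b"session=7f3a91"
_rng = random.Random(2014)  # deterministic IVs so the simulation is repeatable


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, r, half):
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, block):
    """4-round Feistel network over 8-byte halves: a toy stand-in for the real block cipher."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)


def client_record(prefix_len, suffix_len):
    """Browser side: attacker JS chooses path and body lengths; the browser adds the cookie, MAC and SSLv3 padding."""
    data = b"A" * prefix_len + COOKIE + b"B" * suffix_len
    body = data + hmac.new(MAC_KEY, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK                # SSLv3: pad_len filler bytes, then one length byte
    padded = body + bytes(pad_len) + bytes([pad_len])      # the filler is neither MACed nor checked on receipt
    iv = bytes(_rng.getrandbits(8) for _ in range(BLOCK))  # simplification: real SSLv3 chains the previous record
    return iv, cbc_encrypt(ENC_KEY, iv, padded)


def server_accepts(iv, ct):
    """Server side, SSLv3 rules: trust the length byte, ignore the filler, then check the MAC."""
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    pad_len = pt[-1]
    if pad_len > BLOCK - 1:
        return False
    body = pt[:len(pt) - pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(MAC_KEY, data, hashlib.sha1).digest())


def recover_cookie_byte(k):
    """Man-in-the-middle side: learn cookie byte k from accept/reject answers alone."""
    prefix_len = (BLOCK - 1 - k) % BLOCK + BLOCK                  # byte k ends a block (and not the first one)
    suffix_len = (-(prefix_len + len(COOKIE) + MAC_LEN)) % BLOCK  # data+MAC fill whole blocks: padding is a full block
    target = (prefix_len + k) // BLOCK + 1                        # 1-based plaintext block holding byte k; C_0 is the IV
    attempts = 0
    while True:
        attempts += 1
        iv, ct = client_record(prefix_len, suffix_len)
        c = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        n = len(c) - 1
        # swap the padding block C_n for C_target and forward the record; accepted iff its last byte decrypts to 15
        if server_accepts(iv, b"".join(c[1:n] + [c[target]])):
            # D(C_target) = P_target ^ C_{target-1}, and the server saw D(C_target) ^ C_{n-1} end in BLOCK-1
            return (BLOCK - 1) ^ c[target - 1][-1] ^ c[n - 1][-1], attempts
        # rejected: the next record has a different C_{n-1}, so retry (1/256 chance per record)


def recover_cookie(nbytes=len(COOKIE)):
    recovered, total = bytearray(), 0
    for k in range(nbytes):
        value, attempts = recover_cookie_byte(k)
        recovered.append(value)
        total += attempts
    return bytes(recovered), total


if __name__ == "__main__":
    cookie, records = recover_cookie()
    print("recovered %r using %d tampered records" % (cookie, records))
```

Each cookie byte costs about 256 tampered records on average, which is why the real attack needs a browser that will re-issue the request on demand. TLS 1.0 and later reject a record whose filler bytes are not all equal to the length byte, so the same substitution fails there with overwhelming probability; the only real fix is to disable SSLv3 (and, on the client side, the downgrade dance that reaches it).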

Posted in Software Security Testing

Software security and the user interface

We had an internal discussion the other day about the pros and cons of connecting professionally with random folks. During that discussion a separate thread was started about how to hide who you are connected to from your other connections. The idea was that it is OK to connect with someone but not allow that […]

Posted in Software Security Testing, Web Application Security

Red teaming: a holistic view of security

Software pervades our everyday lives: cellphones, tablets, fitness monitors, websites, networked home appliances, medical equipment, drones and automated vehicles. We expect software to work, often overlooking the need for the software running these systems to be secure. While we stress the importance of building security in throughout the SDLC, there are outside vehicles like rogue wireless […]

Posted in Mobile Application Security, Red Teaming, Software Development Life Cycle (SDLC), Software Security Testing