Software Security

Archive for January 2014


Insight into scaling automated code review

Nearly every organization tackling software security today is working on automating code review. However, the challenge most firms are running into now is how to scale this process with industrial-strength static analysis code review tools like HP Fortify, IBM AppScan, and Coverity. The latest SearchSecurity article from Gary McGraw, Synopsys, and Jim Routh, CISO, Global […]

Posted in Agile Methodology, Code Review, Financial Services Security, Software Security Testing, Static Analysis (SAST)

SecureRandom implementation (sun.security.provider.NativePRNG)

My previous blog entry on SecureRandom was SecureRandom Implementation (sun.security.provider.SecureRandom – SHA1PRNG). This week, I’m going to write about another implementation – the default in Oracle JRE installations on *nix. Instantiation: This implementation is only available on *nix. On default *nix installations of Oracle JRE, this is the default SecureRandom implementation. If it is not […]

Posted in Software Security Testing

SHA2 ‘vs.’ SHA1

For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into their schemes, those schemes seldom resist attack. Not surprising: applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet and the more thorough Threat Model, helps […]

Posted in OWASP, Threat Modeling

Don’t forget the flaws: Why architecture analysis matters and what to do about it

Ever since the publication of Building Secure Software in 2001 (and really even before that), we have emphasized the importance of focusing on software security design flaws (in the architecture). Of course finding bugs in code is lots easier, and we have made some great progress with static analysis in the last decade. (Don’t forget […]

Posted in Software Architecture and Design

FS-ISAC recommended controls for addressing third-party software security

All businesses depend on software; some software is developed internally while the rest comes from third-party software service providers and commercial off-the-shelf software (COTS) vendors. While organizations can hope the software from third parties is built securely, hope isn’t a viable security strategy—which means firms need to develop an effective third-party security strategy to reduce […]

Posted in Financial Services Security, Software Security Testing, Vendor Risk Management

SecureRandom implementation (sun.security.provider.SecureRandom – SHA1PRNG)

My previous blog entry on SecureRandom was Issues to be aware of when using Java’s SecureRandom. Today, I’ll write about the most complex SecureRandom implementation I’ve seen so far. Instantiation: This implementation is the default SecureRandom implementation in Oracle JRE installations on Windows. If it is configured to not be the default, it can be […]

Posted in Software Security Testing

Issues to be aware of when using Java’s SecureRandom

During a recent application assessment at Synopsys, a question came up regarding whether calls to SecureRandom can ever block. This led me to look into several SecureRandom implementations (four in Oracle JRE, and six in IBM JRE) in more detail, and I discovered some interesting facts. There seem to be at least three security issues […]

Posted in Software Security Testing