Software Security

Archive for March 2014

Book review: Reading Shostack’s ‘Threat Modeling’

Increasingly, individuals and organizations alike express interest in building their own threat modeling capabilities. Some ask, “What do you think about STRIDE?” More generally, “How can I help developers think about our systems’ security properties?” Synopsys has published a good deal of valuable threat modeling material, but the biggest single body of work continues to come […]


Posted in Software Security Program Development, Threat Modeling

Understanding the GnuTLS certificate verification bug

Recently, Apple released a patch for a bug in its SSL handshake implementation on iOS and Mac OS X that allowed attackers to intercept SSL traffic originating from vulnerable devices. It turns out that the GnuTLS library also contained a bug that was patched on February 27, 2014; this bug also allows attackers to intercept […]


Posted in Mobile Application Security, Software Security Testing