Software Integrity

Archive for April 2014


Understanding fragment injection

A colleague asked me about an Android vulnerability called fragment injection because of an article he read [1], and I think it's worth diving into the details of the vulnerability. Fragment injection is a classic example of using reflection in an unsafe way (CWE-470) [2], in that untrusted data from an Intent is used to […]


Posted in Mobile Application Security, Web Application Security


What the Heartbleed bug should be teaching us

What a difference a few weeks makes in the software security world. When the Heartbleed bug was publicly disclosed a short while ago, the reaction was swift and fairly consistent. It was identified as a real problem, not FUD, and systems were being patched VERY quickly. Often, when a security vulnerability is announced, we […]


Posted in Fuzz Testing, Web Application Security


Heartbleed vulnerability: What should you do?

By now, you’ve surely heard about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f (inclusive). The vulnerability has been present in OpenSSL since December 2011. Many websites have discussed the details of the bug, and I will not go into the deep technical details here. I will describe the bug at a high level, […]


Posted in Fuzz Testing, Software Security Testing, Web Application Security


OpenSSL: Fix or rewrite?

Today’s OpenSSL bug adds another tally to the rapidly growing list of major security issues with the OpenSSL library. A friend and former colleague, Mike Nygard, asked a very important question. Serious question: is it better to rewrite a library that’s had a lot of implementation problems, or is it better to keep hardening […]


Posted in Application Security, Software Security Testing