Software Integrity

Archive for April 2014


Understanding fragment injection

A colleague asked me about an Android vulnerability called fragment injection because of an article he read [1], and I think it's worth diving into the details of the vulnerability. Fragment injection is a classic example of using reflection in an unsafe way (CWE-470) [2], as in: untrusted data from an Intent is used to […]

Posted in Mobile Application Security, Web Application Security

What the Heartbleed bug should be teaching us

What a difference a few weeks makes in the software security world. When the Heartbleed bug was publicly disclosed a short while ago, the reaction was swift and fairly consistent. It was identified as a real problem, not FUD, and systems were being patched VERY quickly. Often, when a security vulnerability is announced, we […]

Posted in Fuzz Testing, Web Application Security

On detecting Heartbleed with static analysis

Many of our customers have asked whether Coverity can detect Heartbleed. The answer is not yet – but we’ve put together a new analysis heuristic that works remarkably well and does detect it (UPDATE: the Coverity platform now detects the Heartbleed defect). We wanted to tell our customers and readers about this heuristic and what […]

Posted in Application Security, Static Analysis (SAST)

Heartbleed vulnerability: What should you do?

By now, you’ve surely heard about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f (inclusive). The vulnerability has been present in OpenSSL since December 2011. Many websites have discussed the details of the bug, and I will not go into the deep technical details here. I will describe the bug at a high level, […]

Posted in Fuzz Testing, Software Security Testing, Web Application Security

OpenSSL: Fix or rewrite?

Today’s OpenSSL bug adds another tally to the rapidly growing list of major security issues with the OpenSSL library. A friend and former colleague, Mike Nygard, asked a very important question: "Serious question: is it better to rewrite a library that’s had a lot of implementation problems, or is it better to keep hardening […]

Posted in Application Security, Software Security Testing