Software Integrity

Archive for November 2014

Understanding Python pickling and how to use it securely

Post written by Ashutosh Agrawal, Senior Consultant, and Arvind Balaji, Associate Consultant. Pickle in Python is primarily used for serializing and de-serializing a Python object structure. In other words, it is the process of converting a Python object into a byte stream in order to store it in a file or database, maintain program state across sessions, or […]

Are you red team secure?

Data breaches can result in severe damage to an organization’s brand, financial standing, or customer trust. Many of these, including recent breaches in the news, are not the result of a single, easy-to-find weakness that just happened to be overlooked, or the common “low-hanging fruit” that is adequately detected by automated scanners […]

Alphabet soup: SAST, DAST, IAST, and RASP explained

Turns out that the most important part of a software security initiative is FIXing the bugs that you FIND no matter how you find the bugs. So just what do all of the alphabet soup tools do? How do they help you fix what you find? And how do they scale? FWIW, tools of all […]

Browser implementations of content security policy introduce security problems

In an article from August 2014, Pascal Landau describes how to deanonymize Facebook users by brute forcing Content Security Policy (CSP). The idea is an attacker tricks a user who is currently logged into Facebook to go to the attacker’s page. The attacker page has an iframe pointing to https://facebook.com/me with the CSP policy listing […]

Understanding Python bytecode

I’ve been working with Python bytecode recently, and wanted to share some of my experience working with it. To be more precise, I’ve been working exclusively on the bytecode for the CPython interpreter, and limited to versions 2.6 and 2.7. Python is a dynamic language, and running it from the command line essentially triggers the […]
