Software Security

Archive for December 2015
A look at the U.S. smart grid security posture

There are three main components of any energy network: generation, transmission, and distribution. The modern energy industry has come a long way since it was a simple web of electrical devices. The system, now called a ‘smart grid,’ involves a highly integrated network of hardware and software components performing high-end computing and decision-making activities with […]

Posted in Smart Grid Security, Software Security Testing

How to mitigate your third-party mobile keyboard risk

What is the best form of cyber security defense? Well, as I always maintain, it’s user awareness! The implementation of a comprehensive user awareness policy carries a lot of weight and, when abided by, effectively complements the many technological solutions available. Mobile devices are used regularly within enterprise operations, and by nearly all consumers. The […]

Posted in Mobile Application Security, Security Risk Assessment, Vendor Risk Management

Android WebViews and the JavaScript to Java Bridge

Introduction: It’s been several months since I presented on Android WebViews at OWASP AppSec EU 2015 in Amsterdam, and I finally have the chance to put the content into a series of posts. In this first part of the series, I’ll briefly introduce WebViews and discuss the first of several topics, namely the JavaScript bridge. […]

Posted in Mobile Application Security, Software Security Testing

The top hacking techniques of 2015 and how they work

This year has been another banner year both in terms of security and vulnerability discovery. There have been many leaks and attacks, most of which were probably executed with older techniques. But, there are also a few new attack patterns worth highlighting which were revealed this year. Reflected file download (RFD) Let’s say that one […]

Posted in Mobile Application Security, Software Security Testing, Vulnerability Assessment, Web Application Security

Software security myth #7: Only high-risk applications need to be secured

Our seventh and last myth of software security is about scale. Today’s application portfolios are often quite large—thousands of apps. Getting started back in the day meant identifying those apps that carried the most risk and focusing all of the attention on them. However, those days are over. Today it’s about securing the entire portfolio—the […]

Posted in Application Security, Security Risk Assessment, Web Application Security

Cross-site scripting (XSS) vulnerabilities

What is cross-site scripting? Cross-site scripting (XSS) attacks are a type of injection attack. They occur when an attacker uses a trusted web site to send malicious code to an unsuspecting user, generally in the form of a JavaScript or HTML browser-side script. Why cross-site scripting is bad The user’s browser has no way to […]

Posted in Application Security, Software Security Testing, Vulnerability Assessment

Securing the Internet of ALL THE THINGS: Understanding the problem

Introducing the Internet-connected refrigerator We used to joke that the only thing the Java Intelligent Network Infrastructure (JINI) specification was good for was running Java on your toaster (a hat tip to John Romkey’s Internet Toaster, no doubt). We’d all get a good laugh at poor Bill Joy’s expense when the subject of writing autonomous […]

Posted in Application Security, Internet of Things

What are cryptographic hash functions?

A cryptographic hash function is an algorithm that takes an arbitrary amount of data input—a credential—and produces a fixed-size output of enciphered text called a hash value, or just “hash.” That enciphered text can then be stored instead of the password itself, and later used to verify the user. Certain properties of cryptographic hash functions […]

Posted in Software Security Testing, Vulnerability Assessment

What is cross-site request forgery (CSRF)?

Cross-site request forgery (CSRF) is an attack in which a malicious web site, email, blog, instant message, or other program makes the victim’s web browser perform a function without the victim’s initial knowledge, on a trusted site where the user is currently authenticated. Cross-site request forgery or CSRF attacks are also sometimes known as “confused […]

Posted in Software Security Testing, Vulnerability Assessment

What is a static analysis tool?

A static analysis tool is an automated tool used to perform static analysis, also known as static application security testing (SAST). SAST is the process of assessing software without executing it. SAST is most commonly performed on source code, but can also be performed on compiled binaries or object code produced for interpreted languages. Static analysis is used in three […]

Posted in Static Analysis (SAST)