Software Security

Archive for March 2016

 

New hospital ransomware targets JBoss flaws

Ransomware is malicious software that encrypts data until a ransom is paid. Recently there has been a spate of attacks against healthcare organizations. On Monday, Washington-based MedStar Health had to shut down its computer systems because of ransomware. One variation of ransomware, Samsam, stands out because it skips the user and focuses directly on the network under […]


Posted in Healthcare Security, Medical Device Security

 

Synopsys finds 1,418 medical device vulnerabilities in 1 product

Back in my Codenomicon days security researcher Billy Rios and I began looking at software running on medical devices using our Appcheck product (now known as Synopsys Protecode SC). We were hoping to find a few software vulnerabilities to determine how effective our product was at finding such bugs. Once we began investigating we were […]


Posted in Medical Device Security

 

Improving applications with secure software design

An often overlooked aspect of software development is secure software design. With rapidly changing technologies, tight release schedules, and sloppy architecting to begin with, a securely designed application is too rare an occurrence. Additionally, the application security community has not done a great job of providing meaningful guidance around secure software design. Fortunately, […]


Posted in Software Architecture and Design

 

How to avoid the blind spot in static analysis tools caused by frameworks

More and more organizations are using static analysis tools to find security bugs and other quality issues in software long before the code is tested and released. This is a good thing, and despite their well-known frustrations like high false positive rates and relatively slow speeds, these tools are helping improve the overall security of […]


Posted in Code Review, Software Security Testing, Static Analysis (SAST)

 

Synopsys at Black Hat Asia 2016

This year’s Black Hat Asia will be held March 29-April 1 at the Marina Bay Sands hotel in Singapore. The event will include two days of training followed by two days of briefings. In the Business Hall, Synopsys will be at booth B07. The keynote will be given by respected researcher Dino Dai Zovi. He’ll be […]


Posted in Security Conference or Event

 

Supply chain firmware weakens surveillance camera security

According to a researcher at RSA, the firmware running on closed-circuit camera systems sold by over 70 different vendors may allow an attacker to gain “root” access to the affected device. In this case the new attack vector compromises the Digital Video Recorder (DVR) boxes, the part of the camera system that stores the images for later viewing. In […]


Posted in Internet of Things, Network Security

 

Early notice of Badlock Bug draws criticism

Engineers at Microsoft and the Samba Team have put system administrators on notice — without providing much detail. Call it an awareness campaign that something serious will be disclosed mid-April. But some in the security community are questioning the need for the early notice. On Wednesday the site Badlock Bug went live three weeks early […]


Posted in Application Security, Vulnerability Assessment

 

Hospitals under attack from ransomware

Are computer criminals drawn to hospital networks by the lure of valuable patient health data? Or is it perhaps because hospitals and healthcare providers appear to be the least secure kids on the Internet these days? On Monday, a Henderson, Kentucky-based healthcare facility said it was experiencing an “internal state of emergency” after an outbreak […]


Posted in Healthcare Security, Network Security

 

Agile software development tricks for the security savvy

Are you tired of waiting for the agile fad to pass so you can go back to doing security slow and steady? You might find yourself waiting for a long time. Agile software development is here to stay and is being adopted by organizations of all sizes. Firms are increasingly moving toward incremental development that […]


Posted in Agile Methodology, Application Security, Security Training

 

Bangladesh Bank security breach prompts U.S. probe

The SWIFT secure financial messaging system is under U.S. government scrutiny after last week’s disclosure of the theft of millions from a Bangladesh Central Bank account at the Federal Reserve Bank of New York. Although smaller transfers between the Bangladesh bank and the Federal Reserve did go through, a large transfer of between $850 and $870 million […]


Posted in Application Security, Data Breach, Financial Services Security