Software Security

Archive for April 2016

 

ISA 62443 SDLC requirements heads to IEC for confirmation

A draft of ISA 62443-4-1 has been approved and now heads to IEC for final confirmation. Known officially as ISA-62443-4-1, Security for industrial automation and control systems, Part 4-1: Secure product development life-cycle requirements, the document is part of a certification program that assesses a supplier's product development lifecycle processes for industrial automation and control systems. […]


Posted in Security Standards and Compliance

 

German nuclear plant finds PCs full of viruses

More than a dozen common computer viruses have been found on PCs at one nuclear plant in Germany, according to its operator. The German utility RWE, which runs the Gundremmingen plant, located about 75 miles northwest of Munich, said it found the malware “W32.Ramnit” and “Conficker,” among others, in a computer system the company retrofitted […]


Posted in Industrial Control System Security

 

Mythbusting: How good security practices complement developer productivity

Originally posted on SecurityWeek. I coded my first program in the late 70s on tape and wrote a macro-assembler on punch cards, with extra credit for completing the task with a single box of cards. Since those bygone days, development has gone through an endless series of massive, convulsive change. But one thing has remained […]


Posted in Agile Methodology, Software Development Life Cycle (SDLC), Static Analysis (SAST)

 

Man in the middle: When Bob met Alice, and Eve heard everything

Earlier this year, we did some research on Socket.IO and evaluated the overall security of the framework. David Johannson of Synopsys took a deep dive into the code and discovered an interesting flaw in Socket.IO that allows an attacker to interpose on a supposedly secure (TLS-protected) connection between a Socket.IO server and client, allowing […]


Posted in Vulnerability Assessment, Web Application Security

 

The open perimeter: Is your internal network protected?

Large enterprises have traditionally relied on perimeter security to protect their services from the outside world. That idea of a trusted network behind a firewall has eroded over the years and is now considered an outdated approach to security. However, it is incorrect to assume that a firewall is therefore useless, even though the definition of […]


Posted in Internet of Things, Network Security, Red Teaming, Software Security Testing

 

Connected car security and privacy questioned

A new report due out on Monday from a U.S. senator finds that automakers' attempts to prevent hackers from gaining control of a vehicle's electronics are "inconsistent and haphazard," while the companies collect driver histories and other personal data, often without customer consent. "Drivers have come to rely on these new technologies, but unfortunately […]


Posted in Automotive Security, Embedded Software Testing, Internet of Things

 

Node.js and Socket.IO: How security fails when ‘null’ is ‘false’

I recently discovered an important security issue in Socket.IO—a zero-day vulnerability that allows a man-in-the-middle attack on TLS-protected communication between a Socket.IO client and a Socket.IO server. I find this issue rather interesting because it shows how unfortunate design decisions can unintentionally lead to insecure default configuration. This also highlights the dangers of not following […]
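The failure mode behind both Socket.IO items on this page (the "Man in the middle" post above and this one), as an added example that is not code from Socket.IO, engine.io or Node.js: a hypothetical wrapper layer forwards an unset option as null, a naive merge lets that null replace the secure default, and a truthiness check then reads null as false, so the server certificate is never verified. Everything here is an illustration of that pattern, not a reconstruction of the actual Socket.IO flaw; the names wrapperLayer, mergeNaive, mergeStrict, verifiesCertNaive, verifiesCertStrict, auditTlsOptions, compare and the DEFAULTS object are all assumptions. The only real identifiers are Node's rejectUnauthorized TLS option and its NODE_TLS_REJECT_UNAUTHORIZED environment variable.

```javascript
'use strict';

// Added, illustrative example; not code from Socket.IO, engine.io or Node.js.
// It models the pattern described in the post: a TLS option that should
// default to "verify the server certificate" reaches the decision point as
// null, and a truthiness check reads null as "do not verify".

// Hypothetical client defaults. Only rejectUnauthorized matters here.
const DEFAULTS = Object.freeze({ rejectUnauthorized: true, timeout: 5000 });

// Stand-in for an intermediate layer that copies every option it knows about,
// using null as its "not provided" placeholder (the shape of the bug).
function wrapperLayer(userOptions) {
  const u = userOptions || {};
  return {
    rejectUnauthorized: u.rejectUnauthorized === undefined ? null : u.rejectUnauthorized,
    timeout: u.timeout === undefined ? null : u.timeout,
  };
}

// Naive merge: any caller-supplied key, null included, overrides the default.
function mergeNaive(options) {
  return Object.assign({}, DEFAULTS, options);
}

// Naive decision: every falsy value (false, null, undefined, 0, '') disables verification.
function verifiesCertNaive(options) {
  return Boolean(options.rejectUnauthorized);
}

// Hardened merge: a default is replaced only by a value that is actually present.
function mergeStrict(options) {
  const out = Object.assign({}, DEFAULTS);
  for (const [key, value] of Object.entries(options || {})) {
    if (value !== undefined && value !== null) out[key] = value;
  }
  return out;
}

// Hardened decision: verification is skipped only on an explicit boolean false,
// so a stray null, undefined or 0 fails closed.
function verifiesCertStrict(options) {
  return options.rejectUnauthorized !== false;
}

// Pre-connect audit to run on the fully merged option object. Returns a list of
// findings; an empty list means certificate verification is explicitly on and
// not disabled process-wide by Node's NODE_TLS_REJECT_UNAUTHORIZED=0.
function auditTlsOptions(options, env) {
  const e = env || process.env;
  const findings = [];
  if (options.rejectUnauthorized !== true) {
    findings.push('rejectUnauthorized is ' + String(options.rejectUnauthorized) + ', expected true');
  }
  if (e.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push('NODE_TLS_REJECT_UNAUTHORIZED=0 disables verification process-wide');
  }
  return findings;
}

// Walk one caller configuration through both code paths and report whether
// the server certificate would be verified on each.
function compare(userOptions) {
  const forwarded = wrapperLayer(userOptions);
  return {
    naive: verifiesCertNaive(mergeNaive(forwarded)),
    strict: verifiesCertStrict(mergeStrict(forwarded)),
  };
}

// Demonstration on three caller configurations (constructed inputs).
for (const opts of [{}, { rejectUnauthorized: false }, { rejectUnauthorized: true }]) {
  console.log(JSON.stringify(opts), compare(opts));
}
console.log(auditTlsOptions(mergeNaive(wrapperLayer({})), {}));
```

With no caller option at all, the naive path silently ends up with verification off while the strict path keeps the default; an explicit `rejectUnauthorized: false` is still honoured on both, so the hardening does not remove the legitimate opt-out. The audit belongs immediately before the connection is opened, on the final merged object, because that is the only point where every layer's contribution is visible.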


Posted in Open Source Security, Software Security Testing, Vulnerability Assessment

 

SWIFT interbank network patches software vulnerabilities

SWIFT, the Society for Worldwide Interbank Financial Telecommunication, has issued a patch after identifying a vulnerability that may have led to last month's theft of $81 million from a Bangladesh Bank account at the New York Federal Reserve Bank. "SWIFT is aware of a number of recent cyber incidents in which malicious insiders […]


Posted in Financial Services Security, Software Security Testing, Vulnerability Assessment

 

As FDA medical device comment period ends, 2 healthcare organizations call for more standards

Two healthcare executive organizations are calling on the Food & Drug Administration (FDA) and the Department of Health and Human Services (HHS) to produce more guidance for medical device manufacturers. In seeking to clarify the need for greater collaboration among medical device manufacturers around cybersecurity in general, the FDA last January […]


Posted in Medical Device Security, Security Standards and Compliance

 

The complete web application security testing checklist

Did you know that the web is the most common target for application-level attacks? If you have ever been tasked with securing a web application, you know it is not a simple feat to accomplish. When securing your applications, it's critical to take a strategic approach. This web application […]


Posted in Application Security, Web Application Security