Software Security

Archive for August 2016


SWIFT discloses additional bank hacking thefts

Months after February’s high-profile $81 million heist at Bangladesh Bank, the global financial messaging system known as SWIFT said it has faced additional attempts to steal money starting in June. SWIFT messaging services are used and trusted by more than 11,000 financial institutions in more than 200 countries and territories around the world, according to […]

Posted in Data Breach, Financial Services Security

Goal-oriented security threat modeling approaches

When it comes to security, the vast majority of firms take measures to discover and remediate implementation-level software defects (i.e., bugs) in code. While this is a great start to securing software and data, it’s just that—a start. Bugs are only half the problem. It’s a necessary practice to look beyond squashing bugs, and into the […]

Posted in Code Review, Software Security Testing, Threat Modeling

Dangerous iOS flaws patched in emergency update

iPhone and iPad users should update their iOS software to the latest release version as soon as possible following the disclosure of three dangerous vulnerabilities on Thursday. Researchers from Toronto-based Citizen Lab, working with Lookout, said they had discovered three zero days (vulnerabilities not previously known to Apple or others) which could allow third parties […]

Posted in Mobile Application Security

Pseudorandom number generation means pseudosecurity

In 2014 an exploit was discovered in Firefox for Android that allowed malicious applications access to sensitive user data. The cause? An unfortunately predictable PRNG called Math.random(). If you’re using NodeJS (or any other JavaScript environment) in your stack today, the same Math.random() function is your default PRNG. Don’t worry, though. We’ve got your back. Here’s […]

Posted in Application Security

4 ineffective security controls that leave you with a false sense of security

Secure coding practices are a trending topic in a variety of industries these days. And for good reason. With online attacks and data breaches at an all-time high, firms are scrambling to secure their applications. However, there are certain practices that give a false sense of security by introducing weak security controls. Are you sure […]

Posted in Application Security, Software Security Testing, Vulnerability Assessment

Analysts find that apps run in containers more secure than not

Two analyst firms have concluded that running apps in containers is more secure than the alternatives. Gartner analyst Joerg Fritsch made the case in a new research note, “How to Secure Docker Containers in Operation”. In a follow-up blog post, he said: “… despite the challenges, Gartner believes that one of the biggest benefits of containers is security. […]

Posted in Application Security

How can social media help with your software security job search?

More and more job seekers are utilizing social media. Unfortunately, there seems to be a disconnect regarding how best to use social media while on the job hunt. In order to make a true impact, and attract the attention of recruiters in top companies and niche fields such as software security, it’s important to consider a […]

Posted in Application Security, Software Security Testing

U.S. government stresses security in procurement and acquisitions

The U.S. National Counterintelligence and Security Center (NCSC) will soon supply specific critical U.S. telecommunications, energy and financial organizations with classified supply chain threat reports. Last Thursday, the NCSC released a video highlighting the need for greater security around the supply chain. The video points out that during the Cold War, one could protect secrets by […]

Posted in Application Security, Vendor Risk Management

Study finds security warnings ignored 90% of the time

A new study finds that people ignore security warnings from software up to 90% of the time. In a paper, “More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable”, researchers from BYU, in collaboration with Google Chrome engineers, found that if a security warning appears while people are typing, watching a […]

Posted in Application Security, Security Risk Assessment

What is security assertion markup language (SAML)?

Let’s take a closer look at Security Assertion Markup Language, more commonly known as SAML. Have you been wondering what the fuss is about and whether this protocol can work for you? Let’s begin. SAML (Security Assertion Markup Language) is an XML-based, open standard data format for exchanging authentication and authorization data between parties. It’s a powerful tool for identity and […]

Posted in Application Security