Software Security

Archive for October 2016


A spell check equivalent for building security in

Originally posted on SecurityWeek. I can honestly say that spell check is the reason I now know how to spell “separate.” It only took about 20 years of patient and faithful repetition from Microsoft Word. The concept of spell check is intriguing when considered in the context of security. There is a significant benefit to […]

Posted in Agile Methodology, Security Training, Static Analysis (SAST)

Handle with care: You have my vulnerability assessment report!

Does your organization rely heavily on vendor products or applications for streamlining processes? Do you wonder what threats your data is being exposed to while it’s handled by these applications? Are you a vendor trying to assure clients that your applications are secure—without divulging too much information? Have you faced situations where your client demands […]

Posted in Application Security, Software Security Testing, Vulnerability Assessment

Securing IoT devices in the wake of last week’s Mirai malware attack

Last Friday, two major Distributed Denial of Service (DDoS) attacks on Dyn’s Managed DNS infrastructure brought down the websites of over 80 Internet giants including Amazon, PayPal, and Twitter. The sophisticated attack involved tens of millions of IP addresses. Many of these addresses were associated with the open source Mirai botnet. The attack leveraged Internet of […]

Posted in Application Security, Internet of Things, Network Security

A software glitch may have crashed the European Mars lander

The European Mars lander, Schiaparelli, destroyed last week on the surface of Mars, may have been the victim of a software error, according to preliminary data reviewed by researchers. Last Wednesday, at approximately four minutes and 41 seconds into its entry, descent, and landing (EDL) sequence, the European Mars lander suffered a software glitch. According to […]

Posted in Application Security, Static Analysis (SAST)

BSIMM7 explores emerging software security trends and evolution

BSIMM7 was released October 4th, 2016. That’s just a few weeks before the seventh annual BSIMM Community Conference convened on Amelia Island, Florida. This year’s BSIMM conference was well attended, with 160 participants representing 60 of 95 BSIMM firms from across the globe. The energy and enthusiasm at the conference was palpable. There is nothing […]

Posted in Maturity Model (BSIMM), Security Conference or Event, Software Security Testing

The pursuit of hapi-ness: 5 must-have hapi security plugins

hapi is best known for being a scalable, community-centric framework, but it’s clear that security is also a priority for the team behind it. hapi makes it easy for developers to validate configurations quickly and without having to perform (many) workarounds, making for a clean, secure code base. hapi relies on community-approved plugins to help […]

Posted in Vulnerability Assessment, Web Application Security

U.S. bank regulators want higher cybersecurity standards

On Wednesday, three U.S. bank regulators issued an advance notice of proposed rulemaking (ANPR) calling on banks to do more with their cybersecurity programs. The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have proposed a set of standards. The standards, which are open to discussion […]

Posted in Financial Services Security

Brace yourselves: Application transport security is coming

HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance, has (finally) decided to start treating the secure alternative, HTTPS, as the de facto Web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. […]

Posted in Mobile Application Security, Software Security Testing

Vulnerability management: Designing severity risk ranking systems

One of the first challenges most security teams tackle is defect discovery. Soon afterwards, the bugs start piling up. I often work with organizations struggling to consistently risk rank issues into severity categories. There are many factors to consider in this process, not to mention the amount of brain power going into devising the perfect […]

Posted in Security Risk Assessment, Software Security Testing, Vulnerability Assessment

Flaw in Intel chips might allow ASLR bypass

A flaw in chip hardware might allow attackers to circumvent ASLR protection in operating systems and applications. Running a recent version of Linux on top of a Haswell processor from Intel, researchers from the State University of New York at Binghamton were able to exploit a flaw in the part of the CPU known as […]

Posted in Application Security, Vulnerability Assessment