Software Integrity

Archive for November 2016

If you’re only as strong as your allies, should you trust third-party code?

Originally posted on SecurityWeek.

Doing business is a highly interactive endeavor and software is increasingly at the heart of those interactions. Agility becomes a key component of staying competitive, so organizations are seeking allies to help them obtain the software they need to stay in the race. Notice I said “obtain” rather than “build” or […]

Posted in Open Source Security, Software Security Testing, Vendor Risk Management

Mirai botnet targets Deutsche Telekom routers, causing outages

Over the weekend, around 1 million Deutsche Telekom customers experienced interruptions to their Internet service, a denial of service that has now been traced to the Mirai botnet. Mirai exploits weaknesses in Internet of Things devices, such as default credentials on exposed management services, to assemble a botnet of compromised devices. The Mirai source code was released publicly in early October, allowing […]

Posted in Data Breach, Internet of Things

Here are the top 10 best practices for securing Android apps

Smartphone, tablet, and other hand-held device sales have skyrocketed in recent years. It’s now critical for businesses to provide a mobile option or experience to customers. Additionally, many companies are even created for the sole purpose of making services and entertainment available to their customers’ fingertips—literally. At the same time, software security initiatives must fall […]

Posted in Mobile Application Security, Security Training

5 reasons to outsource your authentication like you do your credit card processing

You may have noticed that we don’t create credit card processing solutions here. We use what already exists, as we do for authentication services, and there are some good reasons for that: Designing these systems is not our core competency – we’re good at researching languages and frameworks to design static analysis tools that help […]

Posted in Application Security, Static Analysis (SAST)

Get executive support for your software security journey

According to Osterman Research, 60% of IT and security leaders say that the information they provide on cyber risk is NOT actionable. To add to that alarming finding, SearchSecurity reports that 12% of CISOs include NO metrics in their reports to senior executives. Software security is one of many competing priorities demanding the attention of […]

Posted in Application Security, Security Metrics

Sweet32: Time to retire 3DES?

The DES encryption algorithm was designed in the early 1970s by researchers at IBM. It was adopted as a FIPS standard in 1977. The algorithm uses 56-bit keys, which were long enough to be secure at the time. However, as it became feasible to brute-force 56-bit keys, 3DES was adopted as a standard in the […]

Posted in Software Security Testing

Java platform security: Session state management explained

Applications have continued to evolve from desktop to enterprise, to the cloud, and laterally into the Internet of Things and embedded devices. Each evolution increases business benefit and, at the same time, creates more opportunity for successful exploitation. Further, traditional security infrastructure such as firewalls is proving less effective at defending applications. Few companies have a handle on their Java […]

Posted in Application Security

Getting to the bottom of the top 5 vendor risk management best practices

“We cannot enter into alliances until we are acquainted with the designs of our neighbors.” – Sun Tzu Opening this post with an Art of War quote may seem a bit cliché. At the same time, it really hits the nail on the head when discussing vendor risk management. After all, the best way to […]

Posted in Software Security Testing, Vendor Risk Management

‘PoisonTap’ steals network passwords

A new exploit tool needs only about 30 seconds to install a privacy-invading backdoor on a locked computer. Dubbed “PoisonTap,” the tool runs from a Raspberry Pi Zero plugged into any USB port. From there it intercepts all unencrypted Web traffic. In particular, PoisonTap captures any authentication cookies being used to log […]
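The cookie capture described above works because a browser attaches any cookie that lacks the Secure attribute to plain http:// requests, where an on-path device can read it in the clear. The following is an added example, not code from the original post or from the PoisonTap project: it uses Python's standard cookie jar to show which cookies a client would send to the same host over HTTP versus HTTPS. The hostnames, cookie names and values are constructed for the demonstration.

```python
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, secure):
    """Build a Netscape-style (version 0) session cookie for `domain`, as a
    server's Set-Cookie header would create it. secure=True corresponds to the
    Secure attribute on Set-Cookie."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def build_jar():
    """Constructed sample jar (hypothetical host and values): one session cookie
    set without the Secure attribute and one set with it."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(make_cookie("sessionid", "abc123", "app.example.com", secure=False))
    jar.set_cookie(make_cookie("sessionid_secure", "xyz789", "app.example.com", secure=True))
    return jar


def cookie_names_sent(jar, url):
    """Return the names of the cookies the jar would attach to a request for `url`,
    applying the same Secure, domain and path rules a browser applies."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)  # adds a Cookie header only for eligible cookies
    header = req.get_header("Cookie")
    if not header:
        return []
    return [part.split("=", 1)[0] for part in header.split("; ")]


if __name__ == "__main__":
    jar = build_jar()
    # An interceptor on the plaintext path sees only the http:// request,
    # so the first line is what it can harvest.
    print("http  ->", cookie_names_sent(jar, "http://app.example.com/account"))
    print("https ->", cookie_names_sent(jar, "https://app.example.com/account"))
    print("other ->", cookie_names_sent(jar, "http://other.example.net/"))
```

Only the cookie set without Secure is attached to the http:// request; the Secure one is withheld, and neither is sent to an unrelated host. Marking a session cookie Secure therefore takes it out of reach of a device that can only see plaintext traffic, even if the browser is induced to make HTTP requests to that host.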

Posted in Network Security

Philips honors Synopsys researcher with responsible disclosure honor

On Wednesday, Philips named Mike Ahmadi, Global Director of Critical Systems Security for Synopsys Software Integrity Group, to its Responsible Disclosure Hall of Honors. Responsible Disclosure, also known as Coordinated Vulnerability Disclosure, means that the first reporter of a new vulnerability has chosen to work with the vendor to demonstrate the validity of the finding […]

Posted in Medical Device Security