Software Security

Archive for February 2017

Responsible disclosure on a timetable

In response to its haphazard patch release cycle in the late 1990s, Microsoft launched an every second-Tuesday-of-the-month “Patch Tuesday” program in 2004. Last week, on February 14 to be exact, Microsoft abruptly canceled its current monthly set of patches and said that its slate of new patches would return on March 14. The problem is […]

Posted in Ethical Hacking, Healthcare Security, Vulnerability Assessment | Comments Off on Responsible disclosure on a timetable

With comparisons to Heartbleed, Cloudbleed may affect millions

A researcher from Google disclosed on Thursday that private messages, API keys, and other sensitive data were being leaked by a major content delivery network to random requesters, a leakage that could affect up to 5.5 million websites. Like Heartbleed, which was co-discovered by the Synopsys team in Oulu, Finland, and Google in April 2014, […]

Posted in Application Security, Cloud Security, Fuzz Testing, Software Security Testing, Vulnerability Assessment | Comments Off on With comparisons to Heartbleed, Cloudbleed may affect millions

AngularJS security series part 1: Angular $http service

Welcome to the first part in our AngularJS Security Series. Here, we’ll discuss the various solutions to write more secure applications. Our goal is simple: to help developers better understand Angular and embrace the practice of writing more secure code. – Stephen Teilhet, Lewis Ardern, & David Johansson The AngularJS Module is the basic building block of […]

Posted in Application Security, JavaScript Security | Comments Off on AngularJS security series part 1: Angular $http service

Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds his Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, BlackHat, ToorCon, GrrCon, […]

Posted in Application Security, Code Review, Fuzz Testing, Software Composition Analysis, Software Security Testing, Static Analysis (SAST), Web Application Security | Comments Off on Bug elimination: Code scanning, fuzzing, and composition analysis

Embedded World and CodenomiCON Europe 2017 will kick your IoT security into high gear

Each year the Embedded World Exhibition and Conference in Nuremberg offers the embedded community an opportunity to gather information about new products and innovations, and to develop valuable contacts with others in the industry. An estimated 930 exhibitors will be presenting state-of-the-art embedded technologies at this year’s event. Embedded World Conference 2017 Join us in […]

Posted in Embedded Software Testing, Internet of Things, Security Conference or Event | Comments Off on Embedded World and CodenomiCON Europe 2017 will kick your IoT security into high gear

Hands-on strategies to counter common web application attacks

We’re excited to announce a new addition to our eLearning library: Attack & Defense. What’s this course all about? Web applications are becoming an increasingly high-value target for hackers looking to make a quick buck, damage reputations, or just boost their “street cred.” There is no shortage of publicly known attack tools and techniques, and software developers are outnumbered at the […]

Posted in Security Training, Web Application Security | Comments Off on Hands-on strategies to counter common web application attacks

Internet of Things (IoT): Rethinking the threat model

On February 4, 2017, a Saturday night, a high-school student in the U.K. realized he wasn’t going to university to study computer science so he wrote a short program in C, and within a few hours had 150,000 internet-connected printers across the world spitting out ASCII art and messages. All this was harmless although the […]

Posted in Internet of Things, Software Composition Analysis, Software Security Testing, Threat Modeling | Comments Off on Internet of Things (IoT): Rethinking the threat model

7 ways financial services firms can protect themselves

In 2014, remote attackers hit J.P. Morgan Chase and the associated website of the J.P. Morgan Corporate Challenge, affecting 76 million households and 7 million small businesses. Financial services are high-value targets. Even when collecting only the name and address of a high-asset account holder, that information can still be profitable on the black […]

Posted in Application Security, Financial Services Security | Comments Off on 7 ways financial services firms can protect themselves

Moving beyond ‘moving left’: The case for developer enablement

Originally posted on SecurityWeek. For far too long software security has consisted of a curious bifurcation of roles: developers develop, and IT security testers test for security issues. Fortunately, a confluence of circumstances has forced a recalibration of the developer’s role in software security. In fact, I think we are about to see a new […]

Posted in Security Training, Software Development Life Cycle (SDLC), Software Security Program Development, Static Analysis (SAST) | Comments Off on Moving beyond ‘moving left’: The case for developer enablement

RSA Conference 2017: An ecosystem of security events

With the ongoing expansion of the Moscone Conference Center in downtown San Francisco, the RSA Conference planners had to be creative this year. To some degree they were successful (perhaps too successful) in breaking old habits and re-directing people to new locations, including new related events nearby. This pattern shift underscores how, at the end […]

Posted in Application Security, Security Conference or Event | Comments Off on RSA Conference 2017: An ecosystem of security events