Software Integrity Blog

Author Archive

Mike Pittenger


Mike Pittenger has 30 years of experience in technology and business, more than 25 years of management experience, and 15 years in security. He previously served as Vice President and General Manager of the product division of @stake. After @stake’s acquisition by Symantec, Pittenger led the spin-out of his team to form Veracode. He later served as Vice President of the product and training division of Cigital. For the past several years, he has consulted independently, helping security companies identify, define and prioritize the benefit to customers of their technologies, structure solutions appropriately and bring those offerings to market. Mike earned his AB in Economics from Dartmouth College and an MBA with a finance concentration from Bentley College.

Posts by Mike Pittenger:


What’s happening with the National Vulnerability Database?

The image below is what you saw if you searched the National Vulnerability Database (NVD) on February 16. As you can see, vulnerabilities are being added on a daily basis. The far right column, however, is blank: none of the vulnerabilities are being scored using NIST’s Common Vulnerability Scoring System (CVSS).

Continue Reading...

Posted in Security news and research


Hustling and hacking lessons from Paul Newman

Was Equifax first hit with a non-targeted attack?

The details of the Equifax breach will unfold slowly over the next several weeks and months. One interesting detail came out recently when the company reported that “an actor interacted with our server on March 10, 2017.” That’s four days after the vulnerability was reported and three days after a researcher released an exploit to the public. So far, it doesn’t look like this was the attack that resulted in the breach. So what happened? Why would a hacker start an attack on Equifax, but not complete it? In this post, I’ll explore some hacking lessons we can take away from the movies.

The hustler

Think of hacking the way Paul Newman and Jackie Gleason approach pool hustling in the classic film, The Hustler (or Newman and Tom Cruise in the film’s sequel, The Color of Money). The hustler can’t spend every day looking for the richest individual in each town he visits. Instead, he picks a pool hall, loses a couple of games, and sees if he can find a “mark.” In this case, a mark is anyone who appears to have a combination of money and unearned confidence in their pool skills. In other words, someone who is vulnerable to the hustle and worth the hustler’s time in terms of a financial return. The hustler doesn’t care if the mark is a doctor, lawyer, or sanitation engineer. He only wants their money.

Finding a mark in the cyber world

In the cyber world, finding a mark is a little different. One way is to use a known exploit for a known vulnerability — like the Struts exploit — and simply “point it” at a range of IP addresses to see which, if any, are vulnerable to the exploit. These are non-targeted attacks; no specific victim is in mind, and those vulnerable servers are the hacker’s marks. He’ll then investigate those and learn more about them. Low value marks — such as schools or libraries — may be ignored, exploited to serve malware, or perhaps incorporated into a botnet. If the mark has high value, like a bank or retailer, the attacker invests more time to exploit the target or sells information about the mark to others.

Hustlers are rational

We often think of attackers selecting high-value targets and focusing their efforts on defeating the target’s defenses. This is undoubtedly true — in many cases. It’s unlikely, for instance, that the Office of Personnel Management breach in 2015 was an accident (the FBI recently arrested a Chinese national in relation to the malware used in the attack) or that Operation Aurora stumbled upon the source code and design documents of leading defense contractors and IT infrastructure providers. In both of these cases, the attacks appear to be directed by nation states for intelligence and industrial/defense espionage. This may be the case with Equifax as well, either through nation states or organized crime.

Continue Reading...

Posted in Open source and software supply chain risks, Open Source Security


Now it’s personal—4 takeaways from the Equifax breach

You’ve probably heard that personal information, including social security numbers, was stolen from Equifax. Here’s what you need to know.

Continue Reading...

Posted in Data Breach Security, Open Source Security, Security news and research


Attacks on CVE-2017-5638 critical vulnerability escalating

CVE-2017-5638 is a critical vulnerability in the Apache Struts 2 web app framework. Attacks have escalated as hackers exploit this code-execution bug.

Continue Reading...

Posted in Security news and research


“Easy” to hack Apache Struts vulnerability CVE-2017-9805

Dozens of Fortune 100 companies are at risk after researchers at LGTM discovered an easy-to-hack critical Apache Struts security flaw, CVE-2017-9805.

Continue Reading...

Posted in Security news and research


6 recommendations for healthcare cybersecurity

Early last year, in response to the Cybersecurity Act of 2015, the US Department of Health and Human Services (HHS) established The Health Care Industry Cybersecurity Task Force. This month the task force published its recommendations to improve healthcare cybersecurity.

Continue Reading...

Posted in Healthcare Security & Privacy, Medical Device Security


4 risks in connected cars

Black Duck (now Synopsys) held its inaugural European user conference this month in Amsterdam. Turnout was great, with almost 100 representatives from European businesses attending our training and presentations. I was privileged to lead a panel discussion on the security implications of open source in connected cars. Gordon Haff, Technology Evangelist at Red Hat, and Simon Gutteridge, Global Information Security Manager at TomTom, joined me to explore the topic.

Continue Reading...

Posted in Automotive Cyber Security


Commercial application security: 6 facts you didn’t know

Our Open Source Security and Risk Assessment report analyzed 1,000 audits. Here are my top 6 takeaways on open source in commercial application security.

Continue Reading...

Posted in Open source and software supply chain risks


Vulnerability remediation: You only have 4 options

In my previous post, I wrote about a simple process for triaging vulnerabilities across applications. Once you have the issues prioritized, the vulnerability remediation process is pretty straightforward. You don’t have a lot of options; either remediate the issue, ignore it, or apply other measures (compensating controls) to mitigate the risk posed by the vulnerability.

Continue Reading...

Posted in Building secure software


Vulnerability management and triage in 3 steps

Security testing tools can help organizations build better software by identifying vulnerabilities early in the SDLC. For security professionals and developers, however, the hard work begins when the testing is complete. Once you have a list of vulnerabilities across multiple applications, what’s your next step in vulnerability management and triage? And how do you ensure that you maximize your remediation efforts?

Continue Reading...

Posted in Managing security risks