How does your software security initiative stack up against the best? Against others in your market? Against your own goals? A Building Security In Maturity Model (BSIMM) assessment can answer these questions.
Posted in General, Maturity Model (BSIMM) | Comments Off on The BSIMM helps organizations mature software security
It took security researchers only minutes to gain access to more than a dozen voting machines at last month’s DEF CON security conference. The nearly two dozen machines, all purchased from eBay and government auctions, are considered representative of the wide variety of electronic voting systems in use today. One even contained actual voting data from a previous election, exposing another issue: how to delete old data.
Posted in Data Breach, General | Comments Off on DEF CON 25 exposes voting system vulnerabilities
In a survey conducted by Synopsys at this year’s Infosecurity (InfoSec) Europe, almost half of participants said their organizations had not experienced a cyber attack within the last two years. Most attendees surveyed said their organizations had either an internal or external software security group or a combination of both. And the majority indicated their organizations had an incident response plan in place and offered formal cyber security awareness training.
Posted in General | Comments Off on Survey finds organizations better prepared for cyber security threats
New legislation proposed this month in U.S. Congress seeks to mitigate the risk of botnets commandeering Internet of Things (IoT) devices used in the U.S. government. The Internet of Things Cybersecurity Improvement Act of 2017 is a proposal from Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Ron Wyden (D-Wash.) and Steve Daines (R-Mont.). It aims to mitigate risks and increase security in IoT products. The bill is limited to U.S. government-purchased devices. Since the U.S. government is such a large consumer, it is reasonable to assume that these improvements will eventually find their way into commercial products as well.
Posted in General, Internet of Things | Comments Off on How will new IoT legislation strengthen the future of cyber security?
In a new report, Synopsys examines new insights into areas of software development where further testing remains. By analyzing over 4.8 billion protocol-based tests, the Synopsys State of Fuzzing 2017 report qualifies the relative levels of maturity in terms of quality and security across more than 250 protocols found in industry verticals such as industrial control systems, medical, financial, government, and the Internet of Things (IoT). Check out the State of Fuzzing 2017 report to get all the findings.
Posted in Fuzz Testing | Comments Off on What is the state of fuzz testing in 2017?
Before the public sessions kick off at Black Hat on Wednesday and Thursday, there are four days of training courses. The course I took part in this year was a two-day, hands-on car hacking course. My instructor, Robert Leale, is the founder and coordinator for the car hacking village at DEF CON. Both the weekend and weekday editions of this course were sold out.
Posted in Automotive Security | Comments Off on Are there ever legitimate reasons for hacking a car?
Another week of InfoSec in the desert is history. Black Hat USA started as the Black Hat Briefings in 1997, and has remained mostly corporate. It grew out of the hacker-friendly environment of DEF CON which started as a going away party for a friend of the founder, Jeff Moss, in 1993. Together, the two conference represent the largest annual gathering of InfoSec experts in the world.
Posted in Fuzz Testing, General, Internet of Things | Comments Off on Black Hat USA and DEF CON 2017: And that’s a wrap!
Last week, authorities in multiple countries served warrants to take down a Dark Web site generating a reported $600,000-$800,000 a day in sales of illegal drugs and other products. The clue that led authorities to the real-world admin behind the site was a personal email address used in the site’s early days. It provided a tangible link between the virtual world and the physical world. And, it underscored the many difficulties in truly masking one’s identity online.
Posted in General | Comments Off on What Dark Web failures can teach us about security at Black Hat and DEF CON
A vulnerability in a single software component, found in an internet-connected security camera, may leave thousands of different security camera models (and other Internet of Things devices) at risk. But Devil’s Ivy and other such flaws can be avoided with effective software supply chain management.
Posted in Internet of Things, Software Composition Analysis | Comments Off on Devil’s Ivy security vulnerability leaves IoT devices at risk
This week’s malware outbreak that removed computer data capabilities from large enterprises worldwide is now thought to have been designed to damage, not to earn profit. Therefore, it only masquerades as traditional ransomware. First seen on Tuesday, NotPetya/Petya is like last month’s WannaCry in that it displayed a ransom request of $300 in Bitcoin on compromised machines. However, this time the attacks were not widespread nor intended for individual machines. They were targeted at faulty enterprise networks and the data was generally not recoverable.
Posted in Data Breach | Comments Off on Beyond WannaCry and NotPetya / Petya: What’s next for enterprises?