Sophia Goreczky, Senior User Interface Design Engineer at Synopsys Software Integrity Group, is the recipient of 2017 YWCA Emerging Leader Award. She will be honored, along with four other award honorees, at an awards dinner on May 11, 2017 at the Fairmont Hotel in San Jose.
Posted in Uncategorized | Comments Off on Sophia Goreczky is the recipient of the 2017 YWCA Emerging Leader Award
Howard A. Schmidt, a friend to many in the security community, has died. A statement on his Facebook page says that he died today “in the presence of his wife and four sons … following a long battle with cancer.”
Posted in Application Security | Comments Off on Howard Schmidt, the United States’ first Cybersecurity Czar, has died
In response to its haphazard patch release cycle in the late 1990s, Microsoft launched an every second-Tuesday-of-the-month “Patch Tuesday” program in 2004. Last week, on February 14 to be exact, Microsoft abruptly canceled its current monthly set of patches and said that its slate of new patches would return on March 14. The problem is the day before was the end of a 90-day window that Google had established as part of its disclosure policy and so the security researchers at Google Project Zero went ahead and released details of the still open vulnerability.
Posted in Healthcare Security & Privacy, Software Architecture & Design | Comments Off on Responsible disclosure on a timetable
The new Cloudbleed vulnerability, like Heartbleed, was discovered through routine fuzz testing and may affect 5.5 million websites and millions of users.
Posted in Cloud Security, Fuzz Testing | Comments Off on With comparisons to Heartbleed, Cloudbleed may affect millions
When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, GrrCON, and HITB. He is currently the co-founder of VDA Labs.
Posted in Fuzz Testing, Software Composition Analysis (SCA), Static Analysis (SAST), Web Application Security | Comments Off on Bug elimination: Code scanning, fuzzing, and composition analysis
On February 4, 2017, a Saturday night, a high-school student in the U.K. realized he wasn’t going to university to study computer science. So he wrote a short program in C, and within a few hours, 150,000 internet-connected printers across the world were spitting out ASCII art and messages. All this was harmless, although the messages did say the compromise was the result of a botnet (there was no botnet). That said, what if such a botnet had been a real threat? How many organizations today include printers—or any aspect of the Internet of Things (IoT)—in their current threat models?
Posted in IoT Security, Software Architecture & Design | Comments Off on Internet of Things (IoT): Rethinking the threat model
Ticketbleed is a software vulnerability in a feature of the TLS/SSL stack that allows a remote attacker to extract sensitive information.
Posted in Fuzz Testing, Software Composition Analysis (SCA) | Comments Off on Ticketbleed: The next black swan
Gary McGraw provided this year’s keynote address at Shmoocon, held January 13-15 at the Washington Hilton in Washington, D.C. His talk, Seven Things: Frank Zappa, T. Coraghessan Boyle, and 21 Years in Security” touches upon valuable insights gleaned over his more than 21 years in software security. It also reflects his many interests.
Podcast: Play in new window | Download
Posted in Security Training & Awareness, Software Architecture & Design | Comments Off on Gary McGraw’s Shmoocon keynote recaps security career with advice
Gamers, warring over turf, may have launched the Mirai botnet, according to research by Brian Krebs at Krebs on Security.
Posted in IoT Security | Comments Off on Minecraft and the Mirai IoT botnet connection
Standards. Whether they are advisory or compulsory, standards developed for code development promote safety, quality, and security. This is especially important in life-critical industries such as automotive and medical. One example is MISRA C which provides software development guidelines for the C programming language.
Posted in Static Analysis (SAST) | Comments Off on Podcast: MISRA and software testing
