Software Integrity Blog

Author Archive

Robert Vamosi

robertvamosi


Posts by Robert Vamosi:

Dan Geer explores the DevOps ‘Law of the Jungle’ dilemma

Under the constant threat of cyber attack, software security is evolving at an unprecedented rate. DevOps teams must ask themselves which is more likely to lead to long-term survival: investing in better cybersecurity, or reducing the number of software components they must struggle to secure.

Posted in Agile, CI/CD & DevOps

Hajime and Mirai locked in an IoT botnet turf war

Last fall, someone released a benign worm intended to protect Internet of Things (IoT) devices from more dangerous worms. Known as Hajime, the vigilante malware appears to be designed to block another IoT worm, Mirai. The two are chasing each other around the world, locked in a strange internet turf war seemingly bent on IoT domination, and we have already seen collateral damage from it. Virus vs. worm: first, some basic terminology.

Posted in Internet of Things

Sirens in the night: Civil defense systems susceptible to legacy vulnerabilities

Legacy vulnerabilities are often old "features" that were never designed for modern use. Since every new day brings a new attack, it is time to secure them.

Posted in General, Software Architecture and Design

Secure automotive software at any speed

The features that drive new car sales today are increasingly based on software. Drivers want their own music. They want to stay connected with their digital world. They want digital assistants to help park or even drive autonomously.

Posted in Automotive Security

What happens when dishwashers attack the network?

Last month a researcher announced that a commercial dishwashing machine contained a dangerous vulnerability allowing a remote attacker to gain access to privileged assets on the network it is connected to. Jens Regel of the German company Schneider & Wulf made the vulnerability public on Full Disclosure after contacting the vendor and waiting the customary 90 days. The vendor, Miele, has yet to respond.

Posted in Internet of Things

Does software quality equal software security? It depends.

Software quality assurance and security assurance both concern risk to the organization, but for different reasons. The risk might be mission critical, such as software on a scientific robot crawling another planet, or it might concern sensitive financial information. In the first example the integrity of the software is paramount, because it is hard to fix something on another planet. In the second, both quality and security are important, with security perhaps paramount.

Posted in Security Standards and Compliance, Software Architecture and Design, Software Composition Analysis

Zeroing in on zero day vulnerabilities

Earlier this month WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices, and smart TVs as well. Exploiting them could allow the spy agency, or anyone else who knows about them, to surveil targets by activating microphones and receivers and by eavesdropping on communications.

Posted in Fuzz Testing, Static Analysis (SAST)

Sophia Goreczky is the recipient of the 2017 YWCA Emerging Leader Award

Sophia Goreczky, Senior User Interface Design Engineer at Synopsys Software Integrity Group, is the recipient of the 2017 YWCA Emerging Leader Award. She will be honored, along with four other award honorees, at an awards dinner on May 11, 2017 at the Fairmont Hotel in San Jose.

Posted in Uncategorized

Howard Schmidt, the United States’ first Cybersecurity Czar, has died

Howard A. Schmidt, a friend to many in the security community, has died. A statement on his Facebook page says that he died today “in the presence of his wife and four sons … following a long battle with cancer.”

Posted in General

Responsible disclosure on a timetable

In response to its haphazard patch release cycle in the late 1990s, Microsoft launched its second-Tuesday-of-the-month "Patch Tuesday" program in October 2003. Last week, on February 14 to be exact, Microsoft abruptly canceled its current monthly set of patches and said its next slate of patches would arrive on March 14. The problem was that the day before had marked the end of the 90-day window Google sets under its disclosure policy, so the security researchers at Google Project Zero went ahead and released details of the still-unpatched vulnerability.

Posted in Healthcare Security, Software Architecture and Design