Software Integrity Blog

Author Archive

Robert Vamosi

robertvamosi


Posts by Robert Vamosi:


Podcast: The good and the bad of Heartbleed, Part 2

Two years after the vulnerability in OpenSSL known as Heartbleed, there are still valuable lessons to be learned, both about how vulnerabilities are discovered and about how the security community should respond.

Posted in Open Source Security, Software Architecture & Design


Podcast: Billy Rios on the good and the bad of Heartbleed, Part 1

Two years after its disclosure, the vulnerability in OpenSSL known as Heartbleed remains significant. There are valuable lessons still to be learned both about how the vulnerability was initially discovered and how the security community has responded over time.

Posted in Fuzz Testing, IoT Security, Open Source Security


Irongate attacks ICS Siemens Step 7 PLCs—Similar to Stuxnet

A new family of ICS-focused malware, dubbed Irongate, interferes with an industrial process running within a simulated Siemens control system environment.

Posted in Application Security


How Distributed Weakness Filing might help MITRE’s CVE

Complaints about the current Common Vulnerabilities and Exposures (CVE) system from the MITRE organization have advanced a new community-powered Distributed Weakness Filing (DWF) system. DWF is available on GitHub.

Posted in Software Architecture & Design


For want of a CVE: MITRE’s ongoing CVE backlog

At a security conference this week, researchers complained about the CVE backlog at MITRE, the organization’s handling of new vulnerabilities, and the difficulty of getting a CVE assigned.

Posted in Software Architecture & Design


Podcast: ISO 26262 compliance through software testing

Standards are, without a doubt, important in any industry. Swipe your credit card at the cash register, and behind the scenes there’s PCI DSS safeguarding how the credit card information is processed and stored. For wireless communications, there’s IEEE 802. And for the automotive industry, there’s ISO 26262, a standard that covers electronic systems in automobiles and road vehicles.

Posted in Software Compliance, Quality & Standards


Podcast: Software security and the connected car

Today the average new car has more lines of software code than the Hubble Space Telescope, a Boeing 787 Dreamliner, and all the source code of your favorite social media app, Facebook, combined. And that’s just the beginning. In the not-so-distant future, your car will become no less than a mobile data center, capable of supporting a variety of new protocols.

Posted in Automotive Cyber Security


6 years later, ‘Stuxnet’ vulnerability remains exploited

In a recent report, Microsoft found that among the exploit-related malware families it detected during 2015 was one targeting a well-publicized vulnerability that is six years old.

Posted in IoT Security


Podcast: Securing the supply chain through procurement language, Part 2

Until recently, there has not been real pressure to have supply chain software vendors attest to the validity of their wares. But with the introduction of software into automobiles, television sets, and medical devices, software integrity has taken on greater meaning. Many industries have specific hardware procurement requirements for parts introduced into their supply chains, but what about software?

Posted in Software Architecture & Design, Web Application Security


Podcast: Securing the supply chain through procurement language, Part 1

Procurement language in software is the concept of holding someone contractually liable for the statements they make about the quality, reliability, and, most of all, security of the software they are providing. Many industries have specific hardware procurement requirements for parts introduced into their supply chains, but what about software? Until recently, there has not been real pressure to have supply chain software vendors attest to the validity of their wares. But with the introduction of software into automobiles, television sets, and medical devices, software integrity has taken on greater meaning.

Posted in Software Architecture & Design