Software Integrity Blog

Author Archive

Robert Vamosi

Posts by Robert Vamosi:


How Distributed Weakness Filing might help MITRE’s CVE

Complaints about the current Common Vulnerabilities and Exposures (CVE) system run by the MITRE organization have led to a new community-powered Distributed Weakness Filing (DWF) system. DWF is available on GitHub.

Posted in Software Architecture & Design

For want of a CVE: MITRE’s ongoing CVE backlog

At a security conference this week, researchers complained about the CVE backlog at MITRE, related to the organization’s handling of new vulnerabilities, and the difficulties of getting a CVE assigned.

Posted in Software Architecture & Design

Podcast: ISO 26262 compliance through software testing

Standards are, without a doubt, important in any industry. Swipe your credit card at the cash register, and behind the scenes there’s PCI DSS safeguarding how the credit card information is processed and stored. For wireless communications, there’s IEEE 802. And for the automotive industry, there’s ISO 26262, a standard which covers electronic systems in automobiles and road vehicles.

Posted in Software Compliance, Quality & Standards

Podcast: Software security and the connected car

Today the average new car has more lines of software code than the Hubble Space Telescope, a Boeing 787 Dreamliner, and all the source code of your favorite social media app, Facebook, combined. And that’s just the beginning. In the not so distant future, your car will become no less than a mobile data center, capable of supporting a variety of new protocols.

Posted in Automotive Cyber Security

6 years later, ‘Stuxnet’ vulnerability remains exploited

In a recent report, Microsoft found that among the exploit-related malware families it detected during 2015 was one targeting a six-year-old vulnerability that had been well publicized.

Posted in IoT Security

Podcast: Securing the supply chain through procurement language, Part 2

Until recently, there has not been real pressure to have supply chain software vendors attest to the validity of their wares. But with the introduction of software into automobiles, television sets, and medical devices, software integrity has taken on greater meaning. Many industries have specific hardware procurement requirements for parts introduced into their supply chains, but what about software?

Posted in Software Architecture & Design, Web Application Security

Podcast: Securing the supply chain through procurement language, Part 1

Procurement language in software is the concept of holding someone contractually liable for the statements they make about the quality, reliability, and—most of all—security of the software they are providing. Many industries have specific hardware procurement requirements for parts introduced into their supply chains, but what about software? Until recently, there has not been real pressure to have supply chain software vendors attest to the validity of their wares. But with the introduction of software into automobiles, television sets, and medical devices, software integrity has taken on greater meaning.

Posted in Software Architecture & Design

Podcast: Rauli Kaksonen on discovering Heartbleed

It’s been two years since a critical vulnerability, CVE-2014-0160, better known as Heartbleed, was first disclosed. The flaw, found in certain older versions of OpenSSL, lay in the handling of Heartbeat Extension packets; the Heartbeat protocol exists to check that the other machine in a transaction is still present, in this case on the encrypted connection between a client and a server. It affected hundreds of thousands of popular websites and allowed an attacker to obtain far more than a simple response: it could leak passphrases and encryption keys.

Posted in Open Source Security, Software Architecture & Design

Early notice of Badlock bug draws criticism

The Badlock bug website went live three weeks ahead of full disclosure and software updates. But some practitioners question the need for the early notice.

Posted in Software Architecture & Design

Backdoor found in government AV equipment

A supplier of audio-visual equipment to the US federal government on Thursday issued an update to its products that removed a potential backdoor that could allow “higher privileges than even administrative access to the system via the backdoor,” according to the researchers who first reported it.

Posted in Uncategorized