Software Integrity Blog

Author Archive

Robert Vamosi

robertvamosi


Posts by Robert Vamosi:

 

Howard Schmidt, the United States’ first Cybersecurity Czar, has died

Howard A. Schmidt, a friend to many in the security community, has died. A statement on his Facebook page says that he died today “in the presence of his wife and four sons … following a long battle with cancer.” Schmidt served as the White House Cybersecurity Advisor to Presidents Barack Obama and George W. […]

Posted in General

 

Responsible disclosure on a timetable

In response to its haphazard patch release cycle in the late 1990s, Microsoft launched an every second-Tuesday-of-the-month “Patch Tuesday” program in 2004. Last week, on February 14 to be exact, Microsoft abruptly canceled its current monthly set of patches and said that its slate of new patches would return on March 14. The problem is […]

Posted in Healthcare Security, Software Architecture and Design

 

With comparisons to Heartbleed, Cloudbleed may affect millions

A researcher from Google disclosed on Thursday that private messages, API keys, and other sensitive data were being leaked by a major content delivery network to random requesters, a leakage that could affect up to 5.5 million websites. Like Heartbleed, which was co-discovered by the Synopsys team in Oulu, Finland, and Google in April 2014, […]

Posted in Cloud Security, Fuzz Testing, Software Architecture and Design

 

Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds a Ph.D. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, Black Hat, ToorCon, […]

Posted in Fuzz Testing, Software Composition Analysis, Static Analysis (SAST), Web Application Security

 

Internet of Things (IoT): Rethinking the threat model

On February 4, 2017, a Saturday night, a high-school student in the U.K. realized he wasn’t going to university to study computer science, so he wrote a short program in C, and within a few hours had 150,000 internet-connected printers across the world spitting out ASCII art and messages. All this was harmless although the […]

Posted in Internet of Things, Software Architecture and Design, Software Composition Analysis

 

RSA Conference 2017: An ecosystem of security events

With the ongoing expansion of the Moscone Conference Center in downtown San Francisco, the RSA Conference planners had to be creative this year. To some degree they were successful (perhaps too successful) in breaking old habits and re-directing people to new locations, including new related events nearby. This pattern shift underscores how, at the end […]

Posted in Events, Webinars

 

Ticketbleed: The next black swan

Last week a researcher disclosed a software vulnerability in a feature of the TLS/SSL stack that allowed a remote attacker to extract sensitive information. Sound familiar? In 2014, the Heartbleed vulnerability in the OpenSSL implementation of the heartbeat function in SSL affected some 600,000 websites worldwide and risked exposing passwords and other private keys. Ticketbleed, […]

Posted in Fuzz Testing, Software Composition Analysis

 

Gary McGraw’s Shmoocon keynote recaps security career with advice

Gary McGraw provided this year’s keynote address at Shmoocon, held January 13-15 at the Washington Hilton in Washington, D.C. His talk, “Seven Things: Frank Zappa, T. Coraghessan Boyle, and 21 Years in Security,” touches upon valuable insights gleaned over his more than 21 years in software security. It also reflects his many interests. Watch the […]

Posted in Security Training, Software Architecture and Design, Software Security Initiative (SSI), Webinars

 

Minecraft and the Mirai IoT botnet connection

Gamers, warring over turf, may have launched the Mirai botnet, according to research by KrebsOnSecurity. On Wednesday, Brian Krebs published a long and detailed article explaining his months-long investigation into the author of the Mirai botnet, which was used to darken the internet for much of North America for several hours in October. The […]

Posted in Internet of Things, Software Architecture and Design

 

Researcher finds some airline infotainment systems vulnerable

The inflight services that allow passengers to enjoy movies and music on their flights might also allow clever individuals to change cabin lighting. In an article in the Telegraph, Ruben Santamarta, principal security consultant at IOActive, said he could access the in-flight system from Panasonic Avionics. He claimed he could hack its on-board displays. He […]

Posted in Internet of Things