Software Security

Archive for the 'Application Security' Category

Hajime and Mirai locked in an IoT botnet turf war

Last fall, someone released a benign worm looking to protect Internet of Things (IoT) devices from more dangerous worms. Known as Hajime, the vigilante malware appears to be designed to block another IoT worm, Mirai. The two are chasing each other around the world, locked in a weird internet turf war seemingly bent on […]

Posted in Application Security, Security Risk Assessment, Threat Intelligence | No Comments »

Swift: Close to greatness in programming language design, Part 3

Welcome back. Ahead of Coverity Static Analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. Before digging into Part 3, I recommend reading Part 1 and Part 2 in this series if you have not already. Defect patterns part […]

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 3

Swift: Close to greatness in programming language design, Part 2

Ahead of Coverity Static Analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. To kick things off, I recommend reading Part 1 in this series if you have not already. Defect patterns continued: more basics. Now we consider additional […]

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 2

How to benchmark your software security strategies

Evaluating the progress of your software security journey is essential, but it can be a considerable challenge. Tracking operational metrics doesn’t tell you whether you are doing the right things. Analyst reports are often too general to provide tactical direction. And companies hold their security plans so close to the vest, it makes competitive research […]

Posted in Application Security, Maturity Model (BSIMM), Threat Modeling | Comments Off on How to benchmark your software security strategies

Forging a SHA-1 MAC using a length-extension attack in Python

SHA-1 (Secure Hash Algorithm 1) is broken. It has been since 2005. And yet, that hasn’t stopped its continued use. For example, until early 2017 most internet browsers still supported SHA-1. As though to confirm that SHA-1 was really, truly dead, researchers from CWI Amsterdam and Google announced at the end of February 2017 they […]

Posted in Application Security, Vulnerability Assessment, Web Application Security | Comments Off on Forging a SHA-1 MAC using a length-extension attack in Python

Sophia Goreczky is the recipient of the 2017 YWCA Emerging Leader Award

Sophia Goreczky, Senior User Experience Designer within Synopsys’ Software Integrity Group, is the recipient of the 2017 YWCA Emerging Leader Award. She will be honored, along with 4 other award honorees, at an awards dinner on May 11, 2017, at the Fairmont Hotel in San Jose. Since 1984, the YWCA Silicon Valley Tribute to Women Awards […]

Posted in Application Security | Comments Off on Sophia Goreczky is the recipient of the 2017 YWCA Emerging Leader Award

The connected toy conundrum is beginning to boil

Originally posted on SecurityWeek. The prediction business is a tricky thing. You can be right, but until you are proven right, you’re either early or wrong. Being early feels just like being wrong, up until the moment you are right. When toymaker VTech announced in November 2015 that nearly five million customer records had been leaked […]

Posted in Application Security, Internet of Things | Comments Off on The connected toy conundrum is beginning to boil

Swift: Close to greatness in programming language design, Part 1

As we are taking our first steps toward a Coverity Static Analysis solution for the Swift programming language, I am discovering one of the most challenging languages yet for Coverity. This is simply because many of the easy-to-make, easy-to-find mistakes in other programming languages were designed to be difficult or impossible in Swift. However, some mistakes […]

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 1

How to create clean images for corporate hardware

Planning an IT initiative can present many challenges, one of which is the choice of software in the organization’s base computer images. When starting out small, it may make sense to buy machines off the shelf if expansion is not anticipated in the near future. However, choosing to do so often includes unwanted programs that add […]

Posted in Application Security, Dynamic Analysis (DAST), Security Risk Assessment | Comments Off on How to create clean images for corporate hardware

New Apache Struts 2 zero-day vulnerability: What you need to know

It has been more than 48 hours since this attack was made public. At this time, hackers are actively exploiting the critical vulnerability and are able to take complete control of web servers. Several sources have been discussing details for exploiting this vulnerability. Rather than focusing on how to exploit it here, we will ensure that you are […]

Posted in Application Security, Open Source Security, Vulnerability Assessment, Web Application Security | Comments Off on New Apache Struts 2 zero-day vulnerability: What you need to know