At Synopsys, our R&D teams routinely organize internal hackathons to verify the Synopsys Software Integrity Portfolio’s performance in real-world environments. During one hackthon, focused on open source software, Tuomas Haanpää, from the Synopsys Fuzz Testing (Defensics) R&D group, ran our NFSv3 test suite against the Linux kernel and found several interesting errors. Initial analysis found that anomalized […]
Continue Reading...
Posted in Application Security, Featured, Fuzz Testing, Open Source Security | Comments Off on Synopsys finds 3 Linux kernel vulnerabilities
In a new report, Synopsys examines new insights into areas of software development where further testing remains. By analyzing over 4.8 billion protocol-based tests, the Synopsys State of Fuzzing 2017 report qualifies the relative levels of maturity in terms of quality and security across more than 250 protocols found in industry verticals such as industrial […]
Continue Reading...
Posted in Fuzz Testing | Comments Off on What is the state of fuzz testing in 2017?
Fault Injection is a podcast from Synopsys that digs into software quality and security issues. This week, hosts Robert Vamosi, CISSP and Security Strategist at Synopsys, and Chris Clark, Principal Security Engineer at Synopsys, go into detail about the value of fuzz testing and the findings from a new report from Synopsys on the State […]
Continue Reading...
Posted in Fuzz Testing | Comments Off on Fault Injection Podcast: Where the zero days are
Another week of InfoSec in the desert is history. Black Hat USA started as the Black Hat Briefings in 1997, and has remained mostly corporate. It grew out of the hacker-friendly environment of DEF CON which started as a going away party for a friend of the founder, Jeff Moss, in 1993. Together, the two […]
Continue Reading...
Posted in Fuzz Testing, Internet of Things, Security Conference or Event | Comments Off on Black Hat USA and DEF CON 2017: And that’s a wrap!
Earlier this month WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency – or anyone else who knows about them […]
Continue Reading...
Posted in Code Review, Embedded Software Testing, Fuzz Testing, Network Security, Software Security Testing, Static Analysis (SAST) | Comments Off on Zeroing in on zero day vulnerabilities
Howard A. Schmidt, a friend to many in the security community, has died. A statement on his Facebook page says that he died today “in the presence of his wife and four sons … following a long battle with cancer.” Schmidt served as the White House Cybersecurity Advisor to Presidents Barack Obama and George W. […]
Continue Reading...
Posted in Fuzz Testing, Government Security, Medical Device Security, Network Security, Software Security Testing | Comments Off on Howard Schmidt, the United States’ first Cybersecurity Czar, has died
A researcher from Google disclosed on Thursday that private messages, API keys, and other sensitive data were being leaked by a major content delivery network to random requesters, a leakage that could affect up to 5.5 million websites. Like Heartbleed, which was co-discovered by the Synopsys team in Oulu, Finland, and Google in April 2014, […]
Continue Reading...
Posted in Application Security, Cloud Security, Fuzz Testing, Software Security Testing, Vulnerability Assessment | Comments Off on With comparisons to Heartbleed, Cloudbleed may affect millions
When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds his Phd. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, BlackHat, ToorCon, GrrCon, […]
Continue Reading...
Posted in Application Security, Code Review, Fuzz Testing, Software Composition Analysis, Software Security Testing, Static Analysis (SAST), Web Application Security | Comments Off on Bug elimination: Code scanning, fuzzing, and composition analysis
Last week a researcher disclosed a software vulnerability in a feature of the TLS/SSL stack that allowed a remote attacker to extract sensitive information. Sound familiar? In 2014, the Heartbleed vulnerability in the OpenSSL implementation of the heartbeat function in SSL affected some 600,000 websites worldwide and risked exposing passwords and other private keys. Ticketbleed, […]
Continue Reading...
Posted in Application Security, Fuzz Testing, Software Composition Analysis, Software Development Life Cycle (SDLC), Software Security Testing | Comments Off on Ticketbleed: The next black swan
On Tuesday, researchers at Synopsys were credited in an Apple Update with finding a Bluetooth vulnerability in its operating system. The Cupertino-based computer company disclosed a memory corruption issue as one of three affecting its Bluetooth stack. The effect of this specific unpatched vulnerability is that an application may be able to execute arbitrary code […]
Continue Reading...
Posted in Fuzz Testing, Vulnerability Assessment | Comments Off on Synopsys finds bluetooth memory vulnerability in MacOS/OS X