Software Integrity

Archive for the 'Secure Coding Guidelines' Category

 

LifeLock lesson—Third party security is your security

On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed “unsubscribe” information related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Brian outlined an issue impacting recipients of LifeLock marketing material […]

Continue Reading...

Posted in Application Security, OWASP, Privacy, Secure Coding Guidelines

 

Remediating XSS: Does a single fix work?

A very common type of injection defect is cross-site scripting (also known as XSS or HTML injection). Many developers struggle with remediation of XSS because of a misunderstanding of the difference between validation, sanitization, and normalization/canonicalization. Lately, even some security vendors have started suggesting “fixing” injection defects close to the source rather than close to […]

Continue Reading...

Posted in Application Security, Secure Coding Guidelines

 

Infographic: Set the course for developers to navigate software security

Synopsys recently conducted a survey of 274 respondents to identify the role that security plays within organizational development teams. Participants represented a variety of job functions, including software developers, software engineers, quality assurance, software security, and audit/compliance team members. Responses are equally represented for companies under 1,000 employees and companies with 1,000+ employees. Here are […]

Continue Reading...

Posted in Application Security, Infographic, Secure Coding Guidelines

 

Is your software MISRA clean?

“Scalpel.” “Scalpel.” “Let’s make the incision … There we go …  Spreader.” “Spreader.” “Good. A little wider. Like that. Metzenbaum.” “Metzenbaum.” “There we are. We’re at the DIVIDE_BY_ZERO site. As you can see, it starts here, and follows this path here. We’ll remove it … gently … nice, a clean extraction. Now, let’s graft in […]

Continue Reading...

Posted in Application Security, Secure Coding Guidelines, Security Standards and Compliance, Software Quality, Vulnerability Assessment

 

Meet Auntie MISRA

Seems we all have one: that distant aunt. You know the one I’m talking about. Always dressed to the nines. Always perfectly coiffured. Every detail just so. And that tiny Jack Russell that did tricks on command, never yapped (unless told to “speak”), and was always at her side, springing up to her lap when she pulled out […]

Continue Reading...

Posted in Application Security, Secure Coding Guidelines, Security Standards and Compliance

 

Insecure example code leads to insecure production code

There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new […]

Continue Reading...

Posted in Secure Coding Guidelines, Security Training, Web Application Security

 

Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Continue Reading...

Posted in Code Review, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment

 

Learn defensive programming for HTML5 in a day

HTML5 is the fifth revision of the HTML standard. HTML5 and its integration with JavaScript introduce new security risks that require careful consideration when writing web front-end code. Modern web-based software, including mobile web front-end applications, make heavy use of innovative JavaScript and HTML5 browser support to deliver advanced user experiences. Front-end developers focus their […]

Continue Reading...

Posted in Secure Coding Guidelines, Security Training

 

Fixing cross-site scripting: A developer’s guide (Java edition)

Top 3 things to know about XSS mitigation Cross-site scripting (XSS) is a complex problem with many moving parts, but we want to highlight the most important “gotchas.” These are the Top 3: HTML escaping isn’t enough It is important to understand that HTML escaping (using HTML entities) is not always the right solution to […]

Continue Reading...

Posted in Application Security, Secure Coding Guidelines, Vulnerability Assessment

 

Securing URL redirects

Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top Ten 10 List. Sites that are vulnerable often expose a servlet or server-side script that constructs the URL being transferred to using data that is received from the client (i.e., something that can be […]

Continue Reading...

Posted in OWASP, Secure Coding Guidelines, Software Security Testing