Software Security

Archive for the 'Security Risk Assessment' Category

Hajime and Mirai locked in an IoT botnet turf war

Last fall, someone released a benign worm looking to protect Internet of Things (IoT) devices from more dangerous worms. Known as Hajime, the vigilante malware appears to be designed to block another IoT worm, Mirai. The two are chasing each other around the world, locked in a weird internet turf war seemingly bent on […]

Posted in Application Security, Security Risk Assessment, Threat Intelligence

How to mitigate third-party security risks

Third-party products and services are an integral part of business operations. Organizations depend heavily on optimizing their solutions while reducing costs, which brings about the need for external expertise. Third-party organizations promise timely delivery of products and services, meeting compliance requirements, and optimizing the organization’s overall business performance. Reasons for bringing in a third party […]

Posted in Maturity Model (BSIMM), Security Risk Assessment, Vendor Risk Management

Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Posted in Code Review, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment

How to create clean images for corporate hardware

Planning an IT initiative can present many challenges, one of which is the choice of software in the organization’s base computer images. When starting out small, it may make sense to buy machines off the shelf if expansion is not anticipated in the near future. However, choosing to do so often means accepting unwanted pre-installed programs that add […]

Posted in Application Security, Dynamic Analysis (DAST), Security Risk Assessment

How to assess the risk of seemingly correct software

As the prevalence of software continues to trend upwards with time, a common assumption is that it is becoming more feature-rich and reliable. However, most in the software industry wouldn’t hesitate to point out how difficult it actually is to achieve fully working software. In fact, when calculating software risk, a key assumption is that it […]

Posted in Security Risk Assessment, Software Security Testing

Vulnerability management: Designing severity risk ranking systems

One of the first challenges most security teams tackle is defect discovery. Soon afterwards, the bugs start piling up. I often work with organizations struggling to consistently risk rank issues into severity categories. There are many factors to consider in this process, not to mention the amount of brain power going into devising the perfect […]

Posted in Security Risk Assessment, Software Security Testing, Vulnerability Assessment

IoT fueling larger DDoS attacks

Hacked internet-connected cameras and digital video recorders are to blame for a series of DDoS attacks that took down KrebsOnSecurity last week. The attacks were first reported on September 19 by Octave Klaba, the founder and CTO of OVH. According to Ars Technica, Klaba reported that more than 6,800 new cameras had joined the botnet […]

Posted in Internet of Things, Security Risk Assessment

OMB issues supply chain risk management (SCRM) guidance

New guidance for US government suppliers includes requirements for software testing. In the Office of Management and Budget (OMB) Circular A-130, published July 28, 2016, requirements for Supply Chain Risk Management (SCRM) were specified for those selling to any US Government organizations, including sub-tier suppliers. This means that suppliers of IoT/ICT components and services, either […]

Posted in Government Security, Security Risk Assessment

Study finds security warnings ignored 90% of the time

A new study finds that people ignore security warnings from software up to 90% of the time. In the paper "More Harm Than Good? How Messages That Interrupt Can Make Us Vulnerable", researchers from BYU, in collaboration with Google Chrome engineers, found that if a security warning appears while people are typing, watching a […]

Posted in Application Security, Security Risk Assessment

Flaw in ASN.1 code library could impact every form of communications

A code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones, contains a flaw that makes it possible to eavesdrop on or disrupt entire networks. An advisory published Monday evening describes a flaw in the way most systems implement […]

Posted in Security Risk Assessment, Threat Intelligence