The Consumer Data Protection Act (as outlined in the CDPA draft circulated in early November by Sen. Ron Wyden) might not send CEOs to jail, but it will certainly help protect Americans’ data.
California is all done with weak passwords.
On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed “unsubscribe” information related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Brian outlined an issue impacting recipients of LifeLock marketing material who wished to opt out of further email communications by clicking on a “please remove me from this list” style link within the marketing material. Unfortunately, there was a flaw in that process that allowed anyone to discover email addresses associated with other users. In Symantec’s response, they indicate the issue was limited to the use of a third-party marketing platform used to process marketing communications, not the core LifeLock service, and that with the exception of the security researchers’ efforts, there was no indication of other access attempts. The areas we can all learn from With this as background, we can see several activities occurring here:
A very common type of injection defect is cross-site scripting (also known as XSS or HTML injection). Many developers struggle with remediation of XSS because of a misunderstanding of the difference between validation, sanitization, and normalization/canonicalization. Lately, even some security vendors have started suggesting “fixing” injection defects close to the source rather than close to the sink. This seems appealing because a fix close to the source has the potential to fix many defects with only a single code change. However, this suggestion suffers from two painful deficiencies. The first is confusion between validation and sanitization. The second is a misunderstanding of the regression risk associated with broad-impact changes. Once those items are better understood, it’s possible to formulate a viable plan for defect remediation. Validation isn’t enough for XSS Input validation involves ensuring that “input data falls within the expected domain of valid program input.” As an example, if we are expecting a dollar amount as input, only numerals and a decimal point are acceptable input characters. In some cases, validation of input data ensures that there are no special characters in the input and, as a side effect, will indeed prevent an injection attack.
Posted in Security Standards and Compliance | Comments Off on Remediating XSS: Does a single fix work?
Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup. Watch the episode below:
Another week, another list of data breaches resulting from vulnerabilities in third-party contractors for high-profile companies.
The Timehop breach disclosed 21 million individuals’ account information. And now we know what public disclosure of a breach might look like under GDPR.
It’s been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in their MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private user details for its millions of online users for eight months. Three days later we had yet another breach disclosure from Delta Airlines and Sears Holdings, who were using third-party chat services from 7.ai. The 7.ai breach then expanded to include Kmart and Best Buy a few days later.
The newly ratified Singapore Cybersecurity Bill is Singapore’s answer to securing critical information infrastructure (CII) providers, minimizing threats from malicious actors. But now that the bill has been signed into law, analysts and practitioners alike are raising concerns about the high costs and logistic challenges of enforcing it.
Posted in Security Standards and Compliance | Comments Off on What you need to know about the Singapore Cybersecurity Bill
Securing the Internet of Things (IoT) seems like an endless reality version of “Mission Impossible”—really impossible. Many have tried—with lists of best practices and standards, exhortations, and warnings—but none has succeeded.