Software Integrity Blog

Archive for the 'Security Standards and Compliance' Category

 

Don’t expect jailed CEOs, but Wyden at least puts consumer privacy on the table

The Consumer Data Protection Act (as outlined in the CDPA draft circulated in early November by Sen. Ron Wyden) might not send CEOs to jail, but it will certainly help protect Americans’ data.

Continue Reading...

Posted in General, Security Standards and Compliance | Comments Off on Don’t expect jailed CEOs, but Wyden at least puts consumer privacy on the table

 

Better passwords in California won’t help much

California is all done with weak passwords.

Continue Reading...

Posted in General, Internet of Things, Security Standards and Compliance | Comments Off on Better passwords in California won’t help much

 

LifeLock lesson—Third party security is your security

On July 25, on his blog Krebs on Security, Brian Krebs covered a flaw in how LifeLock processed “unsubscribe” information related to its marketing activities. For those unfamiliar with LifeLock, it is a subsidiary of Symantec offering identity monitoring and protection services in the U.S. market. Brian outlined an issue impacting recipients of LifeLock marketing material who wished to opt out of further email communications by clicking on a “please remove me from this list” style link within the marketing material. Unfortunately, there was a flaw in that process that allowed anyone to discover email addresses associated with other users. In Symantec’s response, they indicate the issue was limited to the use of a third-party marketing platform used to process marketing communications, not the core LifeLock service, and that with the exception of the security researchers’ efforts, there was no indication of other access attempts. The areas we can all learn from With this as background, we can see several activities occurring here:

Continue Reading...

Posted in General, Security Standards and Compliance | Comments Off on LifeLock lesson—Third party security is your security

 

Remediating XSS: Does a single fix work?

A very common type of injection defect is cross-site scripting (also known as XSS or HTML injection). Many developers struggle with remediation of XSS because of a misunderstanding of the difference between validation, sanitization, and normalization/canonicalization. Lately, even some security vendors have started suggesting “fixing” injection defects close to the source rather than close to the sink. This seems appealing because a fix close to the source has the potential to fix many defects with only a single code change. However, this suggestion suffers from two painful deficiencies. The first is confusion between validation and sanitization. The second is a misunderstanding of the regression risk associated with broad-impact changes. Once those items are better understood, it’s possible to formulate a viable plan for defect remediation. Validation isn’t enough for XSS Input validation involves ensuring that “input data falls within the expected domain of valid program input.” As an example, if we are expecting a dollar amount as input, only numerals and a decimal point are acceptable input characters. In some cases, validation of input data ensures that there are no special characters in the input and, as a side effect, will indeed prevent an injection attack.

Continue Reading...

Posted in Security Standards and Compliance | Comments Off on Remediating XSS: Does a single fix work?

 

Hackers target cryptocurrency exchange, new Spectre vulnerabilities, and healthier healthcare

Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup. Watch the episode below:

Continue Reading...

Posted in General, Medical Device Security, Security Standards and Compliance, Webinars | Comments Off on Hackers target cryptocurrency exchange, new Spectre vulnerabilities, and healthier healthcare

 

GDPR raises the stakes on data breaches

Another week, another list of data breaches resulting from vulnerabilities in third-party contractors for high-profile companies.

Continue Reading...

Posted in Data Breach, Security Standards and Compliance | Comments Off on GDPR raises the stakes on data breaches

 

Timehop breach provides GDPR response template

The Timehop breach disclosed 21 million individuals’ account information. And now we know what public disclosure of a breach might look like under GDPR.

Continue Reading...

Posted in Data Breach, Security Standards and Compliance | Comments Off on Timehop breach provides GDPR response template

 

Data breaches and more data breaches—oh my!

It’s been quite an interesting few weeks in the land of data breach disclosures. We started with Under Armour disclosing a breach in their MyFitnessPal application that impacted 150 million users. A few days later, Lord & Taylor and Saks Fifth Avenue disclosed a breach impacting millions of their in-store shoppers. Later the same day, we learned that Panera Bread had been leaking private user details for its millions of online users for eight months. Three days later we had yet another breach disclosure from Delta Airlines and Sears Holdings, who were using third-party chat services from [24]7.ai. The [24]7.ai breach then expanded to include Kmart and Best Buy a few days later.

Continue Reading...

Posted in Data Breach, Security Standards and Compliance | Comments Off on Data breaches and more data breaches—oh my!

 

What you need to know about the Singapore Cybersecurity Bill

The newly ratified Singapore Cybersecurity Bill is Singapore’s answer to securing critical information infrastructure (CII) providers, minimizing threats from malicious actors. But now that the bill has been signed into law, analysts and practitioners alike are raising concerns about the high costs and logistic challenges of enforcing it.

Continue Reading...

Posted in Security Standards and Compliance | Comments Off on What you need to know about the Singapore Cybersecurity Bill

 

U.K. threatens to force IoT security by design

Securing the Internet of Things (IoT) seems like an endless reality version of “Mission Impossible”—really impossible. Many have tried—with lists of best practices and standards, exhortations, and warnings—but none has succeeded.

Continue Reading...

Posted in Internet of Things, Security Standards and Compliance | Comments Off on U.K. threatens to force IoT security by design