Software Integrity Blog

Archive for the 'Software Architecture & Design' Category


RSA 2018 recap: Detecting vulnerabilities and avoiding snake oil

With RSA 2018 behind us, a recap is in order. For any readers who have never attended the RSA Conference (RSA) in North America, it’s worth setting the stage. For practical purposes, RSA is the premier technology security conference. There are tens of thousands of attendees, well over a dozen conference tracks, and the show floor itself spans two buildings. Exhibitors range from the NSA and FBI (love their dogs, by the way), through service providers like CenturyLink and AT&T, major technology vendors like F5 and Trend Micro, to smaller vendors around the edges of the expo halls.

Posted in Software Architecture & Design

Weighing the pros and cons of open sourcing election software

Open source election software is exposed to many eyes that check it for vulnerabilities. But does that mean it’s more secure? What are the pros and cons of open sourcing election software?

Posted in Open Source Security, Software Architecture & Design

Detecting Spectre vulnerability exploits with static analysis

We’ve released a static analysis checker that can detect code patterns vulnerable to the Spectre attack. Learn how the checker works and see code examples.

Posted in Software Architecture & Design, Static Analysis (SAST)

Closing the CVE gap still a work in progress

It’s hard to think of a better security concept than the CVE (Common Vulnerabilities and Exposures) program. It amounts to crowdsourcing security.

Posted in Software Architecture & Design

What’s happening with the National Vulnerability Database?

The image below is what you saw if you searched the National Vulnerability Database (NVD) on February 16. As you can see, vulnerabilities are being added on a daily basis. The far right column, however, is blank: none of the vulnerabilities are being scored using NIST’s Common Vulnerability Scoring System (CVSS).

Posted in Software Architecture & Design

Black Duck OpsSight brings open source vulnerability detection to Kubernetes

This week we released a new version of Black Duck OpsSight, a solution for vulnerability detection and alerting in production environments. When we introduced Black Duck OpsSight for OpenShift in November, we made it possible for customers who use Black Duck Hub as an integral part of their SDLC security process to also monitor the open source security of their application deployment environments.

Posted in Open Source Security, Software Architecture & Design

Learn how to scale threat modeling with a pattern-based strategy

Performing threat modeling is a difficult and expensive undertaking for most firms, and understandably so. Traditionally, threat modeling requires an experienced security architect with knowledge in three fundamental areas.

Posted in Software Architecture & Design

Meltdown, Spectre security flaws “impact everything”

Welcome to 2018, with two major security flaws revealed that put any computing device with chips from Intel, AMD or ARM at risk. One security flaw, dubbed Meltdown, impacts Intel semiconductors, enabling bad guys to steal passwords. The other security flaw, Spectre, impacts chips from all three companies. During an interview with CNBC covered by Reuters, Intel’s chief executive noted that “Phones, PCs, everything are going to have some impact, but it’ll vary from product to product.”

Posted in Mergers & Acquisitions, Open Source Security, Software Architecture & Design

Navigating responsible vulnerability disclosure best practices

The definition of responsible vulnerability disclosure varies based on who you ask. Tech goliath Microsoft has openly disagreed with Google on this very topic, as outlined by The Verge.

Posted in Fuzz Testing, Software Architecture & Design

Attacks on TLS vulnerabilities: Heartbleed and beyond

Over the past few years, we’ve seen a variety of TLS vulnerabilities steadily surface. In general, we brand each one as “just another TLS vulnerability,” but the intricacies of each are rather distinct, though not horribly convoluted. Let’s walk through a few together.

2014: Heartbleed and POODLE

Heartbleed affects the OpenSSL library’s implementation of a TLS extension—the TLS heartbeat. A TLS heartbeat works as follows: The client (or server) sends some amount of data in a heartbeat request to its peer to verify the peer’s presence or keep the connection alive. The peer then echoes the data back to the sender to verify that the peer is reachable and alive. If you want the nitty-gritty details of the heartbeat extension, feel free to read the IETF’s description. Exploitation of Heartbleed, a faulty heartbeat implementation, can allow an attacker to read up to 64 KB of memory at a time from a peer running a vulnerable version of OpenSSL. Here’s how:

Posted in Software Architecture & Design