Software Integrity Blog

Archive for the 'Software Architecture & Design' Category

RSA 2018 recap: Detecting vulnerabilities and avoiding snake oil

The message at RSA 2018 was clear: stronger regulations and stiffer penalties haven’t slowed data breaches. It’s time to look at the cost of noncompliance.

Posted in Software Architecture & Design

Weighing the pros and cons of open sourcing election software

Open source election software is exposed to many eyes that check it for vulnerabilities. But does that mean it’s more secure? What are the pros and cons of open sourcing election software?

Posted in Open Source Security, Software Architecture & Design

Detecting Spectre vulnerability exploits with static analysis

We’ve released a static analysis checker that can detect code patterns vulnerable to the Spectre attack. Learn how the checker works and see code examples.

Posted in Software Architecture & Design, Static Analysis (SAST)

Closing the CVE gap still a work in progress

It’s hard to think of a better security concept than the CVE (Common Vulnerabilities and Exposures) program. It amounts to crowdsourcing security.

Posted in Software Architecture & Design

What’s happening with the National Vulnerability Database?

The image below is what you would have seen if you searched the National Vulnerability Database (NVD) on February 16. As you can see, vulnerabilities are still being added daily. The far right column, however, is blank: none of the new entries have been given Common Vulnerability Scoring System (CVSS) scores, which NIST's NVD analysts normally assign.

Posted in Software Architecture & Design

Black Duck OpsSight brings open source vulnerability detection to Kubernetes

This week we released a new version of Black Duck OpsSight, a solution for vulnerability detection and alerting in production environments. When we introduced Black Duck OpsSight for OpenShift in November, we made it possible for customers who use Black Duck Hub as an integral part of their SDLC security process to also monitor the open source security of their application deployment environments.

Posted in Open Source Security, Software Architecture & Design

Learn how to scale threat modeling with a pattern-based strategy

Performing threat modeling is a difficult and expensive undertaking for most firms, and understandably so. Traditionally, threat modeling requires an experienced security architect with knowledge in three fundamental areas.

Posted in Software Architecture & Design

Navigating responsible vulnerability disclosure best practices

The definition of responsible vulnerability disclosure varies based on who you ask. Tech goliath Microsoft has openly disagreed with Google on this very topic, as outlined by The Verge.

Posted in Fuzz Testing, Software Architecture & Design

Attacks on TLS vulnerabilities: Heartbleed and beyond

Over the past few years, we’ve seen a variety of TLS vulnerabilities steadily surface. In general, we brand each one as “just another TLS vulnerability,” but the intricacies of each are rather distinct, though not horribly convoluted. Let’s walk through a few together.

2014: Heartbleed and POODLE

Heartbleed affects the OpenSSL library’s implementation of a TLS extension, the TLS heartbeat (RFC 6520). A TLS heartbeat works as follows: the client (or server) sends some amount of data in a heartbeat request to its peer to verify the peer’s presence or to keep the connection alive. The peer then echoes the data back to the sender to show that it is reachable and alive. If you want the nitty-gritty details of the heartbeat extension, read the IETF’s description in RFC 6520. Exploitation of Heartbleed, a faulty heartbeat implementation, can allow an attacker to read up to 64 KB of memory at a time from a peer running a vulnerable version of OpenSSL. Here’s how:
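As an added illustration (not code from the original post or from OpenSSL), the following C model shows the heartbeat message layout from RFC 6520, a handler that trusts the message's own payload_length field the way OpenSSL did before 1.0.1g, and the bounds check the fix introduced. The "arena" buffer, the 5-byte payload, the claimed length of 40, and the SECRET_KEY_MATERIAL bytes are all constructed for the demo: they stand in for whatever happened to sit in the heap after a real received record.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage, carried inside a TLS record:
 *   type            1 byte  (1 = heartbeat_request, 2 = heartbeat_response)
 *   payload_length  2 bytes, big-endian
 *   payload         payload_length bytes
 *   padding         at least 16 bytes
 */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_PADDING = 16, HB_HDR = 3 };

/* Constructed stand-in for process memory. In a real peer the bytes after the
 * received record are whatever the allocator left there (keys, cookies, other
 * sessions' plaintext); a fixed arena keeps this demo within defined behaviour
 * while reproducing the same over-read. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
#define SECRET "SECRET_KEY_MATERIAL"   /* 19 bytes, constructed for the demo */

/* Build a heartbeat request. The sender controls claimed_len independently of
 * how many payload bytes it actually puts on the wire. Returns the true
 * record length (bytes actually written). */
static size_t build_heartbeat(unsigned char *out, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (unsigned char)(claimed_len >> 8);
    out[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(out + HB_HDR, payload, actual_len);
    memset(out + HB_HDR + actual_len, 0, HB_PADDING);  /* zero padding, deterministic */
    return HB_HDR + actual_len + HB_PADDING;
}

/* Vulnerable handler, modelled on OpenSSL 1.0.1 through 1.0.1f: it reads
 * payload_length from the message and never compares it with rec_len, the
 * number of bytes the record really carried. Returns the response length. */
static size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                                    unsigned char *resp)
{
    (void)rec_len;                                      /* never consulted: the bug */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);   /* copies past the record */
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Fixed handler, the check OpenSSL 1.0.1g added: header + claimed payload +
 * minimum padding must fit inside the received record; otherwise the message
 * is silently discarded, as RFC 6520 requires. Returns 0 when discarded. */
static size_t hb_process_fixed(const unsigned char *rec, size_t rec_len,
                               unsigned char *resp)
{
    if (rec_len < HB_HDR + HB_PADDING)
        return 0;                                       /* cannot even hold header + padding */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + payload_len + HB_PADDING > rec_len)
        return 0;                                       /* lying length field: drop it */
    resp[0] = HB_RESPONSE;
    resp[1] = rec[1];
    resp[2] = rec[2];
    memcpy(resp + HB_HDR, rec + HB_HDR, payload_len);
    memset(resp + HB_HDR + payload_len, 0, HB_PADDING);
    return HB_HDR + payload_len + HB_PADDING;
}

/* Scenario: a 5-byte payload ("hello") with a claimed length of 40, followed
 * in the arena by the constructed secret. Fills resp from the vulnerable
 * handler and returns its length; *fixed_len_out receives what the fixed
 * handler returned for the same record (0 = discarded). */
static size_t run_heartbleed_demo(unsigned char *resp, size_t *fixed_len_out)
{
    static const unsigned char hello[] = "hello";
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_heartbeat(arena, 40, hello, 5);    /* 24 bytes on the wire */
    memcpy(arena + rec_len, SECRET, sizeof SECRET - 1);       /* "adjacent" heap data */

    *fixed_len_out = hb_process_fixed(arena, rec_len, resp);  /* 0: request dropped */
    return hb_process_vulnerable(arena, rec_len, resp);       /* 59: echoes 40 bytes */
}

int main(void)
{
    unsigned char resp[128];
    size_t fixed_len;
    size_t vuln_len = run_heartbleed_demo(resp, &fixed_len);
    printf("fixed handler: %zu bytes (0 = discarded)\n", fixed_len);
    printf("vulnerable handler: %zu bytes, leaked tail: %.19s\n",
           vuln_len, (const char *)(resp + 24));
    return 0;
}
```

In the response from the vulnerable handler, bytes 3..7 are the genuine payload, 8..23 the padding, and 24..42 the bytes that followed the record in memory; the real attack simply repeats the request with a claimed length of up to 65535 and scrapes whatever comes back. The fixed handler's test is the whole patch: the attacker-supplied length is only honoured when it is consistent with the length the transport actually delivered.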

Posted in Software Architecture & Design

Learning from KRACK and ROCA: Here’s how to equip your firm

Last week’s news introduced us to another pair of vulnerabilities hitting right at the foundation of everything we place our trust in. Named KRACK and ROCA, these flaws target specific facets of Wi-Fi networks and cryptographic keys: KRACK forces key reinstallation during the WPA2 four-way handshake, and ROCA exploits weak RSA key generation in Infineon chips used in TPMs and smart cards. Together they mean attackers can potentially sneak into networks we consider private and decipher things we consider secret. Who’s affected? If you’re in enterprise IT, you’re likely familiar with the cycle of waiting for a patch, then planning and coordinating its rollout across your estate. What’s interesting in this case is that a lot of the space to be covered includes non-PC devices, so you have to figure out how those will get patched too. (Your plan covers that, right?)

Posted in Data Breach Security, Security Training & Awareness, Software Architecture & Design