Software Integrity Blog

Archive for the 'Software Architecture & Design' Category

Navigating responsible vulnerability disclosure best practices

The definition of responsible vulnerability disclosure varies based on who you ask. Tech goliath Microsoft has openly disagreed with Google on this very topic, as outlined by The Verge.

Posted in Fuzz Testing, Software Architecture & Design

Attacks on TLS vulnerabilities: Heartbleed and beyond

Over the past few years, we’ve seen a variety of TLS vulnerabilities steadily surface. In general, we brand each one as “just another TLS vulnerability,” but the intricacies of each are rather distinct, though not horribly convoluted. Let’s walk through a few together.

2014: Heartbleed and POODLE

Heartbleed affects the OpenSSL library’s implementation of a TLS extension, the TLS heartbeat. A TLS heartbeat works as follows: The client (or server) sends some amount of data in a heartbeat request to its peer to verify the peer’s presence or keep the connection alive. The peer then echoes the data back to the sender to verify that the peer is reachable and alive. If you want the nitty-gritty details of the heartbeat extension, feel free to read the IETF’s description. Exploitation of Heartbleed, a faulty heartbeat implementation, can allow an attacker to read up to 64 KB of memory at a time from a peer running a vulnerable version of OpenSSL. Here’s how:

Posted in Software Architecture & Design

Learning from KRACK and ROCA: Here’s how to equip your firm

Last week’s news introduced us to another pair of vulnerabilities hitting right at the foundation of everything we place our trust in. Named KRACK and ROCA, these flaws target specific facets of Wi-Fi networks and cryptographic keys, meaning that attackers can potentially sneak into networks we consider private, and decipher things we consider secret. Who’s affected? If you’re in enterprise IT, you’re likely familiar with the cycle of waiting for a patch, then planning and coordinating the rollout of the patch across your estate. What’s interesting in this case is that a lot of the space to be covered includes non-PC devices, so you have to figure out how those will get patched too. (Your plan covers that, right?)

Posted in Data Breach Security, Security Training & Awareness, Software Architecture & Design

KRACK: Examining the WPA2 protocol flaw and what it means for your business

The KRACK vulnerability allows an active adversary to interfere in the conversation between a client and a Wi-Fi access point. What does this mean for you?

Posted in Data Breach Security, Software Architecture & Design

ROCA: Cryptographic flaws in BitLocker, Secure Boot, and millions of smartcards

CVE-2017-15361, a.k.a. ROCA, is a vulnerability that allows an adversary to use a practical mathematical attack to reveal secret keys on certified devices.

Posted in Software Architecture & Design

Examining Apache Struts remote code execution vulnerabilities

Apache published details of CVE-2017-12611, the fourth critical Apache Struts remote code execution vulnerability in 2017, the day Equifax announced the breach.

Posted in Data Breach Security, Open Source Security, Software Architecture & Design

How secure is iPhone X Face ID facial recognition?

Written in coordination with Grant Douglas

Posted in Mobile App Security, Software Architecture & Design

Attacks on CVE-2017-5638 critical vulnerability escalating

CVE-2017-5638 is a critical vulnerability in the Apache Struts 2 web app framework. Attacks have escalated as hackers exploit this code-execution bug.

Posted in Data Breach Security, Open Source Security, Software Architecture & Design

“Easy” to hack Apache Struts vulnerability CVE-2017-9805

Dozens of Fortune 100 companies are at risk after researchers at LGTM discovered an easy-to-hack critical Apache Struts security flaw, CVE-2017-9805.

Posted in Open Source Security, Software Architecture & Design

[Webinar] Systems failure fuels security-focused design practices

One vulnerability in a connected electronic system can lead to widespread compromises. Learn about code quality, code security, and tool automation.

Posted in Software Architecture & Design, Webinars