Software Security

Archive for the 'Software Security Testing' Category

 

BURP’s proxy tool and the case of the missing cipher suites

During a recent iOS application penetration test, I was attempting to proxy network traffic using the BURP proxy tool. In doing so, I configured my device to use BURP as proxy, and voila, I was able to see the traffic (oh, the joys of certificate pinning). However, my excitement was short-lived. I noticed that I […]

Continue Reading...

Posted in Penetration Testing, Software Security Testing | No Comments »

 

Synopsys launches the Fault Injection Podcast

Fault Injection is a podcast from Synopsys that digs into software quality and security issues. Hosts Chris Clark, Principal Security Engineer at Synopsys, and Robert Vamosi, CISSP and Security Strategist at Synopsys, provide a forum for industry experts to talk about software security topics and their intersection with specific verticals such as medical, automotive, and […]

Continue Reading...

Posted in Application Security, Ethical Hacking, Network Security, Software Security Testing, Web Application Security | Comments Off on Synopsys launches the Fault Injection Podcast

 

Top 10 free hacking tools for penetration testers

A craftsman requires the appropriate skills and tools to work in tandem in order to create a masterpiece. While tools are an important enabler in the process of creating the best piece of work possible, the process also requires relevant experience and expertise on the part of the craftsman. Much like craftsman’s toolbox, a pen […]

Continue Reading...

Posted in Penetration Testing, Software Security Testing | Comments Off on Top 10 free hacking tools for penetration testers

 

What happens when dishwashers attack the network?

Last month a researcher announced that a commercial dishwashing machine contained a dangerous vulnerability allowing a remote attacker to gain access to privileged assets on a connected network. Jens Regel of the German company Schneider-Wulf made the vulnerability public on Full Disclosure after contacting the vendor and waiting the customary 90 days. The vendor, Miele, has […]

Continue Reading...

Posted in Internet of Things, Network Security, Software Development Life Cycle (SDLC), Software Security Testing | Comments Off on What happens when dishwashers attack the network?

 

Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Continue Reading...

Posted in Code Review, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment | Comments Off on Does software quality equal software security? It depends.

 

Zeroing in on zero day vulnerabilities

Earlier this month WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency – or anyone else who knows about them […]

Continue Reading...

Posted in Code Review, Embedded Software Testing, Fuzz Testing, Network Security, Software Security Testing, Static Analysis (SAST) | Comments Off on Zeroing in on zero day vulnerabilities

 

Howard Schmidt, the United States’ first Cybersecurity Czar, has died

Howard A. Schmidt, a friend to many in the security community, has died. A statement on his Facebook page says that he died today “in the presence of his wife and four sons … following a long battle with cancer.” Schmidt served as the White House Cybersecurity Advisor to Presidents Barack Obama and George W. […]

Continue Reading...

Posted in Fuzz Testing, Government Security, Medical Device Security, Network Security, Software Security Testing | Comments Off on Howard Schmidt, the United States’ first Cybersecurity Czar, has died

 

Synopsys named a leader in the Gartner Magic Quadrant for Application Security Testing (AST)

Synopsys has moved into the “Leaders” quadrant for Application Security Testing (AST) in a new report. Five of 18 vendors analyzed were named Leaders in 2017. This move comes shortly after the recent acquisition of Cigital and Codiscope.  “We believe Gartner recognizes the capabilities of the combined companies and the value that we provide to […]

Continue Reading...

Posted in Application Security, Software Security Testing | Comments Off on Synopsys named a leader in the Gartner Magic Quadrant for Application Security Testing (AST)

 

With comparisons to Heartbleed, Cloudbleed may affect millions

A researcher from Google disclosed on Thursday that private messages, API keys, and other sensitive data were being leaked by a major content delivery network to random requesters, a leakage that could affect up to 5.5 million websites. Like Heartbleed, which was co-discovered by the Synopsys team in Oulu, Finland, and Google in April 2014, […]

Continue Reading...

Posted in Application Security, Cloud Security, Fuzz Testing, Software Security Testing, Vulnerability Assessment | Comments Off on With comparisons to Heartbleed, Cloudbleed may affect millions

 

Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds his Phd. from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, BlackHat, ToorCon, GrrCon, […]

Continue Reading...

Posted in Application Security, Code Review, Fuzz Testing, Software Composition Analysis, Software Security Testing, Static Analysis (SAST), Web Application Security | Comments Off on Bug elimination: Code scanning, fuzzing, and composition analysis