Software Security

Archive for the 'Vulnerability Assessment' Category

 

NodeJS: Preventing common vulnerabilities in the MEAN stack

Before jumping into the final post within our discussion on vulnerabilities in the MEAN stack, look back at the other four posts within this series discussing MongoDB, ExpressJS (Core), ExpressJS (Sessions and CSRF), and AngularJS. Development mode (NodeJS/ExpressJS) By default, Express applications run in development mode unless the NODE_ENV environmental variable is set to another value. In development mode, Express […]

Continue Reading...

Posted in Open Source Security, Vulnerability Assessment, Web Application Security | No Comments »

 

Learn how to customize the OWASP Top 10 to fit your firm

A list of critical web application security vulnerabilities is a necessary risk management tool. Equally true is that each organization has a different set of vulnerabilities plaguing their applications. To complete a trifecta of fundamental truths, crowdsourced lists such as the OWASP Top 10 rarely reflect an individual organization’s priorities. Given all that, many organizations […]

Continue Reading...

Posted in OWASP, Security Risk Assessment, Threat Intelligence, Vulnerability Assessment | No Comments »

 

AngularJS: Preventing common vulnerabilities in the MEAN stack

Before jumping into the latest post within our discussion on vulnerabilities in the MEAN stack, look back at the first three posts discussing MongoDB, ExpressJS (Core), and ExpressJS (Sessions and CSRF). AngularJS disabled SCE service Angular 1.2 and greater include the built-in Strict Contextual Escaping service ($sce) by default. This service strips malicious HTML tags (e.g., <script>, etc.), attributes (e.g., […]

Continue Reading...

Posted in Vulnerability Assessment, Web Application Security | Comments Off on AngularJS: Preventing common vulnerabilities in the MEAN stack

 

DoublePulsar continues to expose older Windows boxes: What you need to know

A hacking tool leaked in April by a mysterious organization is attacking older Windows boxes, exposing gaps in organizational update and upgrade policies. One researcher estimates that between 100K and 200K boxes may already be compromised worldwide. What’s particularly interesting is that Microsoft issued a patch for the underlying vulnerabilities in March. Shadow Brokers Several […]

Continue Reading...

Posted in Application Security, Data Breach, Vulnerability Assessment | Comments Off on DoublePulsar continues to expose older Windows boxes: What you need to know

 

Sirens in the night: Civil defense systems susceptible to legacy vulnerabilities

Increasingly, computer hacking is leaving the traditional network and reaching out into the physical world. So it shouldn’t be too surprising that two recent well-publicized hacks were accomplished using non-traditional ways. One, the sounding of all 100+ civil defense sirens in Dallas, Texas (for 90 minutes during the night) most likely used only sound waves […]

Continue Reading...

Posted in Security Architecture, Threat Modeling, Vulnerability Assessment | Comments Off on Sirens in the night: Civil defense systems susceptible to legacy vulnerabilities

 

Swift: Close to greatness in programming language design, Part 3

Welcome back Ahead of Coverity Static Analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. Before digging into Part 3, I recommend reading Part 1 and Part 2 in this series if you have not already. Defect patterns part […]

Continue Reading...

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 3

 

Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Continue Reading...

Posted in Code Review, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment | Comments Off on Does software quality equal software security? It depends.

 

Swift: Close to greatness in programming language design, Part 2

Ahead of Coverity Static Analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. To kick things off, I recommend reading Part 1 in this series if you have not already. Defect patterns continued: More basics Now we consider additional […]

Continue Reading...

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 2

 

Forging a SHA-1 MAC using a length-extension attack in Python

SHA-1 (Secure Hash Algorithm 1) is broken. It has been since 2005. And yet, that hasn’t stopped its continued use. For example, until early 2017 most internet browsers still supported SHA-1. As though to confirm that SHA-1 was really, truly dead, researchers from CWI Amsterdam and Google announced at the end of February 2017 they […]

Continue Reading...

Posted in Application Security, Vulnerability Assessment, Web Application Security | Comments Off on Forging a SHA-1 MAC using a length-extension attack in Python

 

Swift: Close to greatness in programming language design, Part 1

As we are taking our first steps toward a Coverity Static Analysis solution for the Swift programming language, I am discovering one of the most challenging languages yet for Coverity. This is simply because many of the easy-to-make, easy-to-find mistakes in other programming languages were designed to be difficult or impossible in Swift. However, some mistakes […]

Continue Reading...

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 1