Software Security

Archive for the 'Vulnerability Assessment' Category

 

Sirens in the night: Civil defense systems susceptible to legacy vulnerabilities

Increasingly, computer hacking is leaving the traditional network and reaching out into the physical world. So it shouldn’t be too surprising that two recent well-publicized hacks were accomplished using non-traditional ways. One, the sounding of all 100+ civil defense sirens in Dallas, Texas (for 90 minutes during the night) most likely used only sound waves […]

Continue Reading...

Posted in Security Architecture, Threat Modeling, Vulnerability Assessment | No Comments »

 

Swift: Close to greatness in programming language design, Part 3

Welcome back Ahead of Coverity Static Analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. Before digging into Part 3, I recommend reading Part 1 and Part 2 in this series if you have not already. Defect patterns part […]

Continue Reading...

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 3

 

Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Continue Reading...

Posted in Code Review, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment | Comments Off on Does software quality equal software security? It depends.

 

Swift: Close to greatness in programming language design, Part 2

Ahead of Coverity Static Analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. To kick things off, I recommend reading Part 1 in this series if you have not already. Defect patterns continued: More basics Now we consider additional […]

Continue Reading...

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 2

 

Forging a SHA-1 MAC using a length-extension attack in Python

SHA-1 (Secure Hash Algorithm 1) is broken. It has been since 2005. And yet, that hasn’t stopped its continued use. For example, until early 2017 most internet browsers still supported SHA-1. As though to confirm that SHA-1 was really, truly dead, researchers from CWI Amsterdam and Google announced at the end of February 2017 they […]

Continue Reading...

Posted in Application Security, Vulnerability Assessment, Web Application Security | Comments Off on Forging a SHA-1 MAC using a length-extension attack in Python

 

Swift: Close to greatness in programming language design, Part 1

As we are taking our first steps toward a Coverity Static Analysis solution for the Swift programming language, I am discovering one of the most challenging languages yet for Coverity. This is simply because many of the easy-to-make, easy-to-find mistakes in other programming languages were designed to be difficult or impossible in Swift. However, some mistakes […]

Continue Reading...

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | Comments Off on Swift: Close to greatness in programming language design, Part 1

 

New Apache Struts 2 zero-day vulnerability: What you need to know

It has been more than 48 hours since this attack was made public. At this time, hackers are actively exploiting the critical vulnerability and are able to take complete control of web servers. Several sources have been discussing details for exploiting this vulnerability. Rather than focusing on how to exploit it here, we will ensure that you are […]

Continue Reading...

Posted in Application Security, Open Source Security, Vulnerability Assessment, Web Application Security | Comments Off on New Apache Struts 2 zero-day vulnerability: What you need to know

 

How secure is AngularJS?

Synopsys Principal Security Consultant, Ksenia Dmitrieva-Peguero, recently posed the question at the information security conference, Securi-Tay: How secure is AngularJS? With seven years of experience in the AppSec space, and five years of software development experience, Ksenia’s current concentration centers on the analysis of JavaScript frameworks–researching their security implications, vulnerability discovery, and remediation. In her latest […]

Continue Reading...

Posted in Application Security, Security Conference or Event, Security Training, Vulnerability Assessment | Comments Off on How secure is AngularJS?

 

Responsible disclosure on a timetable

In response to its haphazard patch release cycle in the late 1990s, Microsoft launched an every second-Tuesday-of-the-month “Patch Tuesday” program in 2004. Last week, on February 14 to be exact, Microsoft abruptly canceled its current monthly set of patches and said that its slate of new patches would return on March 14. The problem is […]

Continue Reading...

Posted in Ethical Hacking, Healthcare Security, Vulnerability Assessment | Comments Off on Responsible disclosure on a timetable

 

With comparisons to Heartbleed, Cloudbleed may affect millions

A researcher from Google disclosed on Thursday that private messages, API keys, and other sensitive data were being leaked by a major content delivery network to random requesters, a leakage that could affect up to 5.5 million websites. Like Heartbleed, which was co-discovered by the Synopsys team in Oulu, Finland, and Google in April 2014, […]

Continue Reading...

Posted in Application Security, Cloud Security, Fuzz Testing, Software Security Testing, Vulnerability Assessment | Comments Off on With comparisons to Heartbleed, Cloudbleed may affect millions