Software Integrity

Archive for the 'Vulnerability Assessment' Category

VPNFilter, BMW connected car vulnerability, and Nest IoT devices go offline

Taylor Armerding, Synopsys Software Integrity Group senior strategist, gives you the scoop on application security and insecurity in this week’s Security Mashup episode. What’s in this week’s episode, you ask? Russia vs. Ukraine, Beemer as the ultimate hackable machine, and Nest “smart home” devices. Learn more by watching the full episode below:   New VPNFilter […]

Posted in Application Security, Automotive Security, Internet of Things, Vulnerability Assessment, Weekly Security Mashup

How does the TeenSafe data leak present a classic false sense of security?

Security researcher Robert Wiggins recently uncovered a serious security issue in the TeenSafe “secure” monitoring product for Android and iOS platforms. The app allows users (typically parents) to monitor devices (typically their children’s) to view location, text messages, calls, browsing history, and more. TeenSafe claims the technology can and will help protect your child. There […]

Posted in Application Security, Data Breach, Vulnerability Assessment

Bad Signal gets quick fix

It looked like a bright spot in a gloomy week for the encrypted messaging app Signal. And it was, in fact, a positive thing—a patch for a serious XSS (cross-site scripting) vulnerability that the company made available only hours after a public report of the problem. It just wasn’t quite as bright a moment as […]

Posted in Vulnerability Assessment

Examining Spectre and Meltdown attacks

As you have no doubt heard, Spectre and Meltdown aren’t software bugs that can be fixed in a few days or weeks when a company pushes out a patch. They are part of the architecture of hardware – the chips that run your computer. And you don’t just roll out a patch for hardware. Chips […]

Posted in Static Analysis (SAST), Vulnerability Assessment

Verizon DBIR puts security burden on users

The 2018 Verizon Data Breach Investigations Report (DBIR)—the 11th annual exhaustive collection of good advice and (mostly) bad news—which dropped a couple of weeks ago, doesn’t contain any major surprises about the state of online security. The number of confirmed breaches—at least the ones reported by 67 contributors globally—was 2,216, among 53,308 “real-world incidents.” In […]

Posted in Application Security, Data Breach, Maturity Model (BSIMM), Vulnerability Assessment

RSA 2018 recap: Detecting vulnerabilities and avoiding snake oil

With RSA 2018 behind us, a recap is in order. For any readers who have never attended the RSA Conference (RSA) in North America, it’s worth setting the stage. For practical purposes, RSA is the premier technology security conference. There are tens of thousands of attendees, well over a dozen conference tracks, and the show […]

Posted in Security Conference or Event, Vendor Risk Management, Vulnerability Assessment

Weighing the pros and cons of open sourcing election software

The drama around Russian meddling with the US elections has pushed election security into the spotlight. There have been many ideas of how to prevent such tampering in the future, including a New York Times Op-Ed by R. James Woolsey and Brian Fox about the security benefits of open sourcing election software. They assert that […]

Posted in Open Source Security, Vulnerability Assessment

Detecting Spectre vulnerability exploits with static analysis

Written by Charles-Henri Gros, Liana Hadarean, and Mandar Satam. Since this article was posted, we have made several improvements to our capability of detecting code patterns vulnerable to Spectre. Details on the latest enhancements can be found here. In the last few months, Spectre (CVE-2017-5753 and CVE-2017-5715) has emerged as a new kind of vulnerability. […]

Posted in Software Security Testing, Static Analysis (SAST), Vulnerability Assessment

Closing the CVE gap still a work in progress

It’s hard to think of a better security concept than the CVE (Common Vulnerabilities and Exposures) program. It amounts to crowdsourcing security. The idea is that everybody who finds an exploitable flaw or bug in software or firmware notifies a single organization—in this case, the nonprofit, federally funded MITRE Corp.—which maintains a database in which […]

Posted in Application Security, Vulnerability Assessment

SEC and CyberSec risks, GDPR looms, what’s going on with the NVD?

In this week’s open source security and cybersecurity news: Free software comes with a price. Learn how a PE firm wraps open source due diligence into its tech investing. The SEC provides guidance on public cybersecurity. The Defense Department (re)launches its open source portal. A look at cybersecurity through the (virtual) lens of video gaming. […]

Posted in GDPR, Vulnerability Assessment