A new Synopsys survey reveals that customer-facing web and mobile applications are the top security challenge for IT professionals in Asia.
One of my favorite books, “The Hitchhiker’s Guide to the Galaxy,” describes itself in the introduction like this:
October is Cyber Security Awareness Month.
There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new approaches. A study published earlier this year shows that insecure code samples in tutorials that are vulnerable to things like SQL injection and cross-site scripting (XSS) manage to find their way into real-world production code.

Flawed tutorials leading to large-scale vulnerabilities

In April 2017, Tommi Unruh, Bhargava Shastry, Malte Skoruppa, Federico Maggi, Konrad Rieck, Jean-Pierre Seifert, and Fabian Yamaguchi published “Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery.” They used known insecure code samples from popular tutorials on the web to find similar weaknesses in actual software projects on GitHub.
With just one line of code, a malicious attacker can exploit a recently disclosed seven-year-old vulnerability in SAMBA. Known as CVE-2017-7494, the vulnerability affects Linux and Unix systems that:
In the world of data security, a critical element of working with users is earning their trust. Obtaining, implementing, and properly using an SSL certificate is one way to protect user data. Without a certificate, there is no easy way to keep the communications between the user and an eCommerce website private from attackers.

What is encryption?

Encryption protects data and keeps secrets out of reach of eavesdroppers. It seems like the stuff of movies and television dramas. It’s often portrayed in the media as some impenetrable obstacle that can’t be overcome without keys, or as an easy challenge to solve with rapid typing and a few progress bars.
During a recent iOS application penetration test, I was attempting to proxy network traffic using the BURP proxy tool. In doing so, I configured my device to use BURP as proxy, and voila, I was able to see the traffic (oh, the joys of certificate pinning).
BURP’s proxy tool and the case of the missing cipher suites (Web Application Security)
Before jumping into the final post within our discussion on vulnerabilities in the MEAN stack, look back at the other four posts within this series discussing MongoDB, Express.js (Core), Express.js (Sessions and CSRF), and AngularJS.

Development mode (Node.js/Express.js)

By default, Express applications run in development mode unless the NODE_ENV environment variable is set to another value. In development mode, Express returns more verbose errors, which can result in information leakage. For example, the error message below returns the full path to the requested file, which also gives an attacker information about the host system.
Fault Injection is a podcast from Synopsys that digs into software quality and security issues. Hosts Chris Clark, Principal Security Engineer at Synopsys, and Robert Vamosi, CISSP and Security Strategist at Synopsys, provide a forum for industry experts to talk about software security topics and their intersection with specific verticals such as medical, automotive, and finance.
Synopsys launches the Fault Injection Podcast (Web Application Security)