On Optimism and Software Security

by paco on Friday, July 25, 2014

If you have watched the 100th Episode of The Silver Bullet podcast, you’ll see that Gary McGraw and I were the only two out of 6 people who were optimistic about software security and the future. I thought I’d take a minute to talk about why I am optimistic. I believe that all the hard…

Why Aren’t We Learning From (Defect) History?

by Jim DelGrosso on Wednesday, July 23, 2014

I was recently part of Silver Bullet 100 where I was asked “How much progress have we made in the last ten years with Architecture Risk Analysis (that is, finding and fixing flaws in software design)?” My response surprised some folks here at Cigital when I explained that for the most part, I did not…

Standard versus Proprietary Security Protocols

by Chandu Ketkar on Wednesday, May 28, 2014

Standard Security Protocols: An encyclopedia defines a security protocol as “a sequence of operations that ensure protection of data. Used with an underlying communication protocol, it provides secure delivery of data between two parties.” We use security protocols in everyday computing. For example, when we use our domain credentials to login to a Microsoft Windows…

Cordova InAppBrowser Remote Privilege Escalation

by Neil Bergman on Tuesday, May 20, 2014

Earlier this year, I identified an interesting vulnerability (CVE-2014-0073) in one of Apache Cordova’s core plug-ins (InAppBrowser). Cordova, also sometimes referred to as PhoneGap, is a popular cross-platform mobile framework that allows developers to write mobile applications in JavaScript and HTML. The JavaScript and HTML code executes within the Cordova WebView and has access to…

Recent Fixes in IBMSecureRandom

by Amit Sethi on Tuesday, May 6, 2014

I’ve written about several SecureRandom implementations in the past. While analyzing the default SecureRandom implementation in IBM JCE (v1.7) on *nix, I came across several weaknesses. IBM recently released a patch to fix the issues. Let’s take a look at how this SecureRandom implementation works as well as the issues that were recently patched. Note…

Security Conference Explores New Crypto Algorithm

by paco on Friday, April 25, 2014

The 2014 InfoSec Security Conference in London has put the name and affiliation of every attendee in an easy to scan QR code on every badge. They have protected that data with a cipher we’ve never seen in the wild before. For simplicity we’ve nicknamed it Rarely Observed Technique 1 (ROT-1). Let’s take a look…

Understanding Fragment Injection

by Neil Bergman on Friday, April 25, 2014

A colleague asked me about an Android vulnerability called fragment injection because of an article he read [1] and I think it’s worth diving into the details of the vulnerability. Fragment injection is a classic example of using reflection in an unsafe way (CWE-470) [2]. As in, untrusted data from an Intent is used to…

What The Heartbleed Bug Should Be Teaching Us

by Jim DelGrosso on Saturday, April 19, 2014

What a difference a few weeks makes in the software security world. When the Heartbleed bug was publicly disclosed a short while ago, the reaction was swift and fairly consistent. It was identified as a real problem, not FUD, and systems were being patched VERY quickly. Often, when a security vulnerability is announced we…

Heartbleed Vulnerability: What Should You Do?

by Amit Sethi on Wednesday, April 9, 2014

By now, you’ve surely heard about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f (inclusive). The vulnerability has been present in OpenSSL since December 2011. Many websites have discussed the details of the bug, and I will not go into the deep technical details here. I will describe the bug at a high level,…

OpenSSL: Fix or Rewrite?

by Aaron Bedra on Tuesday, April 8, 2014

Today’s OpenSSL bug adds another tally on to the rapidly growing list of major security issues with the OpenSSL library. A friend and former colleague, Mike Nygard, asked a very important question. Serious question: is it better to rewrite a library that's had a lot of implementation problems, or is it better to keep hardening…
