POODLE – yet another attack on SSLv3 (SSL 3.0)

by Chandu Ketkar on Monday, October 20, 2014

Post written by Chandu Ketkar, Technical Manager, and David Johansson, Senior Consultant. POODLE Introduction: The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack was published by Bodo Möller, Thai Duong, and Krzysztof Kotowicz of Google in a security advisory last month (September 2014). The attack is on SSL 3.0 (SSLv3), an obsolete and insecure protocol,… Read More

Software Security and the User Interface

by Jim DelGrosso on Wednesday, October 8, 2014

We had an internal discussion the other day about the pros and cons of connecting professionally with random folks. During that discussion a separate thread was started about how to hide who you are connected to from your other connections. The idea was that it is OK to connect with someone but not allow that… Read More

Red Teaming: A Holistic View of Security

by Cigital on Wednesday, October 1, 2014

Post written by Aladdin Elston, Consultant. Software pervades our everyday lives: cellphones, tablets, fitness monitors, websites, networked home appliances, medical equipment, drones and automated vehicles. We expect software to work, often overlooking the need for the software running these systems to be secure. While Cigital stresses the importance of building security in throughout the SDLC… Read More

A Guide to Gary McGraw’s AppSecUSA Keynote

by gem on Monday, September 22, 2014

I had a blast delivering the Friday morning keynote at AppSecUSA this year. The only uncomfortable part was the 8am start. Whose idea was that?! You can watch the keynote here on YouTube or download the audio only version from SoundCloud. I watched the keynote myself this morning (which for what it’s worth is a… Read More

Minimizing Exposure from the iCloud

by Cigital on Wednesday, September 3, 2014

Post written by Jamie Boote, Associate Consultant. This Labor Day weekend, a number of photographs of a personal nature were released to the public. The data leak can be traced back to personal devices and the Apple iCloud, but even though businesses aren’t usually the target of this kind of leak, there are still lessons… Read More

The IEEE Computer Society Center for Secure Design

by Jim DelGrosso on Thursday, August 28, 2014

The IEEE Computer Society Center for Secure Design (CSD) has officially launched! The initial document created by the center is called “Avoiding the Top 10 Software Security Design Flaws”. This document represents the most common flaws identified at the initial CSD workshop held earlier this year. Everyone remember the difference between bugs and flaws? If… Read More

Mobile Single Sign-On (SSO) Questions Answered

by scott on Wednesday, August 13, 2014

One of the things I like about working at Cigital is that our folks are self-motivated, intellectually curious and into sharing with others. One of our guys (and I like to think of him as a friend), Jake Ewers, was getting pinged about mobile single sign-on. After answering the question a couple of times, Jake… Read More

Why I’m Not at Black Hat or DEFCON

by paco on Wednesday, August 6, 2014

Making software do things for us is a lot like stringing words together to make coherent and interesting sentences. We know how to gather, record, and reason over data. We know efficient and proven algorithms for all sorts of interesting problems. We’re getting good at some amazingly complicated problems (computer vision, robot planning, natural language… Read More

Associating Security Responsibilities Within Development Frameworks

by jOHN on Monday, July 28, 2014

Practicing software security builds on knowledge of tools, techniques, and technologies. I consistently harp on the importance of understanding development frameworks. These frameworks provide a foundation for technology knowledge: instructors must speak developers’ language when training, and frameworks form that vernacular. When assessing software, one needs to know where in the haystack to look for… Read More

On Optimism and Software Security

by paco on Friday, July 25, 2014

If you have watched the 100th Episode of The Silver Bullet podcast, you’ll see that Gary McGraw and I were the only two out of 6 people who were optimistic about software security and the future. I thought I’d take a minute to talk about why I am optimistic. I believe that all the hard… Read More
