Vulnerabilities Left Unannounced

by Cigital on Monday, January 26, 2015

Post written by William Bengtson, Security Consultant. In the fall the headlines were littered with news of the “iCloud Data Breach” which exposed nude photographs of celebrities and potentially left all iCloud accounts vulnerable to exposure. Fingers were pointed and people and/or companies were blamed for the breach, but it all boils down to a…

Medical Device Security: Building It In or Bolting It On?

by Cigital on Monday, January 19, 2015

Post written by Dan Lyon, Senior Consultant. Medical device security is making strides; however, one area that isn’t being addressed is patching. A webinar I attended described a hospital which performed a reconnaissance of their network and found several hundred Windows XP machines. There was no service pack revision; these machines were running the initial…

5 Security New Year’s Resolutions

by Cigital on Friday, January 9, 2015

Happy 2015! With the dawn of the New Year we are betting you have made some resolutions, like losing weight, getting a promotion, or finally taking the two minutes to delete the unwanted U2 album from your iTunes account, but why not up your security game while you’re at it? Here is a list of…

Making Strides in Medical Device Security

by Chandu Ketkar on Friday, January 2, 2015

Medical device security is hard and there is no denying that most medical devices, especially those connected to the internet, lack adequate security controls. As Dr. Gary McGraw and I discussed in our Search Security article there is a lot of work to be done in the domain of medical device security, but the good…

2014 CTO Year in Review

by gem on Wednesday, December 3, 2014

Somehow I find myself on an airplane today even though it is supposedly “no fly Noel.” I’m on my way to a healthcare and software security summit in San Francisco. Healthcare is an up and coming domain for software security. What’s cool about this airplane is wifi! 2014 was another banner year at Cigital. We…

Understanding Python Pickling and How to Use it Securely

by Cigital on Tuesday, November 18, 2014

Post written by Ashutosh Agrawal, Senior Consultant, and Arvind Balaji, Associate Consultant. Pickle in Python is primarily used for serializing and de-serializing a Python object structure. In other words, it’s the process of converting a Python object into a byte stream in order to store it in a file/database, maintain program state across sessions, or…

Are You Red Team Secure?

by Cigital on Monday, November 10, 2014

Post written by Robert Wood, Technical Manager. Data breaches can result in severe damage to an organization’s brand, financial standing, or customer trust. Many of these, including recent breaches in the news, are not the result of a single, easy-to-find weakness that just happened to be overlooked or the common “low hanging fruit”…

Alphabet Soup: SAST, DAST, IAST, and RASP Explained

by gem on Friday, November 7, 2014

Turns out that the most important part of a software security initiative is FIXing the bugs that you FIND no matter how you find the bugs. So just what do all of the alphabet soup tools do? How do they help you fix what you find? And how do they scale? FWIW, tools of all…

Browser Implementations of Content Security Policy Introduce Security Problems

by Cigital on Tuesday, November 4, 2014

Post written by Ksenia Dmitrieva, Senior Consultant. In an article from August 2014, Pascal Landau describes how to deanonymize Facebook users by brute forcing Content Security Policy (CSP). The idea is that an attacker tricks a user who is currently logged into Facebook into visiting the attacker’s page. The attacker’s page has an iframe pointing…

POODLE – yet another attack on SSLv3 (SSL 3.0)

by Chandu Ketkar on Monday, October 20, 2014

Post written by Chandu Ketkar, Technical Manager, and David Johansson, Senior Consultant. POODLE Introduction: The POODLE (Padding Attack On Downgraded Legacy Encryption) attack was published by Bodo Möller, Thai Duong, and Krzysztof Kotowicz of Google in a security advisory last month (September 2014). The attack is on SSL 3.0 (SSLv3), an obsolete and insecure protocol,…
