Minimizing Exposure from the iCloud

by Cigital on Wednesday, September 3, 2014

Post written by Jamie Boote, Associate Consultant. This Labor Day weekend, a number of photographs of a personal nature were released to the public. The data leak can be traced back to personal devices and the Apple iCloud, but even though businesses aren’t usually the target of this kind of leak, there are still lessons…

The IEEE Computer Society Center for Secure Design

by Jim DelGrosso on Thursday, August 28, 2014

The IEEE Computer Society Center for Secure Design (CSD) has officially launched! The initial document created by the center is called “Avoiding the Top 10 Software Security Design Flaws”. This document represents the most common flaws identified at the initial CSD workshop held earlier this year. Everyone remember the difference between bugs and flaws? If…

Mobile Single Sign-On (SSO) Questions Answered

by scott on Wednesday, August 13, 2014

One of the things I like about working at Cigital is that our folks are self-motivated, intellectually curious and into sharing with others. One of our guys (and I like to think of him as a friend), Jake Ewers, was getting pinged about mobile single sign-on. After answering the question a couple of times, Jake…

Why I’m Not at Black Hat or DEFCON

by paco on Wednesday, August 6, 2014

Making software do things for us is a lot like stringing words together to make coherent and interesting sentences. We know how to gather, record, and reason over data. We know efficient and proven algorithms for all sorts of interesting problems. We’re getting good at some amazingly complicated problems (computer vision, robot planning, natural language…

Associating Security Responsibilities Within Development Frameworks

by jOHN on Monday, July 28, 2014

Practicing software security builds on knowledge of tools, techniques, and technologies. I consistently harp on the importance of understanding development frameworks. These frameworks provide a foundation for technology knowledge — instructors must speak developers’ language when training; frameworks form the vernacular. When assessing software, one needs to know where in the haystack to look for…

On Optimism and Software Security

by paco on Friday, July 25, 2014

If you have watched the 100th Episode of The Silver Bullet podcast, you’ll see that Gary McGraw and I were the only two out of 6 people who were optimistic about software security and the future. I thought I’d take a minute to talk about why I am optimistic. I believe that all the hard…

Why Aren’t We Learning From (Defect) History?

by Jim DelGrosso on Wednesday, July 23, 2014

I was recently part of Silver Bullet 100 where I was asked “How much progress have we made in the last ten years with Architecture Risk Analysis (that is, finding and fixing flaws in software design)?” My response surprised some folks here at Cigital when I explained that for the most part, I did not…

Standard versus Proprietary Security Protocols

by Chandu Ketkar on Wednesday, May 28, 2014

Standard Security Protocols. An encyclopedia defines a security protocol as “a sequence of operations that ensure protection of data. Used with an underlying communication protocol, it provides secure delivery of data between two parties.” We use security protocols in everyday computing. For example, when we use our domain credentials to login to a Microsoft Windows…

Cordova InAppBrowser Remote Privilege Escalation

by Neil Bergman on Tuesday, May 20, 2014

Earlier this year, I identified an interesting vulnerability (CVE-2014-0073) in one of Apache Cordova’s core plug-ins (InAppBrowser). Cordova, also sometimes referred to as PhoneGap, is a popular cross-platform mobile framework that allows developers to write mobile applications in JavaScript and HTML. The JavaScript and HTML code executes within the Cordova WebView and has access to…

Recent Fixes in IBMSecureRandom

by Amit Sethi on Tuesday, May 6, 2014

I’ve written about several SecureRandom implementations in the past. While analyzing the default SecureRandom implementation in IBM JCE (v1.7) on *nix, I came across several weaknesses. IBM recently released a patch to fix the issues. Let’s take a look at how this SecureRandom implementation works as well as the issues that were recently patched. Note…
