Heartbleed Vulnerability: What Should You Do?

by Amit Sethi on Wednesday, April 9, 2014

By now, you’ve surely heard about the Heartbleed vulnerability (CVE-2014-0160) in OpenSSL 1.0.1 through 1.0.1f (inclusive). The vulnerability has been present in OpenSSL since December 2011. Many websites have discussed the details of the bug, and I will not go into the deep technical details here. I will describe the bug at a high level,… Read More

OpenSSL: Fix or Rewrite?

by Aaron Bedra on Tuesday, April 8, 2014

Today’s OpenSSL bug adds another tally on to the rapidly growing list of major security issues with the OpenSSL library. A friend and former colleague, Mike Nygard asked a very important question. Serious question: is it better to rewrite a library that's had a lot of implementation problems, or is it better to keep hardening… Read More

Dr. McGraw talks Software Security on Security Weekly

by gem on Friday, March 21, 2014

Software Security on Security Weekly (with paul dot com) Episode 366 of Security Weekly features a conversation with Gary McGraw. Watch the whole thing here Here is a quick viewer’s guide to skipping around. SKIP to 5:02 Cigital principal Aaron Bedra (Ruby/brakeman) and the challenge of dynamic languages 10:35 Cigital Secure Assist 19:23 (download a… Read More

Book Review: Reading Shostack’s Threat Modeling

by jOHN on Monday, March 17, 2014

Increasingly, individuals and organizations alike express interest in building their own threat modeling capabilities. Some ask, “What do you think about STRIDE?”. more generally, “How can I help developers think about our systems’ security properties?” Cigital has published a bunch of valuable threat modeling material but the biggest single body of work continues to come… Read More

Understanding the GnuTLS Certificate Verification Bug

by Amit Sethi on Friday, March 7, 2014

Recently, Apple released a patch for a bug in its SSL handshake implementation on iOS and Mac OS X that allowed attackers to intercept SSL traffic originating from vulnerable devices. It turns out that the GnuTLS library also contained a bug that was patched on February 27, 2014; this bug also allows attackers to intercept… Read More

Understanding the Apple ‘goto fail;’ Vulnerability

by Amit Sethi on Tuesday, February 25, 2014

You may have heard about the recently publicly disclosed vulnerability (http://support.apple.com/kb/HT6147) in Apple iOS. Let’s take a look at the goto fail details as well as at who is affected. Vulnerability Details As the code at http://opensource.apple.com/source/Security/Security-55471/libsecurity_ssl/lib/sslKeyExchange.c shows, there is a bug in the implementation of the SSLVerifySignedServerKeyExchange function. Although the goto fail has been… Read More

Kickstarter Password Breach … #FTW?

by jOHN on Sunday, February 16, 2014

Last Wednesday I spoke about password storage security in a Cigital at the WhiteBoard session. Fate has allowed a publicized password breach within a few days prior to these talks nearly without fail and, with the hack of Yahoo’s 3rd party database more than a week in the rear-view, I was a bit self-conscious. Cue… Read More

UK National Health Service (NHS) Infected – with a Typo

by paco on Tuesday, February 4, 2014

The UK’s NHS web site (http://www.nhs.uk/), or to be precise, links embedded in it, have been infecting visitors with malware. At the end of the day, it was probably a straightforward typo in the coding of the web page. What lessons can we learn here? How could we have stopped that? Sadly, there’s not much… Read More

SecureRandom Implementation (sun.security.provider.NativePRNG)

by Amit Sethi on Wednesday, January 29, 2014

My previous blog entry on SecureRandom was SecureRandom Implementation (sun.security.provider.SecureRandom – SHA1PRNG). This week, I’m going to write about another implementation – the default in Oracle JRE installations on *nix. Instantiation This implementation is only available on *nix. On default *nix installations of Oracle JRE, this is the default SecureRandom implementation. If it is not… Read More

SHA2 “vs.” SHA1

by jOHN on Tuesday, January 21, 2014

For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into schemes they seldom resist attack. Not surprising–applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet and more thorough Threat Model, help… Read More

Page 1 of 2212345...1020...Last »