Defects, Bugs, and Flaws
Open Source and Software Maturity Models
I’m at the BSIMM3 Conference, in an open source breakout session. The context: you’re an organization with a reasonable application security program. The question, “How to apply that same process maturity to open source where no ‘throat to choke’ exists?” Your organization and its software-providing vendors may not be perfect but at least you can [...]
BEAST and SSL/TLS
This is a guest post by Amit Sethi, Technical Manager at Cigital. There has been a lot of talk about BEAST (Browser Exploit Against SSL/TLS) lately. The attack against SSL 3.0 / TLS 1.0 was recently publicized by Thai Duong and Juliano Rizzo. Do you know what the risks are, and how to protect yourself? [...]
When All You Have is a Hammer…
We’ve probably all experienced organizations that rely principally on a single assessment technique (whether it be static or dynamic, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of [...]
Evading WAFs and other forms of Input Validation
My colleague, David Lindsay, is one of the authors of a new book, Web Application Obfuscation, about obfuscation techniques. Even the title is somewhat obfuscated because the book is about obfuscation techniques that can be used to attack web applications. The set of techiques described in the book by David and the other authors is [...]
Increasing Static Visibility
Sometimes, people talk loosely about an important difference between static and dynamic analyzers. Static analyzers, they say, achieve 100% coverage. They may complain that dynamic tools struggle to get even double-digit statement coverage of an application under test. Dan Cornell wrote a blog post on static analysis coverage. He observed that while the static tool [...]
If it’s so hard why bother?
Recently, internal and external discussion hit on the topic of static tool comparison. The difficulty of this topic caused me to write up my thoughts as what became an InformIT article. This prompted some to respond, If selecting and adopting a tool is so hard, even for experts, why should I bother? Good question. The [...]
Gartner and Static Analysis
James McGovern recently wrote a post on Gartner’s static analysis (SA) report. Among other things, he lamented the lack of actionable guidance within the report. A lack of implementation guidance doesn’t shock me from Gartner, I can’t say I expect that from them. I can help James and community out by giving some of that [...]
Confusion between “Logging and Debug”
I was talking with one of my consultants the other day about a common confusion Developers sometimes have regarding a pretty mundane piece of security guidance. Specifically, “What does it mean I have to turn off logging/debug in production?” In my mind, these two separate issues exist here, intertwined. Almost every logging framework has an [...]
Sharing architecture ideas with the community
We’re pleased to have a guest blogger for this Justice League entry. Michael Cohen is a Senior Security Consultant at Cigital where he is responsible for leading, assessing, architecting and implementing secure software for Fortune 500 companies. Michael also works with Cigital teams on enterprise-wide security solutions intended to improve an organization’s security posture and [...]
Busting the SQL Stored Procedure Myth
One of the commonly proposed remedies for SQL Injection is to use SQL stored procedures. Use of stored procedures can greatly reduce the likelihood that you’ll code an SQL injection, but it’s not the stored procedure-ness that’s saving you. Stored procedures let you use Static-SQL instead of forcing you to always use Dynamic-SQL. In Static-SQL [...]
