Justice League Blog

Moving to Mobile – New Threats

A ‘move to mobile’ represents an ideal opportunity to revisit threat modeling. The natural question: how do my threats change when I bring a mobile channel into my existing application?

More on Malware (Including Bad Ads)

Just two months ago, I invoked the malicious code problem in a Justice League blog entry. The growth in malicious code is caused by the Trinity of Trouble (connectivity, complexity and extensibility) which incidentally is also what makes the software security problem more interesting to work on every day. My most recent informIT article, titled [...]

The Stuxnet Payload

I met Silver Bullet #59 victim Ralph Langner at Joe Weiss’s Applied Control Solutions Conference in Rockville last Fall. That was when (much to the surprise of the Siemens guys there) Ralph first revealed that the Stuxnet payload was aimed directly at physical control systems. In some sense, Stuxnet has changed the world by showing [...]

Scrap Static Tools, just “Fix your code”?

Recently, Gary and I collaborated on an InformIT article on static analysis. You will find our observations regarding static analysis shared by others. It’s encouraging to note that Flash Sheridan observes many of the same difficulties and more formally treats them in his ISSRE ’10 publication. It’s worth a read. A few commentators shared some [...]

Evading WAFs and other forms of Input Validation

My colleague, David Lindsay, is one of the authors of a new book, Web Application Obfuscation, about obfuscation techniques. Even the title is somewhat obfuscated because the book is about obfuscation techniques that can be used to attack web applications. The set of techniques described in the book by David and the other authors is [...]

Invincea Named Most Innovative Startup at RSA

Cigital is proud to have helped Invincea create a secure security product. (See this post for more.) “What,” you say, “isn’t that redundant?” No, unfortunately many “security products” are not at all secure themselves. Surprising as it may be, software security is neither guaranteed nor common in security software. Invincea is bucking this trend by [...]

Increasing Static Visibility

Sometimes, people talk loosely about an important difference between static and dynamic analyzers. Static analyzers, they say, achieve 100% coverage. They may complain that dynamic tools struggle to get even double-digit statement coverage of an application under test. Dan Cornell wrote a blog post on static analysis coverage. He observed that while the static tool [...]

If it’s so hard why bother?

Recently, internal and external discussion hit on the topic of static tool comparison. The difficulty of this topic caused me to write up my thoughts as what became an InformIT article. This prompted some to respond, “If selecting and adopting a tool is so hard, even for experts, why should I bother?” Good question. The [...]

Malicious Code and Software Security

Malicious code is a bigger problem than ever before. Way back in 1996 when Ed Felten and I wrote Java Security, we thought that malicious code was an up and coming issue and we positioned it that way. These days with the likes of Stuxnet and Zeus, things are worse than we ever would have [...]

A Cloud Security Discussion without FUD

I was happy to read a very measured viewpoint about Cloud Security in the first couple of articles of the Nov/Dec issue of IEEE Security and Privacy. The introduction sets a very constructive tone. I really appreciate the measured tone because I’ve been dealing with a lot of “knee jerk reactions” within our client-base around Cloud [...]