Justice League Blog
Howard Schmidt Keeps His Eye on the Ball
I was recently invited by our Corporate Counsel to attend a local Virginia networking event hosted by the Northern Virginia Technology Council. Howard Schmidt was the speaker. I’ve run into Howard a few more times than I expected to this year, and each time it is interesting to see what he has to say. Howard [...]
Cyber War and US Policy
I spent more time this year in Washington talking to policy makers than I have in past years. I’ve been to the White House, to the Pentagon, and to a think tank or two. One thing became clear: cyber security is a confusing field full of FUD and nonsense! Oh yeah, and the government is [...]
BSIMM Community Conference
We just hosted the first ever BSIMM Community Conference in Annapolis, MD this week. I’m proud to say it was a smash hit. The schedule was packed full of interesting talks from leaders among the BSIMM Community including Microsoft, Intel, Sallie Mae, JP Morgan Chase, QUALCOMM, Fidelity, Adobe and Cigital, but by far the most [...]
Securing URL Redirects
(This is a guest post by Cigital consultant Mike Ware. The original post appeared on his blog, good code, secure software.) Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top 10 List. Sites that are vulnerable often expose a servlet or server-side [...]
Technology Transfer: Static Analysis Enters the Main Stream
At Cigital we have always been concerned with moving software security into the main stream. One obvious way to do this is through technology transfer. I am particularly proud of the role that Cigital has played getting security-focused static analysis out into the “main stream.” Now that IBM owns Ounce and HP owns Fortify we [...]
Stuxnet p0wns the Physical World
If the code here (courtesy of Ralph Langner) looks unfamiliar, that means you’re probably not a process control engineer familiar with the Siemens Step 7 programming language. And if you are, software security is probably unfamiliar territory! This code turns out to be the payload of the Stuxnet worm, meant to be injected into the [...]
BSIMM Begin
Starting this past winter, we tried an extended BSIMM-related experiment in self-reporting as a means of gathering software security activity data. We did this by directly contacting individuals and organizations to entice them to complete a survey. We called that effort BSIMM Begin. BSIMM Begin is related to the actual BSIMM, but it is not [...]
Remediation – The Game
(This is a guest post, contributed by Timothy Champagne, a consultant at Cigital.) I have long been a fan of card games. During lunch breaks at work, my co-workers and I would often play such games to pass the time and socialize. I found myself thinking that this activity could not be unique to my [...]
Software Security Crosses the Threshold in 2009
I have been tracking the software security market and publishing numbers since 2006. This year’s article is now available on InformIT: Software Security Crosses the Threshold. See these past (mysteriously named) articles for data from previous years: InformIT (2008): Software Security Comes of Age: Space Approaches $500M threshold InformIT (2007): Software Security Demand Rising Darkreading [...]
Input Validation and Data Dictionaries
Our internal discussion board brought up the topic of input validation last week. The discussion was around the regex for validating an email address. The message was that what seems like a very simple input validation can get complicated if the full standard is supported. As I read the discussion I started thinking about Data [...]