Justice League Blog
If it’s so hard why bother?
Recently, internal and external discussion hit on the topic of static tool comparison. The difficulty of this topic caused me to write up my thoughts as what became an InformIT article. This prompted some to respond, If selecting and adopting a tool is so hard, even for experts, why should I bother? Good question. The [...]
Malicious Code and Software Security
Malicious code is a bigger problem than ever before. Way back in 1996 when Ed Felten and I wrote Java Security, we thought that malicious code was an up and coming issue and we positioned it that way. These days with the likes of Stuxnet and Zeus, things are worse than we ever would have [...]
A Cloud Security Discussion without FUD
I was happy to read a very measured viewpoint about Cloud Security in the first couple of articles of Nov/Dec issue of IEEE Security and Privacy. The introduction sets a very constructive tone. I really appreciate the measured tone because I’ve been dealing with a lot of “knee jerk reactions” within our client-base around Cloud [...]
Howard Schmidt Keeps his eye on the Ball
I was recently invited by our Corporate Counsel to attend a local Virginia networking event hosted by the Northern Virginia Technology Council. Howard Schmidt was the speaker. I’ve run into Howard a few more times than I expected to this year, and each time it is interesting to see what he has to say. Howard [...]
Cyber War and US Policy
I spent more time this year in Washington talking to policy makers than I have in past years. I’ve been to the White House, to the Pentagon, and to a think tank or two. One thing became clear, cyber security is a confusing field full of FUD and nonsense! Oh yeah, and the government is [...]
BSIMM Community Conference
We just hosted the first ever BSIMM Community Conference in Annapolis, MD this week. I’m proud to say it was a smash hit. The schedule was packed full of interesting talks from leaders among the BSIMM Community including Microsoft, Intel, Salie Mae, JP Morgan Chase, QUALCOMM, Fidelity, Adobe and Cigital, but by far the most [...]
Securing URL Redirects
(This is a guest post by Cigital consultant Mike Ware. The original post appeared on his blog, good code, secure software.) Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top Ten 10 List. Sites that are vulnerable often expose a servlet or server-side [...]
Technology Transfer: Static Analysis Enters the Main Stream
At Cigital we have always been concerned with moving software security into the main stream. One obvious way to do this is through technology transfer. I am particularly proud of the role that Cigital has played getting security-focused static analysis out into the “main stream.” Now that IBM owns Ounce and HP owns Fortify we [...]
Stuxnet p0wns the Physical World
If the code here (courtesy of Ralph Langner) looks unfamiliar, that means you’re probably not a process control engineer familiar with the Siemens Step 7 programming language. And if you are, software security is probably unfamiliar territory! This code turns out to be the payload of the Stuxnet worm, meant to be injected into the [...]
BSIMM Begin
Starting this past winter, we tried an extended BSIMM-related experiment in self-reporting as a means of gathering software security activity data. We did this by directly contacting individuals and organizations to entice them to complete a survey. We called that effort BSIMM Begin. BSIMM Begin is related to the actual BSIMM, but it is not [...]
