Archive for the ‘Software Security’ Category

  • Electronic imports contain security threats

    on Jul 19, 11 • by Alen Zukich • with No Comments


    I read an interesting post on electronic imports that could contain security threats.  I can only speak from the software perspective, but I can say that most customers I’ve dealt with usually integrate some sort of software security audit process with any 3rd-party integrator and from my experience that means adopting static analysis.  How many organizations are there that haven’t jumped on board with static analysis?  Probably more than I can count. It would be very interesting to hear of some of the Armed Services and Intelligence cyber threats that the government has not publicly

    Read More »
  • New programs for software security

    on Jul 5, 11 • by Alen Zukich • with No Comments


    The U.S. Department of Homeland Security, in conjunction with the SANS Institute and Mitre have been hard at work again.  See the article.  There are two new programs called the Common Weakness Risk Analysis Framework (CWRAF) and the Common Weakness Scoring System (CWSS).  Using these two in conjunction will help users identify the most important weaknesses for their business.  It will be interesting to see adoption in the upcoming weeks. In addition to CWRAF and CWSS the 2011 CWE/SANS Top 25 list has been updated.  There has been a number of position changes and a

    Read More »
  • Toughen up your code with software security best practices

    on Apr 28, 11 • by Patti Murphy • with No Comments


    Crying into your wadded Kleenex about how your vulnerabilities were exploited may make for compelling TV, but when it comes to software security, they’ll cost you a lot more than your personal dignity. Or maybe they’ll cost you millions of dollars in lost business and your personal dignity. Why not toughen up your code by implementing software security best practices that prevent or mitigate the risks? That’s why you should head on over to the Klocwork Developer Network and check out the free eLearning courses provided by Security Innovation, an industry leader in software security

    Read More »
  • Building a Software Security Threat Model

    on Apr 20, 11 • by Brendan Harrison • with 5 Comments


    We’ve talked at length before regarding software security assurance and the role static analysis can play in ensuring code is written securely. We’ve got a bunch of great resources for anyone looking to dive into this particular aspect of software security: Summary of various secure coding standards, including links to specific checkers supported by Klocwork Free secure coding e-learning courses, including an intro to Microsoft’s secure development lifecycle A ‘buyer’s guide’ to selecting a static analysis tool as part of a secure coding program authored by a major payment software company To build on this,

    Read More »
  • What, me worry (about Mac-attacks)?

    on Dec 9, 10 • by Todd Landry • with 5 Comments

    alfred E Neuman

    After being a PC user for most of my life, I just can’t help but feel a little bit exposed without any kind of antivirus on my shiny new Mac. I mean, I’ve heard it ad nauseum that the Mac just isn’t as prone to attacks as PCs are, but I for one just find that hard to believe. It is a computer that connects to the Internet after all; there has to be some level of risk there. According to this site, there are regular updates to address new Trojan horses, and other security

    Read More »
  • Rootkitting a PLC – who would have thought they were vulnerable

    on Oct 19, 10 • by Eric Hollebone • with 2 Comments

    Part of my life has been spent in the manufacturing sector working with industrial automation devices, but the discovery of the Stuxnet virus is the first time I’ve ever heard of specifically virus targeting and even rootkitting a PLC (programmable logic controller) or  SCADA (supervisory control and data acquisition) network. When working in industrial plants, we took the standard precautions with regard to Windows viruses and even started to add virus protection for Linux, but never did it occur to any of us that the industrial automation equipment might be at risk. Whenever the subject was even brought

    Read More »
  • The Alphabet Soup of Software Security Guidelines

    on Jun 15, 10 • by Todd Landry • with 5 Comments


    With the recent story that the iPad has inherent security vulnerabilities, I thought it might be an appropriate time to delve into the world of software security guidelines…but I must warn you, this blog will contain an abnormal amount of acronyms, and may not be suitable for all audiences. When talking about software security guidelines, there are really 5 or 6 organizations that are leading the charge, and they include: –          OWASP –          SANS Institute –          MITRE –          PCI Security Standards Council –          SEI Let’s first look at OWASP. OWASP stands for Open Web Application

    Read More »
  • Google offers cash reward for finding bugs in Chrome

    on Feb 5, 10 • by Eric Hollebone • with 1 Comment


    As Google Chrome climbs out of obscurity in the browser market and expands into a light-weight but fully functional OS, security seems to have become a top of mind issue over at chromium headquarters. In the Chromium Blog, Chris Evans of Chrome Security announced a cash for bugs initiative, paying between 500 and 1337 USD depending on the severity for any previously undiscovered flaw.  I am glad to see Google encouraging the community at large to participate in hardening my current browser of choice.  As Chris points out, Mozilla was one of the first to embark on this type of

    Read More »
  • From Static Analysis to 0day Exploit – a demonstration

    on Dec 9, 09 • by Eric Hollebone • with No Comments

    I have always been fascinated by the whole area of code vulnerabilities and security exploits and how hackers turn those issues into real-world problems for the rest of us. Jeremy Brown posted an interesting article on Jeremy’s Computer Security blog where he uses his security know-how to draw a straight line between a software vulnerability found with static analysis and a real 0day exploit on an open source project called gAlan. Jeremy takes us on a short journey where he finds an unprotected buffer with static analysis, creates an exploit payload to cause a buffer overrun, rewrites the

    Read More »
  • Software Assurance Forum Day 3 Recap

    on Nov 5, 09 • by Todd Landry • with No Comments

    My first day at the SWA forum was actually the 3rd day at the conference, and from all accounts it has been a very productive and relevant first 2 days. Today was no different as it was kicked off with a panel discussion on the Evolution of Software Assurance Processes, and included speakers from Lockheed Martin, Waters Edge LLC, SEI/CERT, and SafeCode. I thought it was an entertaining discussion from a group definitely passionate about the topic. Something seemed missing though as I came out of it hoping for something more…Some good questions rounded out

    Read More »
Scroll to top