Archive for the ‘Software Security’ Category

  • Building a Software Security Threat Model

    on Apr 20, 11 • by Brendan Harrison • with 5 Comments

    We’ve talked at length before regarding software security assurance and the role static analysis can play in ensuring code is written securely. We’ve got a bunch of great resources for anyone looking to dive into this particular aspect of software security:
    - Summary of various secure coding standards, including links to specific checkers supported by Klocwork
    - Free secure coding e-learning courses, including an intro to Microsoft’s secure development lifecycle
    - A ‘buyer’s guide’ to selecting a static analysis tool as part of a secure coding program, authored by a major payment software company
    To build on this,

  • What, me worry (about Mac-attacks)?

    on Dec 9, 10 • by Todd Landry • with 5 Comments

    After being a PC user for most of my life, I just can’t help but feel a little bit exposed without any kind of antivirus on my shiny new Mac. I mean, I’ve heard it ad nauseam that the Mac just isn’t as prone to attacks as PCs are, but I for one just find that hard to believe. It is a computer that connects to the Internet after all; there has to be some level of risk there. According to this site, there are regular updates to address new Trojan horses, and other security

  • Rootkitting a PLC – who would have thought they were vulnerable

    on Oct 19, 10 • by Eric Hollebone • with 2 Comments

    Part of my life has been spent in the manufacturing sector working with industrial automation devices, but the discovery of the Stuxnet virus is the first time I’ve ever heard of a virus specifically targeting and even rootkitting a PLC (programmable logic controller) or SCADA (supervisory control and data acquisition) network. When working in industrial plants, we took the standard precautions with regard to Windows viruses and even started to add virus protection for Linux, but never did it occur to any of us that the industrial automation equipment might be at risk. Whenever the subject was even brought

  • The Alphabet Soup of Software Security Guidelines

    on Jun 15, 10 • by Todd Landry • with 5 Comments

    With the recent story that the iPad has inherent security vulnerabilities, I thought it might be an appropriate time to delve into the world of software security guidelines…but I must warn you, this blog will contain an abnormal number of acronyms, and may not be suitable for all audiences. When talking about software security guidelines, there are really 5 or 6 organizations that are leading the charge, and they include:
    - OWASP
    - SANS Institute
    - MITRE
    - PCI Security Standards Council
    - SEI
    Let’s first look at OWASP. OWASP stands for Open Web Application

  • Google offers cash reward for finding bugs in Chrome

    on Feb 5, 10 • by Eric Hollebone • with 1 Comment

    As Google Chrome climbs out of obscurity in the browser market and expands into a light-weight but fully functional OS, security seems to have become a top-of-mind issue over at Chromium headquarters. In the Chromium Blog, Chris Evans of Chrome Security announced a cash-for-bugs initiative, paying between 500 and 1337 USD depending on the severity for any previously undiscovered flaw. I am glad to see Google encouraging the community at large to participate in hardening my current browser of choice. As Chris points out, Mozilla was one of the first to embark on this type of

  • From Static Analysis to 0day Exploit – a demonstration

    on Dec 9, 09 • by Eric Hollebone • with No Comments

    I have always been fascinated by the whole area of code vulnerabilities and security exploits and how hackers turn those issues into real-world problems for the rest of us. Jeremy Brown posted an interesting article on Jeremy’s Computer Security blog where he uses his security know-how to draw a straight line between a software vulnerability found with static analysis and a real 0day exploit on an open source project called gAlan. Jeremy takes us on a short journey where he finds an unprotected buffer with static analysis, creates an exploit payload to cause a buffer overrun, rewrites the

  • Software Assurance Forum Day 3 Recap

    on Nov 5, 09 • by Todd Landry • with No Comments

    My first day at the SWA forum was actually the 3rd day at the conference, and from all accounts it has been a very productive and relevant first 2 days. Today was no different as it was kicked off with a panel discussion on the Evolution of Software Assurance Processes, and included speakers from Lockheed Martin, Waters Edge LLC, SEI/CERT, and SafeCode. I thought it was an entertaining discussion from a group definitely passionate about the topic. Something seemed missing though as I came out of it hoping for something more…Some good questions rounded out

  • Preparing for the Software Assurance Forum 2009

    on Oct 30, 09 • by Todd Landry • with No Comments

    Next week I’m heading out to the Software Assurance Forum (use SOF96945 for the conference code) in Washington D.C. (well, actually Arlington, Virginia, but D.C. sounds more glamorous). If you’re not familiar with what the SWA is, in a nutshell, its key objective is to encourage software developers to raise overall software quality and security from the start, rather than relying on applying patches to systems after vulnerabilities are discovered. Anyways, while I’m there, I’ll be taking part in 2 speaking opportunities. The first will be as part of a 6 person panel discussion entitled

  • CWE Top 25

    on Jan 13, 09 • by Gwyn Fisher • with 5 Comments

    Another year, another list of the most obvious things that competent developers should already know how to avoid? This one even has the NSA backing it, as well as the usual laundry list of pimping vendors attempting to make PR out of anything remotely related to homeland security… Quick, where do I sign up? OK, perhaps that’s a bit cynical, but I have to say that my usual reaction to any web application-centric security laundry list is that most developers in that space write crap code, so why should we be surprised, or expect that
