Software Integrity

Archive for March 2017

 

Does Software Quality Equal Software Security? It Depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Continue Reading...

Posted in Code Review, CWE/SANS, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment | No Comments »

 

Swift: Close to Greatness in Programming Language Design, Part 2

Ahead of Coverity static analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. To kick things off, I recommend reading Part 1 in this series if you have not already. Defect patterns continued: More basics Now we consider additional […]

Continue Reading...

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | No Comments »

 

How to Benchmark Your Software Security Strategies

Evaluating the progress of your software security journey is essential, but it can be a considerable challenge. Tracking operational metrics doesn’t tell you whether you are doing the right things. Analyst reports are often too general to provide tactical direction. And companies hold their security plans so close to the vest, it makes competitive research […]

Continue Reading...

Posted in Application Security, Maturity Model (BSIMM), Threat Modeling | No Comments »

 

Forging a SHA-1 MAC Using a Length-Extension Attack in Python

SHA-1 (Secure Hash Algorithm 1) is broken. It has been since 2005. And yet, that hasn’t stopped its continued use. For example, until early 2017 most internet browsers still supported SHA-1. As though to confirm that SHA-1 was really, truly dead, researchers from CWI Amsterdam and Google announced at the end of February 2017 they […]

Continue Reading...

Posted in Application Security, Vulnerability Assessment, Web Application Security | No Comments »

 

Zeroing in on Zero Days

Earlier this month WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency – or anyone else who knows about them […]

Continue Reading...

Posted in Code Review, Embedded Software Testing, Fuzz Testing, Network Security, Software Security Testing, Static Analysis (SAST) | No Comments »

 

Sophia Goreczky Is the Recipient of the 2017 YWCA Emerging Leader Award

Sophia Goreczky, Senior User Experience Designer within Synopsys’ Software Integrity Group, is the recipient of 2017 YWCA Emerging Leader Award. She will be honored, along with 4 other award honorees, at an awards dinner on May 11, 2017, at the Fairmont Hotel in San Jose. Since 1984, the YWCA Silicon Valley Tribute to Women Awards […]

Continue Reading...

Posted in Application Security | No Comments »

 

The Connected Toy Conundrum Is Beginning to Boil

Originally posted on SecurityWeek.  The prediction business is a tricky thing. You can be right, but until you are proven right, you’re either early or wrong. Being early feels just like being wrong–up until the moment you are right. When toymaker VTech announced in November 2015 that nearly five million customer records had been leaked […]

Continue Reading...

Posted in Application Security, Internet of Things | No Comments »

 

Swift: Close to Greatness in Programming Language Design, Part 1

As we are taking our first steps toward a Coverity static analysis solution for the Swift programming language, I am discovering one of the most challenging languages yet for Coverity. This is simply because many of the easy-to-make, easy-to-find mistakes in other programming languages were designed to be difficult or impossible in Swift. However, some mistakes […]

Continue Reading...

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment | No Comments »

 

How to Create Clean Images for Corporate Hardware

Planning an IT initiative can present many challenges, one of which being the choice of software in the organization’s base computer images. When starting out small, it may make sense to buy machines off the shelf if expansion is not anticipated in the near future. However, choosing to do so often includes unwanted programs that add […]

Continue Reading...

Posted in Application Security, Dynamic Analysis (DAST), Security Risk Assessment | No Comments »

 

New Apache Struts 2 Zero-Day Vulnerability: What You Need to Know

It has been more than 48 hours since this attack was made public. At this time, hackers are actively exploiting the critical vulnerability and are able to take complete control of web servers. Several sources have been discussing details for exploiting this vulnerability. Rather than focusing on how to exploit it here, we will ensure that you are […]

Continue Reading...

Posted in Application Security, Open Source Security, Vulnerability Assessment, Web Application Security | No Comments »