Software Integrity

Archive for the 'Vulnerability Assessment' Category

Does Software Quality Equal Software Security? It Depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. The risk might be mission critical, such as software on a scientific robot crawling another planet, or it might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Posted in Code Review, CWE/SANS, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment

Swift: Close to Greatness in Programming Language Design, Part 2

Ahead of Coverity static analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. To kick things off, I recommend reading Part 1 in this series if you have not already. Defect patterns continued: More basics Now we consider additional […]

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment

Forging a SHA-1 MAC Using a Length-Extension Attack in Python

SHA-1 (Secure Hash Algorithm 1) is broken. It has been since 2005. And yet, that hasn’t stopped its continued use. For example, until early 2017 most internet browsers still supported SHA-1. As though to confirm that SHA-1 was really, truly dead, researchers from CWI Amsterdam and Google announced at the end of February 2017 they […]

Posted in Application Security, Vulnerability Assessment, Web Application Security

Swift: Close to Greatness in Programming Language Design, Part 1

As we are taking our first steps toward a Coverity static analysis solution for the Swift programming language, I am discovering one of the most challenging languages yet for Coverity. This is simply because many of the easy-to-make, easy-to-find mistakes in other programming languages were designed to be difficult or impossible in Swift. However, some mistakes […]

Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment

New Apache Struts 2 Zero-Day Vulnerability: What You Need to Know

It has been more than 48 hours since this attack was made public. At this time, hackers are actively exploiting the critical vulnerability and are able to take complete control of web servers. Several sources have been discussing details for exploiting this vulnerability. Rather than focusing on how to exploit it here, we will ensure that you are […]

Posted in Application Security, Open Source Security, Vulnerability Assessment, Web Application Security

How Secure Is AngularJS?

Synopsys Principal Security Consultant Ksenia Dmitrieva-Peguero recently posed the question at the information security conference Securi-Tay: How secure is AngularJS? With seven years of experience in the AppSec space and five years of software development experience, Ksenia’s current concentration centers on the analysis of JavaScript frameworks: researching their security implications, vulnerability discovery, and remediation. In her latest […]

Posted in Application Security, Security Conference or Event, Security Training, Vulnerability Assessment

Responsible Disclosure on a Timetable

In response to its haphazard patch release cycle in the late 1990s, Microsoft launched an every second-Tuesday-of-the-month “Patch Tuesday” program in 2004. Last week, on February 14 to be exact, Microsoft abruptly canceled its current monthly set of patches and said that its slate of new patches would return on March 14. The problem is […]

Posted in Ethical Hacking, Healthcare Security, News, Vulnerability Assessment

With Comparisons to Heartbleed, Cloudbleed May Affect Millions

A researcher from Google disclosed on Thursday that private messages, API keys, and other sensitive data were being leaked by a major content delivery network to random requesters, a leakage that could affect up to 5.5 million websites. Like Heartbleed, which was co-discovered by the Synopsys team in Oulu, Finland, and Google in April 2014, […]

Posted in Application Security, Cloud Security, Fuzz Testing, News, Software Security Testing, Vulnerability Assessment

How to Detect, Prevent, and Mitigate Buffer Overflow Attacks

Since the birth of the information security industry, buffer overflows have found a way to remain newsworthy. In the late 1980s, a buffer overflow in UNIX’s fingerd program allowed Robert T. Morris to create a worm that infected 10% of the Internet in two days. This event launched cybersecurity to the forefront of computer science headlines […]

Posted in Software Security Testing, Vulnerability Assessment

Why Secure Code Reviews Matter (and Actually Save Time!)

Modern websites and applications are feature-rich. They provide the user with an intuitive flow through business logic and data. Application developers write these features, rely on their operation, and may even reuse them in their code. Because of rapid, feature-driven development and code sharing, when a vulnerability is introduced in code (and goes undetected) it […]

Posted in Code Review, Vulnerability Assessment