Finally getting around to posting our materials from the talk that Chris Wysopal and I gave at BlackHat this year entitled “Static Detection of Application Backdoors.” Here are the slide deck and the accompanying whitepaper:

Static Detection of Application Backdoors (slides)
Static Detection of Application Backdoors (whitepaper)

Also, as a proof-of-concept, we had demonstrated using IDA Pro’s scripting framework to detect one of the backdoor examples that we discussed — suspicious cryptographic API calls. Specifically, it flags calls to known encryption, decryption, and/or key management functions where a constant value is passed to a specific argument position. This …

RSnake blogged on this first but I can’t help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they’re getting litigious. The abstract from the patent reads as follows:

A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure of the transaction baseline to obtain a modified transaction with malformed grammar; and transmitting the modified transaction to a target. The method may further include, receiving a feedback from the …

There’s been a lot of blogging over the weekend about the 36-hour Skype outage that occurred starting last Thursday. From Skype’s official explanation, it wasn’t a security-related event — in other words, Skype wasn’t hacked. We have no reason to believe otherwise. However, security and availability are often discussed in the same breath, and lots of people will be speculating about the chain of events that led to this outage.

It’s worth understanding a little bit about the Skype network. I remembered reading this paper a few years back, in which some Columbia …

Veracode president and CEO, Matt Moynahan, was featured yesterday in a podcast interview with IT security expert Dan Sullivan on automated vulnerability analysis as a service.

In the podcast, Matt answers questions on automated application vulnerability analysis – offered as an outsourced service. And he discusses why companies are looking for solutions that use multiple testing techniques, including Web application scanning and static binary analysis, to provide more comprehensive security reviews.

Here’s the description from the site:

Automated vulnerability assessment can complement manual efforts to find and correct vulnerabilities in application code. In this podcast, Matt Moynahan, CEO …