Posted by Chris Wysopal in RESEARCH, July 27, 2009
Gartner analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, or SPARC CPU, and statically analyzing bytecode, which runs on a virtual machine such as the Java VM or the .NET CLR. As more companies with software security testing technology wade into the “no source available” pool (come on in guys, the water is nice), it is important to understand what capabilities you need for software assurance when you don’t have access to …
Posted by Chris Eng in RESEARCH, July 23, 2009
It’s time for the yearly BlackHat picks. Without further ado, here’s where you’ll have a good chance of finding me next week. Of course, you know what they say about the best laid schemes — there is no way I will actually make it to all of these, but as of now, this is what’s caught my interest:
Day 1
John McDonald & Chris Valasek: Practical Windows XP/2003 Heap Exploitation
Andrea Barisani & Daniele Bianco: Sniff keystrokes with Lasers /Voltmeters
Mark Dowd, Ryan Smith & David Dewey: The Language of Trust
Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism ’09
Pwnie Awards
Day 2
Zane …
Posted by Chris Wysopal in RESEARCH, July 22, 2009
Christien Rioux, Veracode co-founder and chief scientist, recently gave a webinar on mobile app security. He covers the strengths and weaknesses of three popular mobile application platforms: Windows Mobile, RIM BlackBerry, and Google Android. Veracode recently announced our capability to scan Windows Mobile applications for vulnerabilities and malicious code. BlackBerry and Android support will be coming in the next few months.
Watch the webinar:
Posted by Chris Eng in RESEARCH, July 15, 2009
Yesterday it was reported by various media outlets that a recent BlackBerry software update from Etisalat (a UAE-based carrier) contained spyware that would intercept emails and text messages and send copies to a central Etisalat server. We decided to take a look to find out more.
We’re not sure why the software was delivered in both .jar and .cod form. The .cod file is a RIM proprietary format that contains the compiled Java classes along with a signature. Therefore it’s not even necessary to send the .jar, but they did, completely unobfuscated. Arrogance or incompetence? Here’s what’s …
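The point about the unobfuscated .jar is that a JAR is just a zip of class files, and the class file constant pool holds, in the clear, every class and method the code references and every string literal it embeds, so an analyst can pull out upload URLs and message-handling calls without a decompiler. The script below is an added example written for this page, not Veracode's analysis and not code from the Etisalat update: it hand-assembles a small constructed class (the package `com/example/Interceptor`, the method `forwardMessage` and the URL `http://collector.example.invalid/upload` are all invented for the example), wraps it in an in-memory JAR, parses the constant pool of every `.class` entry per the JVM class-file spec, and applies a simple name-length heuristic for ProGuard-style renaming.

```python
"""Triage a JAR with no source: parse each class file's constant pool and pull
out what an analyst looks for first (method references, string constants such
as upload URLs, and whether the names look obfuscated)."""
import io
import struct
import zipfile

# Fixed payload sizes per constant-pool tag (JVM class-file spec, chapter 4).
# CONSTANT_Utf8 (tag 1) is variable length and handled separately.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def _u2(b, off=0):
    return struct.unpack(">H", b[off:off + 2])[0]


def parse_class(data):
    """Parse one .class file; return this/super class, string constants and method refs."""
    if data[:4] != b"\xCA\xFE\xBA\xBE":
        raise ValueError("not a class file")
    count = _u2(data, 8)           # constant_pool_count = number of entries + 1
    pool = [None] * count          # index 0 is unused by the spec
    pos, i = 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:               # Utf8: u2 length, then (modified) UTF-8 bytes
            n = _u2(data, pos)
            pool[i] = (tag, data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        else:
            pool[i] = (tag, data[pos:pos + CP_SIZES[tag]])
            pos += CP_SIZES[tag]
        i += 2 if tag in (5, 6) else 1   # long/double occupy two slots

    def utf8(idx):
        return pool[idx][1]

    def class_name(idx):           # CONSTANT_Class -> u2 name_index -> Utf8
        return utf8(_u2(pool[idx][1]))

    _flags, this_idx, super_idx = struct.unpack(">HHH", data[pos:pos + 6])
    strings, methodrefs = [], []
    for entry in pool[1:]:
        if entry is None:
            continue
        tag, raw = entry
        if tag == 8:               # CONSTANT_String -> u2 string_index
            strings.append(utf8(_u2(raw)))
        elif tag in (10, 11):      # Methodref / InterfaceMethodref -> class, NameAndType
            cls = class_name(_u2(raw))
            name_idx, desc_idx = struct.unpack(">HH", pool[_u2(raw, 2)][1])
            methodrefs.append(f"{cls}.{utf8(name_idx)}{utf8(desc_idx)}")
    return {"this_class": class_name(this_idx), "super_class": class_name(super_idx),
            "strings": strings, "methodrefs": methodrefs}


def triage_jar(jar_bytes):
    """A JAR is a zip: parse every .class entry and return {entry_name: info}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                out[name] = parse_class(zf.read(name))
    return out


def looks_obfuscated(infos, max_short=2):
    """Heuristic: ProGuard-style renaming leaves most simple class names at 1-2 chars."""
    simple = [info["this_class"].rsplit("/", 1)[-1] for info in infos.values()]
    return sum(len(n) <= max_short for n in simple) > len(simple) / 2


def build_sample_jar():
    """Constructed sample for this example (not the Etisalat update): one hand-assembled class."""
    cp = []

    def utf8(s):
        cp.append(b"\x01" + struct.pack(">H", len(s)) + s.encode())
        return len(cp)             # 1-based constant-pool index of the new entry

    def ref(tag, *idx):
        cp.append(bytes([tag]) + b"".join(struct.pack(">H", x) for x in idx))
        return len(cp)

    this_cls = ref(7, utf8("com/example/Interceptor"))          # hypothetical class
    super_cls = ref(7, utf8("java/lang/Object"))
    ref(8, utf8("http://collector.example.invalid/upload"))      # hypothetical upload URL
    nat = ref(12, utf8("forwardMessage"), utf8("(Ljava/lang/String;)V"))
    ref(10, this_cls, nat)                                       # Methodref to our own method
    cls = (b"\xCA\xFE\xBA\xBE" + struct.pack(">HHH", 0, 49, len(cp) + 1) + b"".join(cp)
           + struct.pack(">HHH", 0x0021, this_cls, super_cls)    # ACC_PUBLIC|ACC_SUPER
           + struct.pack(">HHHH", 0, 0, 0, 0))                   # no interfaces/fields/methods/attrs
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Interceptor.class", cls)
    return buf.getvalue()


if __name__ == "__main__":
    infos = triage_jar(build_sample_jar())
    for entry, info in infos.items():
        print(entry, info)
    print("obfuscated:", looks_obfuscated(infos))
```

Run against a real JAR by replacing `build_sample_jar()` with the file's bytes; on an unobfuscated build the method references and string constants read like a table of contents for the code, which is exactly why shipping the .jar alongside the signed .cod gave the game away.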
Posted by Chris Wysopal in RESEARCH, July 8, 2009
Let’s take a step back for a moment from who the actors are in the recent DDoS attacks and look at the root cause of the problem, because that isn’t going away. We have a horribly insecure software ecosystem that lets the bad guys take advantage of all the insecure software that vendors have shipped in the last 5 years to build distributed denial of service (DDoS) armies. The attackers then target these DDoS armies at whoever they choose and are able to shut down their networks.
It is time to stop thinking about computer security as a castle wall …