Posted by Chris Wysopal in RESEARCH, December 15, 2010 |
The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leaders position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the Veracode team has been able to accomplish as a 4.5 year old company.
To get our service to the performance level where it is today has taken many hard earned lessons. These were learned satisfying the application security testing needs for …
Posted by Chris Wysopal in RESEARCH, December 13, 2010 |
The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent.
Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. Mobile devices are designed around personal and communication …
Posted by Chris Wysopal in RESEARCH, December 8, 2010 |
As we close out an security eventful 2010, the Veracode research team though it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe will have a very good chance of coming true.
1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer
Sandboxing can prevent the exploitation of coding errors by preventing code running inside the sandbox from interacting with the operating system. Software companies with apps that are designed to render data and interpret script code downloaded from the Internet start to adopt sandboxing.
2. …
Posted by Chris Eng in RESEARCH, December 7, 2010 |
As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload.
In the realm of automated web application testing, today’s technologies fall into one of two categories, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). SAST analyzes application binaries or source code, detecting vulnerabilities by identifying insecure code paths without actually executing the program. In contrast, …
Posted by Chris Eng in RESEARCH, December 3, 2010 |
I created this video for an internal Veracode video contest. It’s intended to poke fun at the abundance of “thought leaders” we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it’s meant to satirize any particular person — sorry to disappoint, it’s just a composite. Enjoy!
Posted by Chris Eng in RESEARCH, September 27, 2010 |
Is anyone else getting tired of hearing excuses from customers — and worse yet, the security community itself — about how hard it is to fix cross-site scripting (XSS) vulnerabilities? Oh, come on. Fixing XSS is like squashing ants, but some would have you believe it’s more like slaying dragons. I haven’t felt inspired to write a blog post in a while, but every once in a while, 140 characters just isn’t enough. Grab your cup of coffee, because I may get a little rambly.
Easy to Fix vs. Easy to Eradicate
Let’s start with some terminology to …
Posted by Chris Wysopal in RESEARCH, September 27, 2010 |
When the Stuxnet worm that attacks Siemens SIMATIC systems was first discovered and made public, one of the first vulnerabilities in the software that was found was a hard coded password. This allowed Stuxnet to steal project information from databases used by Siemens SIMATIC systems. Symantec researchers have found another vulnerability which allows Stuxnet to spread via project files used by the SIMATIC system known as STEP7 projects. Stuxnet uses a variation of Insecure Library Loading or “Binary Planting” which became news in late August but has been known about for a long time.
What …
Posted by Chris Wysopal in RESEARCH, September 22, 2010 |
A little over a week ago it was the 9th anniversary of the 9-11 attack against the US. The following day, September 12th, 2001, I was scheduled to testify before the US Senate Committee on Governmental Affairs for a hearing titled, “How Secure is Our Critical Infrastructure?” The hearing went on but no one outside of DC was able to get there in time.
The following is the written testimony we submitted. We talked about:
- the security of commercial software
- one of the first botnets
- the threat of consumer devices entering corporate environments
- applications security
All are still major problems today. …
Posted by Chris Wysopal in RESEARCH, July 22, 2010 |
The recent Siemens WinCC SCADA targeted malware packages an zero day application vulnerability with a zero day OS vulnerability. The OS vulnerability in Windows creates a worm capability to get to the target and once on the target the application vulnerability allows compromise of the application’s data. The vulnerabilities are used in stages:
Stage 1: Use a Windows OS vulnerability for wormable spread. This is the zero day .LNK file attack.
Stage 2: If the malware lands on a computer running Siemens WinCC software it uses an application vulnerability to access the database containing sensitive information and exfiltrates the …
Posted by Chris Wysopal in RESEARCH, June 14, 2010 |
Vulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions against vulnerability researchers in “Computer Experts Face Backlash”.
The AT&T website vulnerability is part of a growing new trend for vulnerability disclosures. As software and services move from traditional installed software to SaaS and into the cloud, more vulnerabilities are only going to …
Posted by Chris Wysopal in RESEARCH, June 1, 2010 |
In his blog, Gartner analyst Neil MacDonald asks the question, “Is .NET More Secure Than Java?”. Veracode provided data to help answer this question from our “State of Software Security Report” which contains the static analysis results from 1591 Java, .NET and C/C++ applications. .NET comes out slightly ahead.
…the vulnerability density (average flaws per MB of code scanned) for .NET was 27.2 and for Java the overall density was 30.0.
The question of which platform helps create a more secure application has been debated vigorously for many years. Back in 2003, with Andy Jaquith and other consultants …
Posted by Chris Eng in RESEARCH, May 17, 2010 |
Lots of people have been asking us for opinions on HTML5 security lately. Chris and I discussed the potential attack vectors with the Veracode research team, most notably Brandon Creighton and Isaac Dawson. Here’s some of what we came up with. Keep in mind that the HTML5 spec and implementations are still evolving, particularly with respect to security concerns, so we shouldn’t assume any of this is set in stone.
Don’t Forget Origin Checks on Cross-Document Messaging
Applications that use cross-document messaging could be unsafe if origin checking is done incorrectly (or not at all) in the message …
Posted by Chris Wysopal in RESEARCH, April 6, 2010 |
“Zero Day” the album that is. Wired has a review. You can read the full lyrics on Frontalot’s site. Here is a snippet:
Press play, prepare as history is made:
“largest hack in one day,” all the headlines will say.
All out of time, hear the chime from the buzzer.
Found this bug on my own, no need for a fuzzer.
“It’s already too late,” spreading as we planned.
No need for the NO OPs, I know just where to land.
Clearing out the registers, with pointers to my functions,
loaded to your memory and writing new instructions.
Posted by Tyler Shields in RESEARCH, March 25, 2010 |
I’ve been focused on conducting research into the mobile spyware arena these last few months and the results have been very interesting. As I’m sure you are aware, I released a fully functional piece of Blackberry Spyware called txsBBSpy at the Shmoocon security conference in February 2010 and have done a number of interviews and podcasts on the topic. While my research is interesting, other high profile attacks just this week could really make this type of spyware/trojan a lot more dangerous.
At CanSecWest security conference this week, iPhone, Firefox, Safari, and other mobile operating systems and browsers were …
Posted by Chris Eng in RESEARCH, February 26, 2010 |
Here’s a quick post to let you know all the places to get your Veracode fix at RSA Conference 2010.
- On the Expo floor, we’ll be in booth 729. I’ll be at the booth for a few hours on Tuesday and Wednesday. Stop by if you’d like to talk about our service offerings, get a quick demo, or just say hello.
- On Monday morning at 9:25am, Ashish Larivee will be giving a presentation, Metrics for Insights on the State of Application Security at Mini Metricon.
- On Monday morning at 11:15am, I’ll be on a panel,
Subscribe by RSS
