By now, our readers have undoubtedly seen the buzz about a serious security vulnerability in Oracle Java, with corresponding exploit code making its way around (in the form of active, in-the-wild attack campaigns, as well as penetration testing tools). If you haven’t, the gist is that, due to an issue in the way access control permissions are checked in Java, it is possible for an applet to effectively grant itself full permissions, including the ability to execute commands *outside* of the Java sandbox (an operation that is, of course, typically limited). For those interested, Immunity, Inc., posted an excellent,
In my last blog I discussed why web application inventory knowledge is so powerful. So I’m following that with what happens when enterprises actually get the inventory data for the first time.
Usually the first reaction is “OMG! We have a lot of stuff.” This is especially true when the discovery process detects applications outside the well-known network ranges or domain patterns. It reminds me of those reality shows where they clear out all the stuff from people’s houses, lay everything out on the lawn for a yard sale, and wonder how it all fit into the house.
By Dan Cornell, CTO of the Denim Group (www.denimgroup.com)
At Denim Group, we help clients build secure software and secure the software they have already built. We have a long-standing partnership with Veracode because their SaaS scanning engine provides us with the vulnerability information we need to help make our customers’ applications more secure.
Our goals when we work with clients rolling out software security testing programs are the following:
In my 15-year history of being online I don’t believe I’ve ever had one of my accounts hacked. Clearly I know how to construct a secure password, or perhaps, more likely, I’ve just never really been important or unlucky enough to be hacked. Count how many password variations you use for your many accounts across the web. Is it around 6 or 7? Then congratulations, you’re perfectly average. I can’t lie, I was a bit stunned by my own predictability while reading this article, and I’m revamping my password strategies as we speak.
You wouldn’t believe what Veracoders can do in just three short days.
Heck, I just watched us do it –again– at the Summer 2012 Hackathon, and I can barely believe it myself.
As you may recall, the rules of our Hackathons are simple: you have three days to design, prototype, test, refine, build, and present anything you like, provided it’s legal and within our “Veracode of Conduct”. Your hack does not have to relate to security, or computers, or Veracode — but many people do use the Hackathon and their own inspiration to propel the company forward in new and exciting ways.
One of the big stories from this year’s BlackHat conference was Microsoft’s inaugural BlueHat contest. The contest challenged security researchers to design a novel runtime mitigation technology intended to prevent the exploitation of memory safety vulnerabilities. We were lucky enough to grab a few minutes with Katie Moussouris, Microsoft’s leader of security community outreach and strategy, to answer a few of our questions on the BlueHat contest.
Enterprises have been scanning web applications for security vulnerabilities for some time now. So what’s the big deal between doing some application scans and securing your application perimeter?
Well, the first thing is the sheer size and scale of today’s enterprise application perimeter, which we define as all of your Internet-facing applications, including the enterprise applications accessed by mobile users…
If you’ve been in the security industry for a while, you may notice that there are a lot of events. As in, somewhere in the world, there is a security event happening just about every day of the year. You have your giant industry events, analyst events, regional events, hacker cons, and pretty much any kind of gathering you can possibly think of, including conferences on boats, trains, and buses. At any given time, you can find a security conference happening *somewhere*. So, what is it about the security industry that loves an event?
Over the next 2 to 3 weeks we’ll be authoring a number of posts about our annual Hackathon, which ran last week, as one of our goals this time around was to share a lot more than we did for our inaugural Hackathon last year. Last week we kicked things off with our brief intro announcing the start of the Hackathon, and today we keep things going with our photo round-up.
The 2012 Veracode Hackathon officially kicked off this morning, and while most of our coverage of the event will come later this week and next week, I wanted to give everyone that was curious a quick glimpse into the event.
The event starts over a free breakfast of donuts and bagels, and while participants are welcomed, t-shirts are also distributed (pink was especially popular among the men). Shortly thereafter our research space is transformed into a 24-hour disco club, complete with laser shows and our custom mobile media console.
Dropbox Email Spamming: Posted by Aditya Agarwal in the Dropbox blog, a post titled “Security update & new features” addresses user complaints about spam they were receiving at email addresses they only used for Dropbox. The investigation found that “usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts.” They went on to say that they had contacted the affected users and helped them secure their accounts. On the Naked Security blog, Paul Ducklin points out that this proves the “One site, one password” …
With over 20% of all web vulnerabilities attributed to SQL Injection, it is the 2nd most common software vulnerability, and the ability to find and prevent SQL injection should be top of mind for web developers and security personnel. In general, a SQL Injection attack exploits a web application that does not properly validate or encode user-supplied input and then uses that input as part of a query or command against a back-end database.
Veracode Marketing recently polled a list of mobile security experts, asking them “What can employees do to minimize risk when bringing their own devices to work?” We’re pleased to present the responses from a wide array of security experts, including David Schwartzberg from Sophos, Kevin Flynn from Fortinet, and Veracode’s own Chris Wysopal. While all our experts have their unique perspectives, some common themes arose, including changing employees’ view of security. We want to thank all our respondents for participating, and we welcome your thoughts too!