By now, our readers have undoubtedly seen the buzz about a serious security vulnerability in Oracle Java, with corresponding exploit code making its way around (in the form of active, in-the-wild attack campaigns, as well as penetration testing tools). If you haven’t, the gist is that, due to an issue in the way access control permissions are checked in Java, it is possible for an applet to effectively grant itself full permissions, including the ability to execute commands *outside* of the Java sandbox (an operation that is, of course, typically limited). For those interested, Immunity, Inc., posted an excellent,
In my last blog I discussed why web application inventory knowledge is so powerful. So I’m following that with what happens when enterprises actually get the inventory data for the first time.
Usually the first reaction is “OMG! We have a lot of stuff.” This is especially true when the discovery process detects applications outside the well-known network ranges or domain patterns. It reminds me of those reality shows where they clear out all the stuff from people’s houses, lay everything out on the lawn for a yard sale, and wonder how it all fit into the house.
By Dan Cornell, CTO of the Denim Group (www.denimgroup.com)
At Denim Group, we help clients build secure software and secure the software they have already built. We have a long-standing partnership with Veracode because their SaaS scanning engine provides us with the vulnerability information we need to help make our customers’ applications more secure.
Our goals when we work with clients rolling out software security testing programs are the following:
In my 15-year history of being online I don’t believe I’ve ever had one of my accounts hacked. Clearly I know how to construct a secure password, or, perhaps more likely, I’ve just never really been important or unlucky enough to be hacked. Count how many password variations you use for your many accounts across the web. Is it around 6 or 7? Then congratulations, you’re perfectly average. I can’t lie, I was a bit stunned by my own predictability while reading this article, and I’m revamping my password strategies as we speak.
You wouldn’t believe what Veracoders can do in just three short days.
Heck, I just watched us do it again at the Summer 2012 Hackathon, and I can barely believe it myself.
As you may recall, the rules of our Hackathons are simple: you have three days to design, prototype, test, refine, build, and present anything you like, provided it’s legal and within our “Veracode of Conduct”. Your hack does not have to relate to security, or computers, or Veracode — but many people do use the Hackathon and their own inspiration to propel the company forward in new and exciting ways.
One of the big stories from this year’s BlackHat conference was Microsoft’s inaugural BlueHat contest. The contest challenged security researchers to design a novel runtime mitigation technology intended to prevent the exploitation of memory safety vulnerabilities. We were lucky enough to grab a few minutes with Katie Moussouris, Microsoft’s leader of security community outreach and strategy, to answer a few of our questions on the BlueHat contest.
Enterprises have been scanning web applications for security vulnerabilities for some time now. So what’s the big deal between doing some application scans and securing your application perimeter?
Well, the first thing is the sheer size and scale of today’s enterprise application perimeter – which we define as all of your Internet-facing applications – including the enterprise applications accessed by mobile users…
If you’ve been in the security industry for a while, you may notice that there are a lot of events. As in, somewhere in the world, there is a security event happening just about every day of the year. You have your giant industry events, analyst events, regional events, hacker cons, and pretty much any kind of gathering you can possibly think of – including conferences on boats, trains, and buses. At any given time, you can find a security conference happening *somewhere*. So, what is it about the security industry that loves an event?
Over the next 2 to 3 weeks we’ll be authoring a number of posts about our annual Hackathon, which ran last week, since one of our goals this time around was to share a lot more than we did for our inaugural Hackathon last year. Last week we kicked things off with a brief intro announcing the start of the Hackathon, and today we keep things going with our photo round-up.