Posted by Tyler Shields in RESEARCH, March 24, 2011 |
Increasing smartphone adoption rates coupled with the rapid growth in smartphone application counts have created a scenario where private and sensitive information is being pushed to the new device perimeter at an alarming rate. The smartphone mobile device is quickly becoming ubiquitous. It is not inconceivable to predict, in the near future, a world where smartphone and mobile device Internet usage becomes the de-facto standard for average business and personal consumer use, surpassing the desktop and laptop computing solutions. While there is much overlap with common operating system models, the mobile device security model has some distinct points of differentiation.
Many …
Posted by Chris Wysopal in RESEARCH, March 4, 2011 |
Last week I described the concept of application security debt and application interest rates. I promised that I would follow up with a financial model that could translate these concepts into real money.
Recap
Here’s a quick recap of the initial concept. Security debt is similar to technical debt. Both debts are design and implementation constructions that have negative aspects that aggregate over time and the code must be re-worked to get out of debt. Security debt is based on the latent vulnerabilities within an application. Application interest rates are the real world factors outside of the control …
Posted by Chris Wysopal in RESEARCH, March 2, 2011 |
Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened. 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place:
- Little to no vetting of apps for malicious behavior before being made available from app stores
- Android kernel code with known privilege escalation vulnerabilities and no way for many mobile users to patch their devices
- Attacker motivation in the form of big numbers of vulnerable devices and several proven ways to monetize their attacks: premium SMS/dialing, in-app purchases, …
Posted by Chris Wysopal in RESEARCH, February 25, 2011 |
Technical Debt
Architects and developers are well aware of the term technical debt but many in the security community have never heard of this concept. Ward Cunningham, a programmer who developed the first wiki program, describes it like this:
Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite… The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt. Entire …
Posted by Isaac Dawson in RESEARCH, February 22, 2011 |
As a web developer you’re always told you need to keep up to date on the latest and greatest technologies. Usually this is for creating applications which can take advantage of new technologies to deliver a better experience to your users. However, I think there is another angle to this, in particular: code rot. Code rot is where code becomes ignored or neglected, or the environment in which it operates evolves and changes into something that was not foreseen when the code was originally created. In some cases code rot can lead to vulnerabilities.
I like to consider myself a “web …
Posted by Chris Eng in RESEARCH, February 22, 2011 |
The 3rd Annual Social Security Blogger Awards were announced last week during the RSA Conference in San Francisco. Veracode received two awards, one for Best Corporate Blog and the other for Best Security Blog Post of the Year. Here is a list of all the nominees and the award winners. It’s always an honor to be recognized by peers, so on behalf of all the Veracode bloggers, thank you for reading — and for your votes!
Posted by Chris Eng in RESEARCH, January 31, 2011 |
We’re very excited here at Veracode to announce the availability of our new FREE service to detect cross-site scripting (XSS) in your web application. This is a significant milestone for our company and for the security industry, and we encourage everyone from small ISVs to major enterprises to give us a try. Hopefully this will be one of the first steps in the long road to eliminating XSS; after all, one of the first steps to recovery is admitting you have a problem!
Questions? Comment on this blog post, or try @veracode, @chriseng, or @weldpond …
Posted by Chris Wysopal in RESEARCH, December 15, 2010 |
The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leader’s position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the Veracode team has been able to accomplish as a 4.5-year-old company.
To get our service to the performance level where it is today has taken many hard-earned lessons. These were learned satisfying the application security testing needs for …
Posted by Chris Wysopal in RESEARCH, December 13, 2010 |
The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent.
Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. Mobile devices are designed around personal and communication …
Posted by Chris Wysopal in RESEARCH, December 8, 2010 |
As we close out a security-eventful 2010, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe will have a very good chance of coming true.
1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer
Sandboxing can prevent the exploitation of coding errors by preventing code running inside the sandbox from interacting with the operating system. Software companies whose apps are designed to render data and interpret script code downloaded from the Internet will start to adopt sandboxing.
2. …
Posted by Chris Eng in RESEARCH, December 7, 2010 |
As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload.
In the realm of automated web application testing, today’s technologies fall into one of two categories, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). SAST analyzes application binaries or source code, detecting vulnerabilities by identifying insecure code paths without actually executing the program. In contrast, …
Posted by Chris Eng in RESEARCH, December 3, 2010 |
I created this video for an internal Veracode video contest. It’s intended to poke fun at the abundance of “thought leaders” we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it’s meant to satirize any particular person — sorry to disappoint, it’s just a composite. Enjoy!
Posted by Chris Eng in RESEARCH, September 27, 2010 |
Is anyone else getting tired of hearing excuses from customers — and worse yet, the security community itself — about how hard it is to fix cross-site scripting (XSS) vulnerabilities? Oh, come on. Fixing XSS is like squashing ants, but some would have you believe it’s more like slaying dragons. I haven’t felt inspired to write a blog post in a while, but every once in a while, 140 characters just isn’t enough. Grab your cup of coffee, because I may get a little rambly.
Easy to Fix vs. Easy to Eradicate
Let’s start with some terminology to …
Posted by Chris Wysopal in RESEARCH, September 27, 2010 |
When the Stuxnet worm that attacks Siemens SIMATIC systems was first discovered and made public, one of the first vulnerabilities found in the software was a hard-coded password. This allowed Stuxnet to steal project information from databases used by Siemens SIMATIC systems. Symantec researchers have found another vulnerability which allows Stuxnet to spread via project files used by the SIMATIC system, known as STEP7 projects. Stuxnet uses a variation of Insecure Library Loading or “Binary Planting”, which became news in late August but has been known about for a long time.
What …
Posted by Chris Wysopal in RESEARCH, September 22, 2010 |
A little over a week ago it was the 9th anniversary of the 9-11 attack against the US. The following day, September 12th, 2001, I was scheduled to testify before the US Senate Committee on Governmental Affairs for a hearing titled, “How Secure is Our Critical Infrastructure?” The hearing went on but no one outside of DC was able to get there in time.
The following is the written testimony we submitted. We talked about:
- the security of commercial software
- one of the first botnets
- the threat of consumer devices entering corporate environments
- application security
All are still major problems today. …