Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Guidelines for Setting Security Headers

IDawson's picture
By Isaac Dawson March 12, 2014  | Research 4

As part of our Alexa Top 1 Million Security Headers post series(Nov 2012 - Mar 2013 - Nov 2013,) it is not uncommon to have to go back and re-read specifications to determine which header values are valid. While there are numerous sites that detail the various headers and what they do, there isn't a central place that gives developers the information necessary to identify common mis-... READ MORE

Do Not Pass QA, Do Not Goto Fail: Catching Subtle Bugs In The Act

MElliott's picture
By Melissa Elliott February 24, 2014  | Research 5

687474703a2f2f692e696d6775722e636f6d2f6e454859716d532e706e67_0.png Bugs happen. Severe bugs happen. Catastrophic bugs happen. There's simply no way to know how, exactly, the Goto Fail Bug – a tiny mistake which happened to disable an entire step of SSL verification deep in Apple code – ended up getting written into sslKeyExchange.c and saved. What is clear is that... READ MORE

Cybercriminals Aimed at Supply Chain to Reach Their True “Target”

cwysopal's picture
By Chris Wysopal February 5, 2014  | Research

So far the Target breach has caused 15.3 million credit cards to be reissued, costing millions of dollars to credit card companies. The full scope of the breach is not yet fully understood or known, but new details are coming out almost daily. For example, an article in the Wall Street Journal recently disclosed that the cyber-criminals were able to access Target’s systems through a third-... READ MORE

A Tale of Two Compilers

MElliott's picture
By Melissa Elliott November 25, 2013  | Research

What’s wrong with the following C code? char buf[32]; scanf("%32s", buf); It’s a classic and easy to make off-by-one error, caused by the willy-nilly inconsistency of common C functions regarding whose responsibility the null terminator is and whether it’s included in a passed count of bytes. In this case, scanf() will read up to 32 bytes from... READ MORE

Veracode Picks for BlackHat 2013

CEng's picture
By Chris Eng July 29, 2013  | Research

Here we go again. BlackHat time. Where to Find Us Veracode will be exhibiting at Booth #238. Please stop by and see us! Our Picks As usual, a few of us on the Veracode Research team are sharing our picks for the most interesting talks. Some were picked by more than one of us but I've only listed them once to save space. It's cool to see more binary analysis talks making it on to the... READ MORE

What Happens When Companies Don’t Give Web App Security the Attention it Deserves

cwysopal's picture
By Chris Wysopal July 26, 2013  | Research 3

I recently blogged about Web-based threats finally getting the respect they deserve?, but a recent New York Times article reminds us what happens when companies don’t pay enough attention to this crucial area of security. The article, titled “Wall Street’s Exposure to Hacking Laid Bare” describes not only the damage done by the five men involved in a seven year hacking... READ MORE

Do We Want Military Secrets or Civilian Information Sharing?

cwysopal's picture
By Chris Wysopal June 25, 2013  | Research 4

Last month I gave a keynote at RVAsec in Richmond, VA on the topic of “The Future of Government Info Sharing”. The slides for my talk are available online. UPDATE: Video of keynote now available. The inspiration for my talk was the confluence of the DHS announcing their Enhanced Cybersecurity Services and the lack of information available about the root causes of major data breaches.... READ MORE

To Be a Secure Developer, Learn the Fundamentals

CEng's picture
By Chris Eng June 21, 2013  | Research 3

When I studied computer science in college, the curriculum wasn’t designed to teach all the different programming languages with the goal of becoming as “multi-lingual” as possible. Instead we focused on conceptual areas -- data structures, machine structures, algorithms, etc. The languages with which you chose to illustrate those concepts were secondary to the concepts... READ MORE

Executable Archaeology: The Case Of The Stupid Thing Eating All My RAM

MElliott's picture
By Melissa Elliott May 13, 2013  | Research 13

Everyone has had that dreaded experience: you open up the task manager on your computer... and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger... READ MORE

Web-based threats finally getting the respect they deserve?

cwysopal's picture
By Chris Wysopal April 23, 2013  | Research

The recently released Microsoft Security Intelligence Report shows that web-based propagation vectors have surpassed traditional malware propagation vectors as the largest threats to distributed network environments. While I agree with Microsoft’s assessment of the threat landscape, I don’t think this is anything new; it is just the current state of a long-running trend. Back in 2008... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu