So it seems that SquirrelMail 1.4.11 and 1.4.12 were recently backdoored. Similar to some high-profile backdoors in the past, this was done by modifying the distribution tarball on rather than infiltrating the source code repository [1]. In this case, the backdoor was detected when a user noticed that the MD5 published on SquirrelMail’s website didn’t match the calculated MD5 from the SourceForge distribution.

Since the SVN repository remained intact, we can’t go back and examine the backdoor in detail. However, we do have a newsgroup posting that sheds a little light on the …

We were more than pleased to read a new report by John Pescatore of Gartner recommending that security managers adopt the use of the Common Vulnerability Scoring System (CVSS) to support more repeatable, fast-acting vulnerability management processes.

This recommendation backs up the decision made by our CTO, Chris Wysopal, more than a year ago to adopt the CVSS standard as a part of the Veracode rating system.

Another interesting recommendation in the report is: “Enterprieses should ensure that processes are in place to detect, assess, and manage each software vulnerability class.” You’ll need a combination of static, dynamic and …

Earlier this week, I attended the first PCI Community Meeting in Toronto, a gathering organized by the PCI Security Standards Council to bring QSAs, ASVs, and other PCI stakeholders together in one room with the PCI Council. Let’s be honest here — in the security industry, discussing regulatory compliance is about as dull as it gets. On the other hand, compliance is also a major catalyst, sometimes the only catalyst, in convincing organizations to improve their security posture, so it’s important to understand. As might be expected, I focused my attention on the sessions dealing with …

Network World recently published an article entitled Cisco says FTP feature in IOS is a hacker backdoor. The opening paragraph reads as follows:

Cisco says a flaw in the FTP server utility in its IOS router/switch software could be used as a backdoor by attackers.

Do you see the discrepancy? The opening statement is inconsistent with the title of the article. Are they saying that the flaw could be used as a backdoor, or that the flaw itself is a backdoor?

Any vulnerability that is remote, pre-authentication, and trivial to exploit could be used as a backdoor …

[Today we have our first guest blog entry from Elfriede Dustin. Elfriede is a co-author of "The Art of Software Security Testing" and has written a few books on software testing, most notably, "Automated Software Testing" published by Addison-Wesley in 1999. We have heard plenty from security experts on how to fix the software development process to produce more secure software. Elfriede brings a QA practitioners viewpoint. I'd like to hear more from the testing community on this topic. - Chris Wysopal]

The Software Trustworthiness Framework (STF©)
by Elfriede Dustin

Recently I presented the topic “Automated Software Testing” at …