<?xml version="1.0" encoding="UTF-8"?><!-- generator="WordPress/2.7.1" -->
<rss version="0.92">
<channel>
	<title>Zero in a bit</title>
	<link>http://www.veracode.com/blog</link>
	<description>Application security testing, analysis, and metrics</description>
	<lastBuildDate>Tue, 30 Jun 2009 15:06:18 +0000</lastBuildDate>
	<docs>http://backend.userland.com/rss092</docs>
	<language>en</language>
	
	<item>
		<title>The Mobius Defense – An Impetus for Application Security</title>
		<description>The “Mobius Defense” is a somewhat novel defense model proposed by Pete Herzog, founder of ISECOM and lead author of the Open Source Security Testing Methodology Manual (OSSTMM). Before continuing to read the following post I suggest you take a few minutes and breeze through the slide deck linked here. ...</description>
		<link>http://www.veracode.com/blog/2009/06/the-mobius-defense-%e2%80%93-an-impetus-for-application-security/</link>
	</item>
	<item>
		<title>Mystery of Donkey Kong Kill Level Solved</title>
		<description>It was an integer overflow.

I guess it is never too late to fix a bug.  Don Hodges used the old video game firmware and a MAME machine to debug and fix a problem which has kept expert Donkey Kong players from ever getting past level 22.  If you ...</description>
		<link>http://www.veracode.com/blog/2009/06/mystery-of-donkey-kong-kill-level-solved/</link>
	</item>
	<item>
		<title>Even Government Censors Demand Secure Software</title>
		<description>As of July 1, all personal computers sold in China must be pre-installed with content filtering software called Green Dam.  The officially stated goal is to protect children from online pornography, but naturally, the technology will also serve to "protect" viewers from offensive text and images such as politically ...</description>
		<link>http://www.veracode.com/blog/2009/06/even-government-censors-demand-secure-software/</link>
	</item>
	<item>
		<title>Vulnerability in Virtualization App Wipes Out 100,000 Sites</title>
		<description>Vaserve, a UK webhosting company, says that 100,000 of its customer sites were wiped out in what looks like a zero day attack on HyperVM, a virtualization application they used.  HyperVM was a product of lxlabs.

I checked out the lxlabs product documentation and website and could not find ...</description>
		<link>http://www.veracode.com/blog/2009/06/vulnerability-in-virtualization-app-wipes-out-100000-sites/</link>
	</item>
	<item>
		<title>Obama to Pick New Cyber Czar</title>
		<description>It has been announced that President Obama will pick his new cyber czar tomorrow.  This will likely be a position reporting to the National Security Advisor, similar to Richard Clarke's position under President Clinton.

This position will be critical for organizing the government's fragmented information security efforts, both for the ...</description>
		<link>http://www.veracode.com/blog/2009/05/obama-to-pick-new-cyberczar/</link>
	</item>
	<item>
		<title>But That&#8217;s Impossible!</title>
		<description>In lieu of actual technical content, and inspired by Jeremiah's blog post, 8 reasons why website vulnerabilities are not fixed, I started thinking about all the different manifestations of reason #8, "No one at the organization knows about, understands, or respects the issue."  

I polled the Veracode research group, ...</description>
		<link>http://www.veracode.com/blog/2009/05/but-thats-impossible/</link>
	</item>
	<item>
		<title>Best Practice: Consider External Data Feeds Untrusted</title>
		<description>If you visit this article on the New York Times website, you'll get immediately redirected to the website containing the original content of the article.  [UPDATE: they fixed it, so it won't redirect you anymore]

Why does this happen, you ask?  Apparently the New York Times ingests various third-party ...</description>
		<link>http://www.veracode.com/blog/2009/05/best-practice-consider-external-data-feeds-untrusted/</link>
	</item>
	<item>
		<title>Decoding the Verizon DBIR 2009 Cover</title>
		<description>As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message.  I decided to give it a whirl and eventually figured it out.  No doubt plenty of people managed to beat me ...</description>
		<link>http://www.veracode.com/blog/2009/04/decoding-the-dbir-2009-cover/</link>
	</item>
	<item>
		<title>Panel: Source Code vs. Binary Code Analysis</title>
		<description>If you're at RSA this week, be sure to check out this panel discussion, featuring Veracode's Chris Wysopal along with Jerry Archer, Mary Ann Davidson, and Brian Chess.  Abstract as follows:

The growth of Web 2.0 has highlighted two significant trends in application security. First, as the network has hardened, ...</description>
		<link>http://www.veracode.com/blog/2009/04/panel-source-code-vs-binary-code-analysis/</link>
	</item>
	<item>
		<title>Failing to Check Error Conditions Could Get You Sued</title>
		<description>The Ontario Lottery and Gaming Corp. is in a bit of hot water after refusing to pay a $42.9 million jackpot:

According to the statement, Kusznirewicz was playing an OLG slot machine called Buccaneer at Georgian Downs in Innisfil, Ont., on Dec. 8 when it showed he had won $42.9 million.

When ...</description>
		<link>http://www.veracode.com/blog/2009/03/failing-to-check-error-conditions-could-get-you-sued/</link>
	</item>
</channel>
</rss>
