Recent events suggest that the biggest threat to users of the emerging Internet of Things won’t be buffer overflows or SQL injection, but the pesky “ethical bypass” – legal, but ethically murky efforts by private firms and governments to exploit individuals’ data.
Today marks a special day: the first post in our new series, “Application Security Education Spotlight”. In this series we will highlight the exciting world of application security education and hear the perspectives of university faculty across the nation. For our first interview we caught up with Oklahoma State University professor Jim Burkman. At the OSU Spears School of Business, Jim’s main area of research is Information Assurance and Security. Dr. Burkman has his PhD from Indiana University, years of experience in the field, and recently advised the OSU Information Security and Assurance Club on its way to the National Collegiate Cyber Defense Competition.
Last month I gave a keynote at RVAsec in Richmond, VA on the topic of “The Future of Government Info Sharing”. The slides for my talk are available online.
The inspiration for my talk was a confluence of two things: the DHS announcing its Enhanced Cybersecurity Services and the lack of information available about the root causes of major data breaches. To me, these signaled that information sharing is headed in the wrong direction.
Are you a Veracode customer? If so, this post is for you! Our services team is excited to announce a brand new monthly contest we’ll be running, aimed at rewarding you for working hard and taking steps to improve your application security posture. Beginning this month, we will be evaluating your usage of our platform and the improvements you make to your AppSec program, and if you do a great job you might be in line for a prize.
When I studied computer science in college, the curriculum wasn’t designed to teach all the different programming languages with the goal of becoming as “multi-lingual” as possible. Instead we focused on conceptual areas — data structures, machine structures, algorithms, etc. The languages with which you chose to illustrate those concepts were secondary to the concepts themselves. I believe most leading research universities emphasize concepts over mechanics in a similar fashion.
2010 was a big year for vendor bug bounty programs. Google announced its program in January with a bounty of $1,337 for high-severity security bugs in its Chrome browser. Then in July Mozilla sextupled its bounty to $3,000, and the Google program went from “Leet” to “Elite” with an increase of its bounty to $3,133.70. Sensing a trend, and feeling that vendor bug bounties “had arrived”, the Veracode research team made one of our 2011 Predictions that Microsoft would jump on the bandwagon too.
Microsoft’s decision to institute a bounty program for software vulnerabilities is historic – but for all the wrong reasons.
What comes to mind when I say the name “Pumpsie Green”? Nothing? OK. How about “Jackie Robinson”?
OpenColleges.edu recently produced this great interactive graphic on internet safety. The graphic has a lot of information on some of the most widespread internet threats to your children including cyber bullying, identity theft, and computer viruses. In addition the graphic covers the topic of plagiarism and goes on to promote general internet safety tips for all circumstances. The graphic comes out of Australia so many of the recommended resources are based down under but a quick Google search should turn up resources in your respective countries.
OWASP released its oft-cited Top 10 list of web application vulnerabilities. But maybe we’d be better with an OWASP Top 1!
OWASP – The Open Web Application Security Project – released its official OWASP Top 10 list for 2013 on Wednesday – the first major update to the oft-cited list of common web application vulnerabilities in three years.
The rise of BYOD-friendly workplaces means employees are now downloading personal apps onto devices that have access to corporate as well as private data. It is not uncommon for useful and seemingly harmless applications to be designed to perform tasks that are unrelated and unnecessary to the advertised function of the app.