The Weakest Link

KMunro's picture
By September 17, 2007

We spend a lot of time thinking about hackers and abuse cases. This article entitled "Who Needs Hackers" by John Schwartz of the New York Times talks about how flawed systems, the increasing complexity of systems, and even mergers and acquisitions can make computer systems unreliable. The rush to market can lead to not enough testing. Pressures to ship software and hardware quickly and to keep... READ MORE

Security Policy Without Enforcement Doesn't Work

cwysopal's picture
By Chris Wysopal September 13, 2007

One of my first "real" jobs in security back in the 90's was working as an IT security engineer for a government contractor and internet backbone provider. One of our tasks was finding people who bridged the internal network with the internet. We found one guy who had been running his own ecommerce business on our external network. He showed up on our scans because he had 2 network interfaces on... READ MORE

BlackHat 2007 Materials

CEng's picture
By Chris Eng August 28, 2007

Finally getting around to posting our materials from the talk that Chris Wysopal and I gave at BlackHat this year entitled "Static Detection of Application Backdoors." Here are the slide deck and the accompanying whitepaper: Static Detection of Application Backdoors (slides) Static Detection of Application Backdoors (whitepaper) Also, as a proof-of-concept, we had demonstrated using IDA Pro's... READ MORE

Cenzic Taking SPI to Court

CEng's picture
By Chris Eng August 21, 2007  | 6

RSnake blogged on this first but I can't help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they're getting litigious. The abstract from the patent reads as follows: A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure... READ MORE

Skype and Critical Mass

CEng's picture
By Chris Eng August 20, 2007

There's been a lot of blogging over the weekend about the 36-hour Skype outage that occurred starting last Thursday. From Skype's official explanation, it wasn't a security-related event -- in other words, Skype wasn't hacked. We have no reason to believe otherwise. However, security and availability are often discussed in the same breath, and lots of people will be speculating about the chain of... READ MORE

Backdoor Detection in the News

cwysopal's picture
By Chris Wysopal July 26, 2007 3

There has been some talk in the press lately about backdoors due to the recent court case where it was disclosed that federal agents planted a keystroke logger on a suspect’s computer using a trojan program. Many of the articles don’t report on the court case but raise the question as Declan McCullagh titles his article, “Will security firms detect police spyware?” You can see the security cat... READ MORE

A Security Issue with C++ Object Layouts

crioux's picture
By July 17, 2007 3

Type safety is a feature of numerous modern programming languages. C++ is not strict about type safety, and as a result, vulnerabilities may appear in programs in unexpected ways. Here's an example I recently discovered. Consider this structure: typedef struct _NOTIFYICONDATAA { DWORD cbSize; HWND hWnd; UINT uID; UINT uFlags; UINT uCallbackMessage; HICON hIcon; #if (... READ MORE

Chris Wysopal Interviewed by Christofer Hoff

cwysopal's picture
By Chris Wysopal June 26, 2007

A few days ago Christofer Hoff interviewed me on his blog. We talked about Veracode and the application security industry. Click here to read the interview: Take 5- Five Questions for Chris Wysopal, CTO Veracode   READ MORE

File Format Vulnerabilities On the Rise

CEng's picture
By Chris Eng May 31, 2007

Software flaws have become serious vulnerabilties for companies today, as the security measures have become much better along the perimeter. And it's not just the flaws in enterprise and ISV code -- even code written by major antivirus companies can be at risk. F-Secure just posted a couple security bulletins around vulnerabilities in their antivirus products. Of particular interest is a buffer... READ MORE

Binary Analysis Everywhere

MVanEmmerik's picture
By May 31, 2007

Analysis of binary files without access to the source code is becoming more prevalent in the last five years or so. Of course Java decompilers have been around almost as long as Java itself, but that’s not machine code. I’m talking about analysis of native machine code (x86 or PowerPC instructions), and not from object code (.o or .obj files), which have relocation and symbol information in them... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.