What If All Vulnerabilities Had This Disclosure Timeline?

By Chris Wysopal, February 6, 2008

There is a heap overflow vulnerability in RealPlayer 11 build It allows for code execution when RealPlayer opens a malicious song file.

Timeline:
Dec 16, 2007: Gleg customers notified of the vulnerability and given exploit code
Jan 1, 2008: Public disclosure (no details) with an online demonstration
Feb 6, 2008: Vulnerability still not patched

It's not your typical disclosure timeline....

New Unit of Reviewed Code Quality

By Chris Wysopal, February 5, 2008

Now I can finally tell my non-technical friends and family what Veracode does. We offer a globally accessible, on-demand, automated version of WTF reporting. However, since our technology is automated, we report quality in kiloWTF/sec.

Binary Analysis Seminar At UC Berkeley

By Chris Wysopal, February 1, 2008

On February 14th, Dawn Song of UC Berkeley held a seminar on binary analysis: TRUST Seminar: BitBlaze: a Binary-centric Approach to Computer Security. The seminar was open to the public. Binary analysis is imperative for protecting COTS (common off-the-shelf) programs and for analyzing and defending against the myriad of malicious code, where source code is unavailable and the binary may even be...

Unencrypted/Unauthenticated Wireless Control Systems Are a Very Bad Idea

By Chris Wysopal, January 11, 2008

A Polish teenager derailed a tram after building his own remote control to hack the control system. Best quote: "Transport command and control systems are commonly designed by engineers with little exposure or knowledge about security using commodity electronics and a little native wit."

Overcoming Bias: The Affect Heuristic

By Chris Wysopal, January 3, 2008

This article on the affect heuristic was posted to the Security Metrics mailing list (highly recommended). I think it is important for people who are reporting on the potential risks of a system to understand this psychological phenomenon. It shouldn't be dismissed as simply "people are irrational and don't understand statistics." People believe that benefit and risk are intertwined. They think a...

Squirreling Backdoors Into Distribution Points

By Chris Eng, December 19, 2007

So it seems that SquirrelMail 1.4.11 and 1.4.12 were recently backdoored. Similar to some high-profile backdoors in the past, this was done by modifying the distribution tarball on rather than infiltrating the source code repository [1]. In this case, the backdoor was detected when a user noticed that the MD5 published on SquirrelMail's website didn't match the MD5 calculated from the SourceForge...

Boston/Cambridge InfoSecurity Events

By Chris Wysopal, December 18, 2007

Software Security Weaknesses - Avoiding and Testing: Bob Martin is giving a talk tonight at the Boston Software Process Improvement Network (SPIN) meeting on "Software Security Weaknesses - Avoiding and Testing". The meeting is at MITRE in Bedford, in the basement conference center of M-Building (the one next to the parking garage). Pizza and discussion at 6pm, talk at 7:10pm. It's open to anyone....

Risk vs Vulnerability

By Chris Wysopal, December 18, 2007

George Ou has an interesting analysis of Microsoft OS vs. Apple OS vulnerability counts. Anything comparing the security of these two companies becomes controversial. I think that any analysis of vulnerability counts should include a paragraph on risk vs. vulnerabilities to defuse the Mac fanboys. I might be able to leave my back door safely unlocked (a vulnerability) in the suburbs of Boston in...

Thought Exercise: Automated Vulnerability Creation

By Chris Eng, November 15, 2007

A few of us were hanging out in the Veracode kitchen the other day and got to discussing the idea of programmatically injecting vulnerabilities into software. This is essentially the opposite of the problem that most security vendors, including ourselves, are trying to solve -- that is, detecting vulnerabilities. Clearly there's not much business value in making software less safe, though you...

Veracode Makes 10 IT Security Companies to Watch

By Chris Wysopal, October 16, 2007

Network World has named Veracode to their 10 IT Security Companies to Watch. Sim Simeonov has some commentary on this in his blog.
