Happy Friday all! Spring has sprung, bringing warm weather to the Boston area along with some hot topics in the application security world:
Veracode at Black Hat Europe: Chris Wysopal recently presented at Black Hat Europe. Chris’s presentation, titled ‘Data Mining a Mountain of Zero Day Vulnerabilities’, explored the most common software security flaws as seen by the Veracode Platform. Contact us or Tweet us to get a copy of the slides.
Android Security: “Is Google confused about Android Security?” by Tim Armstrong (@Securelist). In this blog post Tim Armstrong recounts a strange experience he had with Android’s Ice Cream Sandwich email client, where he was unable to open a .zip attachment because it “might contain malicious software.” Tim was intrigued by this and decided to put this new security measure to the test. The article offers a good look at the efforts Google is making towards mobile application security and where the new policies still fall short.
Enterprise App Sec: “Application Security Processes Not Implemented at Many Enterprises, Survey” by Brian Prince (@brianhprince). In this article Brian Prince takes a look at the (alarming) results of an application security survey recently conducted by Security Innovation and the Ponemon Institute. As it turns out, a vast majority of software developers and security specialists are still not building security measures into their applications, and nearly half of those surveyed are not required to fix vulnerable code. This has resulted in over half of the surveyed population having experienced one to ten data breaches each in the past two years. Additionally, the survey determined that SQL injection and exploited vulnerable code are the most common causes of data breaches. Read the full article for more input from Brian and Ponemon Institute CEO Larry Ponemon.
Verizon Data Breach Investigation Report: This week saw the release of Verizon’s 2012 DBIR, an annual report focused on the current state of data security. There is a whole lot to take in here, so I’m going to recommend you read Chris Wysopal’s (@WeldPond) application security-focused overview of the report, the “Verizon Data Breach Investigative Report 2012 – Application Security Specific Highlights” post from this very blog. The post lists the hacking methods most commonly used in breaches against large and small organizations, and also lists the top 10 threat action types against larger organizations. Additionally, Wysopal summarizes the key focus areas that represent the largest opportunities to reduce exposure to loss.
If you’d like to take a broader look at the DBIR, I’d suggest Rich Mogull’s (@rmogull) article, “How to Read and Act on the 2012 Verizon Data Breach Investigations Report (DBIR).” This blog post is a great guide for those who would like to get the most out of reading the report. Rich offers advice for what to keep in mind while reading the report, his interpretation of some of the most common trends found within, and a look at how readers should act on the report’s key takeaways.
iOS Application Security: “34 iOS app makers at center of congressional inquiry on data collection practices” by Jennifer Van Grove (@jbruin). Apple may have recently updated their privacy policies, but iOS app developers are not out of the woods yet. Last week 34 social app companies were contacted by the Energy and Commerce Committee in an attempt to shine some light on the recent data privacy concerns that arose when it was discovered that many apps were sending user data to external servers. The ECC is trying to determine exactly what user information is being stored, how it is used, and what policies are in place for storage and usage. Check out the full article for more details and a copy of the letter sent by the ECC.
Finally, if you are still concerned about which of your iOS apps may be sharing your information, check out Mark Kriegsman’s AdiOS app, a free tool that scans your installed iOS apps and reports on which are capable of accessing personal info.