Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.
- WordPress 2.5 Cookie Forging Explained
WordPress 2.5.1 came out recently. It includes a critical security fix for a cookie integrity bug that would allow an attacker to impersonate other users, including WordPress admins, by manipulating the contents of an HTTP cookie. Whenever I read about a vulnerability predicated on the user identity being embedded into a client-side token (as opposed to a pseudorandom session identifier), I like… READ MORE
- Obama XSS Silliness
Apparently the security blunder of the weekend goes to the Barack Obama campaign for having XSS vulnerabilities throughout their website. There's no need for me to rehash the story, you can read other articles that describe what happened. My thoughts on the matter are as follows: I wish the media wouldn't refer to this as "hacking Obama's website" because it's not… READ MORE
- Not a CISSP
One of my favorite pieces of swag from RSA was this "Not a CISSP" button that was pinned onto me by none other than Sinan Eren as I was chatting with Justine Aitel at the Immunity booth. Actually, there should have been a prize awarded just for finding the Immunity booth -- they were subletting another vendor's space for a few hours at a time, so one minute they'd be there and the next they were… READ MORE
- WAF Better Than Code Review? Not Really.
I was just reading an article discussing the timeframe for upcoming revisions to the PCI-DSS. Nothing quite so exciting as reading about a compliance roadmap, right? This article reminded us about PCI Section 6.6 becoming mandatory in June 2008, with additional guidance and clarification coming in May (hey, a whole month to prepare!). As a refresher, 6.6 says that web applications must be… READ MORE
- New Attack Class: XSNADOR
Recently making the rounds is this hack against the Facebook Moods application, currently installed by over 84,000 users. By manipulating the fb_sig_user parameter, it’s possible to alter the mood of any user who has the application enabled. Though this is just another manifestation of an authorization bypass issue, the security community should coin a new buzzword to describe these types of… READ MORE
- Squirreling Backdoors Into Distribution Points
So it seems that SquirrelMail 1.4.11 and 1.4.12 were recently backdoored. Similar to some high-profile backdoors in the past, this was done by modifying the distribution tarball on rather than infiltrating the source code repository. In this case, the backdoor was detected when a user noticed that the MD5 published on SquirrelMail's website didn't match the calculated MD5 from the SourceForge… READ MORE
- Thought Exercise: Automated Vulnerability Creation
A few of us were hanging out in the Veracode kitchen the other day and got to discussing the idea of programmatically injecting vulnerabilities into software. This is essentially the opposite of the problem that most security vendors, including ourselves, are trying to solve -- that is, detecting vulnerabilities. Clearly there's not much business value in making software less safe, though you… READ MORE
- PCI Extends Its Reach to Application Security
Earlier this week, I attended the first PCI Community Meeting in Toronto, a gathering organized by the PCI Security Standards Council to bring QSAs, ASVs, and other PCI stakeholders together in one room with the PCI Council. Let's be honest here -- in the security industry, discussing regulatory compliance is about as dull as it gets. On the other hand, compliance is also a major catalyst,… READ MORE
- BlackHat 2007 Materials
Finally getting around to posting our materials from the talk that Chris Wysopal and I gave at BlackHat this year entitled "Static Detection of Application Backdoors." Here are the slide deck and the accompanying whitepaper: Static Detection of Application Backdoors (slides) Static Detection of Application Backdoors (whitepaper) Also, as a proof-of-concept, we had demonstrated using IDA Pro's… READ MORE
- Cenzic Taking SPI to Court
RSnake blogged on this first but I can't help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they're getting litigious. The abstract from the patent reads as follows: A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure… READ MORE