Melissa Elliott

Melissa Elliott is an application security researcher who has been writing loud opinions from a quiet corner of the Veracode office for two years and counting. She enjoys yelling about computers on Twitter and can be bribed with white chocolate mocha.
Posts by Melissa Elliott

Misfeatures Strike Again

September 25, 2014  | Research

Bash – the Unix shell – came out when I was fourteen months old. It was a replacement for a similar program that came out eleven years before I was born. By the time I was learning to read, it’d already had years to mature and stabilize. The very first time I ever sat down at a Linux prompt, bash was fifteen years old. It’s now twenty-five. From...

Do Not Pass QA, Do Not Goto Fail: Catching Subtle Bugs In The Act

February 24, 2014  | Research

Bugs happen. Severe bugs happen. Catastrophic bugs happen. There's simply no way to know how, exactly, the Goto Fail Bug – a tiny mistake which happened to disable an entire step of SSL verification deep in Apple code – ended up getting written into sslKeyExchange.c and saved. What is clear is that the bug got...
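The shape of the mistake that post is about, as an added reduced reproduction (this is not code from the post or from Apple's sslKeyExchange.c): a duplicated, unindented `goto fail;` turns every check after it into dead code while `err` still holds the success value from the last check that did run. The `step_ok`/`step_fails` stubs are assumptions standing in for the real hash-update calls; the fixed form simply braces each `if` body so a stray line cannot silently become unconditional.

```c
#include <stdio.h>

/* Added example, not the original post's code: a reduced reproduction of
 * the goto-fail pattern. Each step returns 0 on success and nonzero on
 * failure, as the SecureTransport helpers did. The two stubs below are
 * assumptions standing in for the real hash-update calls. */

static int step_ok(void)    { return 0; }
static int step_fails(void) { return -1; }

/* Vulnerable form: the second "goto fail;" is not inside the if, so it
 * always jumps. The following check (the one that would fail) is never
 * executed, and err is still 0 (success) when the function returns. */
int verify_with_duplicated_goto(void)
{
    int err;
    if ((err = step_ok()) != 0)
        goto fail;
        goto fail;                    /* duplicated line: unconditional jump */
    if ((err = step_fails()) != 0)    /* unreachable: never runs */
        goto fail;
fail:
    return err;
}

/* Fixed form: braces make the body of each if explicit, so a duplicated
 * line inside the braces is a harmless repeat and one outside them is
 * obviously out of place; the failing check now runs and is reported. */
int verify_fixed(void)
{
    int err;
    if ((err = step_ok()) != 0) {
        goto fail;
    }
    if ((err = step_fails()) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    printf("duplicated goto reports err=%d (0 means 'verified')\n",
           verify_with_duplicated_goto());
    printf("fixed version reports err=%d\n", verify_fixed());
    return 0;
}
```

Build the vulnerable function with unreachable-code warnings enabled (clang's `-Wunreachable-code`, for instance) and the dead check is flagged; that is the kind of mechanical catch the post's title refers to, and it costs nothing to keep turned on in CI.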

A Tale of Two Compilers

November 25, 2013  | Research

What’s wrong with the following C code? char buf[32]; scanf("%32s", buf); It’s a classic, easy-to-make off-by-one error, caused by the willy-nilly inconsistency of common C functions regarding whose responsibility the null terminator is and whether it’s included in a passed count of bytes. In this case, scanf() will read up to 32 bytes from...
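To make the off-by-one concrete, here is an added example (not code from the original post) that measures how many bytes a `%Ns` conversion actually stores. It runs `sscanf` into a sentinel-filled scratch area that is deliberately larger than any width used, so the measurement itself never overflows, then counts the overwritten bytes. The 40-character input is constructed for the example; `bytes_written_by_scanf` and `scanf_width_fits` are names chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original post: show that a field width
 * of N in "%Ns" stores N characters PLUS a terminating NUL, so it needs
 * N + 1 bytes of storage. The width counts characters, not bytes written. */

#define SCRATCH_SIZE 64
#define SENTINEL 0xAA   /* byte value that cannot appear in the test input */

/* Constructed input for the example: len 'A' characters, NUL-terminated. */
static void make_input(char *out, size_t len)
{
    memset(out, 'A', len);
    out[len] = '\0';
}

/* Run sscanf with the given "%Ns" conversion into a sentinel-filled
 * scratch area large enough for any width used here (so this measurement
 * never overflows), then count how many bytes sscanf overwrote. */
size_t bytes_written_by_scanf(const char *fmt)
{
    char input[41];
    unsigned char scratch[SCRATCH_SIZE];
    size_t n = 0;

    make_input(input, 40);               /* longer than any width we test */
    memset(scratch, SENTINEL, sizeof scratch);
    if (sscanf(input, fmt, (char *)scratch) != 1)
        return 0;
    while (n < SCRATCH_SIZE && scratch[n] != SENTINEL)
        n++;
    return n;                            /* characters stored plus the NUL */
}

/* The rule the post's snippet breaks: "%Ns" is safe for a buffer of
 * bufsize bytes only when N + 1 <= bufsize. For char buf[32], use "%31s". */
int scanf_width_fits(size_t width, size_t bufsize)
{
    return width + 1 <= bufsize;
}

int main(void)
{
    printf("%%32s writes %zu bytes; %%31s writes %zu bytes\n",
           bytes_written_by_scanf("%32s"), bytes_written_by_scanf("%31s"));
    printf("char buf[32]: %%32s fits=%d, %%31s fits=%d\n",
           scanf_width_fits(32, 32), scanf_width_fits(31, 32));
    return 0;
}
```

With the post's `char buf[32]` and `"%32s"`, the call stores 33 bytes: 32 characters and the NUL that lands one past the end of the array. `"%31s"` is the correct width for a 32-byte buffer; the same width-plus-one rule applies wherever `%s` takes a field width, which is the inconsistency with functions like `fgets` (where the count includes the terminator) that the post is complaining about.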

Executable Archaeology: The Case Of The Stupid Thing Eating All My RAM

May 13, 2013  | Research

Everyone has had that dreaded experience: you open up the task manager on your computer... and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger...

Software Upgrade Hygiene: Stop Putting It Off, It Will Only Hurt More

February 5, 2013  | Research

Many years ago, you got your first job and bought your first car. It was a reasonable price, sturdy, and you made sure always to wear your seatbelt and not to break the posted speed limit too badly. It did its job and served you well as you went to college and started your career. Now, that car is quite old. The air conditioner broke three years ago and you just never got around to fixing it. It...

Ubuntu Snafu: Privacy Is Hard, Let's Go Shopping

September 25, 2012  | Research

The following post is about a beta software release, which may — and hopefully will — change. You know what they say about assuming... My faithful army of security-minded Twitter followers alerted me to a sudden change in the Ubuntu Linux distribution's 12.10 beta build that they found alarming: Amazon search had been integrated into the system search bar by default, so that, for example,...

How Sally Got Owned: An Illustrated Example of How Piracy Can Endanger Your Mobile Device

July 19, 2012  | Research

Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but...

Between You and Me, This Isn't Private

July 11, 2012  | Research

When you tap your life's details into the latest and greatest cloud-enabled mobile app, where does that information actually go? When you post on a website that claims you're anonymous, are you really? Hey, did you read the privacy policy for any of those services you're using? Do they even have a privacy policy? In the rush to play with new online services – which, admittedly, are often...

Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1

May 29, 2012  | Research

No source code? No problem! That's the motto of the binary analyst. We at Veracode have pushed the limits of static analysis (studying a program's behavior without running it) to automatically detect and report security vulnerabilities in our customers' codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical uses: Uncovering the behavior of...
