Melissa Elliott

Melissa Elliott is an application security researcher who has been writing loud opinions from a quiet corner of the Veracode office for two years and counting. She enjoys yelling about computers on Twitter and can be bribed with white chocolate mocha.

Posts by Melissa Elliott
  • Misfeatures Strike Again
    September 25, 2014  | Research

    Bash – the Unix shell – came out when I was fourteen months old. It was a replacement for a similar program that came out eleven years before I was born. By the time I was learning to read, it’d already had years to mature and stabilize. The very first time I ever sat down at a Linux prompt, bash was fifteen years old. It’s now…

  • Do Not Pass QA, Do Not Goto Fail: Catching Subtle Bugs In The Act

    Bugs happen. Severe bugs happen. Catastrophic bugs happen. There's simply no way to know how, exactly, the Goto Fail Bug – a tiny mistake which happened to disable an entire step of SSL verification deep in Apple code – ended up getting written into sslKeyExchange.c and saved. What is clear is that the bug got through Apple's QA…

  • A Tale of Two Compilers
    November 25, 2013  | Research

    What’s wrong with the following C code? char buf[32]; scanf("%32s", buf); It’s a classic and easy-to-make off-by-one error, caused by the willy-nilly inconsistency of common C functions regarding whose responsibility the null terminator is and whether it’s included in a passed count of bytes. In this case, scanf() will read up to 32 bytes from…

  • Executable Archaeology: The Case Of The Stupid Thing Eating All My RAM

    Everyone has had that dreaded experience: you open up the task manager on your computer... and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger…

  • Software Upgrade Hygiene: Stop Putting It Off, It Will Only Hurt More

    Many years ago, you got your first job and bought your first car. It was a reasonable price, sturdy, and you made sure always to wear your seatbelt and not to break the posted speed limit too badly. It did its job and served you well as you went to college and started your career. Now, that car is quite old. The air conditioner broke three years ago and you just never got around to fixing it. It…

  • Ubuntu Snafu: Privacy Is Hard, Let's Go Shopping

    The following post is about a beta software release, which may — and hopefully will — change. You know what they say about assuming... My faithful army of security-minded Twitter followers alerted me to a sudden change in the Ubuntu Linux distribution's 12.10 beta build that they found alarming: Amazon search had been integrated into the system search bar by default, so that, for example,…

  • How Sally Got Owned: An Illustrated Example of How Piracy Can Endanger Your Mobile Device

    Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but…

  • Between You and Me, This Isn't Private

    When you tap your life's details into the latest and greatest cloud-enabled mobile app, where does that information actually go? When you post on a website that claims you're anonymous, are you really? Hey, did you read the privacy policy for any of those services you're using? Do they even have a privacy policy? In the rush to play with new online services – which, admittedly, are often…

  • Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1

    No source code? No problem! That's the motto of the binary analyst. We at Veracode have pushed the limits of static analysis (studying a program's behavior without running it) to automatically detect and report security vulnerabilities in our customers' codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical uses: Uncovering the behavior of…
