Melissa Elliott is an application security researcher who has been writing loud opinions from a quiet corner of the Veracode office for two years and counting. She enjoys yelling about computers on Twitter and can be bribed with white chocolate mocha.
Bash – the Unix shell – came out when I was fourteen months old. It was a replacement for a similar program that came out eleven years before I was born. By the time I was learning to read, it’d already had years to mature and stabilize. The very first time I ever sat down at a Linux prompt, bash was fifteen years old. It’s now… READ MORE
Stay up to date on Application Security
- Do Not Pass QA, Do Not Goto Fail: Catching Subtle Bugs In The ActFebruary 24, 2014 | Research
Bugs happen. Severe bugs happen. Catastrophic bugs happen. There's simply no way to know how, exactly, the Goto Fail Bug – a tiny mistake which happened to disable an entire step of SSL verification deep in Apple code – ended up getting written into sslKeyExchange.c and saved. What is clear is that the bug got through Apple's QA… READ MORE
What’s wrong with the following C code? char buf; scanf("%32s", buf); It’s a classic and easy to make off-by-one error, caused by the willy-nilly inconsistency of common C functions regarding whose responsibility the null terminator is and whether it’s included in a passed count of bytes. In this case, scanf() will read up to 32 bytes from… READ MORE
Everyone has had that dreaded experience: you open up the task manager on your computer... and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger… READ MORE
- Software Upgrade Hygiene: Stop Putting It Off, It Will Only Hurt MoreFebruary 5, 2013 | Research
Many years ago, you got your first job and bought your first car. It was a reasonable price, sturdy, and you made sure always to wear your seatbelt and not to break the posted speed limit too badly. It did its job and served you well as you went to college and started your career. Now, that car is quite old. The air conditioner broke three years ago and you just never got around to fixing it. It… READ MORE
The following post is about a beta software release, which may — and hopefully will — change. You know what they say about assuming... My faithful army of security-minded Twitter followers alerted me to a sudden change in the Ubuntu Linux distribution's 12.10 beta build that they found alarming: Amazon search had been integrated into the system search bar by default, so that, for example,… READ MORE
- How Sally Got Owned: An Illustrated Example of How Piracy Can Endanger Your Mobile DeviceJuly 19, 2012 | Research
Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but… READ MORE
- Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1May 29, 2012 | Research
No source code? No problem! That's the motto of the binary analyst. We at Veracode have pushed the limits of static analysis (studying a program's behavior without running it) to automatically detect and report security vulnerabilities in our customers' codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical uses: Uncovering the behavior of… READ MORE
Application Security Tool Kit
Love to learn about Application Security?
Get all the latest news, tips and articles delivered right to your inbox.
No thanks, back to the article please.