Obama to Pick New Cyber Czar

By Chris Wysopal May 28, 2009

It has been announced that President Obama will pick his new cyber czar tomorrow. This will likely be a position reporting to the National Security Advisor, similar to Richard Clarke's position under President Clinton. This position will be critical for organizing the government's fragmented information security efforts, both for the government sector and the country's infrastructure, which is...

But That's Impossible!

By Chris Eng May 19, 2009  | 25

In lieu of actual technical content, and inspired by Jeremiah's blog post, 8 reasons why website vulnerabilities are not fixed, I started thinking about all the different manifestations of reason #8, "No one at the organization knows about, understands, or respects the issue." I polled the Veracode research group, most of whom have been security consultants at one time or another, and asked them...

Best Practice: Consider External Data Feeds Untrusted

By Chris Eng May 4, 2009  | 3

If you visit this article on the New York Times website, you'll get immediately redirected to the website containing the original content of the article. [UPDATE: they fixed it, so it won't redirect you anymore] Why does this happen, you ask? Apparently the New York Times ingests various third-party news feeds, wraps the article in the New York Times template, and serves it up. Here's...

Decoding the Verizon DBIR 2009 Cover

By Chris Eng April 27, 2009  | 9

As you probably know by now, the pattern of 1s and 0s on the cover of the 2009 Verizon Data Breach Investigations Report contains a hidden message. I decided to give it a whirl and eventually figured it out. No doubt plenty of people managed to beat me to it, as evidenced by the fact that I didn't get my solution in early enough to win the cash prize -- but so far, I haven't seen anybody write up...

Panel: Source Code vs. Binary Code Analysis

By Chris Eng April 20, 2009

If you're at RSA this week, be sure to check out this panel discussion, featuring Veracode's Chris Wysopal along with Jerry Archer, Mary Ann Davidson, and Brian Chess. Abstract as follows: The growth of Web 2.0 has highlighted two significant trends in application security. First, as the network has hardened, attacks against applications have dramatically increased. Second, an explosion in use of...

Failing to Check Error Conditions Could Get You Sued

By Chris Eng March 30, 2009

The Ontario Lottery and Gaming Corp. is in a bit of hot water after refusing to pay a $42.9 million jackpot: According to the statement, Kusznirewicz was playing an OLG slot machine called Buccaneer at Georgian Downs in Innisfil, Ont., on Dec. 8 when it showed he had won $42.9 million. When the machine's winning lights and sounds were activated, an OLG floor attendant initially told Kusznirewicz...

SOURCE Boston Conference Was a Blast

By Chris Wysopal March 16, 2009

I had a great time at the SOURCE Boston conference last week. Veracode was a sponsor and a few Veracoders participated as advisory members or volunteers. I had the pleasure, along with Chris Eng, of presiding over the application security track. I think all the talks were of high quality but still a few stood out for me: Dino Dai Zovi on Mac OS Xploitation. Dino showed how to exploit a quicktime...

Anti-Debugging Series - Part IV

By Tyler Shields February 27, 2009  | 5

In this final part of the anti-debugging series we're going to discuss process and thread block based anti-debugging. Processes and threads must be maintained and tracked by the operating system. In user space, information about the processes and threads is held in memory in structures known as the process information block (PIB), process environment block (PEB) and the thread information block...

How To Protect Your Users From Password Theft

By Chris Eng January 26, 2009  | 11

Monster.com recently disclosed yet another major breach that compromised the personal data of over 1.3 million users. This is not unlike the previous breach in August 2007, though the attack vector was likely different. From a notice on their website (emphasis mine): We recently learned our database was illegally accessed and certain contact and account data were taken, including Monster user IDs...

How Boring Flaws Become Interesting

By Chris Eng January 20, 2009  | 7

One of the great challenges for consumers of static analysis products, particularly desktop tools, is dealing with the large flaw counts. You have to wade through the findings to decide what to fix and when, which can be a daunting task. At Veracode, we continuously update our analysis engine to aggressively reduce false positives, thereby enabling our customers to more efficiently triage their...