How Boring Flaws Become Interesting

By Chris Eng January 20, 2009  | 7

One of the great challenges for consumers of static analysis products, particularly desktop tools, is dealing with the large flaw counts. You have to wade through the findings to decide what to fix and when, which can be a daunting task. At Veracode, we continuously update our analysis engine to aggressively reduce false positives, thereby enabling our customers to more efficiently triage their...

10th Anniversary of the Cyberspace Underwriters Laboratories

By Chris Wysopal January 13, 2009

It was 10 years ago this week that Tan from the L0pht wrote Cyberspace Underwriters Laboratories to describe a vision of third party testing and certification of computer hardware and software. Tan's vision got one step closer this week when CWE and SANS issued the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors. Finally there is consensus about what the worst software security flaws are....

CWE/SANS Top 25 Most Dangerous Programming Errors

By Chris Wysopal January 12, 2009 3

Today is a very exciting day for software security. The CWE/SANS Top 25 Most Dangerous Programming Errors is being released. I was one of the 41 contributors to the Top 25 Errors. The list of possible programming errors that can end up causing a vulnerability in an application is immense. The MITRE Common Weakness Enumeration (CWE) has grown to 700 entries. They are all valid programming errors...

Anti-Debugging Series - Part III

By Tyler Shields January 7, 2009  | 5

It's time for part three in the Anti-Debugging Series. With this post we will stay in the realm of "API based" anti-debugging techniques but go a bit deeper into some techniques that are more complex and significantly more interesting. Today we will analyze one method of detecting an attached debugger, and a second method that can be used to detach a debugger from our running process. Advanced...

Tallying Twitter's Application Security Best Practice Violations

By Chris Eng January 7, 2009 3

If you were paying attention the last few days, you've probably read about the wave of attacks launched against the popular Twitter service. It started over the weekend, with a series of phishing attacks sent to unsuspecting Twittizens via Direct Message. Then, on Monday morning, Fox News announced Bill O'Riley (sic) was gay, CNN anchor Rick Sanchez tweeted that he was high on crack, and the...

Anti-Debugging Series - Part II

By Tyler Shields December 30, 2008  | 5

Welcome back to the series on anti-debugging. Hopefully you have your debugger and development environment handy as we are about to dive into the first round of anti-debugging code. In the first post to this series we discussed six different types of anti-debugging techniques that are in common use today. To refresh, the classification buckets that we chose to use are: API Based Anti-Debugging...

Major Break in MD5 Signed X.509 Certificates

By Chris Wysopal December 30, 2008

Jacob Appelbaum and Alexander Sotirov just gave a presentation at the Chaos Communication Congress in Germany. They have implemented a practical MD5 collision attack on X.509 certificates. All major browsers accept MD5 signatures on certs even though it has been shown to have the collision problem for almost 2 years now. If you can generate your own X.509 certificates you can perform perfect...

Anti-Debugging Series - Part I

By Tyler Shields December 2, 2008

For those that don't know, anti-debugging is the implementation of one or more techniques within computer code that hinders attempts at reverse engineering or debugging a target process. Typically this is achieved by detecting minute differences in memory, operating system, process information, latency, etc. that occur when a process is started in or attached to by a debugger compared to when it...

News Report on Non Vulnerability in Windows Vista

By Chris Wysopal November 20, 2008

Are editors so excited to use the headline "Vulnerability in Windows Vista" in their SEO URLs that they will have their reporters write a story on a non-issue? IDG News has published a news report titled, "Researchers find vulnerability in Windows Vista". The report says: An Austrian security vendor has found a vulnerability in Windows Vista that it says could possibly allow an attacker to run...

Credit for Researchers

By Chris Wysopal November 13, 2008

Computer security researchers are much like scientific researchers in several ways. We build on the research of those who come before us, we sometimes rediscover the same things independently, and other times we forget where we learned things and sometimes claim them as our own. We also occasionally take an engineer's approach and implement research discovered by others and not credit them as it'...
