Archive for the ‘Application Security’ Category
September 26, 2010
We all know how Adobe has beaten Microsoft in the number of security vulnerabilities and joined Microsoft’s patch-reporting program to share details on its latest patches. This is posing new challenges for security admins. Symantec recently published a report discussing the current PDF threat landscape:
PDF attacks are on the rise worldwide and show no indication of slowing down. Modern exploit packs have made it relatively simple to create an effective PDF attack. The popularity of these exploit packs, along with the success that attackers have been enjoying using PDFs, has led to an explosion in the use of malicious PDFs as an attack vector.
Posted in Anti Virus, Application Security, Report / Paper
September 19, 2010
I concur with Adrian; we can build compilers that catch security flaws in the code or run the code through the best SCA (Source Code Analysis) tools, but until we create a culture in which project managers and developers understand the value of early identification and mitigation of security vulnerabilities, we will not be able to bake security into the SDLC process.
I am all for automating as much security as we can into the development process, especially as a check on developer activities. Nothing wrong with that — we do it today. But to think that we can automate security and remove it from the hands of developers is naive to the point of being surreal. Timing attacks, logic attacks, and architectural flaws do not show up to a compiler or any form of pre/post automated checks.
Posted in Application Security, Information Security, Secure Coding
June 16, 2010
Kaminsky, the famous security researcher, launched a startup, introducing Interpolique as its first product.
Interpolique — which was released for security experts and IT to poke around at and analyze, but not to use operationally — is basically a framework that lets developers continue to write code the way they always have, but with a tool that helps prevent them from inadvertently leaving string injection flaws in their code. It requires developers to use different prefixes that describe variables of the strings, without requiring any major changes to their coding style, he says. And the resulting code is automatically formatted in such a way that can’t be easily abused by the bad guys.
Posted in Application Security, Infrastructure Security, Secure Coding
May 18, 2010
Should we be worried?
When it comes to secure messaging, nothing beats quantum cryptography, a method that offers perfect security. Messages sent in this way can never be cracked by an eavesdropper, no matter how powerful.
At least, that’s the theory. Today, Feihu Xu, Bing Qi and Hoi-Kwong Lo at the University of Toronto in Canada say they have broken a commercial quantum cryptography system made by the Geneva-based quantum technology startup ID Quantique, the first successful attack of its kind on a commercially-available system.
Posted in Application Security, Communication, Cryptography, Information Security, Infrastructure Security
April 26, 2010
I am neither endorsing nor promoting this device, but it sounds innovative to fit a full PIN entry keypad to a USB drive. The drive uses 256-bit AES encryption to secure data, and the data remains encrypted until the correct PIN code is entered at the point the drive is inserted into the PC.
The encryption and authentication are handled on the drive itself, so there is no software involved: no driver updates, no software updates, no admin privileges necessary, and no worries about whether you may or may not be able to open stored files on any operating system.
Posted in Application Security, Information Security
April 26, 2010
McAfee released a faulty update which impacted some enterprise customers and home users of its products globally. Per McAfee:
The error can result in moderate to significant issues on systems running Windows XP Service Pack 3. The immediate impact on corporate users was lessened for corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, though those customers could also be impacted when running a scan.
Posted in Anti Virus, Application Security