Archive for the ‘Secure Coding’ Category

A tool to identify malicious insiders

November 24, 2011

William Jackson / GCN

The system, which is being tested in a lab environment, uses a host-based agent to “learn” a user’s behavior and to look for anomalous behavior or other signatures, said computer scientist and project leader Justin Beaver.

……….

Among the characteristic information leveraged by the system are system call sequences. Each function on a computer initiates a series of calls for services. This occurs at a low level in the operating system, out of the user’s view, and creates a characteristic pattern for each user over time. Researchers found that normal patterns remain surprisingly consistent for individuals as they switch between computers and jobs.
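Added illustration of the idea described above (not the researchers' code): a user's "profile" is the set of system-call n-grams seen in their normal sessions, and a new trace is scored by the fraction of its n-grams the profile has never seen. The syscall traces are constructed for this example.

```python
from typing import Iterable, List, Sequence, Set, Tuple

Gram = Tuple[str, ...]

# Constructed sample traces: short system-call sequences from a user's ordinary
# file-editing sessions, used as the "learned" baseline for that user.
NORMAL_SESSIONS: List[List[str]] = [
    ["openat", "read", "read", "write", "close", "openat", "read", "close"],
    ["openat", "read", "write", "write", "close", "stat", "openat", "read", "close"],
    ["stat", "openat", "read", "read", "close", "write", "close"],
]

def ngrams(trace: Sequence[str], n: int = 3) -> List[Gram]:
    """Sliding windows of n consecutive system calls."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]

def build_profile(sessions: Iterable[Sequence[str]], n: int = 3) -> Set[Gram]:
    """The user's profile is the set of n-grams observed in normal sessions."""
    profile: Set[Gram] = set()
    for session in sessions:
        profile.update(ngrams(session, n))
    return profile

def unseen_ngrams(trace: Sequence[str], profile: Set[Gram], n: int = 3) -> List[Gram]:
    """n-grams of the trace that never appeared in the profile (context for an analyst)."""
    return [g for g in ngrams(trace, n) if g not in profile]

def anomaly_score(trace: Sequence[str], profile: Set[Gram], n: int = 3) -> float:
    """Fraction of the trace's n-grams that are absent from the profile, 0.0..1.0."""
    grams = ngrams(trace, n)
    if not grams:  # trace shorter than n: nothing to judge
        return 0.0
    return len(unseen_ngrams(trace, profile, n)) / len(grams)

def is_anomalous(trace: Sequence[str], profile: Set[Gram],
                 threshold: float = 0.3, n: int = 3) -> bool:
    """Flag the trace when more than `threshold` of its n-grams are unseen."""
    return anomaly_score(trace, profile, n) > threshold

if __name__ == "__main__":
    profile = build_profile(NORMAL_SESSIONS)
    # A session that suddenly opens a network socket departs from the baseline.
    suspect = ["openat", "read", "read", "write", "close", "socket", "connect", "close"]
    print(anomaly_score(suspect, profile), unseen_ngrams(suspect, profile))
```

A real deployment would learn the profile over many sessions and tune the threshold per user; the set-membership model here is the simplest form of the sequence-based approach.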

Common Weakness Scoring System (CWSS)

July 8, 2011

CWSS:

  • provides a common framework for prioritizing security errors (“weaknesses”) that are discovered in software applications
  • provides a quantitative measurement of the unfixed weaknesses that are present within a software application
  • can be used by developers to prioritize unfixed weaknesses within their own software
  • in conjunction with the Common Weakness Risk Analysis Framework (CWRAF), can be used by consumers to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance.

Coordinated Vulnerability Disclosure

April 30, 2011

More and more companies are coming out with formal Coordinated Vulnerability Disclosure processes and standards:

After a product or service is released, we feel security is a shared responsibility across the broad community. Collaboration between security researchers and vendors is ultimately about preventing attacks and protecting the computing ecosystem. By working together through coordinated efforts when vulnerabilities are identified, we can effectively minimize customer risk while a solution is developed. We encourage others to adopt this philosophy in the interest of creating a safer and more trusted internet for everyone.

Building “privacy by design” mindset

February 15, 2011

As mobile devices start to store more and more of their owner’s personal data (location, search and shopping data), that data is becoming a real threat to users.

To give users better tools to protect their personal data, the ACLU of Northern California, the ACLU of Washington, and the Tor Project have organized the 2011 Privacy Developer Challenge to develop apps for mobile devices that can educate users about mobile privacy and give them the ability to demand control of their own personal information, without loss of functionality. The winning apps will be released under an open source license.

Goal: ….demonstrate the possibility that apps for mobile devices can actually enhance the privacy of users. By doing so, we hope not only to generate technology that is useful today, but also to encourage developers and companies to adopt the “privacy by design” mindset so that future devices and technologies will be designed with privacy in mind from the start.

Until mobile platforms get mature

January 29, 2011

After iPhone Tracker, it’s Android that has been in the news for similar reasons: recording credit card or financial account numbers (or any numbers, in general). It’s nothing to do with the iPhone or Android OS only; it’s the overall mobile platform that needs to mature before it can securely process financial transactions or store confidential data.

While it evolves, there are several things we can do to take advantage of mobile commerce and the other opportunities created by mobile technologies, including writing secure code. Even though there has been so much focus in the past year or so on incorporating security into the SDLC process, only a small percentage of companies have implemented it as a formal program.

A general SDLC includes five phases: initiation, acquisition / development, implementation / assessment, operations / maintenance, and sunset (disposition). Each of the five phases includes a minimum set of security tasks needed to effectively incorporate security into the system development process. Including security early in the SDLC will usually result in less expensive and more effective security than adding it to an operational system.

Need an iPhone app to track the trackers

January 25, 2011

Four researchers took a fairly large sample (1,400) of iPhone apps and tested them in a testbed environment. Their results are quite interesting.

First, the good news:

Only a small number blatantly compromised privacy: 36 accessed the device’s location without first informing the user; another five mined data from the user’s address book without permission.

That is just 3% of the total population. Now the bad news:

…more than half of the iPhone applications studied collected the device ID—a 40-digit hexadecimal number identifying a particular phone. More than 750 of the apps studied used some sort of tracking technology. In about 200 cases, the developer created a way to track a device’s identifier code; the other apps used this functionality from an advertising or tracking software library.

I agree that these are likely not malicious apps, but as the article says, the “identifier code… would give you a lot of information on the user, including—most of the time—their real name”, so device ID tracking will be an interesting debate in the coming months as the FTC’s Privacy Report gets finalized and published.

Top 25 Most Dangerous Software Errors

January 9, 2011

Following its tradition, MITRE’s Common Weakness Enumeration (CWE) project [jointly with the SANS Institute] created the list of 2010’s Top 25 Most Dangerous Software Errors.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped.

……

The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses.

Baking Security in the Software Development Process

September 19, 2010

I concur with Adrian: we can build compilers that catch security flaws in the code, or run the code through the best SCA (Source Code Analysis) tools, but until we create a culture in which project managers and developers understand the value of early identification and mitigation of security vulnerabilities, we will not be able to bake security into the SDLC process.

I am all for automating as much security as we can into the development process, especially as a check on developer activities. Nothing wrong with that — we do it today. But to think that we can automate security and remove it from the hands of developers is naive to the point of being surreal. Timing attacks, logic attacks, and architectural flaws do not show up to a compiler or any form of pre/post automated checks.

Preventing pervasive string injection-type attacks

June 16, 2010

Kaminsky, the famous security researcher, launched a startup, introducing Interpolique as its first product:

Interpolique — which was released for security experts and IT to poke around at and analyze, but not to use operationally — is basically a framework that lets developers continue to write code the way they always have, but with a tool that helps prevent them from inadvertently leaving string injection flaws in their code. It requires developers to use different prefixes that describe variables of the strings, without requiring any major changes to their coding style, he says. And the resulting code is automatically formatted in such a way that it can’t be easily abused by the bad guys.
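Added illustration of the prefix idea, not Interpolique’s own code or its exact mechanism: variables embedded in a query string carry a marker (the `^^name` syntax is an assumption made here), and a rewriter turns each marked variable into a driver-level parameter so the value can never change the structure of the SQL. The table and its rows are constructed for the example.

```python
import re
import sqlite3
from typing import Any, Dict, List, Optional, Tuple

# Marker for variables embedded in a query string. The ^^name syntax is an
# assumption made for this illustration, not Interpolique's own grammar.
VAR = re.compile(r"\^\^([A-Za-z_][A-Za-z0-9_]*)")

def interpolate(template: str, scope: Dict[str, Any]) -> Tuple[str, Tuple[Any, ...]]:
    """Rewrite 'WHERE name = ^^user' into 'WHERE name = ?' plus a parameter tuple.

    Each marked variable's value is handed to the database driver separately,
    so it is always treated as data and never parsed as part of the query.
    """
    params: List[Any] = []

    def replace(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in scope:
            raise KeyError(f"undefined variable ^^{name}")
        params.append(scope[name])
        return "?"

    return VAR.sub(replace, template), tuple(params)

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table used by the lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("O'Brien", "user")])
    return conn

def lookup(conn: sqlite3.Connection, template: str, **scope: Any) -> List[str]:
    """Run a ^^-marked template safely and return the first column of each row."""
    sql, params = interpolate(template, scope)
    return [row[0] for row in conn.execute(sql, params)]

def naive_lookup(conn: sqlite3.Connection, user: str) -> Optional[List[str]]:
    """The pattern the prefix scheme replaces: concatenating the value into SQL.

    Returns None when the concatenated text is no longer valid SQL (a quote in
    the value breaks the statement instead of being stored as data).
    """
    try:
        rows = conn.execute("SELECT role FROM users WHERE name = '" + user + "'")
        return [row[0] for row in rows]
    except sqlite3.OperationalError:
        return None
```

With the marked template, a name such as O'Brien is matched correctly, whereas the concatenated version fails on the same input; the rewriter raises on an unmarked or undefined variable rather than silently leaving it in the string.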
