Kickstarter Password Breach … #FTW?
Last Wednesday I spoke about password storage security in a Cigital at the WhiteBoard session. Fate has allowed a publicized password breach within a few days prior to these talks nearly without fail...
Understanding the Apple ‘goto fail;’ Vulnerability
You may have heard about the recently publicly disclosed vulnerability (http://support.apple.com/kb/HT6147) in Apple iOS. Let’s take a look at the goto fail details as well as at who is affected....
Dr. McGraw talks Software Security on Security Weekly
Software Security on Security Weekly (with paul dot com). Episode 366 of Security Weekly features a conversation with Gary McGraw. Watch the whole thing here. Here is a quick viewer’s guide to skipping...
OpenSSL: Fix or Rewrite?
Today’s OpenSSL bug adds another tally to the rapidly growing list of major security issues with the OpenSSL library. A friend and former colleague, Mike Nygard, asked a very important question....
Cordova InAppBrowser Remote Privilege Escalation
Earlier this year, I identified an interesting vulnerability (CVE-2014-0073) in one of Apache Cordova’s core plug-ins (InAppBrowser). Cordova, also sometimes referred to as PhoneGap, is a popular...
Why Aren’t We Learning From (Defect) History?
I was recently part of Silver Bullet 100 where I was asked “How much progress have we made in the last ten years with Architecture Risk Analysis (that is, finding and fixing flaws in software design)?”...
On Optimism and Software Security
If you have watched the 100th Episode of The Silver Bullet podcast, you’ll see that Gary McGraw and I were the only two out of 6 people who were optimistic about software security and the future. I...
Associating Security Responsibilities Within Development Frameworks
Practicing software security builds on knowledge of tools, techniques, and technologies. I consistently harp on the importance of understanding development frameworks. These frameworks provide a...
Software Security and the User Interface
We had an internal discussion the other day about the pros and cons of connecting professionally with random folks. During that discussion a separate thread was started about how to hide who you are...
Alphabet Soup: SAST, DAST, IAST, and RASP Explained
Turns out that the most important part of a software security initiative is FIXing the bugs that you FIND, no matter how you find the bugs. So just what do all of the alphabet soup tools do? How do they...