Blog Posts

Daily Stand-ups, the Bane of Agile Software Development – Part 2

See Part 1 of this series here. You might even be an agile pastor and in that case you’re probably thinking… “what an outrageous idea!”. Maybe it is, but I still remember Rebecca. She is a wicked smart software engineer I once worked with. As I attended multiple meetings with different software teams as the designated “Security Expert”, I gained a different perspective on Agile development. Rebecca always seemed tense. Actually, everyone on the team was smart, but they always seemed very

8 Basic Rules for Handling Passwords Securely

Authentication, Authorization, Authentication… some say passwords have failed. They may be right, but passwords are still here. Software developers should expect users to select strong passwords and likewise, software users expect their data (including passwords) to be stored securely by software vendors. There never seems to be a wrong time to talk about this considering the almost constant trend of data breaches. Here are 8 basic rules for handling passwords securely: Provide Brute Force Protection at Authentication Points: This defeats

Windows Driver Security and Fuzzing Resources

An IOCTL (an abbreviation of input/output control) is a system call for device-specific input/output operations and other operations which cannot be expressed by regular system calls. It’s a system call interface through which user space can communicate with device drivers. IOCTL interfaces are a primary attack surface for drivers (especially in less audited third-party or non-OS code) since they parse input from user space – hence that input should be validated properly. Vulnerabilities in

Profiling Cyber Attackers

Cyber attackers come in different shapes and sizes, with different goals, capabilities, risk tolerance, etc. As defenders protecting the enterprise, the network or data in our software systems, it’s well worth the effort to understand the different characteristics of those who may attack us. Armed with that knowledge, we can identify which malefactors may be interested in our systems, and equip ourselves for defense. The matrix below (an excerpt from Securing Systems by Brook Schoenfield) provides a good summary of the

Understanding Cyber Security 101: Data Breach vs Leakage vs Hack

Corporations have always worried about certain nefarious entities compromising or stealing their trade secrets – even before the advent of the Internet. The global accessibility that the Internet provides has driven those fears outer-space high, and nation states have hopped aboard the fear wagon – as well they should! Hardly a week goes by without a mention of a data hack, breach, or leakage. The current debate – if we could call it that – concerning cyber attacks during

How to Harden C/C++ Programs Through Defensive Compilation

Programming in C or C++ often results in better application performance as both languages do not have the – sometimes clunky – abstractions that are present in higher-level languages like Java, Python, and C#. C/C++ allows for more flexibility in accessing OS resources including memory. The caveat is that C/C++ does not have the inbuilt protections, provided by higher-level languages, that reduce or eliminate the possibility of security vulnerabilities like stack overflows, heap overflows, integer overflows, integer underflows, format string attacks

Death to Security by Obscurity? Reverse Engineering Goes Legit

A few days ago, October 27, 2016 to be exact, the U.S. Copyright Office temporarily made hackers’ lives a lot easier. They eliminated some restrictions imposed by the Digital Millennium Copyright Act (DMCA) that had prevented researchers from circumventing protections, such as encryption, that restricted access to copyright-protected material. This means that it’s now legal (at least for the next two years) to hack or reverse engineer the software in your own car, pacemaker, PC, phone, you name it. What

5 Advantages of Address Sanitizer – Detecting Memory Corruption and Memory Leaks in C/C++

Address Sanitizer is a compile-time tool that instruments C/C++ applications before running memory corruption and memory leak tests. Due to the extra instrumentation, the performance of the resulting binary is reduced, so I wouldn’t recommend it for release builds. But it’s a great tool for debugging your code prior to release. For GCC or clang C/C++ compilers, the steps are as simple as: Compile the binaries to be tested with the “-fsanitize=address” flag. There are many options that you can tweak. Run the
