AppSec


Measuring Software Security

Gary McGraw and the Building Security in Measurement Model (BSIMM) team just released BSIMM2 today. If you haven’t heard of BSIMM before, please take a look at the article I wrote about it over at eSecurity Planet. An excerpt is below. “You are not a special snowflake.” This is how Dr. Gary McGraw, author of Software Security: Building Security In, Exploiting Online Games: Cheating...


White Box and Black Box Testing

If you’re wondering whether to use white box/black box/grey box testing on your applications – I recently wrote an article on the subject. Jay Leek, who heads up corporate IT security services for mobile technology company Nokia Corp, was interviewed for the article and had a lot of valuable, real-world insights to add. For comprehensive application security analysis, “you need...


Security in the SDLC

Building security into the software development lifecycle is one of my primary research areas – and recently TechTarget asked me to do a video and podcast on the topic. They’ve been syndicated for viewing/listening through BusinessWeek and other outlets. If you’re interested in this topic, please check out the links below. Countdown: Selling Security in the SDLC –...


Whose fault is the bad software anyway?

There was an article that came around today called Software insecurity: Plenty of blame to go around over at GCN. The article contends that the blame for bad software lies at the feet of either developers or users, but that specifically who is to blame is up in the air. There is, of course, no shortage of opinion; check it out: Stuart Katzke of the National Institute of Standards and Technology...


I feel like I’m taking crazy pills

Is it just me or does anyone else feel like we’re trapped in a skit from “Mondo Bizarro”? Everyone is in a hubbub about who to sue for software bugs: Howard Schmidt says sue the developers, Bruce Schneier says sue the vendors, and Pete Lindstrom says not to sue anybody, but to send vulnerability researchers to jail. It’s a veritable “who’s who” of...


Surprisingly, I don’t hate this

I came across the article, The truth about security this morning. I followed the link expecting (based on the title and the opening paragraph) to get “fired up” about yet another yahoo telling me how to do my job. However, I was completely wrong about this one. This is a lucid and balanced look at disclosure, vendor responsibility, and legislation of software security. Two thumbs up...


Man, I love being right!

You’ve probably already heard my rant about the Amir Herzberg “Unprotected Login Hall of Shame”. However, in the interests of getting my due props, I would like to point out the recent statistics by NetCraft citing that SSL use on back logon forms is on the decrease. For those of you that missed my ramblings on this, here’s a quick ramp-up: the “Unprotected Login...


Heap Overflows

Some really good research on heap overflows in Windows. Useful reading material – this paper is short and to the point.


Yet another non-starter

I’m in violent agreement with anybody such as these researchers who contend that C needs to go. However, I really question the idea of trying ONCE AGAIN to replace C with a hitherto unknown or unused language. How many times do we need to try this before folks in academia clue in that it won’t work? Listen – if C++, Java, C#, Objective-C, C-, J++ or any of the other...


“Fox in the snow, where do you go?”

A vulnerable browser, an exposure with no patch, a catastrophe for FireFox? And this is a surprise? Hey, since when did any of us believe security by obscurity is a good thing? What do attackers tend to target? The most “props” (or financially) worthy ‘sploits. Think FireFox or Mac OS X are secure? Think again. Sorry to beat a drum here – but weaving security into...


A new project, an old topic

A freeware C code analyzer; software security is all the rage right now, and this project seems like a particularly interesting one. I’ll watch this project alertly for further developments and maybe do some preliminary testing with it once I get some free time. C Code Analyzer


Why Secure-Coding Initiatives Don’t Work

Everybody knows that the software industry is plagued with bug-ridden code. There’s been quite a bit of discussion about who to blame – the developers, the vendors, project managers, the customer, etc. In general, it would seem that market forces favor insecure software – for example, if company A provides software with the same functionality as company B, who is favored in...


Report: Labels back software sabotage

“Some of the world’s largest record labels are quietly financing the creation of programs by small software firms that, if deployed, would sabotage the computers and Internet connections of people who download pirated music, according to a published report. Citing industry executives, The New York Times reported in an article that appeared on its Web site on Saturday, that the efforts...
