Squirreling Backdoors Into Distribution Points

So it seems that SquirrelMail 1.4.11 and 1.4.12 were recently backdoored. Similar to some high-profile backdoors in the past, this was done by modifying the distribution tarball rather than infiltrating the source code repository [1]. In this case, the backdoor was detected when a user noticed that the MD5 published on SquirrelMail’s website didn’t […]

Boston/Cambridge InfoSecurity Events

Software Security Weaknesses – Avoiding and Testing. Bob Martin is giving a talk tonight at the Boston Software Process Improvement Network (SPIN) meeting on “Software Security Weaknesses – Avoiding and Testing”. The meeting is at MITRE in Bedford in the basement conference center of M-Building (the one next to the parking garage). Pizza and discussions […]

Risk vs Vulnerability

George Ou has an interesting analysis of Microsoft OS vs. Apple OS vulnerability counts. Anything comparing the security of these two companies becomes controversial. I think that any analysis of vulnerability counts should include a paragraph on risk vs. vulnerabilities to defuse the Mac fanboys. I might be able to leave my backdoor safely unlocked […]

Thought Exercise: Automated Vulnerability Creation

A few of us were hanging out in the Veracode kitchen the other day and got to discussing the idea of programmatically injecting vulnerabilities into software. This is essentially the opposite of the problem that most security vendors, including ourselves, are trying to solve — that is, detecting vulnerabilities. Clearly there’s not much business value […]

External Code in the Software Development Process

Recently I got a message from Kelly Jackson Higgins of Dark Reading. She was looking for some comments on Fortify Software’s new paper on “Cross Build Injection” or “XBI”. I had read the paper and, while I think the issues are real, the way they are framed misses the big picture. So I figured […]

Classifying and Prioritizing Software Vulnerabilities

We were more than pleased to read a new report by John Pescatore of Gartner recommending that security managers adopt the use of the Common Vulnerability Scoring System (CVSS) to support more repeatable, fast-acting vulnerability management processes. This recommendation backs up the decision made by our CTO, Chris Wysopal, more than a year ago to […]

Friday Hacker Brainstorming

Sometimes when you are deep in the forest looking at one branch of one tree, trying to reduce false negative rates for detecting a specific class of software vulnerability, it is useful to step back and look at the forest of what is going on in criminal hacking. Today we were throwing some ideas around […]

Secure Software and Application Testing – Before Procurement

Chenxi Wang of Forrester Research and Chris Wysopal, our founder and CTO, will discuss ways to secure applications before they are purchased and deployed in an enterprise — as a part of contract negotiations and the RFI and RFP process. More information on the seminar and instructions on how to register can be found on […]
