An advisory from DHS’s ICS CERT makes clear that ICS vendors are making progress toward fixing Heartbleed, but that customers face a long slog. The good news about the Heartbleed vulnerability in OpenSSL is that most of the major sites that were found to be vulnerable to the flaw have been patched. As has been […]
Will crowd funding bug bounties for OpenSSL solve its security problems? Probably not. For years, security experts and thought leaders have railed against the concept of “security through obscurity” – the notion that you can keep vulnerable software secure just by preventing others from understanding how it works. Corporate executives worried about relying on open […]
If you are a current Veracode customer, we’re delighted to announce that we can help you rapidly address the Heartbleed bug. We are offering our comprehensive capabilities for application vulnerability detection to all our customers, at no-charge, to help you respond to this threat. What is Veracode doing to help our customers? We have two […]
The recently disclosed vulnerability in OpenSSL pokes a number of enterprise pain points. Chief among them: the proliferation of vulnerable, third-party code. By now, a lot has been written about Heartbleed (heartbleed.com), the gaping hole in OpenSSL that laid bare the security of hundreds of thousands of web sites and web based applications globally. Heartbleed […]
Ranked at number eight on the 2013 OWASP Top Ten, Cross Site Request Forgery (CSRF) remains a major concern. CSRF manipulates a web application vulnerability which allows an attacker to trick the end user into performing unwanted and possibly sensitive actions.
As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.
A security researcher found an exploitable vulnerability on the U.S. Government’s Healthcare.gov portal. In other news: the sun rose in the East every day this week.
The news out of Washington D.C. this week was that the Government’s troubled Healthcare.gov web site isn’t just dysfunctional – it’s also insecure. This, after an independent security researcher named Ben Simo found an exploitable vulnerability on the U.S. Government’s Healthcare.gov portal that would allow a remote attacker to gain access to applicants’ accounts, according to reports on CNN and The Washington Post.
I recently blogged about Web-based threats finally getting the respect they deserve?, but a recent New York Times article reminds us what happens when companies don’t pay enough attention to this crucial area of security.
The article, titled “Wall Street’s Exposure to Hacking Laid Bare” describes not only the damage done by the five men involved in a seven year hacking spree, it also details how several different large orgnazations were attacked.
Back when I testified with the L0pht to the Senate in 1998 we suggested the government use incentives as a way to get businesses to improve their security. The Senate was Republican controlled at the time and even us political newbies knew that regulation was going to be a non-starter at the time. We also proposed that the government use its purchasing power to require the vendors it buys from to have good security.
2010 was a big year for vendor bug bounty programs. Google announced its program in January with a bounty of $1,337 for high severity security bugs in its Chrome browser. Then in July Mozilla sextupled its bounty to $3000 and the Google program went from “Leet” to “Elite” with an increase of its bounty to $3,133.70. Sensing a trend and a feeling that vendor bug bounties “had arrived” the Veracode research team made one of our 2011 Predictions that Microsoft would jump on the bandwagon too.