good code, secure software
Author Archives
Citi Discloses iPhone App Vulnerability
When my bank sent me a message pitching the conveniences of mobile & text banking, I didn’t opt in. Here’s an example of why: WSJ reports “Citi Discloses Security Flaw in Its iPhone App.”
Citi claims security tests were conducted before and after the application release, but a recent “routine security review” spotted the flaw. The [...]
GC Labs: Mitigating XML Entity Expansion Attacks with Xerces
Here are a few typical questions from my “assessment runbook” that I ask for an app that accepts and parses XML data that can be controlled by an attacker (think file uploads, web services, stored XML content made up of inputs from an external user, etc.):
(1) Is there a check to enforce a maximum number [...]
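As an added example (my own illustration, not code from the GC Labs post): the two Xerces/JAXP controls that address that first runbook question. The strict option refuses a DOCTYPE altogether, which removes entity expansion entirely because entities can only be declared in a DTD; the fallback, for apps that must accept an inline DTD, caps the number of expansions with the Xerces SecurityManager property. The limit of 1000, the factory class name and the constructed payload are assumptions for illustration, and the capped variant needs the Apache Xerces jar on the classpath, since the JDK-bundled copy lives under a different package.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class XeeHardenedParser {

    // Constructed nested-entity payload: &lol3; expands 10 -> 100 -> 1000 times,
    // 1111 entity expansions in total, so it trips a cap of 1000 (assumed value).
    static final String EXPANSION_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
      + "]>\n"
      + "<lolz>&lol3;</lolz>";

    /** Strict option: any DOCTYPE is a parse error, so no entity can ever be declared. */
    static DocumentBuilder noDoctypeParser() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /**
     * Fallback when an inline DTD must be accepted: keep the DOCTYPE but cap the
     * number of entity expansions via the Xerces SecurityManager property.
     * Assumes the Apache Xerces jar (org.apache.xerces.*) is on the classpath.
     */
    static DocumentBuilder cappedExpansionParser(int maxExpansions) throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(
            "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl", null);
        // Still refuse external entities and external DTD fetches.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        org.apache.xerces.util.SecurityManager sm = new org.apache.xerces.util.SecurityManager();
        sm.setEntityExpansionLimit(maxExpansions);
        dbf.setAttribute("http://apache.org/xml/properties/security-manager", sm);
        return dbf.newDocumentBuilder();
    }

    /** Returns "parsed" or "rejected: <reason>" so both configurations can be compared. */
    static String tryParse(DocumentBuilder db, String xml) {
        try {
            db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed";
        } catch (Exception e) {
            // SAXParseException both for the DOCTYPE refusal and for exceeding the cap
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(tryParse(noDoctypeParser(), EXPANSION_PAYLOAD));
        System.out.println(tryParse(cappedExpansionParser(1000), EXPANSION_PAYLOAD));
    }
}
```

Both runs reject the payload. Prefer the first configuration wherever the application has no legitimate use for a DTD; the cap is a second line of defence, and its value should be set from what real documents actually need rather than left at a generous default (the JDK-bundled parser, for instance, applies its own default limit of 64000 under secure processing).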
Are your regular expressions anchored?
I recently found a SQL injection vulnerability in a J2EE app where a request parameter is used to construct a dynamic JDBC query via string concatenation. When I discussed the issue with the developer, he became confused and said “Wait, I’m validating this field against a white list like you said a few weeks ago, [...]
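An added illustration (my own, not the post's code) of the failure mode this excerpt describes: the whitelist pattern is fine, but it is applied with a method that does not anchor it, so a payload that merely contains a whitelisted substring still passes. The pattern `[A-Za-z0-9_]+` and the sample values are constructed; the real application's whitelist may differ.

```java
import java.util.regex.Pattern;

public class AnchoredWhitelist {

    // Intended whitelist for an identifier-style field. Note: no ^ or $ in the pattern.
    static final Pattern WHITELIST = Pattern.compile("[A-Za-z0-9_]+");

    /** The bug: Matcher.find() succeeds if the pattern matches ANYWHERE in the input. */
    static boolean looksValidUnanchored(String value) {
        return WHITELIST.matcher(value).find();
    }

    /** Fix, option 1: Matcher.matches() requires the whole input to match. */
    static boolean isValidMatches(String value) {
        return WHITELIST.matcher(value).matches();
    }

    /**
     * Fix, option 2: anchor the pattern itself so no call site can get it wrong.
     * \A and \z are absolute anchors; in Java, $ alone also matches before a
     * final line terminator, so "^...$" would still accept a trailing newline.
     */
    static final Pattern ANCHORED = Pattern.compile("\\A[A-Za-z0-9_]+\\z");

    static boolean isValidAnchored(String value) {
        return ANCHORED.matcher(value).find();
    }

    public static void main(String[] args) {
        // Constructed inputs: a legitimate value, an injection payload that
        // contains the whitelisted substring "alice", and a trailing-newline variant.
        String[] inputs = {
            "alice",
            "alice' OR '1'='1",
            "alice\n"
        };
        for (String in : inputs) {
            System.out.printf("%-20s find()=%-5b matches()=%-5b anchored=%b%n",
                in.replace("\n", "\\n"),
                looksValidUnanchored(in), isValidMatches(in), isValidAnchored(in));
        }
    }
}
```

Only the first input is accepted by the two fixed variants; the unanchored check accepts all three, which is exactly how a "validated" parameter ends up concatenated into a JDBC query unchanged. Anchoring the pattern itself (option 2) is the safer habit, since it does not depend on every caller remembering to use matches() rather than find().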
BSIMM: A Descriptive Model of Software Security
Gary McGraw discusses prescriptive vs. descriptive models, and why/how BSIMM helps model the reality of software security initiatives in our industry.
Teaching Fortify SCA About Confidential Data
In Cigital’s latest newsletter, I explain a few tips for gaining assurance that Fortify SCA is “seeing” code (specifically private or confidential data) the way you think it should be.
OWASP XSS cheat sheet
OWASP has published a very well-written XSS cheat sheet.
Applying Basic Trust Concepts to Software Module Design
As a consultant who reviews a lot of code, I found this statement immediately got me thinking about trust at the code level. Trust issues are fun to think about — not only because there are bookoos of trust-related issues in today’s apps (particularly mashups) but also because they are difficult to mitigate through good defensive design. As a software design enthusiast, I believe we can apply the concept of trust attacks as described above to low-level module design (think the class keyword in Java or C++) by changing one word in the second sentence:
Building Security In Maturity Model (BSIMM)
A lot has been said about what companies *should do* to build secure software. Ever wonder what companies *really do*? Now you can — the Building Security In Maturity Model (BSIMM) recently went public.
IO Chokepoints: J2EE Filters
This is the first post in a series covering tactics for implementing input and output chokepoints in J2EE. My goal is to describe different techniques in separate posts and then summarize the tradeoffs involved in putting them in place in a final post. In this first post, I’ll show you how to set up a J2EE servlet filter to perform HTML escaping on multiple servlet-related input sources.
CWE/SANS Top 25 released today
Update: Read about Gary McGraw’s take on Top N lists.
MITRE and SANS released the CWE/SANS Top 25 Most Dangerous Programming Errors list today. This list is an attempt at being more code-centric than other similar lists, such as the OWASP Top 10.
Although these lists cover what is often considered “low-hanging” fruit vulnerabilities or the coding [...]