Author Archives

Banking Millions from Malware enabled by Badware

News broke this week that one of the criminals involved in a massive global banking fraud scheme that relied heavily on the Zeus trojan to steal millions from both U.S. and European banking accounts will be sentenced this Spring.
The news reminded me of the relationship between malicious software (i.e., “malware”) and insecure software (i.e., “badware”). Criminals [...]

Establishing Effective Static Analysis Capabilities

Planning to establish or reboot a static analysis capability this year? Use this simple framework to plan a new implementation or reflect on an existing program to improve maturity.
Over the years, we’ve learned that there are four primary dimensions to any static analysis capability:

Solution Architecture
Policy
Application On-Boarding
Vulnerability Management

It doesn’t matter if you’re considering building an in-house [...]

My Threat Modeling Talk @ OWASP AppSec USA

OWASP recently posted videos of all talks from the OWASP AppSec USA conference held in Minneapolis in September 2011.
You can find my talk on an approach for “simplifying threat modeling” here. Grab my slides here.
Check it out and let me know what you think. Would love to hear from you and your thoughts on where [...]

GC Labs: Securing URL Redirects

Can attackers control URL redirection functionality exposed by your application?

Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top Ten List. Sites that are vulnerable often expose a servlet or server-side script that builds the redirect target URL from data received from the client (i.e., something that can be controlled by an attacker). A lot of sites simply accept a URL as input to the redirection script, and that’s what gets them into trouble.

GC Labs: Mitigating XML Entity Expansion Attacks with Xerces

Here are a few typical questions from my “assessment runbook” that I ask for an app that accepts and parses XML data that can be controlled by an attacker (think file uploads, web services, stored XML content made up of inputs from an external user, etc.):
(1) Is there a check to enforce a maximum number [...]

Are your regular expressions anchored?

I recently found a SQL injection vulnerability in a J2EE app where a request parameter is used to construct a dynamic JDBC query via string concatenation. When I discussed the issue with the developer, he said something to the effect of “Wait, I’m validating this field against a white list like our standards say, what’s [...]

BSIMM: A Descriptive Model of Software Security

Gary McGraw discusses prescriptive vs. descriptive models, and why/how BSIMM helps model the reality of software security initiatives in our industry.

Teaching Fortify SCA About Confidential Data

In Cigital’s latest newsletter, I explain a few tips for gaining assurance that Fortify SCA is “seeing” code (specifically private or confidential data) the way you think it should be.

Applying Basic Trust Concepts to Software Module Design

As a consultant who reviews code a lot, I found that this statement immediately got me thinking about trust at the code level. Trust issues are fun to think about — not only because there are bookoos of trust-related issues in today’s apps (particularly mashups) but also because they are difficult to mitigate through good defensive design. As a software design enthusiast, I believe we can apply the concept of trust attacks as described above to low-level module design (think the class keyword in Java or the class keyword in C++) by changing one word in the second sentence:

Building Security In Maturity Model (BSIMM)

A lot has been said about what companies *should do* to build secure software. Ever wonder what companies *really do*? Now you can find out — the Building Security In Maturity Model (BSIMM) recently went public.