Tag Archives: swsec

Cybersecurity SQL Injection Irony

It’s been a funny week for the SQL Injection Hall-of-Shame. As those who follow the Hall-of-Shame know, there’s a pretty steady trickle of newly published SQLi incidents. It’s usually a few every month, not as many as are currently going into my new IoT Hall-of-Shame, but still very regular.

So I was surprised that this week we have two new entries and they’re both cybersecurity companies. It’s partially funny, partially sad and partially scary.

First up is Staminus. They’re a DDoS protection company and seem to have a very good product. I spend more time on the SwSec and AppSec side of things but the kind of work they do is also important. However when you’re a security company, it’s just funny to people when you get hacked.

In this case Staminus was not only vulnerable to SQL injection, but was also following other bad cybersecurity practices. In particular they seem to be storing customer credit card data unencrypted. One tenet of security is that you can never stop all attacks. You have to prepare for the inevitable day when someone breaches your system. That’s why it’s important that we have strong encryption, complaints from the FBI notwithstanding.

Following the attack the hackers actually left a funny message. They published a document called “Tips when running a security company” and detailed all the weaknesses they discovered due to bad security practices. In Staminus’s defense, security expert Brian Krebs noted that anti-DDoS companies are regular targets for attackers.

Also in the news this week was well-known computer security company Symantec. They have a large share of the enterprise computer security market with their Symantec Endpoint Protection (SEP) product. SEP allows companies to manage the security software for all of their computers from a central management console (SEPM), and this is the tool that has the vulnerabilities.

As it turns out there are two vulnerabilities in SEPM: one is cross-site request forgery and the other is SQL injection. While Symantec has called this a routine advisory, it was serious enough for US-CERT to issue an update advisory telling people to patch their SEPM software. US-CERT (United States Computer Emergency Readiness Team) is the government body in the US that keeps track of cybersecurity issues.

Yes, cybersecurity issues can and do happen to everyone. But we can all get at least a bit of a laugh when companies whose only job is security are the targets. This is especially true when the issues involved are simple and preventable, like SQL injection.

Software Cybersecurity Podcast

My friend Kevin Greene is devoted to improving the state of software security in the United States and he’s passionate about it. Kevin now has a regular podcast at FedScoop on cybersecurity insights and perspectives and it’s well worth listening to.

We recently got together and chatted about the state of cybersecurity today. In particular we talked about the “Internet of Things” (IoT) and my IoT Hall-of-Shame as well as static analysis in general. Kevin was instrumental in getting the Software Assurance Marketplace (SWAMP) set up and funded, and we talked about our participation there as well.

“Probably if we did a really great job [with software security], the rest of cybersecurity would be a whole lot easier.”

So have some fun and learn something useful about software security at the same time. Here’s where you can listen: FedScoop Cybersecurity Insights & Perspectives. If you have other topics you’d like to cover, let him and me know in the comments or on Twitter.

For more security info, check out the security resources page. A few of these books can also help:
Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development
Platform Embedded Security Technology Revealed: Safeguarding the Future of Computing with Intel Embedded Security and Management Engine
Software Test Attacks to Break Mobile and Embedded Devices (Chapman & Hall/CRC Innovations in Software Engineering and Software Development Series)

AutoSec Automotive CyberSecurity

Last week Alan Zeichick and I did a webinar for Parasoft on automotive cybersecurity. Now Alan thinks that cybersecurity is an odd term, especially as it applies to automotive, and I mostly agree with him. But appsec is also pretty poorly fitted to automotive, so maybe we should be calling it AutoSec. Feel free to chime in using the comments below or on Twitter.

I guess the point is that as cars get more complicated, get more “smart” parts and get more connected (the connected car) as part of the “internet of things”, you will start to see more and more automotive security breaches occurring. From taking over the car to stealing data to triggering airbags, we’ve already had several high-profile incidents, which you can see in my IoT Hall-of-Shame.

To help out we’ve put together a high-level overview of a 7-point plan to get you started. In the near future we’ll be diving into detail on each of these topics, including how standards can help you not only get quality but safety and security, the role of black-box, pen-test, and DAST as well as how to get ahead of the curve and harden your vehicle software using static code analysis (SAST) and hybrid testing (IAST).

The webinar was recorded for your convenience, so be sure to check it out. If you have automotive software topics that are near and dear to your heart, be sure to let me know in the comments or on Twitter or Facebook.


Halloween Security Slashers Webinar


I’m doing a Halloween themed Parasoft webinar this Friday on Stopping Software Security Slashers with Static Analysis. As always it’s a free webinar and you can register here.

We like to have fun at these holiday webinars, so we’ll investigate how some security issues are similar to the famous horror movie villains you know and love, like Jason, Freddy, Leatherface, Michael and Norman. I hope to see you there.

Overview

Stagefright, Heartbleed, and other grisly-sounding software defects are scary for good reason: they make applications vulnerable to menacing cyberattackers—no hockey mask or knife-fingered glove required. In the absence of an adequate defect prevention strategy, your application is likely to stumble as malicious (and even not so malicious) hackers bear down on vulnerabilities, potentially crashing the software or exposing sensitive data. If your software is deployed to a medical device, automotive system, or any other safety-critical application, this is only the beginning of the nightmare.

But your application deployment doesn’t have to end in gruesome horror. By implementing quality practices, such as static analysis, throughout the SDLC, you reduce the potential attack surface cyberattackers can exploit. Moreover, by automating the continuous application of defect prevention technologies, you eliminate the possibility of defects recurring like a chainsaw-wielding maniac that won’t stay down.

In this webinar, we’ll look at why recently publicized defects are so scary and discuss how to take a proactive approach to ensuring the safety, security, and reliability of your applications. We’ll focus on how to leverage standards, such as OWASP, PCI DSS, and CWE, to evolve development policies from static analysis findings so that your application isn’t the next victim.

Resources