July 2015 - Code Curmudgeon

Why We View AppSec Vulnerabilities As False

Posted on July 29, 2015 by Code Curmudgeon

I’d like to say a few things as a follow-up to my article on theoretical appsec vulnerabilities last week. The article generated some interesting...

Unscientific AppSec Pain Poll

Posted on July 28, 2015 by Code Curmudgeon

Here’s another one of my completely unscientific polls – this time about AppSec. I find it interesting to know what others think about these...

Comments up and running again

Posted on July 28, 2015 by Code Curmudgeon

Just a brief public service announcement. After being made aware over the weekend that the comment system wasn’t working I’ve figured...

Theoretical AppSec Vulnerabilities

Posted on July 23, 2015 by Code Curmudgeon

As you’re well aware cybersecurity and appsec incidents are a regular feature in the news. I try to avoid jumping immediately on the analysis...

Definitioner

vulnerability

This is a tricky word, especially in application security or cybersecurity. The simple definition in a software context is that the code has some problem that could be exploited by someone at some point. Some think of it as a piece of code with a proven exploit, IE a static analysis violation with a stack trace and values used. This is a very narrow definition that probably doesn't help improve the state of the art. I prefer the idea that it's code that is exploitable based on the body of knowledge (as encapsulated in software coding standards).

CAN (Controller Area Network)

Controller Area Network aka CAN aka CAN Bus is a wiring standard for vehicles that enables communication between various components and devices without having a host computer. For example doors, brakes, transmission.

Man-in-the-middle

Man-in-the-middle (MITM) attacks are where a person or software sits in the middle of communication between two parties. For example between your computer and your bank. Web MITM attacks are often performed by self-signed root certificates where someone like a hotel or computer manufacturers certifies the identity of both parties without actually having the authority. Often this is done for advertising purposes to either monitor behavior or inject ads into a data stream. It also exposes any of the data that is supposedly securely encrypted, like your bank credentials.

security certificate

A digital artifact used in cryptography for secure connections like SSL. The certificate is used to authenticate who a user was, letting you know that you're dealing with the person you think you are. Certificates are normally issued by authorities who take steps to ensure identity before issuing any certificate. There are also self-signed certificates that you can create for yourself but do not have the same level of trust. In essence you are saying "I am who I say I am." For more details see wikipedia.

Phishing

A security attacked based on tricking you to put important data like your login and password into a fake website. For example, a faked email from your bank, even using the proper bank picture you're expecting. They tell you there has been a breach and you need to login immediately and change your password. Don't do it, go to the website directly and see if they have any message there. When in doubt, call the company.