<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Putting Trust in Software Code</title><description>2011-11-15 21:17:45 - ZeroDay Labs blog : Seven years ago when we were first embarking on the mission of making static analysis useable, scalable, and able to operate without access to source code, automated static binary analysis was a new concept. There were human operated disassemblers, but the ability to do large scale, highly repeatable static binary analysis was an unknown. At</description><link>http://www.secuobs.com/revue/news/340844.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/340844.shtml</guid></item>
<item><title>Stay Cool, Nobody is Calling Your Baby Ugly</title><description>Secuobs.com : 2011-10-21 20:23:05 - ZeroDay Labs blog - Let me start by saying I have a great deal of respect for Dinis Cruz. He's tremendously passionate about application security and has made numerous contributions to the community through his involvement with OWASP. We even sat on a panel together recently. But I was taken aback by a presentation he gave at OWASP AppSec</description><link>http://www.secuobs.com/revue/news/336251.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/336251.shtml</guid></item>
<item><title>Common Hazards That Cause Home Fires</title><description>Secuobs.com : 2011-09-12 17:01:50 - ZeroDay Labs blog - Today I have a guest commentary on the changes in security landscape since 2001 in Threatpost. So as I look back over the last 10 years I don't see much of a change in the vulnerability-scape, if you will, but in the threat landscape. New classes of attackers have gone mainstream and global. They are</description><link>http://www.secuobs.com/revue/news/328358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/328358.shtml</guid></item>
<item><title>Musings on Custer's Last Stand</title><description>Secuobs.com : 2011-08-31 17:34:40 - ZeroDay Labs blog - Let's not mince words - this rambling diatribe from Oracle's CSO is aimed directly at Veracode. No need for a cutesy acronym - we're the only company with true static binary analysis technology, delivered as a service. Now that we've got that out of the way, let's try to cut through the rhetoric  in just over a</description><link>http://www.secuobs.com/revue/news/326272.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/326272.shtml</guid></item>
<item><title>When In Rome  Or When At Caesars </title><description>Secuobs.com : 2011-07-27 20:16:11 - ZeroDay Labs blog - It's that time of year again. A time when all the most interesting people, ideas, concepts, and attacks are on display in Las Vegas. That's right, we are talking about Blackhat USA and associated conferences. Every year about a week before conference time, all the security analysts, researchers, and talking heads begin to espouse their</description><link>http://www.secuobs.com/revue/news/319579.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/319579.shtml</guid></item>
<item><title>Call for papers on Software Static Analysis</title><description>Secuobs.com : 2011-07-12 16:05:23 - ZeroDay Labs blog - Call for Papers: IEEE Security &amp; Privacy, Software Static Analysis. Abstract submissions due: 15 Aug 2011. Final submissions due: 15 Sept 2011. Publication date: May/June 2012. Secure and reliable software is hard to build, but the costs of failure are steep. Data breaches caused by attackers exploiting vulnerabilities in software made many headlines in 2011</description><link>http://www.secuobs.com/revue/news/316479.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316479.shtml</guid></item>
<item><title>THE Security Problem is Scale</title><description>Secuobs.com : 2011-07-08 19:33:07 - ZeroDay Labs blog - Rich Mogull talks about real world IT security challenges today in his column, "Simple Isn't Simple" in Dark Reading. I agree 100%. One of Rich's points is security has to scale or it doesn't solve the real world problem. In most cases we know how to solve a security problem for a single instance</description><link>http://www.secuobs.com/revue/news/315887.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315887.shtml</guid></item>
<item><title>We Don't Sell It  Then It's Not Important</title><description>Secuobs.com : 2011-07-06 16:05:01 - ZeroDay Labs blog - Fair warning, this is a bit of a rant. Back in my consulting days (early 2000, I'm getting old), we delighted in the fact that our web application penetration testing methodology didn't rely on automated tools. This was completely true - we did everything manually, and we were among the best in the industry. Many so-called</description><link>http://www.secuobs.com/revue/news/315415.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315415.shtml</guid></item>
<item><title>Mobile Security - Users Just Don't Care</title><description>Secuobs.com : 2011-06-21 16:30:42 - ZeroDay Labs blog - It's not that users don't want to keep their data safe. They do. Most corporate users don't want their personal or corporate, private information, available to someone else. They don't want their email stolen or their contacts pillaged. So why do people insist on ignoring the multitude of security recommendations on how to have a</description><link>http://www.secuobs.com/revue/news/312624.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312624.shtml</guid></item>
<item><title>Possible PlayStation Network Attack Vectors</title><description>Secuobs.com : 2011-05-13 16:18:35 - ZeroDay Labs blog - Over the last few weeks there's been a lot of commentary around the breach of Sony's PlayStation Network. Sadly, there has been no good discussion of how PSN was breached. What this breach means for Sony is largely defined by how it happened. Before we get to that though let's go over a quick timeline</description><link>http://www.secuobs.com/revue/news/304618.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/304618.shtml</guid></item>
<item><title>Buffer Overflows in SCADA ActiveX Controls Put Critical Infrastructure at Risk</title><description>Secuobs.com : 2011-05-12 21:13:55 - ZeroDay Labs blog - Following the industrial control system attack of Iran's nuclear facilities dubbed Stuxnet, vulnerability researchers have intensified their scrutiny of the software that runs these industrial systems, known as SCADA systems. The results are unsettling. Given the danger of vulnerabilities in the software that controls power and water systems and industrial plants you would expect vulnerabilities</description><link>http://www.secuobs.com/revue/news/304404.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/304404.shtml</guid></item>
<item><title>State of Software Security, Volume 3</title><description>Secuobs.com : 2011-04-19 15:19:35 - ZeroDay Labs blog - It's here! Data junkies rejoice! Today we're proud to release the third volume of our semi-annual State of Software Security report. This edition incorporates data from 4,835 applications analyzed via our cloud-based platform over the past 18 months. After lots of number crunching and a fair amount of head scratching, we've unearthed some intriguing findings</description><link>http://www.secuobs.com/revue/news/299388.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/299388.shtml</guid></item>
<item><title>Mobile App Privacy Continued</title><description>Secuobs.com : 2011-04-08 21:05:16 - ZeroDay Labs blog - The blog post we made earlier this week entitled, Mobile Apps Invading Your Privacy, gives detail around the information being requested by the advertisement libraries embedded inside a popular online radio application. There have been a number of great posts and comments that got us thinking more about the issues and the types of data</description><link>http://www.secuobs.com/revue/news/297181.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/297181.shtml</guid></item>
<item><title>Mobile Apps Invading Your Privacy</title><description>Secuobs.com : 2011-04-06 04:28:22 - ZeroDay Labs blog - Background: An article in the Wall Street Journal, dated April 5, 2011, disclosed that Federal prosecutors in New Jersey are investigating numerous smart phone application manufacturers for allegedly, illegally obtaining and distributing personal private information to third party advertisement groups. The allegations state that mobile applications are gathering data such as GPS location, device identifiers,</description><link>http://www.secuobs.com/revue/news/296525.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/296525.shtml</guid></item>
<item><title>Please Jump Off the APT Bandwagon</title><description>Secuobs.com : 2011-03-25 16:48:10 - ZeroDay Labs blog - One of the comments I heard repeatedly at the RSA Conference was that many vendors on the expo floor were jumping on the Advanced Persistent Threat (APT) bandwagon, handwaving wildly and claiming disingenuously that their product - or "solution" to be even more self-aggrandizing - would protect against APTs. That, combined with the RSA SecurID</description><link>http://www.secuobs.com/revue/news/294199.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/294199.shtml</guid></item>
<item><title>Identifying the Mobile Security Stack</title><description>Secuobs.com : 2011-03-24 22:32:32 - ZeroDay Labs blog - Increasing smartphone adoption rates coupled with the rapid growth in smartphone application counts have created a scenario where private and sensitive information is being pushed to the new device perimeter at an alarming rate. The smartphone mobile device is quickly becoming ubiquitous. It is not inconceivable to predict, in the near future, a world where</description><link>http://www.secuobs.com/revue/news/294024.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/294024.shtml</guid></item>
<item><title>A Financial Model for Application Security Debt</title><description>Secuobs.com : 2011-03-04 22:28:05 - ZeroDay Labs blog - Last week I described the concept of application security debt and application interest rates. I promised that I would follow-up with a financial model that could translate these concepts in to real money. Recap: Here's a quick recap of the initial concept. Security debt is similar to technical debt. Both debts are design and implementation</description><link>http://www.secuobs.com/revue/news/289540.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/289540.shtml</guid></item>
<item><title>2011 Becomes the Year of Mobile Malware</title><description>Secuobs.com : 2011-03-02 19:41:49 - ZeroDay Labs blog - Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened. 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place: Little to no vetting of apps for malicious behavior before being made available from</description><link>http://www.secuobs.com/revue/news/288902.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/288902.shtml</guid></item>
<item><title>Application Security Debt and Application Interest Rates</title><description>Secuobs.com : 2011-02-25 22:00:01 - ZeroDay Labs blog - Technical Debt: Architects and developers are well aware of the term technical debt but many in the security community have never heard of this concept. Ward Cunningham, a programmer who developed the first wiki program, describes it like this: Shipping first time code is like going into debt. A little debt speeds development so long</description><link>http://www.secuobs.com/revue/news/287810.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/287810.shtml</guid></item>
<item><title>How Code Rot Can Lead to Vulnerabilities</title><description>Secuobs.com : 2011-02-23 05:25:55 - ZeroDay Labs blog - As a web developer you're always told you need to keep up to date on the latest and greatest technologies. Usually this is for creating applications which can take advantage of new technologies to deliver a better experience to your users. However, I think there is another angle to this, in particular: Code Rot. Code</description><link>http://www.secuobs.com/revue/news/287072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/287072.shtml</guid></item>
<item><title>2011 Security Blogger Awards</title><description>Secuobs.com : 2011-02-23 01:09:00 - ZeroDay Labs blog - The 3rd Annual Social Security Blogger Awards were announced last week during the RSA Conference in San Francisco. Veracode received two awards, one for Best Corporate Blog and the other for Best Security Blog Post of the Year. Here is a list of all the nominees and the award winners. It's always an honor to</description><link>http://www.secuobs.com/revue/news/287012.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/287012.shtml</guid></item>
<item><title>Free XSS Scanning for the Masses</title><description>Secuobs.com : 2011-01-31 18:53:14 - ZeroDay Labs blog - We're very excited here at Veracode to announce the availability of our new FREE service to detect cross-site scripting (XSS) in your web application. This is a significant milestone for our company and for the security industry, and we encourage everyone from small ISVs to major enterprises to give us a try. Hopefully this will</description><link>http://www.secuobs.com/revue/news/281905.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281905.shtml</guid></item>
<item><title>Veracode Recognized as a Leader in the Magic Quadrant for Static Application Security Testing</title><description>Secuobs.com : 2010-12-15 15:58:38 - ZeroDay Labs blog - The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leaders position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the</description><link>http://www.secuobs.com/revue/news/271947.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271947.shtml</guid></item>
<item><title>Mobile App Top 10 List</title><description>Secuobs.com : 2010-12-13 23:08:43 - ZeroDay Labs blog - The Top 10 Mobile Application Risks, or "Mobile App Top 10" for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent. Modern mobile applications run on mobile devices that have the functionality of a desktop or</description><link>http://www.secuobs.com/revue/news/271400.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/271400.shtml</guid></item>
<item><title>Veracode Research Team Gives 5 Predictions for 2011</title><description>Secuobs.com : 2010-12-08 15:19:23 - ZeroDay Labs blog - As we close out a security eventful 2010, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe will have a very good chance of coming true. 1. Sandboxing goes mainstream with adoption by Firefox and</description><link>http://www.secuobs.com/revue/news/270222.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270222.shtml</guid></item>
<item><title>Whitepaper: A Dose of Reality on Automated Static-Dynamic Hybrid Analysis</title><description>Secuobs.com : 2010-12-07 22:05:27 - ZeroDay Labs blog - As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. In the realm of automated</description><link>http://www.secuobs.com/revue/news/270055.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/270055.shtml</guid></item>
<item><title>How to Become an Information Security Thought Leader</title><description>Secuobs.com : 2010-12-03 22:23:28 - ZeroDay Labs blog - I created this video for an internal Veracode video contest. It's intended to poke fun at the abundance of "thought leaders" we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it's meant</description><link>http://www.secuobs.com/revue/news/269278.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/269278.shtml</guid></item>
<item><title>Squashing Ants: The Dynamics of XSS Remediation</title><description>Secuobs.com : 2010-09-27 19:38:11 - ZeroDay Labs blog - Is anyone else getting tired of hearing excuses from customers - and worse yet, the security community itself - about how hard it is to fix cross-site scripting (XSS) vulnerabilities? Oh, come on. Fixing XSS is like squashing ants, but some would have you believe it's more like slaying dragons. I haven't</description><link>http://www.secuobs.com/revue/news/252084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/252084.shtml</guid></item>
<item><title>More Vulnerabilities Discovered in Siemens Software</title><description>Secuobs.com : 2010-09-27 17:58:12 - ZeroDay Labs blog - When the Stuxnet worm that attacks Siemens SIMATIC systems was first discovered and made public, one of the first vulnerabilities in the software that was found was a hard coded password. This allowed Stuxnet to steal project information from databases used by Siemens SIMATIC systems. Symantec researchers have found another vulnerability which allows</description><link>http://www.secuobs.com/revue/news/252035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/252035.shtml</guid></item>
<item><title>The Sept 12, 2001 hearing "How Secure is Our Critical Infrastructure" that was sparsely attended</title><description>Secuobs.com : 2010-09-23 00:34:35 - ZeroDay Labs blog - A little over a week ago it was the 10th anniversary of the 9-11 attack against the US. The following day, September 12th, 2001, I was scheduled to testify before the US Senate Committee on Governmental Affairs for a hearing titled, "How Secure is Our Critical Infrastructure". The hearing went on but no</description><link>http://www.secuobs.com/revue/news/250836.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/250836.shtml</guid></item>
<item><title>Deadly combo: zero day application vulnerability + OS vulnerability = attacker win</title><description>Secuobs.com : 2010-07-22 17:56:25 - ZeroDay Labs blog - The recent Siemens WinCC SCADA targeted malware packages a zero day application vulnerability with a zero day OS vulnerability. The OS vulnerability in Windows creates a worm capability to get to the target and once on the target the application vulnerability allows compromise of the application's data. The vulnerabilities are used in stages: Stage</description><link>http://www.secuobs.com/revue/news/242895.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/242895.shtml</guid></item>
<item><title>Website Vulnerability Research and Disclosure</title><description>Secuobs.com : 2010-06-14 23:38:24 - ZeroDay Labs blog - Vulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&amp;T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions</description><link>http://www.secuobs.com/revue/news/231429.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/231429.shtml</guid></item>
<item><title>Which tastes better for security, Java or .NET?</title><description>Secuobs.com : 2010-06-01 21:24:47 - ZeroDay Labs blog - In his blog, Gartner analyst Neil MacDonald asks the question, "Is .NET More Secure Than Java?" Veracode provided data to help answer this question from our "State of Software Security Report" which contains the static analysis results from 1591 Java, .NET and C/C++ applications. .NET comes out slightly ahead a vulnerability density (average flaws</description><link>http://www.secuobs.com/revue/news/227608.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/227608.shtml</guid></item>
<item><title>HTML5 Security in a Nutshell</title><description>Secuobs.com : 2010-05-18 01:13:27 - ZeroDay Labs blog - Lots of people have been asking us for opinions on HTML5 security lately. Chris and I discussed the potential attack vectors with the Veracode research team, most notably Brandon Creighton and Isaac Dawson. Here's some of what we came up with. Keep in mind that the HTML5 spec and implementations are still</description><link>http://www.secuobs.com/revue/news/222968.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/222968.shtml</guid></item>
</channel>
</rss>
 
