Collaborate Disseminate
Want to know what’s in an open source software component before you use it? Microsoft Application Inspector will tell you what it does and spots potentially unwanted features – or backdoors. About Microsoft Application Inspector “At M… Continue reading Microsoft Application Inspector: Check open source components for unwanted features
In our team we are planning to start pro-actively find vulnerabilities in our legacy software products. Previously, we relied on user reports, but that is not a pro-active approach. We don’t have expert penetration testers in… Continue reading Strategies to find software vulnerabilities: what are the categories? [closed]
We explain why you really need to RTFM. Even if TFM is very long and complicated and you are very experienced. Continue reading Serious Security: The decade-ending “Y2K bug” that wasn’t
I depend on PHP CLI for all kinds of personal and (hopefully, soon) professional/mission-critical “business logic”. (This could be any other language and the exact same problem would still stand; I’m just stating what I perso… Continue reading How am I ever going to be able to "vet" 120,000+ lines of Composer PHP code not written by me?
Currently Working on HP Fortify Access Control Database category.
Source:
userId = request.getParameter(Constants.USERID).trim();
Sink:
pstm1.setString(3,userId.trim());
I saw the definition provided by Fortify that is… Continue reading What are things we look to find Access Control Database?
I am in the process of trying to hire an AppSec Engineer to review our source code manually and have only been able to find those using appscan tools for secure code reviews. Is there something in particular I should change or search for t… Continue reading Hiring an AppSec Engineer – What to look for?
I love the idea of integrating Active Directory with Troy Hunt’s Pwned Passwords so that when users or admins try to set already-compromised passwords then they are rejected and it seems that there are two ways to do this:
… Continue reading Security of PwnedPasswordsDLL / PwnedPasswordsDLL-API [on hold]
Mozilla will start using Clever-Commit, an AI coding assistant developed by Ubisoft, to make the Firefox code-writing process more efficient and to prevent the introduction of bugs in the code. How does Clever-Commit work? “By combining data from… Continue reading Mozilla will use AI coding assistant to preemptively catch Firefox bugs
Can we be sure that there are no backdoors if we check the language’s latest source code like Python or PHP? Are the chances of having any backdoor’s in higher languages any less when compared to lower level languages?
I have gone through Ken Thompson’s compiler hack paper; can’t we just go through the compiler’s source code and check for any backdoor, what was the article’s point?
Can we be sure that there are no backdoors if we check the… Continue reading Ken Thompson’s compiler hack