Dean Coclin, DigiCert – Paul’s Security Weekly #569

Dean Coclin is the Senior Director of Business Development at DigiCert. Dean brings more than 30 years of business development and product management experience in software, security, and telecommunications to the company.

Rise of Application Security – Application Security Weekly #00

Paul and Keith host the first show of Application Security Weekly! Today, they discuss the brief history of application security, software, and software security! With application security on the rise, hackers and attackers over time have evolved into …

Predicting 2018: Manufacturers Shift to Hardware Security

The market for cybersecurity is getting more saturated by the hour. Companies and products keep popping out of the woodwork, claiming to provide new flavors of security that Keep You and Your Data Safe! A few of these solutions are good. Most of them a…

New tool can help prevent government-mandated backdoors in software, Swiss researchers say

A new framework from a lab in Switzerland could help prevent malware like Petya from spreading, but would also make it difficult — if not impossible — for governments to force software companies to deliver backdoored software updates in secret. The Petya ransomware, and its wiperware variant NotPetya, spread on the wings of a software update unwittingly issued by Ukrainian accounting software company M.E. Doc. An attacker, who many believe to be agents of the Russian government, owned M.E. Doc’s network and injected malicious code into a legitimate software update. This new proof-of-concept technology, dubbed “Chainiac” by the Decentralized/Distributed Systems (DEDIS) lab at the Swiss Federal Institute of Technology in Lausanne (EPFL), offers a decentralized framework that eliminates such single points of failure and enforces transparency, making it possible for security analysts to continuously review updates for potential vulnerabilities. “What Chainiac is trying to do,” Bryan Ford, leader of the group that […]

The post New tool can help prevent government-mandated backdoors in software, Swiss researchers say appeared first on Cyberscoop.


Bug Hunters Prefer Communication Over Compensation

Results of an NTIA survey published today show that researchers prefer open communication with vendors over financial compensation when it comes to vulnerability disclosure.

Oracle EBusiness Suite ‘Massive’ Attack Surface Assessed

Oracle bug hunter David Litchfield scoured Oracle EBusiness Suite looking for vulnerabilities and shared what he found during a Black Hat talk.

Kaspersky Lab Launches Bug Bounty Program

Kaspersky Lab today at Black Hat USA 2016 announced the launch of a public bug bounty, one of the few offered by a software vendor in the computer security industry.

SWAMP, the Software Assurance Marketplace


I recently took a fresh look at the “SWAMP”, the Software Assurance Marketplace. It is a great idea and a valuable resource. The short and incomplete story is that SWAMP is a suite of software analysis tools integrated into a centralized, cloud-based software testing environment, and it is available to software developers, software tool developers, and researchers for free.

From their website:

“Software is a crucial component of daily living, affecting worldwide economic structures and the services we depend on every day. With the increasing rate of security breaches, it is clear that conventional network security solutions are no longer able to defend our privacy, corporate data, and critical banking information. Today’s applications need to be built more securely at the code level, and that code needs to be tested regularly.

The SWAMP was developed to make it much easier to regularly test the security of these applications and to provide an online laboratory for software assessment tool inventors to build stronger tools. Testing is often complicated and challenging, because comprehensive testing requires the use of several disparate tools with no central means of managing the process. The SWAMP is a no-cost, high-performance, centralized cloud computing platform that includes an array of open-source and commercial software security testing tools, as well as a comprehensive results viewer to simplify vulnerability remediation. A first in the industry, the SWAMP also offers a library of applications with known vulnerabilities, enabling tool developers to improve the effectiveness of their own static and dynamic testing tools. Created to advance the state of cybersecurity, protect critical infrastructures, and improve the resilience of open-source software, the SWAMP integrates security into the software development life cycle and keeps all user activities completely confidential.”

The current test environment is able to test software written in C/C++, Java (including Java on Android), Ruby, and Python, with JavaScript and PHP in development. SWAMP will support eight languages by the end of the year. There are currently sixteen tools in the suite with more being added, and numerous commercial companies are participating, including Veracode, CodeDX, Goanna, GrammaTech, and Parasoft.

The Marketplace team includes some serious academic centers for technology: the Morgridge Institute and the Department of Computer Sciences at U of Wisconsin-Madison, the Pervasive Technology Institute at Indiana University, and the National Center for Supercomputing Applications (NCSA) at U of Illinois Urbana-Champaign. In my conversation with Bart Miller and Miron Livny of SWAMP it was clear that this project was built for practical use in the real world; it is not an academic exercise. This is immensely practical and useful stuff.

There are many more details on their background page, including some impressive tech specs (at least I consider 700 cores, 5 TB of RAM, and 104 TB of HDD impressive).

We are going to try to get folks from SWAMP on the Security Weekly Podcast to discuss the marketplace in depth. Stay tuned for more on that.


Jack

