Archive for the ‘Featured’ Category

  • Saving you from Heartbleed

    on Apr 16, 14 • by Roy Sarkar • with No Comments

    Last week we talked about the flaw in OpenSSL known as “Heartbleed” and its massive impact on websites and users around the world. We also mentioned how open-source scanning and support tools, such as OpenLogic, report this flaw. Today, we look at how Klocwork handles the issue. Out of the box: the root cause of the Heartbleed issue is that a request to retrieve server memory for OpenSSL’s heartbeat function isn’t validated, resulting in an array access through memcpy() potentially accessing data beyond the length of the array (and into memory that could contain sensitive

  • Heartbleed: The latest on the OpenSSL bug

    on Apr 9, 14 • by Roy Sarkar • with 4 Comments

    [Update - read this post to see how Klocwork finds the bug] By now, you’ve heard about the OpenSSL flaw that’s capturing the attention of anyone in the world that’s remotely connected with security. Known as “Heartbleed”, this vulnerability allows any enterprising individual to access memory within systems protected by certain versions of the OpenSSL cryptographic library. By accessing memory without authorization, data that you and your end-users care about, such as usernames, passwords, and credit card numbers, are potentially exposed. Given that Netcraft reports that nearly 66% of websites around the world use some

  • Mobile app usage is on the rise in businesses, creating demand for better software security

    on Mar 31, 14 • by Chris Bubinas • with No Comments

    The number of business app installations is skyrocketing. But mobile apps still face substantial software security hurdles, creating an opening for developers who are willing to take the extra steps to build secure apps

  • Managing risks in today’s open source software

    on Mar 28, 14 • by Chris Bubinas • with 1 Comment

    The range of open source options available means that software development is increasingly a process of combining disparate pieces. And that process can involve risk from a software security standpoint, as developers may not always be aware of who is responsible for building the components they're using

  • How many zero-days are active in the wild?

    on Mar 7, 14 • by Chris Bubinas • with No Comments

    Zero-day vulnerabilities have become not only a major threat in the software security world but also a major industry, with many selling for large sums on the black market and entire firms emerging that are dedicated solely to finding and profiting from exploits in the gray market

  • Rather than fail, “goto” success

    on Feb 26, 14 • by Roy Sarkar • with No Comments

    You’ve probably heard about Apple’s goto fail vulnerability (if you haven’t, read our summary about it or this deep dive into the problem by Google researcher Adam Langley). The short story is, within a sequence of if statements, two goto fail; statements were placed one after the other like this:

        if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
            goto fail;
        if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
            goto fail;
            goto fail;
        if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
            goto fail;

    This code is located deep inside the SSL/TLS security layer for both iOS and MacOS and
