SEARCH RESULTS
 
Showing 1-10 of 48 records

PrincipalPermissionAttribute and Static ctor Leads to DoS

2007-12-03 09:03:00 by Keith Brown in Security Briefs
 
...static constructor (or, even worse, if it may get one in the future), realize that this attribute applies to the static constructor as well! Why is this a problem? Well, if a static constructor throws an exception, the class is latched into a mode where each future attempt to call the static constructor leads to the previous exception being...
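The failure mode the snippet describes, as an added example that is not code from Keith Brown's article: a class carrying a declarative PrincipalPermission demand whose static constructor is first triggered by a caller outside the required role. The class AdminOnlyService, the role names and the GenericPrincipal identities are constructed for the illustration, and it assumes the .NET Framework, since PrincipalPermissionAttribute is not supported on .NET Core / .NET 5+.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Hypothetical service, constructed for this illustration (.NET Framework).
// The declarative demand sits on the class, so it is checked on entry to
// every member, including the static constructor (.cctor).
[PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
public class AdminOnlyService
{
    public static readonly string Config;

    static AdminOnlyService()
    {
        // Whatever this does, the CLR gives it exactly one chance to run.
        Config = "loaded";
    }

    public static string Describe()
    {
        return "config=" + Config;
    }
}

public static class Demo
{
    // Swap the thread principal so the demand sees a caller in the given role
    // (constructed identities; a real app would get these from its host).
    static void Impersonate(string name, string role)
    {
        Thread.CurrentPrincipal =
            new GenericPrincipal(new GenericIdentity(name), new[] { role });
    }

    public static void Main()
    {
        // 1. A non-admin is the first to touch the type. RunClassConstructor
        //    forces the .cctor; its Demand fails with SecurityException, which
        //    the CLR wraps in TypeInitializationException and records as the
        //    type's permanent initialization failure for this AppDomain.
        Impersonate("alice", "User");
        try
        {
            RuntimeHelpers.RunClassConstructor(typeof(AdminOnlyService).TypeHandle);
        }
        catch (TypeInitializationException ex)
        {
            Console.WriteLine("alice: " + ex.GetType().Name +
                              ", inner=" + ex.InnerException?.GetType().Name);
        }

        // 2. A genuine admin now calls in. The demand on Describe() passes,
        //    but the type initializer is latched as failed, so the cached
        //    exception is rethrown. The class is unusable for every caller
        //    until the process (or AppDomain) restarts: that is the DoS.
        Impersonate("bob", "Admin");
        try
        {
            Console.WriteLine("bob: " + AdminOnlyService.Describe());
        }
        catch (TypeInitializationException ex)
        {
            Console.WriteLine("bob: " + ex.GetType().Name +
                              ", inner=" + ex.InnerException?.GetType().Name);
        }
    }
}
```

The practical mitigation follows from the mechanism: put the demand on the individual members that need it rather than on the class, and keep static constructors on demand-protected types trivial or absent, so that no caller's identity can decide whether the type ever initializes.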

Software Security Metrics and Commentary on "Metrics Framework" Paper

2007-09-17 20:41:00 by Security Retentive in Security Retentive
 
...Static Analysis; Insecure Storage, PercentServersNoDiskEncryption, Runtime, Manual review; Application Denial of Service, Runtime, Pen Testing; Insecure Configuration Management, Service Accounts with Weak Passwords, Runtime, Manual review. I think unfortunately that this set of metrics misses the mark a little bit. I question whether pen testing for...

Banning function calls, assurance, and retrofitting

2008-03-18 19:48:00 by Security Retentive in Security Retentive
 
...static analyzer I'm using. As it turns out there is a fine line to be drawn between what you consider best practices, what a static analyzer can find, how much context the static analyzer has, and how much manual review you really want to put up with. Let me give a specific example. Coverity's Prevent analyzer has a number of built-in...

FUD About Ruby on Rails?

2007-08-31 08:45:00 by Security Retentive in Security Retentive
 
...static analysis tools cover Ruby. I'll address both of these. I have yet to come across a single Java application that actually uses Java's security manager to specify security controls, access rights, etc. While there are certainly the hooks to do so, and some tools like Netegrity, Sun Access Mgr, etc. will allow you to override Java's...

Show 010 - A Panel Discussion with Fortify Software's Technical Advisory Board

2007-01-22 19:59:59 by rmacmich in The Silver Bullet Security Podcast

...static analysis tools, and software security pedagogy. Participating members of the Technical Advisory Board include Bill Pugh, Professor at University of Maryland, static analysis for finding bugs; Li Gong, GM at Microsoft, MSN in China; Marcus Ranum, CSO of Tenable Network Security, security products trainer; Avi Rubin, Professor at Johns...

Securing Network Location Awareness with Authenticated DHCP

2008-03-19 12:47:02 by Steven J. Murdoch in Light Blue Touchpaper
 
...static. This results in laptop computers being configured with fairly open policies, in order to facilitate applications appropriate for a trustworthy office LAN (e.g. file and printer sharing, collaboration applications, and custom servers). When the computer is taken home or roaming, this policy leaves an excessively large attack surface...

How Secure is Secure?

2008-05-08 16:46:00 by sdl in The Security Development Lifecycle
 
...static (meaning the threats don't change much over time). Computer security is still evolving, with new classes of attacks still being discovered, and while hackers understand how to exploit known types of vulnerabilities, software developers are still catching up in learning how to modify engineering practices to be resilient against both new...

More on Application Security Metrics

2008-05-08 20:05:00 by Security Retentive in Security Retentive
 
...static analysis tool but now you are, it's hard to correlate the results to previous versions of the software. Eric says Microsoft has been releasing security bulletins since 1999. Based on some informal analysis that members of our organization have done, we believe well over 50% of *all* security bulletins have resulted from implementation...

Zango's in your Face(book)

2008-01-03 21:23:00 by Russ McRee in HolisticInfoSec.org
 
...static.zangocash.com/Setup/46/Zango/Setup.exe, through the analysis mill, and I think the evidence speaks for itself. IMPORTANT NOTE FOR YOUR CONSIDERATION: All of the following occurs BEFORE you accept the EULA. IPs called: 66.150.14.74 (Zango), 66.150.14.65 (Zango), 66.150.14.61 (Zango), 64.94.137.72 (Zango). URLs...