Application Security This Week for October 20

Here is a good writeup on the overflow error found in libssh2.


Speaking of bugs in old software, here's one in sudo.


Using data analysis to further research into malware sources, with PDB paths. Pretty neat!


And in IoT security news, the Catholic Church's eRosary (no, I'm not kidding) has a number of significant flaws.


That's the news, folks!

Application Security This Week for December 23

SplashData has their 100 worst passwords out again this year. Remember to at least block these passwords in your sign-in and registration flow.
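A minimal version of that check, as an added example that is not part of the original post: a denylist lookup run on registration before the password is ever hashed. The entries below are a constructed sample standing in for the SplashData list (which is not reproduced here); in practice the full list would be loaded from a file. The check also rejects trivial variations such as a denylisted word with digits or punctuation tacked on the end, which is a common way users dodge an exact-match check.

```python
import re

# Constructed sample of weak passwords; stands in for the SplashData
# "worst passwords" list, which would normally be loaded from a file.
SAMPLE_WORST_PASSWORDS = [
    "123456", "password", "123456789", "12345678", "12345",
    "111111", "1234567", "sunshine", "qwerty", "iloveyou",
    "princess", "admin", "welcome", "666666", "abc123",
]

MIN_LENGTH = 8  # assumed site policy, not from the SplashData list


def load_denylist(entries):
    """Normalise entries once so every lookup is case-insensitive."""
    return {e.strip().lower() for e in entries if e.strip()}


DENYLIST = load_denylist(SAMPLE_WORST_PASSWORDS)


def _base_form(candidate: str) -> str:
    # Strip a trailing run of digits/punctuation so "password1!" still
    # matches the denylisted "password".
    return re.sub(r"[\d\W_]+$", "", candidate)


def check_password(candidate: str, denylist=DENYLIST):
    """Return (ok, reason); ok is False when the password must be rejected."""
    normalised = candidate.strip().lower()
    if normalised in denylist:
        return False, "on the worst-passwords list"
    base = _base_form(normalised)
    if base and base in denylist:
        return False, "a trivial variation of a worst-passwords entry"
    if len(normalised) < MIN_LENGTH:
        return False, "too short"
    return True, "accepted"


def register(username: str, password: str):
    """Hypothetical registration handler that gates on check_password."""
    ok, reason = check_password(password)
    if not ok:
        return {"status": "rejected", "reason": reason}
    # A real handler would hash the password with bcrypt/argon2 here;
    # hashing is omitted because the point of the example is the denylist gate.
    return {"status": "created", "user": username}


if __name__ == "__main__":
    for pw in ("Password", "sunshine2019", "abc", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw))
```

The denylist is checked before the length rule so the user is told the real reason a short but listed password was refused; the same function can be reused on password-change and reset flows, which are the other places weak passwords sneak in.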


Really good breakdown of finding hidden files and directories and using them for information gathering on web applications.


Microsoft has come out with Windows Sandbox - might be a good platform for analyzing malware, but the jury is still out.


Gah, a bug in Ghostscript. Lots of attack vectors in the ImageMagick/PostScript space these days; watch yourselves.


And this is why I write up folks that have third-party-hosted JavaScript.


That's the news, folks. Stay safe, and have a good holiday.

Application Security Weekly for July 15

npm is a dumpster fire. Yet another malicious package was discovered that had been automagically pulled into many projects through their dependency trees. In other news, I learned about Snyk, which is a pretty cool tool.


In dev news, the #1 development GUI of all time is being updated.  Notepad!


Apple wrote some code to appease the Chinese government and it was kind of a mess.


Vuln-lab found a neat XSS vulnerability on an AT&T site's profile feature.


Remember when I said "Spectre is not exploitable"?  Yeah, I was wrong.  Again, and again, and again...


A new variation of my favorite WebLogic vuln, CVE-2017-10271.

I wrote the tests for this vulnerability for Nikto.


And that's the news.

Application Security Weekly for April 1

Chinese cell phone manufacturer OnePlus (incidentally my daily carry) plans to bake cryptocurrency mining into the next release of Oxygen on the OnePlus 6, sparking security concerns.


The IETF floated a new analog protocol for internet traffic in an attempt to get some more security in the system.


I don't often talk biotech here, but Razer (the gaming hardware maker) is creating a nanobot-infused energy drink for gamers. I am sure that will go well.


Finally, some good news: plans to add a security parameter to response headers. Should be a good move toward better browser-level decision making.


And that's been your week in application security.

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.



profile for Bill Sempf on Stack Exchange, a network of free, community-driven Q&A sites