Thursday, February 08, 2007

Automated Detection for Patterns of Insecurities

While there are plenty of pros and cons to weigh when it comes to automated source code scanning, Fortify's pricey automated source code analysis tool has the potential to prevent the most common vulnerabilities while the software is still in the development phase. Recently, they've added 34 new categories of vulnerabilities to their product:

"Thanks to this effort, Fortify Software continues to lead the industry by identifying over 150 categories of vulnerabilities in software.

The updated Secure Coding Rulepacks include:

- Increased breadth: 34 new distinct vulnerability categories.
- Enhanced support for .NET: 24 new vulnerability categories and coverage for five new third-party libraries, including the Microsoft Enterprise Library.
- Expanded JSP support: Coverage for popular tag libraries, including JSTL and Apache Struts, for enhanced protection from cross-site scripting and SQL injection attacks.
- Detection of persistent Cross-Site Scripting vulnerabilities: Fortify SCA now detects one of the most common and difficult to identify forms of cross-site scripting, which occurs when malicious data from an attacker is stored in a database and later included in dynamic content sent to a victim."
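The persistent XSS pattern named in the last bullet is what makes stored data hard for a scanner: the untrusted write and the unescaped read sit in different request handlers, so a per-request taint flow never sees them joined. The following is an added example, not Fortify's code and not part of the original post: a toy two-pass taint tracker in Python over a constructed mini intermediate representation. Pass one records which database columns ever receive tainted data (iterated to a fixpoint, since one handler may copy a tainted column into another); pass two treats reads of those columns as tainted and reports any that reach an output sink without passing through an HTML-escaping call. All statement forms, handler names, column names and the `out.println` sink label are assumptions constructed for the example.

```python
"""Toy whole-program taint tracker for persistent (stored) XSS.

Constructed mini-IR: each request handler is a list of statements.
  ("assign", var, ("source", label))      # untrusted input, e.g. a request parameter
  ("assign", var, ("literal", text))      # trusted constant string
  ("assign", var, ("var", other))         # copy
  ("assign", var, ("concat", v1, v2))     # string building from two variables
  ("assign", var, ("sanitize", other))    # HTML-escaping call, clears taint
  ("assign", var, ("db_read", column))    # SELECT column FROM ...
  ("db_write", column, var)               # INSERT/UPDATE column with var
  ("sink", label, var)                    # writes var into the HTTP response
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Finding:
    handler: str   # handler in which the tainted value reaches the sink
    sink: str      # sink label
    path: List[str]  # provenance steps from source/column to sink


def _run(handler: str, stmts: list, tainted_cols: Set[str],
         findings: Optional[List[Finding]]) -> None:
    """Interpret one handler abstractly. taint maps var -> provenance path.
    When findings is None we only collect tainted columns (pass 1)."""
    taint: Dict[str, List[str]] = {}
    for st in stmts:
        kind = st[0]
        if kind == "assign":
            var, expr = st[1], st[2]
            op = expr[0]
            if op == "source":
                taint[var] = [f"source {expr[1]}"]
            elif op == "var" and expr[1] in taint:
                taint[var] = taint[expr[1]] + [f"copy to {var}"]
            elif op == "concat":
                paths = [taint[v] for v in expr[1:] if v in taint]
                if paths:
                    taint[var] = paths[0] + [f"concat into {var}"]
                else:
                    taint.pop(var, None)
            elif op == "db_read" and expr[1] in tainted_cols:
                taint[var] = [f"db read {expr[1]} (tainted by another handler)"]
            else:
                # literal, sanitize, untainted copy, or read of a clean column
                taint.pop(var, None)
        elif kind == "db_write":
            col, var = st[1], st[2]
            if var in taint:
                tainted_cols.add(col)
        elif kind == "sink":
            label, var = st[1], st[2]
            if findings is not None and var in taint:
                findings.append(Finding(handler, label, taint[var] + [f"sink {label}"]))


def analyze(program: Dict[str, list]) -> List[Finding]:
    """Pass 1: fixpoint over all handlers to learn which columns are tainted.
    Pass 2: re-run every handler and report tainted values reaching sinks."""
    tainted_cols: Set[str] = set()
    while True:
        before = len(tainted_cols)
        for name, stmts in program.items():
            _run(name, stmts, tainted_cols, findings=None)
        if len(tainted_cols) == before:
            break
    findings: List[Finding] = []
    for name, stmts in program.items():
        _run(name, stmts, tainted_cols, findings)
    return findings


# Constructed sample: a comment feature where the posted body is archived
# into a second table before being rendered, so the store and the load are
# two handlers apart from the final output.
VULNERABLE = {
    "postComment": [
        ("assign", "body", ("source", "request.getParameter('body')")),
        ("db_write", "comments.body", "body"),
    ],
    "archiveComments": [
        ("assign", "old", ("db_read", "comments.body")),
        ("db_write", "archive.body", "old"),
    ],
    "showArchive": [
        ("assign", "row", ("db_read", "archive.body")),
        ("assign", "tag", ("literal", "<li>")),
        ("assign", "html", ("concat", "tag", "row")),
        ("sink", "out.println", "html"),
    ],
}

# Hardened variant: the value is HTML-escaped at output time, before concatenation.
HARDENED = {
    **VULNERABLE,
    "showArchive": [
        ("assign", "row", ("db_read", "archive.body")),
        ("assign", "safe", ("sanitize", "row")),
        ("assign", "tag", ("literal", "<li>")),
        ("assign", "html", ("concat", "tag", "safe")),
        ("sink", "out.println", "html"),
    ],
}

if __name__ == "__main__":
    for label, prog in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        for f in analyze(prog):
            print(label, f.handler, f.sink, " -> ".join(f.path))
```

Escaping is applied at the output sink rather than before the database write on purpose: data stored once may be rendered in several contexts, and encoding at storage time leaves every other reader unprotected.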

But how come small to mid-size application vendors aren't really considering the use of such automated scanning tools? Over-confidence and trust in their developers' abilities? Not at all. The problem is the lack of incentives for them to do so, but what they're missing is a flow of soft dollars -- a PR boost -- if they were to communicate the efforts undertaken to ship their products audited and, hopefully, free of brain-damaging bugs.

With respect to the relatively immature market segment for software auditing, Fortify is perfectly positioned to start fuzzing applications for their customers as well, enjoying its near-pioneer advantage. Or even better, perhaps their customers should consider the concept for themselves. All the rest is the endless full disclosure debate, researchers pushing for accountability, and vendors -- legally -- thinking they're at war with them, fighting back however they can. You may also find a related post on the prevalence of XSS vulnerabilities by Michael Sutton informative, and the following posts worth the read as well.

The bottom line question - Can Source Code Auditing Software Identify Common Vulnerabilities? It sure can, but never let a scanner do a developer's job or outsource secure coding practices to a third party.

Tuesday, February 06, 2007

Interactivity by Default

Proud to be operating in a Web 2.0 world, I'm continuing to integrate features to make reading this blog more interactive, less time consuming, and much easier to navigate. After del.icio.us and TalkR, here comes Snap:

"Snap Preview Anywhere enables anyone visiting your site to get a glimpse of what other sites you're linking to, without having to leave your site. By rolling over any link, the user gets a visual preview of the site without having to go there, thus eliminating wasted "trips" to linked sites."

Enjoy!

Friday, February 02, 2007

Attack of the Biting UAVs

Remotely controlled unmanned aerial vehicles have been shifting in use from defensive (reconnaissance) to offensive (weapons payload) roles for the last several years. Working prototypes in the shadows of secrecy, reaching yet another long-range flight milestone, are setting up the foundations for a different kind of warfare. And while the concept has the potential of saving lives, and of course taking some while protecting the pilot, it will take several more years before fleets of drones are fully capable of delivering their benefits in the NCW field.

Here's an in-depth article on the evolution of UAVs to UCAVs:

"Robotic air vehicles are beginning to replace some of the Air Force’s manned combat aircraft. Soon, they will be handling a major share of the service’s strike mission. The first steps in this transition already have been taken in the field of fighter-class aircraft. Classified projects now in development seem sure to cut into the manned medium and heavy bomber roles, as well. The Predator MQ-1 is leading this transition. A familiar feature of Air Force combat operations for more than a dozen years, the spindly Predator has evolved dramatically. It is no longer simply a loitering “eye in the sky” but rather a versatile weapon system capable of destroying a couple of ground targets on its own or in collaboration with other aircraft. It is in great demand, and the Air Force is acquiring Predators as fast as it can absorb them. Now in early production is a souped-up version of the Predator, the MQ-9 Reaper. Its combat payload—missiles and bombs carried on underwing hardpoints—roughly equals that of an F-16 fighter. In the Reaper, the Air Force has found a craft that truly combines the powers of a potent strike fighter with the capabilities of a reconnaissance drone."

You may also be curious, as I am, about why the U.S. Department of Agriculture is interested in buying some -- perhaps a sci-fi insect invasion. What would the next logical evolution of UCAVs be? UCAVs capable of electronic warfare attacks, and with their flight endurance and flexibility of operation, the idea will receive more acceptance as the technology matures. There's also something else to keep in mind, and that's the interest and active research of various terrorist organizations in UAVs. And while they wouldn't sacrifice $7M for a drone, or even be able to get hold of one -- unless Iran supplies it -- cheap alternatives such as the Spy X plane are already being considered, at least for reconnaissance purposes. Yes they're cheap, and yes they're easy to jam, you can even hear them coming, but the trend is worth mentioning.

Thursday, February 01, 2007

The TalkRization of My Blog

The service is quite intuitive for a free one, and I must say I never actually found the time to run a podcast of my own, so TalkR seems like the perfect choice for those of you -- including me -- who want to listen to my blog posts. Here's the TalkR feed URL for you to syndicate, and several samples:

- Social Engineering and Malware
- The Life of a Security Threat
- Russia's Lawful Interception of Internet Communications
- Foreign Intelligence Services and U.S Technology Espionage
- Technical Analysis of the Skype Trojan
- Old Media VS New Media

By the way, when was the last time you met a girl who speaks stuff like this?

Old Media VS New Media

The never-ending war of corporate interests between the old and the new media seems to be re-emerging on a weekly basis. Obviously, newspapers don't really like Google picking up their content and making money without giving them any commissions -- it doesn't even have to -- and with more shortsighted local newspaper unions asking Google and Yahoo! to stop doing so, I'm so looking forward to the moment in the near future when we'll be discussing their wish to get crawled again. You fear what you don't understand, and the old media doesn't like the way it got re-intermediated, thus losing its overhyped exclusiveness in content generation. In a Web 2.0 world everyone generates content, which later on gets mixed, re-mixed, syndicated and aggregated; what if newspapers really tried to adapt instead of denying the future? And isn't it ironic that the newspapers that want to be removed from any search engine's index are later on using these search engines while investigating their stories?

Here's a lengthy comment I recently made on the old media vs the new one.

PR Storm

Great to see that Mike Rothman and Bill Brenner know how to read between the lines. Here's a related point of view on the Storm Worm - Why do users still receive attachments they are not supposed to click on?

Meanwhile, Eric Lubow (Guardian Digital, Linuxsecurity.com) has recently joined the security blogosphere and I'll be keeping an eye on his blog for sure -- hope it's mutual. Two more rather fresh blogs worth reading are ITsecurity.com's -- how's it going Kev -- and Panda Software's blog. And with PandaLabs now blogging, the number of anti-virus vendors without a blog, that is, still living in the press release world, is getting smaller. I remember the last time I was responsible for writing press releases for a vendor I'd rather not associate myself with, and how Web 1.0 the whole practice was. If you really want to evolve from branding to communicating value, hire a blogger who will practise corporate citizenship given that he's commissioned, and reboot your PR channels.