There's a very interesting vulnerability in Java kicking around. I wrote about
In brief, you can send Java (and some versions of PHP) into an infinite loop if
you can provide some malicious input that will be parsed as a
I like your point Matt. Everybody who's responded thus-far has wanted to
turn this into a discussion about what's most effective or what has the most
benefit, sort of like we were comparing which icky medicine to take or which
overcooked vegetable to eat. Maybe they don't get any pleasure from
At no time did it include corporations who use Ounce Labs or Coverity
Bzzzt. False. While there are plenty of Fortify customers represented in
BSIMM, there are also plenty of participants who aren't Fortify customers.
I don't think there are any hard numbers on market share in this realm, but
We keep a big catalog here:
On 5/6/09 10:41 AM, Brad Andrews andr...@rbacomm.com wrote:
Does anyone know of a source of insecure Java snippets? I would like
to get some for a monthly meeting of leading technical people. My
idea was to have a find
Ben! Thank you! When you talk about sample size, it gives me hope that
we¹re on the right track. We can either:
1) Use ideas that ³experts² theorize will work
2) Gather empirical evidence to judge one idea against another.
We in the security crowd often try to hide behind the need for
In the one sense, we are talking about validating user input, which
mostly needs to concern itself with adhering to business requirements.
This meaning is not very important for security, but the other one,
validating data before something is done with it, is.
Yes, two forms of validation are
Thanks Ken. For me this has been an incredibly eye-opening project.
It can be hard for people to distinguish between ideas that merely
look good on paper and ideas that are actually in widespread use.
Once we’ve cleaned up the data and gotten approval from the
, University of California (Davis) - USA
Brian Chess, Fortify Software - USA
Richard Clayton, Cambridge University - UK
Christian Collberg, University of Arizona - USA
Bart De Win, Katholieke Universiteit Leuven - BE
Juergen Doser, ETH - CH
Eduardo Fernandez-Medina, University of Castilla-La Mancha - ES
- So when a vendor says that they are focused on quality and not
security, and vice versa what exactly does this mean?
We spend most of Chapter 2 of Secure Programming with Static Analysis
describing the different problems that static analysis tools try to solve,
and we show where we think all
Jacob West and I are proud to announce that our book, Secure Programming
with Static Analysis, is now available.
The book covers a lot of ground.
* It explains why static source code analysis is a critical part of a secure
Frederik De Keukelaere [EMAIL PROTECTED] writes:
Would you mind sharing the different data formats you came across for
exchanging data in mashups/Web 2.0? Considering the challenges you
recently discovered, it might be good to have such an overview to look at
it from a security point of view.
You're right that IE does not have the setter methods. You're also right
that hijacking the Object() or Array() constructor method would be enough to
pull off the attack. The bad (good?) news is that IE doesn't call those
methods unless an object is explicitly created with the new
Paola [EMAIL PROTECTED]
Date: Mon, 02 Apr 2007 11:11:24 +0200
To: firstname.lastname@example.org email@example.com
Cc: Brian Chess [EMAIL PROTECTED]
i don't know if you read it but me and Giorgio Fedon presented a paper
named Subverting Ajax at 23rd
I've been getting questions about Ajax/Web 2.0 for a few years now. Most of
the time the first question is along these lines: Does Ajax cause any new
security problems? Until recently, my answer has been right in line with
the answers I've heard from other corners of the world: No.
Hello all, I'm pleased to announce that we've just launched the Java Open
Review Project (http://opensource.fortifysoftware.com). We're reviewing
open source Java code all the way from Tomcat down to PetStore looking for
bugs and security vulnerabilities. We're using two static analysis tools to
Hi Jerry, as one of the creators of the tool you evaluated, I have to admit
I have the urge to comment on your message one line at a time and explain
each way in which the presentation you attended did not adequately explain
what Fortify does or how we do it. But I don't think the rest of the
Title: RE: Comparing Scanning Tools
McGovern, James F wrote:
I have yet to find a large enterprise that has made a significant investment in such tools.
Ill give you pointers to two. Theyre two of the three largest software companies in the world.
Jeff Williams [EMAIL PROTECTED] wrote:
I think there's a lot more that static analysis can do than what you're
describing. They're not (necessarily) just fancy pattern matchers.
Jeff, you raise a important point. Getting good value out of static
analysis requires a second component in
John, I think this has to do with what you want to achieve when you explore
A static analysis tool is a fancy sort of pattern matcher. If the kinds of
patterns you're interested in aren't that fancy, (does the program use
function X()?; what is the class hierarchy?) then a fancy pattern
I spent Phase One of both my academic and professional careers
working on hardware fault models and design for testability.
In fact, the first static analysis tool I wrote was for hardware:
it analyzed Verilog looking for design mistakes that would make
it difficult or impossible to perform design
Mail list logo