
What’s HOT in Application Security Vol#23

Top security expert notes hackers aiming for cross-platform vulnerabilities

An increasing number of hackers are using cross-platform malware to attack application vulnerabilities on both Microsoft and Apple systems. Hackers tend to favor third-party applications that run on both Macs and Windows, such as Adobe PDF, Adobe Flash and Java, among others.

By attacking the same third-party application vulnerabilities with the same malware, hackers reap the benefits of one piece of malware twice. Microsoft security researcher Methusela Cebrian Ferrer referred to this budget hack as ‘economies of scale in cross-platform vulnerabilities’.

The trend was first spotted a year ago while investigating malware called ‘Backdoor Olyx’, which is typically downloaded by clicking on malicious links and websites. The Trojans are also distributed through email attachments.

For more information please go to:

Notorious hacking group ‘Anonymous’ steal customer data from Australian ISP AAPT

Last week the hacking group ‘Anonymous’ leaked business customer information belonging to AAPT. The published information includes mobile and desk phone numbers as well as bank account details of AAPT clients, potentially exposing enough information to carry out identity theft. Government customers whose details were exposed include many Australian governmental organizations, among them the Australian Federal Police, the Australian Communications and Media Authority and the Department of Health.

The group claimed the hack was a response to a new federal government proposal, before the Parliamentary Joint Committee on Intelligence and Security, to have Australian citizens’ online activity stored for up to two years. ‘Anonymous’ said the hack was intended to show how the proposed legislation could leave the personal web history of Australian citizens vulnerable to a leak.

For more information please go to:

The failure of unauthenticated vulnerability scanning

The time has come to finally admit the failure of black-box scanning of web applications and networks. Automatically deducing a picture of a target’s vulnerabilities simply cannot identify the full scope of application weaknesses open to penetration. Dissecting streams of false positives is time-consuming and very expensive. Furthermore, it is often hard to understand what the scanning tool actually did in order to arrive at its findings. Then there are the endless 3D maps of networks and pie charts.

In many cases no vulnerability probing is carried out at all: the scanner takes, for example, a banner, finds a version string and simply correlates it against its database of publicly declared vulnerabilities. What is produced is the list of publicly declared vulnerabilities for the detected version. As a result, accuracy is very low, with fewer than 10% of all findings representing a real vulnerability risk.

It is unacceptable for automated scanning to be the sole source of vulnerability findings, especially as such systems are far from 100% reliable. Add to that the huge expense of these systems, which their results certainly do not warrant. What is considered safe today may not be tomorrow, and relying on this alone to test critical assets is a mistake.
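The banner-to-version correlation described above, as an added example (not code from the article or from any scanner vendor): a minimal banner-only check in Python against a constructed issue table, beside the same findings after subtracting fixes a distribution is known to have backported without changing the version string. The issue identifiers, fix versions and backport table are all constructed placeholders.

```python
import re

# Constructed example data (not from the article): a version-to-issue table
# such as an unauthenticated scanner might keep. IDs are placeholders, not
# real advisory identifiers.
KNOWN_ISSUES = {
    "httpd": [
        {"id": "ISSUE-A", "fixed_in": (2, 2, 4)},
        {"id": "ISSUE-B", "fixed_in": (2, 2, 9)},
    ]
}

# Constructed: a distribution that backports fixes while keeping the upstream
# version string, so the banner alone under-reports the real patch state.
BACKPORTS = {
    ("httpd", "CentOS"): {"ISSUE-A", "ISSUE-B"},
}

BANNER_RE = re.compile(r"^Apache/(\d+)\.(\d+)\.(\d+)(?:\s+\(([^)]+)\))?")


def parse_banner(banner):
    """Return (version tuple, distro-or-None) from a Server: banner string."""
    m = BANNER_RE.match(banner)
    if not m:
        return None, None
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, m.group(4)


def banner_scan(banner):
    """What a banner-only scan reports: every issue whose fix version is newer
    than the advertised version, with no probing of the service at all."""
    version, _ = parse_banner(banner)
    if version is None:
        return []
    return [i["id"] for i in KNOWN_ISSUES["httpd"] if version < i["fixed_in"]]


def triage(banner):
    """Same findings minus the ones the distro is known to have backported.
    Whatever remains still needs a real probe or an authenticated package
    check before it counts as a confirmed vulnerability."""
    _, distro = parse_banner(banner)
    patched = BACKPORTS.get(("httpd", distro), set())
    return [i for i in banner_scan(banner) if i not in patched]
```

On the constructed data, a CentOS host advertising Apache/2.2.3 is flagged for both issues by the banner-only scan and for none after triage, which is exactly the false-positive stream the text complains about.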

For more information please go to:

Top tips for .NET development

Code comments:

Code comments should really only be used to explain complex algorithms. Too many comments on self-explanatory details just make the code harder to read. Method parameter names should be concise and descriptive. If a method does more than its name can reasonably describe, consider refactoring the method.

Exceptions should be used to indicate technical errors only:

Exceptions in .NET are a valuable asset and, used properly, a great feature. However, they should not be used as a tool for regular program flow. Only when an object fails to perform according to its specification or parameters should an exception be used.

Simplicity always triumphs over complex language:

Keeping code simple and transparent is the simplest way to keep changes easy.

Follow ‘Single Responsibility principle’:

Well-factored code is easier to read, change and debug. Each method should perform only a single action. For instance, a single method should never both compress data and save it to disk. Good practice also includes avoiding branching within methods and avoiding recursive methods.

What is an SQL Injection Attack?

SQL injection attacks are meant, in one way or another, to compromise a database. The data can be usernames, passwords etc. Structured Query Language (SQL) is used by relational database management systems (RDBMS) to manage the data in a database.

By inserting commands that the management system recognizes, hackers can get access to the information they wish to retrieve, bypass logins, modify content on a website, shut down a server or, as in the Yahoo case, simply retrieve sensitive data.

Firstly, opportunistic hackers look for vulnerabilities. In fact, hackers can go directly to Google and type in a query such as inurl:index.php?id= (and others that can be found on various online hacking forums or tutorial sites). Google then returns a list of sites that can be checked one by one for vulnerabilities.

However, good defensive practice can thwart a potential SQL injection attack. Very basic measures such as stored procedures (not followed very well by Yahoo in the latest theft of usernames and passwords), minimizing each user’s database access to what their needs require and no more, prepared statements and many other procedures can, if employed, deter potential attackers.
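An added example, not part of the original article, showing the concatenation flaw beside the prepared-statement fix the paragraph recommends. It uses Python with an in-memory SQLite table rather than .NET (a .NET reader would bind values with SqlParameter in the same way); the user table, the quote-bearing username and the hash values are all constructed.

```python
import sqlite3


def build_db():
    """Constructed in-memory user table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-alice-pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw_hash):
    """Builds the query by string concatenation: the caller's input becomes
    part of the SQL text itself, so a quote in the input changes the query."""
    sql = ("SELECT count(*) FROM users WHERE name = '" + name +
           "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, name, pw_hash):
    """Prepared statement: the query text is fixed and the values are bound
    separately, so quotes and comment markers in the input stay data."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw_hash = ?"
    return conn.execute(sql, (name, pw_hash)).fetchone()[0] > 0


# Constructed input: a username carrying a closing quote and a SQL comment
# marker. Concatenated, it ends the name literal early and comments out the
# password clause; bound as a parameter, it is just a name nobody has.
INJECTED_NAME = "alice' --"


def demo():
    """Returns (vulnerable result, safe result) for the injected username."""
    conn = build_db()
    return (login_vulnerable(conn, INJECTED_NAME, "wrong-hash"),
            login_safe(conn, INJECTED_NAME, "wrong-hash"))
```

The vulnerable path authenticates the injected username with a wrong password while the parameterized path rejects it; both still accept the genuine credentials, so the fix costs nothing functionally.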
