Posts by Sarah Vonnegut:


One Vulnerability To Rule Them All: SQL Injection

Apr 07, 2014 By Sarah Vonnegut | They’re simple, highly exploitable, and when done ‘correctly’, can be deadly…or at least incredibly costly for an organization. They’ve been used in hundreds of thousands of attacks and have cost companies and organizations millions – at this point billions – in lost or stolen funds as well as other breach costs.
The nightmare exploit in question? SQL injection (SQLi) attacks. They’re one of the most common vulnerabilities found on the web; attacks are easy to carry out and can be highly valuable: one little piece of injected code and the organization’s entire database could be used to spoof identities, tamper with existing data, allow the complete disclosure – or complete deletion – of all system data, and give the hacker full administrative access to the server.
Hackers have gotten more advanced over time, developing automation tools that scour the web in search of sites vulnerable to SQLi attacks, while organizations have put their focus – and resources – on defending against other types of attacks, leaving hackers free to concentrate on the more easily exploited vulnerabilities.
When it comes to SQLi attacks, history has done a great job of repeating itself. In 2009, the Heartland Payment Systems breach that leaked 130 million credit card numbers was accomplished through SQL injection. The group of hackers responsible for the Heartland breach, led by Albert Gonzalez, also masterminded attacks on Dave & Busters, OfficeMax, Boston Market, Barnes & Noble, and several other businesses – all hit by SQL injection attacks.


Checkmarx Selected As Finalist For Red Herring Top 100 Europe Awards

Apr 01, 2014 By Sarah Vonnegut | We’re excited to announce that Checkmarx has been chosen as a Finalist for Red Herring’s Top 100 Europe award, a distinctive list that honors the year’s most promising private tech companies in Europe.
The Red Herring 100 Awards, first started in 1996, are one of the most prestigious events for start-ups across the world. Red Herring’s editorial team analyzes hundreds of cutting-edge companies and technologies and selects those positioned to grow at an explosive rate. The Top 100 companies are assessed on 20 varying criteria, including disruptiveness of the solution in its respective markets, market maturity, quality of the management, financial performance, and technological advantage, among many others.


Top 5 in Security: Weekly Update

Mar 30, 2014 By Sarah Vonnegut | From snooping drones and leaky apps to more hijackable connected devices, these are your week’s top 5 security stories.
6 Months Later, Angry Birds Still Spilling Personal Info
Rovio, the gaming company behind the mobile hit Angry Birds, has apparently continued its relationship with the ad platform believed to have been hacked into repeatedly by the British intelligence agency. Worse still, the company continues to collect and share personal information with various third-party advertising services.
Security researchers at FireEye found that the Android app continues to collect a massive amount of personal data about players who sign up for the app, including birthday, email, gender, name and country, before pairing it with the customer ID and storing it on the user’s phone. The researchers also discovered that the app sends most of that data in plain text. Even if a player opts out of signing up, the game still collects and sends plenty of information about the device.


If You Thought The DMV Couldn’t Get Worse… & The Top 5 Security Stories of the Week

Mar 23, 2014 By Sarah Vonnegut | From the latest credit card breach to Microsoft’s privacy ‘faux pas’, here are the week’s top security stories – take a few minutes and catch up before the madness begins again!


BYOD 2.0: Securing the Internet of Things in Your Organization

Mar 20, 2014 By Sarah Vonnegut | In the latest Internet of Things news this week, researchers from Cal Poly successfully designed an app for Google Glass that could take a picture every ten seconds with the display off, “uploading the images to a remote server without giving the wearer any sign that his or her vision is being practically live-streamed to a stranger,” Andy Greenberg writes. It’s scary enough to imagine that someone could be walking around, living their day-to-day lives as someone records their every action at a distance.


3 Key Benefits of Automating Your Source Code Review

Mar 18, 2014 By Sarah Vonnegut | Automation has taken the business world by storm. We automate everything, from marketing to manufacturing and everything in between, and it often pays off: greater ROIs, higher productivity, less overworked employees. In application security, the same can be true. As web applications have become the essence of business in almost every industry, the risks have increased. While we will always need code reviewers, pen testers and security teams for areas requiring human intelligence, on the business side or otherwise, automating your source code analysis is a step towards higher security. Let’s look at the top 3 reasons why you should be automating your code review process.


The Week in Security: PWN2OWN, Double DDoSes, Malaysian Plane Crash Scams & Target’s Missed Alarms

Mar 16, 2014 By Sarah Vonnegut | This week in security was busy with a little bit of everything – breaches, hacking contests, cyber scams, hacktivism and more. Here’s the lowdown on all the biggest security stories of the week: 


Gaping Security Flaw in WhatsApp on Android Let Other Apps Steal Your Messages

Mar 13, 2014 By Sarah Vonnegut | If you’re using WhatsApp on Android – even after yesterday’s update – your chats are prone to being downloaded by others, a security consultant has discovered. Bas Bosschert, CTO and consultant at Double Think, along with his brother, discovered this exploit after wondering if it would be possible to upload and read someone’s WhatsApp chats from another app. With a proof of concept on his blog, he proved it was easily possible.


Keeping Up With The Hackers, Part 2: ‘It Takes a Hacker to Catch One’

Mar 11, 2014 By Sarah Vonnegut | In our original Keeping Up With The Hackers post, AppSec expert Dave Ferguson graced our blog with a fantastic post about the tools he uses to keep his hacking skills up to date. For this post, we spoke with Malik Mesellem, another security expert with over 15 years of experience and a love of securing web apps.

