Posts by Sharon Solomon:

iStock_000031271006XSmall

Recent PayPal Bug Highlights CSRF Vulnerability Risks

Dec 15, 2014 By Sharon Solomon | PayPal has revolutionized the e-commerce market in recent years with its convenient characteristics that bolster user privacy. Gone are the days when online shopping required cumbersome bank transfers or complex credit card verifications. Unfortunately there is still work to be done on the security front after Egyptian researcher Yasser Ali shocked the world with his PayPal bug finding.

</Read More>
iStock_000024004901Small-300x300

7 Essential Resource Centers to Boost Your InfoSec IQ

Dec 04, 2014 By Sharon Solomon | Many applications today possess critical vulnerabilities – SQL injections (SQLi), Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) being just a few of them. The first step in combating these security issues is getting to know how they work and learning about them from real life scenarios. Unfortunately, not all developers today are familiar with the security aspects of software development.

</Read More>
iStock_000017130427Small

SQL Injection Tutorial: Tackling SQLi with Source Code Analysis

Nov 20, 2014 By Sharon Solomon | The impact of the Drupal fiasco is still being felt across all industry sectors. The world’s third biggest CMS platform was compromised with arguably the oldest hacking technique in existence – the SQL injection (SQLi). While the Drupal 7.32 update has resolved this specific problem, SQL injections won’t really go away until they are treated from the root – the application code.    

</Read More>
iStock_000018742597Small

Samsung’s ‘Find My Mobile’ CSRF Flaw: A Wake Up Call for Mobile Developers

Nov 06, 2014 By Sharon Solomon | Samsung is currently topping sales charts worldwide with a wide range of Android powered phones catering to virtually all market segments. This mass distribution of mobile devices has magnified the importance of creating secure mobile applications. Unfortunately, a CSRF loophole has been found in one of the the South Korean phone manufacturer’s proprietary applications.

</Read More>
Image

Pakistani Ethical Hacker Reveals How He Exposed Android Vulnerabilities

Oct 21, 2014 By Sharon Solomon | Hackers are often viewed as modern-day pirates. While mostly true due to the security hazards they create, ethical hackers actually are very helpful in actually improving security standards. Most of these security experts perform these actions simply for the benefit of the community. Rafay Baloch is one such ethical hacker.   Baloch, also known as Pakistan’s “Top Ethical Hacking Prodigy”, has been in the headlines recently for exposing two vulnerabilities in Android’s stock (AOSP) browser. These security loopholes allow hackers to steal the mobile user’s session cookie, enabling them to perform a wide variety of malicious actions including identity theft.   The Pakistani AppSec expert, currently an undergraduate student who spends his free time honing his research skills, was also kind enough to take Checkmarx’s questions and provide an in-depth view into how he revealed the aforementioned vulnerabilities in the world’s most popular mobile OS.  

</Read More>
Android

Major Android Browser Flaw Allowing Hackers to Bypass SOP Mechanism

Sep 30, 2014 By Sharon Solomon | The Android platform has taken the world by storm in recent years. It was announced at Google’s recent 2014 I/O developer conference that over 538 million Android devices are currently in use worldwide. Android has now leapfrogged Apple’s iOS in the US, where it currently has almost 52% of the smartphone market share.

</Read More>
Photo

Swift Vulnerabilities: What the New Language Did Not Fix

Aug 20, 2014 By Sharon Solomon | Swift is a new language developed by Apple for iOS and OS X development. Introduced at Apple’s developer conference WWDC 2014, the language is designed to eventually replace Objective-C and provide several important benefits, one of which is greater resilience against erroneous code. This research, published originally on Dr.Dobb’s, covers how Swift compares with Objective-C from the security perspective.   The Checkmarx researchers based the comparison on Apple’s Secure Coding Guide, examining the various vulnerabilities stated in the document and checking if they can be exploited in Swift. It’s important to mention that only loopholes that exist in Objective-C were explored and not new ones that may exist in Swift. In each case, typical classifications  including the category, the severity and also the likelihood of exploitation were used.  

</Read More>
eBay-Small

eBay Data Breach: A Big Wake-Up Call for e-Commerce Giants

May 27, 2014 By Sharon Solomon | eBay, the world’s largest and most used eCommerce platform, has suffered a major security breach. More than 100 million users have been affected in what has become this year’s biggest cybercrime so far. It’s still not clear how the intruders gained access to the eBay databases, but this is definitely the right time to bolster application security.
Identity/data theft has become serious problem in recent years. The aforementioned eBay breach is still creating waves as millions of usernames, passwords, phone numbers and physical addresses have been stolen.
“Cyber-attackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” eBay recently commented. “The company is aggressively investigating the matter.”

</Read More>
HTML5

Learning from the Experts – How JavaScript and HTML5 Vulnerabilities Affect Application Security

May 20, 2014 By Sharon Solomon | Checkmarx recently sponsored an educational webinar to raise Application Security awareness amongst developers and IT professionals. JavaScript and HTML5 were given special attention in the online event hosted by SecureWorld. The aim was to shed some light on the vulnerabilities created by the integration of new features and functionality into the programming languages. Maty Siman from Checkmarx and LivePerson’s Yair Rovek shared their InfoSec Industry experiences backed by real-time demonstrations. Sam Masiello, Head of Application Security at Groupon, was the moderator. “Insecure code is all around us,” Masiello explained at the beginning of the webinar. “It doesn’t matter if you are running Windows, iOS, Android or Java. These loopholes, if left unpatched, leave your company data vulnerable.”

</Read More>

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Follow us on Feedly

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.