Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
The Staggering Complexity of Application Security
Newest First  |  Oldest First  |  Threaded View
af_bugcrowd
50%
50%
af_bugcrowd,
User Rank: Author
11/12/2014 | 6:31:52 PM
Re: Devils you know
It's only going to be worse in mobile vulnerabilities once the eyeballs and money on them catches up to usage. There are so many different devices that are going to be unique creases in many of them.  
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/11/2014 | 9:39:44 AM
Re: Devils you know
@Stratustician It's hard for me to imagine that DevOps can still be so tone deaf when it comes to appsec when vulnerabilities like Heartbleed and POODLE have become so commonplace in security news reports. 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
11/10/2014 | 3:43:24 PM
Re: What can you control?
It's  hard for me to imagine getting 100 percent compliance with anything. So anything that moves the needle in the right direction would seem to make sense to me..
TerryB
100%
0%
TerryB,
User Rank: Ninja
11/10/2014 | 1:27:34 PM
What can you control?
Great article and insight. But doesn't this only work if EVERYONE in the stack does it? Your testing may show that your product is fine but holes in o/s or browser still expose you. Maybe I'm just naive but were the old mainframes running MVS-370 as vulnerable as Windows/browser you run apps on today?
Stratustician
100%
0%
Stratustician,
User Rank: Moderator
11/10/2014 | 1:27:02 PM
Re: Devils you know
So true.  For me I find it's usually one of 2 issues that cause these security issues. Often DevOps teams don't have good security input early enough in the design stage, or don't keep up with testing prior to release. The other option is they bring security in way too late and then plug their ears when vulnerabilities in the code are detected by the security team after release, and then it's much harder to pull the app or change it without causing downtime. 

That or overall folks just don't feel that app security is that important to the overall security posture of an organization, which sadly is why we might be in this position in the first place.
Whoopty
100%
0%
Whoopty,
User Rank: Ninja
11/10/2014 | 12:19:33 PM
Devils you know
I know a few people who do a little freelance tech security work and several of them have pointed out major bugs to corporations about their sites or apps and often times, the flaw isn't fixed because it would require such an upheavel. It's worrying and makes you wonder when a big breach occurs, whether the company knew about it and chose to do nothing.

The delemna of course is that those firms will be damned if they interrupt service for a fix, and damned if they get caught out later. It's a difficult situation to be in. 


Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7914
PUBLISHED: 2020-02-21
btif/src/btif_dm.c in Android before 5.1 does not properly enforce the temporary nature of a Bluetooth pairing, which allows user-assisted remote attackers to bypass intended access restrictions via crafted Bluetooth packets after the tapping of a crafted NFC tag.
CVE-2016-4606
PUBLISHED: 2020-02-21
Curl before 7.49.1 in Apple OS X before macOS Sierra prior to 10.12 allows remote or local attackers to execute arbitrary code, gain sensitive information, cause denial-of-service conditions, bypass security restrictions, and perform unauthorized actions. This may aid in other attacks.
CVE-2020-5243
PUBLISHED: 2020-02-21
uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent hea...
CVE-2019-14688
PUBLISHED: 2020-02-20
Trend Micro has repackaged installers for several Trend Micro products that were found to utilize a version of an install package that had a DLL hijack vulnerability that could be exploited during a new product installation. The vulnerability was found to ONLY be exploitable during an initial produc...
CVE-2019-19694
PUBLISHED: 2020-02-20
The Trend Micro Security 2019 (15.0.0.1163 and below) consumer family of products is vulnerable to a denial of service (DoS) attack in which a malicious actor could manipulate a key file at a certain time during the system startup process to disable the product's malware protection functions or the ...