Secure software development practices for developers, organizations and technology users

SAFECode announced today the publication of the Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program (Third Edition). The authoritative best practices guide was written by SAFECode members to help software developers, development organizations and technology users initiate or improve their software assurance programs and encourage the industry-wide adoption of fundamental secure development practices. The best practices in the guide apply to cloud-based and online services, shrink-wrapped software and … More

Mac crypto miner distributed via MacUpdate, other software download sites

Software download site/aggregator MacUpdate has been spotted delivering a new Mac crypto miner to users. A new Mac cryptominer was being distributed from hacked MacUpdate pages yesterday, disguised as Firefox, OnyX and Deeper.https://t.co/W8jcotFixl#macOS #Malware #CryptoMining — Thomas Reed (@thomasareed) February 2, 2018 A rare threat Stealthy cryptocurrency miners are most often aimed at Windows and browser users (e.g., the Coinhive script), but no one is safe: neither Linux users, nor Mac users, even though cryptocurrency-mining … More

Bomgar acquires Lieberman Software

Bomgar has acquired Lieberman Software, a provider of privileged identity and credential management software. Terms of the transaction were not disclosed. Remote access is the most common attack pathway for hackers, and the majority of today’s data breaches involve a stolen privileged credential. Bomgar gives organizations the ability to proactively address these threats by providing an approach to securing access to critical systems and ensuring that the credentials to those critical systems are actively managed … More

Is ethical hacking more lucrative than software engineering?

HackerOne published its 2018 Hacker Report, which examines the geography, demographics, experience, tools used and motivations of nearly 2,000 bug bounty hackers across 100 countries. HackerOne found that on average, top earning ethical hackers make up to 2.7 times the median salary of a software engineer in their respective home countries. Also, hackers in India are making as much as 16 times the median. And yet, the new data finds that overall hackers are less … More

Why cryptography is much harder than software engineers think

The recent ROCA vulnerability (CVE-2017-15361) raises some important issues about the design of secure cryptographic software. The vulnerability is not in this case an obvious coding error such as a buffer overflow, or the use of a poor quality random number generator. In this case, it arose from what probably seemed like a reasonable software engineering decision. To understand this in detail requires some pretty complex mathematics. For that, I refer you to the paper … More

PowerDNS patches five security holes in widely used nameserver software

PowerDNS, the company behing the popular open source DNS software of the same name, has pushed out security updates and patches for its Authoritative Server and Recursor offerings that, among other things, fix five security vulnerabilities of note. “PowerDNS users and customers include leading telecommunications service providers, large scale integrators, Wikipedia, content distribution networks, cable networks / multi service operators and Fortune 500 software companies,” the company proclaims on their site. “In various important markets, … More

ESET helps Google protect Chrome users from unwanted software

Google has redesigned Chrome Cleanup on Chrome for Windows, and has upgraded the technology it uses to detect and remove unwanted software. A basic antivirus for Chrome “We worked with IT security company ESET to combine their detection engine with Chrome’s sandbox technology. We can now detect and remove more unwanted software than ever before, meaning more people can benefit from Chrome Cleanup,” Product Manager Phillippe Rivard noted, but added that this feature is not … More

Is your Mac software secure but firmware vulnerable?

Mac users who have updated to the latest OS version or have downloaded and implemented the most recent security update may not be as secure as they originally thought, Duo Security researchers have found. That’s because many of them did not receive the newest firmware along with OS and software updates. Why is keeping your firmware up-to-date important? EFI firmware (Intel’s implementation of the Unified Extensible Firmware Interface – UEFI) is present on all Macs. … More

Lenovo settles FTC charges it harmed consumers with preinstalled software

Lenovo has agreed to settle charges by the Federal Trade Commission and 32 State Attorneys General that the company harmed consumers by pre-loading software on some laptops that compromised security protections in order to deliver ads to consumers. In its complaint, the FTC charged that beginning in August 2014 Lenovo began selling consumer laptops in the United States that came with a preinstalled “man-in-the-middle” software program called VisualDiscovery that interfered with how a user’s browser … More

The security status quo falls short with born-in-the-cloud software

Born-in-the-cloud software, pioneered by companies like Salesforce, are beginning to dominate the computing landscape. According to Gartner, by 2020, the cloud shift will affect more than $1 trillion in IT spending, and cloud computing will be one of the most disruptive forces since the early days of the digital age. We all realize the opportunities abound. Gartner’s Ed Anderson says, “the cloud shift is not just about cloud. As organizations pursue a new IT architecture … More