Thursday, 29 September 2011

Application Security Highlights (Sep 2011)

“Nothing travels faster than the speed of light with the possible exception of bad news, which obeys its own special laws.” (Douglas Adams, Mostly Harmless)

This is a list of articles, blog entries and studies related to application security that we found interesting and worthwhile reading this month at Astyran.

Active Defence

Client Security

  • Vetting Browser Extensions for Security Vulnerabilities with VEX (Sep 2011, by Sruthi Bandhakavi, Nandit Tiku, Wyatt Pittman, Samuel T. King, P. Madhusudan, and Marianne Winslett), also published in Communications of the ACM, 09/2011, Vol. 54 No. 9. This study describes VEX, a tool that performs static information flow analysis of browser extensions: it parses the extension's JavaScript with an ANTLR-built parser and examines the flows between untrusted sources and sensitive sinks. Given that the web is moving towards ever more complex HTML5- and JavaScript-driven applications, with much of the functionality implemented client-side, this is an important study. No doubt attackers will abuse popular browser extensions to attack sites.

  • DRAFT Recommendation for Applications Using Approved Hash Algorithms (September 14th, 2011). This is a revision of the earlier SP 800-107. The revision adds the security properties of SHA-512/224 and SHA-512/256, provides additional security information about HMAC, and revises the discussion of hash-based Key Derivation Functions.

Framework Security

Post Mortem

Secure SDLC

  • Building Security In Maturity Model (BSIMM, 3rd release, September 2011). The BSIMM describes 109 activities (with examples) grouped into 12 SDLC-related practices. Use it to compare your secure SDLC initiative with those of a group of similar firms.

The Human Factor

Web 2.0 and Beyond

Well, that’s it for this month!

This post is not meant to be a full list of all publications on application security this month, but only a selection, based on how much free time we had to read them and on the relevance of the topics to our work. Anything I missed, or that you think should be added to this list? Let me know!
