Common Vulnerabilities
Experts say the following common problems in software code, which programmers haven't bothered to mitigate, account for the vast majority of vulnerabilities. The good news: most of these are easily fixed if they're found.
Buffer overflows. If a programmer doesn't tell a program to limit the amount of data that can go into an input field, a malfeasant can stuff that field with tons of data, flooding other parts of memory and letting the bad guy take control of the system.
Format string vulnerabilities. Format strings are what tell, say, a printer how to present letters and numbers on a page. If a user inputs rogue code into the format string, they can take control of the computer, in a similar way to buffer overflows.
Canonicalisation issues. An attacker can bypass security checks simply by knowing that when Y program handles X program's data, it doesn't do the same security check.
Inadequate privilege checking. Someone can slip in unchecked if a program doesn't ask for authentication at every doorway to features.
Script injection. If a programmer fails to strip out the capability to run script, attackers can enter and run it. For example, attackers could enter commands into a SQL database query that allows them to execute commands on the system.
Information leakage. Because of poor design, some programs expose their own playbooks - directory structures, configuration information, IP addresses, passwords - to attackers who know where to look for such information.
Error handling. A subset of information leakage, sometimes the way a program handles an error exposes information an attacker can use. For example, an e-mail bounces back and the error message might contain IP addresses, server names, or even type of server that let the attacker know how and where to hack.
Source:@STAKE.CSO
Put It in Writing
This is from a contract between GE and software vendor General Magic Incorporated (GMI), from earlier this year, which, experts say, represents some of the strongest language to date that software users have crafted to hold software vendors accountable for the quality of their code. It also creates clout-by-proxy: if General Magic has to make sure the code conforms for GE, it will conform for all users of the product.
7.3 Code Integrity Warranty. GMI warrants and represents that the GMI software, other than the key software, does not and will not contain any program routine, device, code or instructions (including any code or instructions provided by third parties) or other undisclosed feature, including, without limitation, a time bomb, virus, software lock, drop-dead device, malicious logic, worm, Trojan horse, bug, error, defect or trap door (including year 2000), that is capable of accessing, modifying, deleting, damaging, disabling, deactivating, interfering with or otherwise harming the GMI software, any computers, networks, data or other electronically stored information, or computer programs or systems (collectively, "disabling procedures"). Such representation and warranty applies regardless of whether such disabling procedures are authorised by GMI to be included in the GMI software. If GMI incorporates into the GMI software programs or routines supplied by other vendors, licensors or contractors (other than the key software), GMI shall obtain comparable warranties from such providers or GMI shall take appropriate action to ensure that such programs or routines are free of disabling procedures. Notwithstanding any other limitations in this agreement, GMI agrees to notify GE immediately upon discovery of any disabling procedures that are or may be included in the GMI software, and, if disabling procedures are discovered or reasonably suspected to be present in the GMI software, GMI, as its entire liability and GE's sole and exclusive remedy for the breach of the warranty in this section 7.3, agrees to take action immediately, at its own expense, to identify and eradicate (or to equip GE to identify and eradicate) such disabling procedures and carry out any recovery necessary to remedy any impact of such disabling procedures.
Source: FreeEdgar.com/SEC
Read up on the latest ideas and technologies from companies that sell hardware, software and services. Wireless LANs: Is my enterprise at risk?
Business Intelligence and Enterprise Performance Management: Trends for Emerging Businesses
CRM your salespeople will love
Security Inside Out
Achieving the impossible: Unlimited application scalability
Still Sneaking In: The Threats Your Security Tools Aren't Telling You About
Radicati Market Quadrant 2008 on Corporate Web Security
Refresh your AUP: Top tips to ensure your acceptable use policy is fit for purpose
- White PaperWhat you don’t know can destroy your business. It’s hard to imagine modern business without the internet but in the last few years it has become fraught with danger. Read on to discover how internet security can give your business a competitive advantage.
- White PaperView this webcast and discover the drivers for changing network design practices, why many organisations are changing their approach to network architecture and how enterprises should be moving forward with open architecture multi-vendor network solutions. Register now and learn how your business can maximize the business value of the enterprise network.
- White PaperJoin industry expert Bob Spurzem and Chuck Arconi of Fox Hollow to discover how to reduce Exchange total storage and keep it at a manageable level. Learn how Exchange storage growth can be contained without sacrificing security and accessibility.
Discover how SOA can create smarter outcomes for your business.
Attend and learn:
- How SOA is helping leading companies to become more agile
- Where you should be applying SOA processes in your company
- The top SOA implementation mistakes to avoid
Click here for more information.
- +
CIO Live Podcast #79: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires Part II 05 October, 2007 06:00:00
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #78: Brent D Taylor, author of The Outsider's Edge: The Making of Self-Made Billionaires 28 September, 2007 17:34:25
For his new book, The Outsider's Edge: The Making of Self-Made Billionaires, social researcher Brent D Taylor spent four years of intensive research investigating the psychological make-up and backgrounds of some of the world's richest men and women, including IT luminaries Bill Gates, Larry Ellison and Steve Jobs. Taylor discovered that, despite working in different industries and coming from different upbringings, they all have one thing in common -- they are all outsiders. - +
CIO Live Podcast #77: Panasonic Speeds Up Trans-Pacific File Transfers, Part III 21 September, 2007 07:00:00
Part three in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #76: Panasonic Speeds Up Trans-Pacific File Transfers, Part II 14 September, 2007 07:00:00
Part two in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance. - +
CIO Live Podcast #75: Panasonic Speeds Up Trans-Pacific File Transfers, Part I 07 September, 2007 07:00:05
Part one in our three-part special report from CIO's sister publication Network World in the US, as Paul Desmond reports from the Network World IT Roadmap Conference in Santa Clara, California. With development teams in the US and Japan, Panasonic needed a more efficient way to move very large files between the two locations. Iben Rodriguez, IT consultant for Panasonic Research and Development, explains how a storage-area network and virtual server technology helped speed up WAN performance.
- +
Chris Hoff on Virtualization and Cloud Computing 20 November, 2008 10:55:00
Chris Hoff, chief security architect for the systems and technology division at Unisys and an advisor on the Skybox Security customer advisory board, is one of the biggest critics of virtualization security out there. Not because it isn't important - but rather because it is vital and needs to mature rapidly. - +
Cybersecurity is focus of new start-up incubator 20 November, 2008 07:19:00
Texas uni announces the Institute for Cyber Security.The University of Texas at San Antonio Tuesday announced a technology incubator aimed at fostering IT security-based start-ups within the state. - +
Dilip Sarangan on Physical Security M&A 20 November, 2008 11:18:00
Dilip Sarangan tracks physical security companies for Frost & Sullivan. He expects the industry's "need to have" products to weather the economic storm well, with the big players (now including IBM and Cisco) looking for value-priced acquisitions. - +
International Challenges in PCI Security 20 November, 2008 09:15:00
In a country that's seen many regulatory compliance challenges this decade, the headaches of PCI security tend to be analyzed from a largely American perspective. - +
PCI council sharpens oversight of security auditors 19 November, 2008 10:53:00
Quality assurance plan targets security assessors and scanning vendorsThe PCI Security Standards Council Monday unveiled a plan to sharpen oversight of the hundreds of security-service providers now authorized to evaluate merchant networks under the organization's Payment Card Industry data standards.
Vignette Announces 2008 Excellence Awards 21 November, 2008 10:50:00
PGP and Ponemon Institute Unveil Inaugural Australian Data Breach Study 2008 20 November, 2008 17:34:00
Symantec Cloud Services Transform Data Centre Operations Through Proactive Management 20 November, 2008 12:06:00
Verizon Business Offers Tips to Building a Successful Unified Communications and Collaboration Plan 20 November, 2008 12:04:00
AARNet Brings 4K Digital Cinema to Australia: First 4K HD Video Signal delivered into Australia by AARNet 20 November, 2008 12:02:00
|
||
|
||
|
|
||
|
Everything you need to know about email and web security (but were afraid to ask)
What you don’t know can destroy your business. It’s hard to imagine modern business without the internet but in the last few years it has become fraught with danger. Read on to discover how internet security can give your business a competitive advantage.
Buying Guides
Latest Products
Buying Guides
