Deeper BPM Solutions
Blog Archive
All Tags
algorithms
android
android_os
application_security
architecture
bpm
business
business_rules
coding
cognitive_corporation
confidentiality
data
data_masking
data_security
ea
education
efficient
efficient_coding
encryption
enterprise_applications
enterprise_architecture
enterprise_architecture_framework
enterprise_systems
full_disk_encryption
information
information_systems
integrity
internet
is_management
it_leadership
java
javaone
linkedin
managing_is_projects
marketing
media
microsoft_tags
neutrality
ontology
open
open_source
optimization
oracle
personally_identifiable_information
pii
privacy
process_automation
programming
qr_codes
quality
rules
security
security_in_depth
semantic_technology
semantic_web
semantics
services
soa
software
source
sql_injection
success
system_integration
systems
testing
truecrypt
tuning
upgrade
vulnerability
web
web_services
windows_7
workflow
Our people weigh in on the issues of the day.
Blue Slate's people think a lot about the challenges facing their industries today. In the process, they often come up with completely unexpected slants on current issues, or new ways of thinking about business problems. Bluespeak is where they share those thoughts. Feel free to read and reflect.
[Any views or opinion represented in this blog are personal and belong solely to the blogger and do not represent those of Blue Slate Solutions.]
Fuzzing – A Powerful Technique for Software Security Testing
It is unexpected input that is useful when looking to find untested paths through the code. If someone shows me an application for evaluation the last thing I need to worry about is using it in an expected fashion, everyone else will do that. In fact, I default to entering data outside the specification when looking at a new application. I don’t know that my team always appreciates the approach. They’d probably like to see the application work at least once while I’m in the room.
These days there is a formal name for testing of this type, fuzzing. A few years ago I preferred calling it “gorilla testing” since I liked the mental picture of beating on the application. (Remember the American Tourister luggage ad in the 1970s?) But alas, it appears that fuzzing has become the accepted term.
Fuzzing involves passing input that breaks the expected input “rules”. Those rules could come from some formal requirements, such as a RFC, or informal requirements, such as the set of parameters accepted by an application. Fuzzing tools can use formal standards, extracted patterns and even randomly generated inputs to test an applications resilience against unexpected or illegal input.
[Read More]Friday January 21, 2011 | By David Read
SQL Injection – Why Does Our Profession Continue to Build Applications that Support It?
SQL Injection is commonly given as a root cause when news sites report about stolen data. Here are a few recent headlines for articles describing data loss related to SQL injection: Hackers steal customer data by accessing supermarket database1, Hacker swipes details of 4m Pirate Bay users2, and Mass Web Attack Hits Wall Street Journal, Jerusalem Post3. I understand that SQL injection is prevalent; I just don’t understand why developers continue to write code that offers this avenue to attackers.
From my point of view SQL injection is very well understood and has been for many years. There is no excuse for a programmer to create code that allows for such an attack to succeed. For me this issue falls squarely on the shoulders of people writing applications. If you do not understand the mechanics of SQL injection and don’t know how to effectively prevent it then you shouldn’t be writing software.