Fortify Software

Vulnerability Research

White Papers

Attacking the Build through Cross-Build Injection
A poorly designed software build process can allow an attacker to insert malicious code into the final product or to take control of a build machine. This paper surveys previous attacks related to building open source software, including attacks against Sendmail, OpenSSH and IRSSI. It then shows how three popular build tools for Java (Apache Ant, Maven and Ivy) are commonly misused in ways that make them susceptible to cross-build injection (XBI) vulnerabilities, which can allow attackers to insert Trojans, back doors, or other malicious code. Download White Paper
JavaScript Hijacking
Fortify Software's Security Research Group has announced a new class of vulnerability: JavaScript Hijacking. This is the first class of vulnerability that specifically affects Web 2.0 AJAX-style web applications. Download Fortify’s advisory detailing the risk and how developers can make their code secure. Download White Paper (Registration required)

Webcasts & Videos

The Dark Side of AJAX
This talk considers the security implications of Ajax and the pitfalls and alternatives involved in creating rich Web applications. We will look at Ajax security concerns and discuss the first vulnerability specific to Ajax: JavaScript Hijacking. We will also look at popular Ajax programming frameworks and how they can make or break the security of an application. What happens when you point out the same vulnerability in twelve frameworks on the same day? Watch Webcast (Registration Required)
The Top 10 Software Security Vulnerabilities
Matt Rose, Senior Software Security Consultant at Fortify Software, shares his findings from a year analyzing millions of lines of code. He unveils his top ten most common vulnerabilities and provides detailed examples of each. These technical examples come from his experience working with Fortune 500 companies, government agencies, and major ISVs. Watch Webcast (Registration Required)
AJAX & Security
AJAX is used to build much richer user interfaces, on sites like Google Maps and MySpace, but it carries severe security implications. Brian Chess, Chief Scientist of Fortify Software, urges developers to be mindful of these threats. Watch Video (ZDNet Video: 2:24 mins)
SOA Security
Find out why Roger Thornton, CTO of Fortify Software, says SOA should stand for “Secure Old Applications.” Service oriented architecture, though an important enabler, opens applications previously secure deep inside the computing infrastructure of a company to serious risk from hackers, malicious insiders, worms and viruses. Watch Video (ZDNet Video: 2:32 mins)