My experience on my daily works... helping others ease each other

Tuesday, September 27, 2011

CWE: what developers of connected embedded systems need to know

Tapp and Chandran (LRDA) wrote an article published in EETimes (online). The article starts by sharing information on vulnerabilities and cases related to exploitation. It then goes into CWE (Common Weakness Enumeration): its purpose, the people behind it, and so on. They go on to explain the tooling they propose in connection with CWE and end with why LRDA should be incorporated into the SDLC.

First, the title itself conflicts with the contents of the article, which does not touch anything developer-related, especially how developers could gain knowledge of using CWE as part of their skills in securing their code. However, I tend to agree with them that multiple tools are indeed required for security checks.

Their conclusion reads more as promoting the use of tools as part of the SDLC to improve security testing, which I believe is more marketing than technical.

For a developer to be able to use CWE, the developer must be well equipped with knowledge about vulnerabilities and how they appear in code. They can then avoid them while writing the code without waiting for tools, which become quite messy when dealing with millions of LOC (lines of code). Some of the tools even throw false alarms or too many warnings, depending on the techniques implemented (PPT).

On understanding vulnerabilities, there are a few ways, and one of them is understanding the behavior and code structures from a coding perspective. A paper published in Springer shares how a taxonomy can be used by developers to deepen their understanding and thus improve their security skills and their use of tools. The paper can be read here.

List of Conferences as of Sep 25, 2011


Quantum Lecture Series 5

Laboratory of Computational Sciences and Mathematical Physics, Institute for Mathematical Research, Universiti Putra Malaysia will be organizing the Expository Quantum Lecture Series 5 on January 9-13, 2012. The theme for EQuaLS5 is "Geometry, Topology and Physics 2012" and the speakers are
  1. John Baez (NUS, Univ of California, Riverside)
    "Network Theory"
  2. Do Ngoc Diep (Inst of Math, Hanoi)
    "A Procedure for Quantization of Fields"
  3. Maurice de Gosson (Univ. of Vienna)
    "The Symplectic Camel and Quantum Mechanics"
  4. Fredrik Stroemberg (Technical Univ. of Darmstadt)
    "Arithmetic Quantum Chaos"
  5. S. Twareque Ali (Concordia University, Montreal)
    "Coherent States: Theory and Applications"
On-line registration is now open at http://einspem.upm.edu.my/equals5/

Facebook Updates Could Give Nonprofits Better Visibility

An interesting article written by Derek Lieu and posted at Social Philanthropy.

My thoughts:
1. Lots of algorithms run behind Facebook, where one small mistake might affect lots of people
2. Opportunity for researchers, as there is lots of research that can be done, especially on algorithms, security, social aspects, etc.
3. Facebook will be here for another decade or more

Friday, September 23, 2011

User privacy concerns emerge over supercookies
A new type of cookie that is difficult to remove can track user history and preferences, giving rise to privacy concerns, note experts, who add that supercookies aren't a legal issue for now. [read more]

Tuesday, September 20, 2011

Applying Static Analysis To Medical Device Software

An interesting article written back in 2008 by David N. Kleidermacher indicates the importance of having static analysis tools to improve the reliability and sustainability of medical devices [read here].

However, as complexity increases, especially on mobile devices and mission-critical devices such as medical and military systems, static analysis tools are still far away from achieving zero tolerance or 99.99% security. It depends on the techniques used by the tool to statically analyze the applications stored in those devices, and at the moment, as written in my paper titled "Preventing Exploitation on Software Vulnerabilities: Why Static Analysis Failed?" in WEC 2010, more work needs to be done to improve static analysis tool capability, especially as complexity and LOC increase.

International Conference on Distributed Computing Engineering (ICDCE 2011)

2011 International Conference on Distributed Computing Engineering (ICDCE 2011)
28 to 30 December 2011
Dubai, United Arab Emirates

2011 International Conference on Distributed Computing Engineering (ICDCE 2011) will be held in Dubai, Chengdu, China during December 28-30, 2011. The upcoming ICDCE 2011 will inherit the advantages of the previous conferences and develop the conference to a higher level. The theme of the ICDCE is to discuss the new development of computer theory and engineering, and to promote its new application. ICDCE 2011 will bring together leading engineers and scientists around the world, so as to present their research results and development activities in Distributed Computing Engineering. This conference provides opportunities for the delegates to exchange new ideas and application experiences face to face, to establish business or research relations and to find global partners for future collaboration.

ICDCE is sponsored by Singapore International Association of Computer Science and Information Technology (IACSIT), and technically co-sponsored by many universities and institutes.

This year, all ICDCE 2011 conference papers will be included in the ICACTE 2011 proceedings, which is published by ASME Press, and will be included in the ASME Digital Library, and indexed by the Ei Compendex, ISI Proceeding and other major indexing services.

The deadline for abstracts/proposals is 30 October 2011

Enquiries: icdce@iacsit.org
Web address: http://www.icdce.org/
Sponsored by: IACSIT

Implement CRUD operations using RESTful WCF Service and javascript

Found a good article to start playing with WCF and JavaScript (for Java developers), written by Shahriar Iqbal Chowdhury. Check it out at Code Project.

Friday, September 16, 2011

Using static code analysis to support DO-178b certification

Paul Anderson, GrammaTech   
9/6/2011 6:29 PM EDT

In this Product How-To, Paul Anderson of GrammaTech takes you step by step through DO-178B and how to use his company's static analysis tools to support the safety-critical software requirements of the specification [read more].

As software security is one of my interests, I am keen to evaluate the effectiveness and efficiency of GrammaTech CodeSonar's static analysis capability using the taxonomy of C overflow vulnerability attacks which I constructed for the purpose of identifying overflow vulnerabilities in C. However, due to the fact (based on my email conversation with one of the company's employees) that I can't evaluate their tool, I'm not sure how it could help support the safety-critical software requirements.

And I can say one thing for sure here: all tools, including CodeSonar, have yet to successfully help in reducing vulnerabilities in software. This can be seen by looking at the various vulnerability databases and advisories released by Symantec, Kaspersky, Microsoft, NIST, etc. The numbers are still large and have yet to be seen to reduce tremendously.

Thursday, September 15, 2011

Google adds new artillery in the fight with the other giants (Facebook, Yahoo, Microsoft, Apple, etc.)

Recently, I have heard of many IT giants acquiring patents from various companies such as Nortel, HTC, IBM, etc., and we will definitely keep on reading news of patent infringement cases as the fight continues. The latest news was the acquisition of some IBM patents related to the Java language (JDJ: Google Buys Some Java Patents). This was a continuation of the last battle between Google and the other IT giants (list of Java related patents).

This fight is hoped to bring a better future for consumers and should not affect or increase the cost of having better technology.

Vulnerabilities are known and yet they are still there

As reported by Symantec, vulnerabilities are still there and will always be there unless we do something to eliminate them or reduce them to a lower level. These are the numbers of vulnerabilities captured/monitored by Symantec. They do not include or cross-check against other vulnerability databases such as NIST, CVE, Kaspersky, Microsoft, etc.

Check out the reports at the Symantec Vulnerabilities Trend Report.

Oracle Critical Patch Update - September 2011

Critical Patch Update - September 2011
Dear Oracle Security Alert Customer,

Oracle Security Alert for CVE-2011-3192 was released on September 15th, 2011.

Oracle strongly recommends applying Security Alert fixes as soon as possible.

The Security Alert Advisory is the starting point for relevant information. It includes the list of products affected, a summary of the security vulnerability, and a pointer to obtain the latest patches. Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied.

Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Advisory is available at the following location:

Oracle Critical Patch Updates and Security Alerts
http://www.oracle.com/technology/deploy/security/alerts.html

Oracle Security Alert CVE-2011-3192
http://www.oracle.com/technetwork/topics/security/alert-cve-2011-3192-485304.html

From Oracle Security Alerts team

Auto-format for references/bibliography using plugin

Some of us may have found the solution, but most of us are still using the old-fashioned way of doing the references or bibliography section when writing technical papers, journal articles, etc.

I too faced the same problems when trying to add, edit, or format references according to the standards or rules required by the journal or conference to which I'm submitting my writing (paper for publication). However, that is no longer a burden to me.

So guys, take a look here or at Microsoft BibWord. You will definitely love it :) ... Enjoy the work of others who are willing to help you, and by the way, don't forget to give credit to them too :)

About Me

Somewhere, Selangor, Malaysia
An IT by profession, a beginner in photography
