ForAllSecure

Uncovering OpenWRT remote code execution (CVE-2020-7982)

ForAllSecure

Introduction. For ForAllSecure, I’ve been focusing on finding bugs in OpenWRT using their Mayhem software. My research on OpenWRT has been a combination of writing custom harnesses, running binaries from the box without recompilation, and manual inspection of code.

FuzzCon TV Launches With An Introduction to Fuzzing Panel

ForAllSecure

Following a successful FuzzCon event held in person at RSAC in San Francisco earlier this year, ForAllSecure is continuing the discussion with a series of follow-up sessions online called FuzzCon TV (formerly A Fuzzing Affair). The first episode is designed to be an introduction to fuzzing.

Life As A Professional Hacker

ForAllSecure

Last month Guido Vranken hosted a successful Reddit AMA, sharing insight on his experience as a professional vulnerability researcher.

Game Theory: Why System Security Is Like Poker, Not Chess

ForAllSecure

The 1980s film “Wargames” asked a computer to learn whether global thermonuclear war made sense. In the film, thermonuclear war didn’t make sense, but what if, in real life, preemptive cyberattacks were our best hope for winning?

Challenging ROI Myths Of Static Application Security Testing (SAST)

ForAllSecure

There are several benefits to using Static Application Security Testing (SAST) for your software security. Having previously worked at Coverity (now Synopsys), I’m intimately familiar with the arguments in favor of using SAST.

ForAllSecure Uncovers Critical Vulnerabilities in Das U-Boot

ForAllSecure

Introduction. This summer, I utilized ForAllSecure Mayhem, a next-generation fuzz testing solution, to analyze software that is heavily used. I felt these types of components in particular deserve more scrutiny from a security perspective.

Demystifying a Docker Image

ForAllSecure

Six months ago ForAllSecure started analyzing Docker images. What does this mean? Imagine we have a user who wants us to fuzz their application. How do they give it to us? Do they tar it up? Do they give us access to an environment where it’s running? Do we integrate into their build pipeline?

Beginning Fuzz Cycle Automation: Improving Testing and Fuzz Development with Coverage Analysis

ForAllSecure

In my previous post, we covered using bncov to do open-ended coverage analysis tasks to inform our testing.

Uncovering Memory Defects in cereal (CVE-2020-11104 & CVE-2020-11105)

ForAllSecure

Introduction. Deserialization of untrusted input is a common attack vector, and it appears on the MITRE top-25 list of most dangerous software errors. Even without an attacker, mistakes in serialization or deserialization decrease the reliability of your code.
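The attack vector named above is easiest to see on a concrete wire format. The following is an added example, not cereal’s code and not from the ForAllSecure write-up: a small length-prefixed record format (id, name, tag list) is parsed once by a deserializer that trusts the length fields it reads and once by a bounds-checked reader that validates every length against the bytes actually present and caps counts before allocating. The record layout, the `Record` type, the size limits and the sample inputs are all assumptions made for this illustration; the code assumes a little-endian host.

```cpp
// Added example (not cereal's code, not from the ForAllSecure post).
// Wire format assumed for illustration, little-endian:
//   u32 id | u32 name_len | name bytes | u32 tag_count | tag_count * u32
#include <cstdint>
#include <cstring>
#include <optional>
#include <string>
#include <vector>

struct Record {
    uint32_t id = 0;
    std::string name;
    std::vector<uint32_t> tags;
};

// Trusting version: the length fields in the message drive the copy sizes.
// A name_len larger than sizeof(buf) overruns the stack buffer; a tag_count
// larger than what is left reads past the end of `data`. Kept only for
// contrast; never call it on attacker-controlled bytes.
static Record deserialize_trusting(const uint8_t* data) {
    Record r;
    char buf[32];
    size_t off = 0;
    std::memcpy(&r.id, data + off, 4); off += 4;
    uint32_t name_len; std::memcpy(&name_len, data + off, 4); off += 4;
    std::memcpy(buf, data + off, name_len);              // overflow if name_len > 32
    r.name.assign(buf, name_len); off += name_len;
    uint32_t n; std::memcpy(&n, data + off, 4); off += 4;
    for (uint32_t i = 0; i < n; ++i) {                    // OOB read if n lies
        uint32_t t; std::memcpy(&t, data + off, 4); off += 4;
        r.tags.push_back(t);
    }
    return r;
}

// Checked version: a cursor that refuses to read past the end of the input.
class Reader {
public:
    Reader(const uint8_t* d, size_t n) : p_(d), end_(d + n) {}
    size_t remaining() const { return static_cast<size_t>(end_ - p_); }
    bool u32(uint32_t& out) {
        if (remaining() < 4) return false;
        std::memcpy(&out, p_, 4); p_ += 4; return true;
    }
    bool bytes(size_t n, std::string& out) {
        if (remaining() < n) return false;
        out.assign(reinterpret_cast<const char*>(p_), n); p_ += n; return true;
    }
private:
    const uint8_t* p_; const uint8_t* end_;
};

static constexpr uint32_t kMaxName = 256;   // assumed application limits
static constexpr uint32_t kMaxTags = 1024;

static std::optional<Record> deserialize_checked(const std::vector<uint8_t>& data) {
    Reader rd(data.data(), data.size());
    Record r;
    uint32_t name_len = 0, n_tags = 0;
    if (!rd.u32(r.id)) return std::nullopt;
    if (!rd.u32(name_len) || name_len > kMaxName) return std::nullopt;
    if (!rd.bytes(name_len, r.name)) return std::nullopt;
    if (!rd.u32(n_tags) || n_tags > kMaxTags) return std::nullopt;
    // Structural check before any allocation: the claimed count must fit.
    if (rd.remaining() < static_cast<size_t>(n_tags) * 4) return std::nullopt;
    r.tags.reserve(n_tags);
    for (uint32_t i = 0; i < n_tags; ++i) {
        uint32_t t; if (!rd.u32(t)) return std::nullopt;
        r.tags.push_back(t);
    }
    if (rd.remaining() != 0) return std::nullopt;   // trailing bytes: malformed
    return r;
}

// Constructed sample inputs (not captured from any real system).
static void put_u32(std::vector<uint8_t>& v, uint32_t x) {
    for (int i = 0; i < 4; ++i) v.push_back(static_cast<uint8_t>(x >> (8 * i)));
}
static std::vector<uint8_t> sample_valid() {          // id=7, "alice", tags {10,20}
    std::vector<uint8_t> v; put_u32(v, 7); put_u32(v, 5);
    for (char c : std::string("alice")) v.push_back(static_cast<uint8_t>(c));
    put_u32(v, 2); put_u32(v, 10); put_u32(v, 20);
    return v;
}
static std::vector<uint8_t> sample_bad_length() {     // name_len claims 0x40000000 bytes
    std::vector<uint8_t> v = sample_valid();
    v[4] = 0; v[5] = 0; v[6] = 0; v[7] = 0x40;
    return v;
}
static std::vector<uint8_t> sample_truncated() {      // last tag missing
    std::vector<uint8_t> v = sample_valid();
    v.resize(v.size() - 4);
    return v;
}
```

Both parsers agree on the well-formed sample; only the checked one survives the two malformed ones, returning `std::nullopt` instead of copying or reading beyond the buffer. Capping counts before `reserve` is the part most often forgotten: even with every read bounds-checked, an honest-looking count of a few billion elements is a memory-exhaustion bug on its own.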

Mayhem Moves to Production with the Department of Defense

ForAllSecure

In 2016, Mayhem -- then still a research prototype -- showed that fully autonomous cybersecurity was possible. This was just the first step.

Decipher Security Podcast with ForAllSecure CEO David Brumley

ForAllSecure

The Decipher Security podcast by Duo Security analyzes the news, explores the impact of the latest risks, and provides informative and educational material for readers intent on understanding how security affects our world.

Top 3 Trends at Shmoocon 2020

ForAllSecure

On January 31, 2020, Shmoocon held its annual conference in Washington D.C. Each year, the event offers a glimpse into the upcoming trends of the year, defined by the needs of the federal industry. Outlined below are the top three trends observed by our ForAllSecure engineers.

Top Takeaways from the “Knowing the Unfuzzed and Finding Bugs with Coverage Analysis” Webinar

ForAllSecure

The adoption of fuzzing has resulted in vulnerabilities being found and fixed at scale. Although it is known for benefits not seen in other application security testing techniques, advanced users eventually come across two key questions.

Uncovering Vulnerabilities in Open Source Libraries

ForAllSecure

Introduction. In recent articles, ForAllSecure has discussed how we were able to use our next-generation fuzzing solution, Mayhem, to discover previously unknown vulnerabilities in several open source projects, including Netflix DIAL reference, Das U-Boot, and more.

ForAllSecure's Response to COVID-19

ForAllSecure

COVID-19 is a global pandemic that affects everyone. We all need to work together, and I wanted to share with you some of the things ForAllSecure is doing.

Why ForAllSecure Is A 2020 RSA Innovation Sandbox Finalist

ForAllSecure

On February 24, 2020, ForAllSecure competed in the RSA Innovation Sandbox (ISB) as a Top 10 Finalist. The opportunity to compete has been an extreme honor, especially considering the annual event is deemed the Oscars of cybersecurity. RSA explains that the purpose of the competition is to, “bring out cybersecurity’s boldest new innovators who have made it their mission to minimize risk.”

Top 3 Technical Barriers to Fuzzing

ForAllSecure

Fuzz testing is an effective technique for uncovering serious defects in software. From the Heartbleed vulnerability in 2014 to the infamous Jeep Cherokee hack in 2015, fuzz testing is the technique that made many high-profile discoveries possible. Fuzzing has consistently proven to be a powerful tool for ensuring the safety, security, and resiliency of software. Yet this three-decade-old technique, which has evolved rapidly, remains largely unused.

Why I'm not Sold on Machine Learning in Autonomous Security: Some Hard Realities on the Limitations of Machine Learning in Autonomous netsec

ForAllSecure

Tell me if you’ve heard this: there is a new advanced network intrusion device that uses modern, super-smart Machine Learning (ML) to root out known and unknown intrusions. The IDS device is so smart, it learns what’s normal on your network and does not immediately inform you when it sees an anomaly.

Uncovering vulnerabilities in Cryptographic libraries: Mayhem, Matrixssl, and WolfSSL

ForAllSecure

Introduction. As part of a recent initiative at ForAllSecure to analyze more open source software with Mayhem, a next-generation fuzzing solution, we decided to investigate some cryptographic libraries.

Autonomy and the Death of CVEs? Is the Manual Process of Reporting Bugs Holding Back the Advent of Automated Tools?

ForAllSecure

How many potholes did you encounter on your way into work today? How many of them did you report to the city?

Software Is Infrastructure

ForAllSecure

The realization that software is becoming an essential component of our everyday lives was reflected yet again at this year’s Black Hat. Even more solutions are being touted to deal with the ever-growing exposure of software to malicious threats.

Analyzing Matio and stb_vorbis Libraries with Mayhem

ForAllSecure

At ForAllSecure, our mission is to help developers find critical bugs in their software faster and more easily than standard development practices and tools allow.

Security Ledger Podcast: Security Automation is (and Isn't) the future of InfoSec

ForAllSecure

Every so often, a technology comes along that seems to perfectly capture the zeitgeist: representing all that is both promising and troubling about the future.

ForAllSecure Uncovers Vulnerability in Netflix DIAL Software

ForAllSecure

Introduction. This month, as interns at ForAllSecure, we participated in a contest to test the beta version of Mayhem on various open source projects.

New to Autonomous Security? The Components, The Reality, and What You Can Do Today.

ForAllSecure

Key Takeaways from ForAllSecure’s, “Achieving Development Speed and Code Quality with Behavior Testing” Webinar

ForAllSecure

Security and speed are often perceived to be mutually exclusive, repelling each other like the like poles of a magnet. Dr. David Brumley, CEO of ForAllSecure and professor at CMU, posits that they don’t have to be.

Top 3 Webinar Takeaways: “Continuous Fuzzing: The Trending Security Technique Among Silicon Valley’s Tech Behemoths”

ForAllSecure

Over the last decade, there’s been an uptick in progressive Silicon Valley tech behemoths adopting an application security testing technique called continuous fuzzing. While effective, fuzzing largely remains a hidden secret to the larger developer and security communities.

How Much Testing is Enough? Understanding Test Results with bncov and Coverage Analysis.

ForAllSecure

A frequently asked question in software testing is “Is that enough testing, or should we do more?” Whether you’re writing unit tests for your programs or finding bugs in closed-source third-party software, knowing what code you have and have not covered is an important piece of information.

Top 5 Takeaways From the “ForAllSecure Makes Software Security Autonomous” Livestream

ForAllSecure

In February 2019, Dr. David Brumley, ForAllSecure CEO, and Zach Walker, DIU project manager, discussed how Mayhem, ForAllSecure’s behavior testing solution, has helped secure the Department of Defense’s most critical platforms.

Onward to the Next Chapter in ForAllSecure’s Journey

ForAllSecure

Welcome back to the second installment of the ForAllSecure Journey series. In my previous post, we took a look back at ForAllSecure’s history. In today’s piece, I’d like to share not only my vision for the future, but also an exciting announcement.

A Reflection on ForAllSecure's Journey in Bootstrapping Behavior Testing Technology

ForAllSecure

Software security is a global challenge that is slated to grow worse.

DevOps Chat Podcast: $2M DARPA Award Sparks Behavior Testing with ForAllSecure's Mayhem Solution

ForAllSecure

Secure software depends on people finding vulnerabilities and deploying fixes before they are exploited in the wild. This has led to a world of security researchers and bug bounties directed at finding new vulnerabilities.

The CyberWire Daily Podcast ep. 389 with Guest Speaker David Brumley

ForAllSecure

The CyberWire Daily podcast delivers the day's cyber security news in a concise format. The CyberWire Daily includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
