ForAllSecure

Uncovering Memory Defects in cereal (CVE-2020-11104 & CVE-2020-11105)

ForAllSecure

Introduction. Deserialization of untrusted input is a common attack vector, making both the MITRE top-25 most dangerous software errors. Even without an attacker, mistakes in serialization or deserialization decrease the reliability of your code. ForAllSecure Vulnerability Disclosures

52

Uncovering OpenWRT remote code execution (CVE-2020-7982)

ForAllSecure

Introduction. For ForAllSecure, I’ve been focusing on finding bugs in OpenWRT using their Mayhem software. My research on OpenWRT has been a combination of writing custom harnesses, running binaries of the box without recompilation, and manual inspection of code. ForAllSecure Vulnerability Disclosures

88

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Game Theory: Why System Security Is Like Poker, Not Chess

ForAllSecure

The 1980’s film “Wargames” asked a computer to learn whether global thermonuclear war made sense. In the film, thermonuclear war didn’t make sense but what if, in real life, preemptive cyberattacks were our best hope for winning?

IT 56

Demystifying a Docker Image

ForAllSecure

Six months ago ForAllSecure started analyzing Docker images. What does this mean? Imagine we have a user who wants us to fuzz their application. How do they give it to us? Do they tar it up? Do they give us access to an environment where it’s running? Do we integrate into their build pipeline?

ABCs of Data Normalization for B2B Marketers

Data normalization. It’s not a far stretch to suggest that the topic isn’t exactly what gets marketers excited in their day-to-day workflow. However, if lead generation, reporting, and measuring ROI is important to your marketing team, then data normalization matters - a lot. In this eBook, we’ll break down the ins and outs of data normalization and review why it’s so critical for your marketing strategies and goals!

Mayhem Moves to Production with the Department of Defense

ForAllSecure

In 2016, Mayhem -- then still a research prototype -- showed that fully autonomous cybersecurity was possible. This was just the first step. ForAllSecure Journey

Decipher Security Podcast with ForAllSecure CEO David Brumley

ForAllSecure

The Decipher Security podcast by Duo Security analyzes the news, explores the impact of the latest risks, and provides informative and educational material for readers intent on understanding how security affects our world.

Beginning Fuzz Cycle Automation: Improving Testing and Fuzz Development with Coverage Analysis

ForAllSecure

In my previous post , we covered using bncov to do open-ended coverage analysis tasks to inform our testing.

80

Top Takeaways from the “Knowing the Unfuzzed and Finding Bugs with Coverage Analysis” Webinar

ForAllSecure

The adoption of fuzzing has resulted in vulnerabilities being found and fixed at scale. Although it is known for a number of its benefits never seen before in other application security testing techniques, advanced users have eventually come across two key questions: Code Coverage

IT 52

Top 3 Trends at Shmoocon 2020

ForAllSecure

On January 31, 2020, Shmoocon held their annual conference in Washington D.C. Each year, the event offers a glimpse into the upcoming trends of the year, defined by the needs of the federal industry. Outlined below are the top three trends observed by our ForAllSecure engineers

56

How to Solve 4 Common Challenges of Legacy Information Management

Speaker: Chris McLaughlin, Chief Marketing Officer and Chief Product Officer, Nuxeo

After 20 years of Enterprise Content Management (ECM), businesses still face many of the same challenges with finding and managing information. Join Chris McLaughlin, CMO and CPO of Nuxeo, as he examines four common business challenges that these legacy ECM systems pose and how they can be addressed with a more modern approach.

ForAllSecure's Response to COVID-19

ForAllSecure

COVID-19 is a global pandemic that affects everyone. We all need to work together, and I wanted to share with you some of the things ForAllSecure is doing

52

Uncovering Vulnerabilities in Open Source Libraries

ForAllSecure

Introduction. In recent articles, ForAllSecure has discussed how we were able to use our next-generation fuzzing solution, Mayhem, to discover previously unknown vulnerabilities in several open source projects, including Netflix DIAL reference , Das U-Boot , and more.

Why I'm not Sold on Machine Learning in Autonomous Security: Some Hard Realities on the Limitations of Machine Learning in Autonomous netsec

ForAllSecure

Tell me if you’ve heard this: there is a new advanced network intrusion device that uses modern, super-smart Machine Learning (ML) to root out known and unknown intrusions. The IDS device is so smart, it learns what’s normal on your network and does not immediately inform you when it sees an anomaly.

IT 60

Uncovering vulnerabilities in Cryptographic libraries: Mayhem, Matrixssl, and WolfSSL

ForAllSecure

Introduction. As part of a recent initiative at ForAllSecure to analyze more open source software with Mayhem, a next-generation fuzzing solution, we decided to investigate some cryptographic libraries. ForAllSecure Vulnerability Disclosures

The 2019 Technographic Data Report for B2B Sales Organizations

In this report, ZoomInfo substantiates the assertion that technographic data is a vital resource for sales teams. In fact, the majority of respondents agree—with 72.3% reporting that technographic data is either somewhat important or very important to their organization. The reason for this is simple—sales teams value technographic data because it makes essential selling activities easier and more efficient.

Autonomy and the Death of CVEs? IS the Manual Process of Reporting Bugs Holding Back the Advent of Automated Tools?

ForAllSecure

How many potholes did you encounter on your way into work today? How many of them did you report to the city? Fuzzing Automation Autonomous Security

Software Is Infrastructure

ForAllSecure

The realization that software is becoming an essential component of our everyday lives was reflected yet again in this year’s. Black Hat. Even more solutions are being touted to deal with the ever-growing exposure of software to malicious threats.

52

Analyzing Matio and stb_vorbis Libraries with Mayhem

ForAllSecure

At ForAllSecure, our mission is to help developers find critical bugs in their software quicker, easier, and faster than standard development practices and tools.

Security Ledger Podcast: Security Automation is (and Isn't) the future of InfoSec

ForAllSecure

Every so often, a technology comes along that seems to perfectly capture the zeitgeist : representing all that is both promising and troubling about the future

The Time-Saving Power of Intent Data for Sales

By using the power of intent data, capturing buyer interest has become more feasible for sales. Not only that, but using it will save immense time during your workflow; a win-win on all fronts.

ForAllSecure Uncovers Vulnerability in Netflix DIAL Software

ForAllSecure

Introduction. This month, as interns at ForAllSecure, we participated in a contest to test the beta version of Mayhem on various open source projects.

New to Autonomous Security? The Components, The Reality, and What You Can Do Today.

ForAllSecure

Key Takeaways from ForAllSecure’s, “Achieving Development Speed and Code Quality with Behavior Testing” Webinar

ForAllSecure

Security and speed are often perceived to be mutually exclusive, repelling away from each other like identical poles of a magnet. Dr. David Brumley, CEO of ForAllSecure and professor at CMU, posits that they don’t have to be.

Top 3 Webinar Takeaways: “Continuous Fuzzing: The Trending Security Technique Among Silicon Valley’s Tech Behemoths”

ForAllSecure

Over the last decade, there’s been an uptick in progressive Silicon Valley tech behemoths adopting an application security testing technique called continuous fuzzing. While effective, fuzzing largely remains a hidden secret to the larger developer and security communities. Fuzzing Automation DevSecOps Continuous Fuzzing

How ZoomInfo Enhances Your Database Management Strategy

Forward-thinking marketing organizations have continuously invested in a database strategy for enabling marketing processes. Download this ebook to learn how to maintain a strategy that includes refreshed information, database cleanses, and an accurate analysis at the same time.

How Much Testing is Enough? Understanding Test Results with bncov and Coverage Analysis.

ForAllSecure

A frequently asked question in software testing is “Is that enough testing, or should we do more?” Whether you’re writing unit tests for your programs or finding bugs in closed-source third-party software, knowing what code you have and have not covered is an important piece of information.

IT 52

Top 5 Takeaways From the “ForAllSecure Makes Software Security Autonomous” Livestream

ForAllSecure

In February 2019, Dr. David Brumley, ForAllSecure CEO, and Zach Walker, DIU project manager, discussed how Mayhem, ForAllSecure’s behavior testing solution, has helped secure the Department of Defense’s most critical platforms.

Onward to the Next Chapter in ForAllSecure’s Journey

ForAllSecure

Welcome back to the second installment of the ForAllSecure Journey series. In my previous post , we took a look back at ForAllSecure’s history. In today’s piece, I’d like to share not only my vision for the future, but also an exciting announcement

52

A Reflection on ForAllSecure's Journey in Bootstrapping Behavior Testing Technology

ForAllSecure

Software security is a global challenge that is slated to grow worse.

How ZoomInfo Enhances Your ABM Strategy

For marketing teams to develop a successful account-based marketing strategy, they need to ensure good data is housed within its Customer Relationship Management (CRM) software. More specifically, updated data can help organizations outline key accounts for their campaigns. And to begin the targeting process, marketing teams must develop an Ideal Customer Profile (ICP) with appropriate firmographic and behavioral data to ensure they’re going after the correct audience.Download this eBook to learn how to start improving your marketing team's data!

DevOps Chat Podcast: $2M DARPA Award Sparks Behavior Testing with ForAllSecure's Mayhem Solution

ForAllSecure

Secure software depends on people finding vulnerabilities and deploying fixes before they are exploited in the wild. This has led to a world of security researchers and bug bounties directed at finding new vulnerabilities

The CyberWire Daily Podcast ep. 389 with Guest Speaker David Brumley

ForAllSecure

The CyberWire Daily podcast delivers the day's cyber security news into a concise format. The CyberWire Daily includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world

Open Source Security Podcast Ep. 151-- The DARPA Cyber Grand Challenge with David Brumley

ForAllSecure

Open Source Security Podcast helps listeners better understand security topics of the day. Hosted by Kurt Seifried and Josh Bressers, the pair covers a wide range of topics including IoT, application security, operational security, cloud, devops, and security news of the day

IoT 40

Innovators under 35

ForAllSecure

I am truly honored to share that I have been named to MIT Technology Review’s prestigious annual list of Innovators Under 35 as a Pioneer. The award, first given by the magazine in 1999, celebrates young innovators who are poised to be leaders in their fields.

52

Data-Driven Marketing 101

This eBook highlights how data-driven strategies empower marketing campaigns through personalization tactics.

Why ForAllSecure is on MIT Technology Review’s 2017 List of Smartest Companies

ForAllSecure

I am honored to share that ForAllSecure has been named to MIT Technology Review’s 2017 list of 50 Smartest Companies. According to the MIT Tech Review team, to make the list, a company must exhibit technological leadership and business acumen, which set them apart from competitors.

52

Why CGC Matters to Me

ForAllSecure

By David Brumley. In 2008 I started as a new assistant professor at CMU. I sat down, thought hard about what I had learned from graduate school, and tried to figure out what to do next. My advisor in graduate school was Dawn Song , one of the top scholars in computer security. She would go on to win a MacArthur "Genius" Award in 2010. She's a hard act to follow. I was constantly reminded of this because, by some weird twist of fate, I was given her office when she moved from CMU to Berkeley.

Case Study: LEGIT_00004

ForAllSecure

LEGIT_00004 was a challenge from Defcon CTF that implemented a file system in memory. The intended bug was a tricky memory leak that the challenge author didn't expect Mayhem to get. However, Mayhem found an unintended null-byte overwrite bug that it leveraged to gain arbitrary code execution.

IT 52

Mayhem Wins DARPA CGC

ForAllSecure

Mayhem is a fully autonomous system for finding and fixing computer security vulnerabilities.On Thursday, August 4, 2016, Mayhem competed in the historical DARPA Cyber Grand Challenge against other computers in a fully automatic hacking contest.and won.

Best Practices for Marketing Database Cleanse

Finding a vendor to cleanse and optimize your marketing database can be difficult if you don’t know what to look for. Download the eBook to get the most out of your database cleanse and find an appropriate vendor for your B2B marketing objectives.