Showing results for tags 'developers'.
Found 4 results
Threat models help application developers answer some fundamental questions about potential risks and how to cut off vulnerabilities before they’re put into production. Some software development lifecycles, however, don’t include threat modeling as part of the code-building process because they’ve either never heard of it, or the process is too difficult.

Students at St. Mary’s University in Nova Scotia, Canada, participating in Mozilla’s Winter of Security 2014 project, built a browser-based threat modeling tool that simplifies visualization of systems and data flows, and where soft spots might be introduced during design. The tool, called Seasponge, has been made available on Github and its developers are hoping to not only get feedback and feature suggestions, but also hope to encourage developers to introduce threat modeling into SDLs in order to fix bugs while in design when it’s cheap to do so.

“We hope now that it’s out there that people collaborate, build threats for it, collaborate and share files and grow a threat modeling community around Seasponge,” said Glavin Wiechert, one of the students behind the tool along with Joel Kuntz, Sarah MacDonald and Mathew Kallada. “We hope this tool is easy to start out with and will ultimately accelerate the usage of threat modeling and the number of people using threat modeling for projects.”

Wiechert, a full-time student at St. Mary’s who also runs his own analytics company, came into this project without much of a security background, other than an interest in the discipline. He and his colleagues, as well as Mozilla, hope that Seasponge ultimately has a place alongside Microsoft’s free SDL threat modeling tool, the most popular tool among developers today.

“The original idea came from Mozilla to have a tool like this,” Wiechert said. “There was a heavy demand from their users within Mozilla to use something like the Microsoft threat modeling tool, but have it be more open source and Web-based, and not be forced to be just on the Windows platform.”

Being a Web-based alternative to the Microsoft tool, the developers hope that with it now being open source, contributions can be made to help them reach their goals of adding more collaboration features, cloud-based storage for projects, encapsulation of entire systems, and more.

“One of the big eye openers for me was the lack of development in terms of the only competition was the Microsoft tool,” Wiechert said. “No one dove into a web platform for threat modeling. I wasn’t very experienced in the field, but it is an important one. I expected more competition and a community, and we hoped to be part of it, but it was really Microsoft-centric.”

Wiechert said Mozilla is among the early beta testers and is putting Seasponge through its paces. “It’s functional and you can make new threats in the tool, open, download and save files, visualize them; all the attributes work,” he said. “It’s also functional from a visualization standpoint. I’m hoping Mozilla is using it right now and soon anyone else in the community. We’re hoping to get feedback from the threat modeling community and we’re interested to hear any ideas.”

Source

In an effort to head off the problem of malicious or misbehaving browser add-ons, Mozilla is planning to require developers to have their Firefox extensions signed by the company in the near future.

As much of users’ computing has moved into their browsers in the last few years, extensions and add-ons have become important tools. There are an untold number of useful extensions for most of the major browsers, but there are also plenty of malicious ones. Attackers have been known to insert extensions into browser Web stores or other download sites in order to steal users’ data or perform other malicious actions. There also are all kinds of somewhat legitimate extensions that may collect more data than they disclose to users or perform unwanted actions.

To defeat this problem, Google requires developers to distribute their extensions through the Chrome Web store. However, Mozilla officials said they didn’t want to take that approach.

“We’re responsible for our add-ons ecosystem and we can’t sit idle as our users suffer due to bad add-ons. An easy solution would be to force all developers to distribute their extensions through AMO, like what Google does for Chrome extensions. However, we believe that forcing all installs through our distribution channel is an unnecessary constraint. To keep this balance, we have come up with extension signing, which will give us better oversight on the add-ons ecosystem while not forcing AMO to be the only add-on distribution channel,” Jorge Villalobos of Mozilla said in a blog post.

The idea is that sometime in the second quarter, Mozilla will begin requiring developers to submit their extensions and add-ons to AMO, the company’s main distribution channel for those apps. Each submission will go through a review process to ensure that it doesn’t exhibit any malicious or undocumented behavior. If the developer plans to host her extension on AMO and it passes the check, Mozilla will automatically sign it. If the developer plans to host the extension elsewhere, it will go through the same process and be sent back signed if it passes muster.

The change will mean that after a transition period of about three months, users won’t be able to install any unsigned extensions on either the Release or Beta versions of Firefox. Villalobos said the company plans to begin displaying warnings about unsigned extensions in Firefox 39. This move by Mozilla will give users more confidence in the extensions and add-ons they’re installing.

“Extensions that change the homepage and search settings without user consent have become very common, just like extensions that inject advertisements into Web pages or even inject malicious scripts into social media sites. To combat this, we created a set of add-on guidelines all add-on makers must follow, and we have been enforcing them via blocklisting (remote disabling of misbehaving extensions). However, extensions that violate these guidelines are distributed almost exclusively outside of AMO and tracking them all down has become increasingly impractical. Furthermore, malicious developers have devised ways to make their extensions harder to discover and harder to blocklist, making our jobs more difficult,” Villalobos said.

Source

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.). It was inspired by the WebGoat project, and has a similar conceptual flow to it. As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson. iGoat is free software, released under the GPLv3 license.

Download: https://code.google.com/p/owasp-igoat/wiki/NewDownloads

With the latest release of Nsight™ Visual Studio Edition 3.1, we are excited to present the latest features available to help developers profile, analyse, debug and optimize their GPGPU and graphics applications.

Sign up for the upcoming webinars hosted by the GPU Technology Conference Express Webinar Program. The first series of webinars, scheduled for September 19th and September 26th, focus on OpenGL 4.2 debugging and OpenGL 4.2 profiling, respectively.

| Date | Title | Speaker | |
| --- | --- | --- | --- |
| September 26, 2013, 10:00 AM PDT | Learn How to Profile OpenGL 4.2 with NVIDIA® Nsight™ Visual Studio Edition 3.1 | Jeff Kiel, Manager, Graphics Tools, NVIDIA | Register Now |
| September 19, 2013, 10:00 AM PDT | Learn How to Debug OpenGL 4.2 with NVIDIA® Nsight™ Visual Studio Edition 3.1 | Daniel Price, Programmer, Graphics Tools, NVIDIA | Register Now |

Register to Nvidia developers Here.