Posts Tagged ‘software vulnerability’

Impact of the GNU C Library getaddrinfo() Buffer Overflow Vulnerability (CVE-2015-7547) on EMC/RSA Products

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

On February 16, 2016, security researchers publicly disclosed a vulnerability in the Linux glibc library, which is commonly found in Linux-based operating systems. The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used (CVE-2015-7547). A remote attacker could create specially crafted DNS responses, which could cause the library to crash or potentially execute code with the permissions of the user running the library.

Following the disclosure of this vulnerability, we immediately initiated a review of EMC Information Infrastructure and RSA products to assess any potential impact. (more…)

Impact of the GNU glibc gethostbyname Function Buffer Overflow “GHOST” Vulnerability on EMC/RSA Products

Reeny Sondhi

Reeny Sondhi

Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products. More ...

The “Ghost” vulnerability (CVE-2015-0235) in the gethostbyname functions of the GNU C Library (glib), which is commonly found in Linux based operating systems, affects applications calling this function. In some special instances, the successful exploitation of this vulnerability could allow an attacker to perform remote code execution on a targeted system. Following the release of this vulnerability, we immediately initiated a review of EMC Information Infrastructure and RSA products to assess any potential impact. (more…)

EMC’s Approach to Vulnerability Response

Reeny Sondhi

Reeny Sondhi

Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products. More ...

Let’s face it – real software products have security vulnerabilities! While building strong secure software development practices goes a long way towards detecting and helping to eliminate security vulnerabilities during the development process, a strong product security program also needs to be prepared to properly handle and respond to security vulnerabilities found in the product after it has shipped. (more…)

Real Software Does Have Bugs (and Vulnerabilities Too)

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

I was recently interviewed by a business journalist at CNBC for a story on high-profile software glitches that impacted operations of a trading company and an airline. The interviewer was seeking insights into the relationship between these glitches and security.

These interviews are always a refreshing opportunity to explain complex concepts in simple terms and to educate our audience about assumptions that we typically take for granted.

This interview was no different. The reporter wanted to understand how an organization could guarantee “bug-free” software. (more…)