Dear Reader,

Welcome to our festive December newsletter! In this issue, we will tell you how fuzz testing has been integrated with Wind River test management. Find out what Forrester discovered in their recent study about the economic impact of Codenomicon Defensics, and learn what Codenomicon R&D department has been up to. Our popular webinar series continues, check out the recordings of Internet Abuse and Actionable Information and Agile Fuzzing webcasts. Also, do not forget to take a look at our upcoming eventslist!

We hope that you enjoy this newsletter, and wish you Happy Holidays and a very successful New Year 2013!


Fuzz testing integrated with Wind River Test Management

Wind River Test Management 5.0. introduces a comprehensive package of security testing solutions. The new fuzz testing package enables testers to ensure that the applications they are building rely on robust, secure protocols, and to efficiently find unknown vulnerabilities, in both in-house and third-party software. Powered by Defensics, the fuzz testing capabilities of the Wind River Test Management solution enable software testers to incorporate security testing into their day-to-day QA routine with no need for special hardware or deep security expertise.

Read more in Wind River blog.


Forrester study: Total Economic Impact of Codenomiconís Defensics Security Testing Suite

Codenomicon commissioned Forrester to perform a study of the total economic impact of Codenomiconís Defensics security testing suite for a Defensics customer, who is a large network equipment vendor. This study evaluated cash flows and financial metrics to quantify the total economic impact. An overview of the study's findings were presented in a webcast by Chenxi Wang, VP & Principal Analyst at Forrester. The recording of the presentation is available for download here.


Former White House cybersecurity advisor joins Codenomicon board of directors

Codenomicon is happy to welcome Howard A. Schmidt back to the Board of Directors.

Mr. Schmidt previously served on the Codenomicon Board of Directors from January 2008 until December 2009 when President Barack Obama appointed him as White House Cybersecurity Coordinator, from which he retired in May 2012. This was not the first time Mr. Schmidt acted as the US cyber security adviser. During the Administration of George W. Bush, Schmidt served as vice chair of the President's Critical Infrastructure Protection Board and special adviser for Cyberspace Security for the White House.

Howard A. Schmidt has had a long distinguished career in defense, law enforcement and corporate security spanning more than 40 years, bringing with him experience in business, defense, intelligence, law enforcement, privacy, academia and international relations.

Read more


New Defensics platform release

Codenomicon is proud to announce the release of Defensics version 10.2. The latest version is already available for download, so if you have a valid Download Arena account, go and get yours now. Using the latest Defensics platform enables you to use the latest features and capabilities across all Defensics products.

So, what is new in this release? We have been working hard on improving test plans, making their usage easier, simpler and more efficient. Using test plans makes it easier to document and replay tests either by yourself or by third parties, such as the developers of the vulnerable code. Test case re-runs in different Defensics instances is much more straight forward than earlier, and there are less test suite version dependencies.

Another cool feature are the updated test reports! We have put a lot of effort into this feature, and we are very happy with the results. Among many other things, we have improved the report summary to make it more useful. To pinpoint the root cause of a single failure faster, we have developed a new failure concept which groups all possible pieces of information together. The full test reports are also now available in both PDF and DOCX formats, in both A4 and Letter size.


Featured new suite: IPMI

The Intelligent Platform Management Interface is designed to provide remote management and monitoring for computer systems. It is an UDP based standard promoted by Intel, Dell, HP and NEC. With IPMI system administrators are able to manage multiple systems remotely without the need to have an OS installed or the system powered up.

Since IPMI is able to control computer systems at hardware level, any vulnerabilities found should be considered severe. To ensure robustness, it is essential to test all IPMI implementations comprehensively. The new Defensics IPMI Test Suite provides test cases for different types of IPMI commands specified in the latest IPMI 2.0 specification. The suite acts as a management client to find vulnerabilities within IPMI server implementations.


Featured new suite: SIP-I

SIP-I (SIP with encapsulated ISUP) is intended for creating, modifying and terminating multimedia sessions based on ISUP (ISDN User Part) with SIP. SIP-I (and its IETF counterpart SIP-T) supports bridging ISUP networks over an IP connection.

ISUP networks have traditionally been closed and with no access from IP networks. SIP-I opens up a new vector of ISUP message delivery, and vulnerabilities in either proxies handling SIP-I messages or gateways delivering ISUP into core network may have severe impact on the reliability and security of telephony networks.

Codenomicon SIP-I Server Test Suite is a new suite that can be used to test entities handling SIP-I and SIP-T messages. The suite supports several variants and versions of ISUP and can be used to scan for flaws in implementations handling either SIP or ISUP parts of the messages.


Check out the latest webinar on Internet Abuse and Actionable Information

Check out our latest webinar on Internet Abuse and Situation Awareness on our web pages.

Lari Huttunen talks about how various organizations have abuse within their networks, but are potentially lacking the means to clear the problems up. In this webinar we present a botnet-inspired solution for automatically generating actionable Internet abuse information. Botnets are traditionally associated with malicious activities, but their data handling capabilities can also be used to automatically collect, process and report abuse information.

This webcast was recorded in cooperation with Business Review Webinars.


Agile fuzzing webcast

Agile software development and security testing is an interesting topic, so we put our heads together with the good people at TEST magazine and came up with a webcast on how to integrate fuzz testing with agile software development. In the webinar, we highlighted different automated security testing techniques that are based on Fuzzing and provided examples on how these can be integrated into an agile development process. We also discussed how agile fuzzing can be used to improve quality, and how early elimination of security flaws can help keep down the post-release costs.

If you missed the agile webcast airing, the recording is available here.


Embedded Devices Webinar

The latest Fuzzing 101 Webinar: Fuzzing Connected Devices - Same Problems, Different Devices is now available for download and viewing!

In this webinar, our Security Specialist Rikke Kuiper discusses the vulnerabilities found in various embedded devices, and what their implications are. This webinar covers wireless routers, network-attached printers and storage devices, as well as smart TVs.

Check out the abstract and other related information here.


Wireless Routers Whitepaper available for Download

Our latest whitepaper titled "Wireless Routers: Keeping the Gates" is now available for download!

In this whitepaper we discuss the vulnerability issues we found in nine different manufacturers' consumer-grade wireless routers, and their implications to for example ISPs.

Moreover, this whitepaper demonstrates how generation-based fuzzing can be used to find these vulnerabilities proactively. Enterprises and ISPs providing wireless connectivity can test their equipment themselves, or they can push the testing responsibility to their suppliers. With the help of fuzzing, they can build a more secure wireless infrastructure, lower help desk and maintenance costs, and improve customer satisfaction.

The whitepaper is a part of a series discussing embedded devices and their vulnerabilities. More information and downloads here.


Meet us at events

Check the following list to see where you can find us, and come and say hi! The events list is constantly being updated, find the latest list here.

January

  • 5th Annual SCADA Asia Summit 2013, January 9-10, Singapore
  • 8th ETSI Security Workshop, January 16-17, Sophia Antipolis, France
  • OOP, Jan 23-27, 2013, ICM International Congress Center, Munchen, Germany

February

  • Belgium Testing Days, February 27 - March 2, Sheraton Brussels Airport Hotel, Belgium
  • Medical Devices Summit East, February 28 - March 1, Boston Marriott Long Wharf Hotel, Boston, MA, USA

March

  • Cisco Innovation Test Conference 2013, March 5 - 7, San Jose, CA, USA

April

  • Infosecurity London, April 23-25, Earl's Court, London, UK

Looking forward to meeting you there!



What you don't know makes you vulnerable


Codenomicon Ltd. | www.codenomicon.com | info@codenomicon.com