Welcome to our festive December newsletter! In this issue, we will tell you how
fuzz testing has been integrated with Wind River test management. Find out what
Forrester discovered in their recent study about the economic impact of Codenomicon
Defensics, and learn what the Codenomicon R&D department has been up to. Our popular
webinar series continues: check out the recordings of the Internet Abuse and Actionable
Information and Agile Fuzzing webcasts. Also, do not forget to take a look at our
We hope that you enjoy this newsletter, and wish you Happy Holidays and
a very successful New Year 2013!
Fuzz testing integrated with Wind River Test Management
Wind River Test Management 5.0 introduces a comprehensive package of security
testing solutions. The new fuzz testing package enables testers to ensure that
the applications they are building rely on robust, secure protocols, and to
efficiently find unknown vulnerabilities, in both in-house and third-party software.
Powered by Defensics, the fuzz testing capabilities of the Wind River Test Management
solution enable software testers to incorporate security testing into their day-to-day
QA routine with no need for special hardware or deep security expertise.
Read more in the Wind River blog.
Forrester study: Total Economic Impact of Codenomicon's Defensics Security Testing Suite
Codenomicon commissioned Forrester to perform a study of the total economic impact
of Codenomicon's Defensics security testing suite for a Defensics customer,
who is a large network equipment vendor. This study evaluated cash flows and
financial metrics to quantify the total economic impact. An overview of the study's
findings was presented in a webcast by Chenxi Wang, VP & Principal Analyst at Forrester.
The recording of the presentation is available for download here.
Former White House cybersecurity advisor joins Codenomicon board of directors
Codenomicon is happy to welcome Howard A. Schmidt back to the Board of Directors.
Mr. Schmidt previously served on the Codenomicon Board of Directors from January 2008
until December 2009 when President Barack Obama appointed him as White House Cybersecurity
Coordinator, from which he retired in May 2012. This was not the first time Mr. Schmidt
acted as the US cyber security adviser. During the Administration of George W. Bush,
Schmidt served as vice chair of the President's Critical Infrastructure Protection
Board and special adviser for Cyberspace Security for the White House.
Howard A. Schmidt has had a long distinguished career in defense, law enforcement
and corporate security spanning more than 40 years, bringing with him experience
in business, defense, intelligence, law enforcement, privacy, academia and international
New Defensics platform release
Codenomicon is proud to announce the release of Defensics version 10.2. The latest
version is already available for download, so if you have a valid Download Arena
account, go and get yours now. Using the latest Defensics platform enables you to
use the latest features and capabilities across all Defensics products.
So, what is new in this release? We have been working hard on improving test plans,
making their usage easier, simpler and more efficient. Using test plans makes it
easier to document and replay tests either by yourself or by third parties, such
as the developers of the vulnerable code. Test case re-runs in different Defensics
instances are much more straightforward than earlier, and there are fewer test suite
Another cool feature is the updated test reports! We have put a lot of effort into
this feature, and we are very happy with the results. Among many other things, we
have improved the report summary to make it more useful. To pinpoint the root cause
of a single failure faster, we have developed a new failure concept which groups all
possible pieces of information together. The full test reports are also now available
in both PDF and DOCX formats, in both A4 and Letter size.
Featured new suite: IPMI
The Intelligent Platform Management Interface is designed to provide remote management
and monitoring for computer systems. It is a UDP-based standard promoted by Intel,
Dell, HP and NEC. With IPMI, system administrators are able to manage multiple systems
remotely without the need to have an OS installed or the system powered up.
Since IPMI is able to control computer systems at hardware level, any vulnerabilities
found should be considered severe. To ensure robustness, it is essential to test all
IPMI implementations comprehensively. The new Defensics IPMI Test Suite provides test
cases for different types of IPMI commands specified in the latest IPMI 2.0 specification.
The suite acts as a management client to find vulnerabilities within IPMI server
Featured new suite: SIP-I
SIP-I (SIP with encapsulated ISUP) is intended for creating, modifying and terminating
multimedia sessions based on ISUP (ISDN User Part) with SIP. SIP-I (and its IETF
counterpart SIP-T) supports bridging ISUP networks over an IP connection.
ISUP networks have traditionally been closed, with no access from IP networks.
SIP-I opens up a new vector of ISUP message delivery, and vulnerabilities in either
proxies handling SIP-I messages or gateways delivering ISUP into the core network may
have a severe impact on the reliability and security of telephony networks.
Codenomicon SIP-I Server Test Suite is a new suite that can be used to test entities
handling SIP-I and SIP-T messages. The suite supports several variants and versions
of ISUP and can be used to scan for flaws in implementations handling either SIP or
ISUP parts of the messages.
Check out the latest webinar on Internet Abuse and Actionable Information
Check out our latest webinar on Internet Abuse and Situation Awareness on our web pages.
Lari Huttunen talks about how various organizations have abuse within their networks,
but are potentially lacking the means to clear the problems up. In this webinar we
present a botnet-inspired solution for automatically generating actionable Internet
abuse information. Botnets are traditionally associated with malicious activities,
but their data handling capabilities can also be used to automatically collect,
process and report abuse information.
This webcast was recorded in cooperation with Business Review Webinars.
Agile fuzzing webcast
Agile software development and security testing is an interesting topic, so we put
our heads together with the good people at TEST magazine and came up with a webcast
on how to integrate fuzz testing with agile software development. In the webinar,
we highlighted different automated security testing techniques that are based on
fuzzing and provided examples of how these can be integrated into an agile development
process. We also discussed how agile fuzzing can be used to improve quality, and
how early elimination of security flaws can help keep down the post-release costs.
If you missed the agile webcast airing, the recording is available here.
Embedded Devices Webinar
The latest Fuzzing 101 Webinar: Fuzzing Connected Devices - Same Problems, Different Devices is now available for download and viewing!
In this webinar, our Security Specialist Rikke Kuiper discusses the vulnerabilities found in various embedded devices, and what their implications are. This webinar covers wireless routers, network-attached printers and storage devices, as well as smart TVs.
Check out the abstract and other related information here.
Wireless Routers Whitepaper available for Download
Our latest whitepaper titled "Wireless Routers: Keeping the Gates" is now available for download!
In this whitepaper we discuss the vulnerability issues we found in nine different manufacturers' consumer-grade wireless routers, and their implications for, for example, ISPs.
Moreover, this whitepaper demonstrates how generation-based fuzzing can be used to find these vulnerabilities proactively. Enterprises and ISPs providing wireless connectivity can test their equipment themselves, or they can push the testing responsibility to their suppliers. With the help of fuzzing, they can build a more secure wireless infrastructure, lower help desk and maintenance costs, and improve customer satisfaction.
The whitepaper is a part of a series discussing embedded devices and their vulnerabilities. More information and downloads here.
Meet us at events
Check the following list to see where you can find us, and come and say hi! The events list is constantly being updated; find the latest list here.
- 5th Annual SCADA Asia Summit 2013, January 9-10, Singapore
- 8th ETSI Security Workshop, January 16-17, Sophia Antipolis, France
- OOP, Jan 23-27, 2013, ICM International Congress Center, Munchen, Germany
- Belgium Testing Days, February 27 - March 2, Sheraton Brussels Airport Hotel, Belgium
- Medical Devices Summit East, February 28 - March 1, Boston Marriott Long Wharf Hotel, Boston, MA, USA
- Cisco Innovation Test Conference 2013, March 5 - 7, San Jose, CA, USA
- Infosecurity London, April 23-25, Earl's Court, London, UK
Looking forward to meeting you there!
What you don't know makes you vulnerable