Software Testing Blog

Dissecting a 19-year-old bug

(This article is posted to the Coverity Security Research Lab blog as well.) It was with a bizarre combination of nostalgia and horror that I read this morning about a 19-year-old rather severe security hole in Windows. Nostalgia because every bit of the exploited code is very familiar to me: working on the portion of…

POODLEs are for Legacy

If you haven’t heard, Bodo Möller, Thai Duong and Krzysztof Kotowicz of Google released an interesting security issue called POODLE (Padding Oracle On Downgraded Legacy Encryption) affecting SSL 3.0, with a generalized discussion here. The issue is yet another protocol design flaw in SSL 3.0. Hopefully, this will be the final flaw that breaks the SSL legacy camel’s back, pushing…

Coverity at the SD Summit – Helsinki.

Coverity, along with local partner Jab, was again exhibiting at this year’s SD Summit in Helsinki. The event welcomed a vast mix of professionals, but mainly test managers and others involved in the QA process with an interest in adopting continuous integration methods. This is where our platform was able to demonstrate…

Coverity Scan, Application Security and Open Source

We have just upgraded the Coverity Scan service to Coverity 7.5. With this upgrade, we’re now enabling Coverity Scan members to use Coverity Security Advisor to help them eliminate security defects in Java web applications. Since Heartbleed, the GoToFail bug and, most recently, Shellshock, we have aimed to provide the latest technology that will enable open…

Better than nothing

Here’s a question I get occasionally: This gives an error stating that U must be a reference type to use it in C<U>. But the outer constraint says that T is a reference type, and the inner constraint says that U is a T, so why doesn’t the compiler know that U is a reference…

NASDAQ OMX and a Year of Resiliency

Best Practices in Software Testing for Financial Services

On September 25th we hosted a networking event at the Breslin’s Liberty Hall at the Ace Hotel in New York, where we featured one of our customers, Ann Neidenbach, SVP, Global Technology Services, NASDAQ OMX (NASDAQ: NDAQ), a leading provider of trading, exchange technology, information and public…

ShellShock: Bug or Flaw?

As the repercussions from the ShellShock disclosure ripple through the security and business worlds, I wanted to contribute some thoughts on the issue from Coverity’s point of view. However, before drawing any conclusions, it’s instructive to first consider what type of vulnerability ShellShock actually is: a coding bug? A design flaw? Analysis on this is…

Code Spotter Beta: Now Available For Everyone!

Starting today, we are opening up our beta for Code Spotter to anyone interested in trying out this one-of-a-kind cloud-based platform for finding defects in Java code. Use of the Code Spotter service remains entirely free for the duration of this ongoing beta, with absolutely no strings attached or restrictions imposed. So…

Spot the defect: randomness

Today on Ask The Bug Guys I’m going to turn things around a bit and ask you to find and explain the bug. Suppose we want to generate a series of pseudo-random integers between 1 and 6 (inclusive) to simulate rolling a fair die. In the class library there is the useful random.Next(min, max) method…

LibreOffice: Improving Quality Through the Coverity Scan service

LibreOffice is a leading open source office suite developed by The Document Foundation. The project has been a member of the Coverity Scan service, which allows open source projects to use our award-winning static analysis solution for free, since 2012. The LibreOffice team has been very busy in the last several months improving their…
