Software Security

It has been said, that when most IT professionals talk about cybersecurity, they are really talking only about network security, and even then they are only talking about network encryption. The human element of cybersecurity aside, the weakest link in the cybersecurity chain is not network encryption, but rather is software security. Roughly speaking, software security means finding and remediating bugs and flaws in the software applications that run on the machines that make up Internet and other systems. Web servers, spreadsheets, browsers, messaging apps, and so forth, are typically what malicious hackers use to break into your computer and steal (or take hostage) your information. Bugs relate to software implementation, and flaws relate to software design. We must pay careful attention to both (alongside human and organizational factors, as well as hardware and cryptographic security), because the frequency and damage caused by cyberattacks continues to escalate.

'Hardware is fast, but hard to change. It is very efficient, but it is also very rigidly defined. This is a disadvantage to evolution, but is an advantage to security. Hardware cannot be easily exploited or changed by an attack. In contrast, software is malleable and easily changed. This quality is advantageous to core functionality, but is harmful to security as well as performance...' "Last minute changes to design -- and future improvements -- are easily accommodated. But this malleability creates a broader surface for attack."

- Michael Hicks, University of Maryland, College Park

Legacy Programming Languages

Vulnerable C Functions


The New Generation of Programming Languages




Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. Featuring: zero-cost abstractions, move semantics, guaranteed memory safety, threads without data races, trait-based generics, pattern matching, type inference, minimal runtime, and efficient C bindings.



It is faster to say World Wide Web than it is to say WWW

Transport Layer Security (TLS) Protocol Version 1.2

"This document specifies Version 1.2 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications security over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery."

Penetration Testing


Using NMAP - Part 1 of 2 - Ping Sweeps, Port Scans, IP Spoofing and Gathering Information






Metasploit Community Getting Started Guide

"This guide provides information and instructions to get you started with Metasploit Community. The following sections describe the audience, organization, and conventions used within this guide.... This guide is for IT and security professionals who use Metasploit Community as a penetration testing solution."


Malwarebytes | Free Cyber Security & Anti-Malware Software

"Malwarebytes protects you against malware, ransomware, and other advanced online threats that have made antivirus obsolete and ineffective."


"Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom. However this is not guaranteed and you should never pay!.. Nevertheless, it is sometimes possible to help infected users to regain access to their encrypted files or locked systems, without having to pay. We have created a repository of keys and applications that can decrypt data locked by different types of ransomware."


Proactive detection of security incidents II - Honeypots

"An increasing number of complex attacks demand improved early warning detection capabilities for CERTs. By having threat intelligence collected without any impact on production infrastructure, CERTs can better defend their constituencies assets. Honeypots are powerful tools that can be used to achieve this goal. This document is the final report of the ‘Proactive Detection of Security Incidents: Honeypots’ study."

Cybersecurity Topics
The policies of governments, standards bodies, industry organizations and even large companies have an impact on the cybersecurity landscape. The intention of policy and law is to prevent or remediate criminality, abuse and even espionage.
The news produced by and for the cybersecurity community is markedly different than the news that is produced for general public consumption. Many cybersecurity have an engineering or computer science background, and as such, there is an appreciably lower tolerance for bias, spin, and fake news. Still, take anything you read online with a grain of salt, and keep reading, because we are unlikely to ever hear the final word, on anything of interest.
"...Software is malleable and easily changed. This quality is advantageous to core functionality, but is harmful to security as well as performance...' "Last minute changes to design -- and future improvements -- are easily accommodated. But this malleability creates a broader surface for attack."
Someday I will have something intelligent to say about hardware security. Hopefully, someday soon.
Cryptography is the art of making an intentional message unreadable to anyone who does not know/have the key. The art of cryptography is informed by mathematics and computer science. Cryptography is an all or nothing game: once your cipher is broken, all your efforts are lost. But until then, you are undefeatable.
So much to learn, so little time. Of course, cybersecurity is an interdisciplinary filed, and a subfield, of several other important fields of knowledge. Namely: information theory, computer science, and mathematics. There are of course other important areas, but I think for right now my interest lies mainly in these three areas, and these are the sorts of notes I would like to keep here.