Return to SwATips

Software Assurance Tips Archive

• 20210405 - COTS, GOTS, and NOTS software in RMF for the Army
• 20210412 - Sticking with a RAII Standard
• 20210419 - Heap Inspection
• 20210426 - Polymorphic Catch Performance in C#
• 20210503 - Downloading Package Dependencies for Offline Installs in Debian-based Distributions
• 20210510 - Homoglyphs аnd Homogrаphic Аttаcks
• 20210517 - Secure Pseudo-Random Number Generation
• 20210524 - Side-Channel Attacks
• 20210614 - Secure Compilation
• 20210621 - Living off the Land
• 20210628 - Coverity and Integer Overflows
• 20210705 - A Pedigree of S-BOMs
• 20210719 - File-by-File Scanning for Ada
• 20210726 - Compounding a Classic TOCTOU Mistake
• 20210802 - Stripping: An Inefficient Obfuscation Technique
• 20210809 - Ada LowHigh Integrity Profiles
• 20210816 - The Password that Cannot Be Spoken
• 20210830 - A CWE-499 Breakdown: Serializing Sensitive Data
• 20210906 - When Code Analysis Fails
• 20210913 - Static Header Paths
• 20211004 - Perls of Wisdom: Use of Two-Argument Form of open()
• 20211101 - Additional Risks to DevSecOps Pipelines
• 20211129 - Malicious Injection of Source Code
• 20211220 - GCC as a Static Analysis Tool
• 20220131 - So you put an Unclassified CD in a Classified Machine
• 20220321 - The Death of CentOS on DoD Networks
• 20220328 - Ever-Changing Encryption Standards
• 20220418 - Improper Resource Access Authorization
• 20220613 - Don't Limit your CWEs
• 20220919 - Commercial National Security Algorithm (CNSA) Suite 2.0
• 20221017 - Java, Inner Classes, and Checkmarx Unused Variable Findings
• 20230403 - Coverity BAD_CAST
• 20230410 - Ada Unchecked Conversions
• 20230515 - Checkmarx: Use of Obsolete Function
• 20230918 - A History of Verification, Validation, and Code Scanning
• 20240212 - Assess Only v. Assess and Authorize
• 20240527 - Sorry Root, You're Not the Boss of Me!
• 20240610 - The Zero Trust Paradox: Second Guessing the Good Guys
• 20240902 - Back to the Building Blocks: Codifying Complacency
• 20241118 - Fuzzy Coverage