Well, where should I start? Looking back at my blog archives I've realized that 2014 was the "year of the mobile apps", at least for me. I was heavily involved in analyzing mobile applications, both Android and iOS. For the first time in my whole infosec career I was disassembling iOS applications and doing the kind of binary analysis I used to do some years ago. Besides doing a lot of mobile app analysis, I was pretty much involved in structuring and hacking data. Even though I think I'll go nuts once I read or hear "BIG data" one more time, data analysis is a field I'd like to get deeper into. Visualizing it and making it understandable for the everyday Joe would make the whole topic more fancy. But let's stick to 2014 and break down the topics I've dealt with in the last 12 months...
Regarding the Android stuff I must say one can automate a lot of things nowadays. If you go the straightforward way you'll be following the same procedure and applying the same steps in most cases. For that reason I've released ADUS, the Android debug utility suite. It helped me a lot to automate things and concentrate on the code and the application's behaviour. Besides that I've found some cool Python frameworks out there that helped me with the analysis:
Oh... and speaking of Python: I have to mention IPython, especially the IPython Notebook. I have discovered a new way of interacting with data, analyzing and finally visualizing it. Pandas has tons of useful functions to structure, manipulate or plot your data. Besides that I've "re-discovered" SQLite as an everyday DB for storing all kinds of information. Using Python along with SQLAlchemy will make you the "God of Big Data" :) But for now you can call me "Mr. SQL" :p My SQL and IPython skills can be admired in my 24h Android sniffing post, among others.
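As an added illustration of the "store it in SQLite, then ask SQL questions" workflow mentioned above (this is example code written for this post's topic, not the author's own scripts from the Android sniffing post): the records below are constructed, the app and host names are hypothetical, and the standard library's sqlite3 module is used instead of SQLAlchemy or pandas so it runs anywhere Python does. The queries answer the questions an analyst usually asks first of captured app traffic: which app talks the most, which hosts are contacted most often, and which connections are worth a closer look because they are not on the HTTPS port.

```python
import sqlite3
from collections import namedtuple

# Constructed sample records, modelled on what parsing a capture from an
# Android device might yield. All apps, hosts and byte counts are made up.
Flow = namedtuple("Flow", "ts app dst_host dst_port proto bytes_out")
SAMPLE_FLOWS = [
    Flow("2014-03-01T08:00:01", "com.example.weather", "api.weather.example", 443, "tcp", 1240),
    Flow("2014-03-01T08:00:05", "com.example.weather", "api.weather.example", 443, "tcp", 980),
    Flow("2014-03-01T08:00:09", "com.example.game", "ads.tracker.example", 80, "tcp", 4120),
    Flow("2014-03-01T08:01:12", "com.example.game", "ads.tracker.example", 80, "tcp", 3900),
    Flow("2014-03-01T08:02:30", "com.example.game", "cdn.game.example", 443, "tcp", 15000),
    Flow("2014-03-01T08:03:00", "com.example.notes", "sync.notes.example", 8080, "tcp", 512),
]

# One row per observed flow; an index on app keeps per-app queries fast
# once the table holds a day's worth of traffic.
SCHEMA = """
CREATE TABLE IF NOT EXISTS flows (
    id        INTEGER PRIMARY KEY,
    ts        TEXT    NOT NULL,
    app       TEXT    NOT NULL,
    dst_host  TEXT    NOT NULL,
    dst_port  INTEGER NOT NULL,
    proto     TEXT    NOT NULL,
    bytes_out INTEGER NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_flows_app ON flows(app);
"""


def open_db(path=":memory:"):
    """Open (or create) the SQLite database and make sure the schema exists."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def store_flows(conn, flows):
    """Insert parsed flow records; returns the total row count afterwards."""
    conn.executemany(
        "INSERT INTO flows (ts, app, dst_host, dst_port, proto, bytes_out) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        flows,
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM flows").fetchone()[0]


def bytes_per_app(conn):
    """Outbound bytes summed per app, chattiest app first."""
    return conn.execute(
        "SELECT app, SUM(bytes_out) AS total FROM flows "
        "GROUP BY app ORDER BY total DESC"
    ).fetchall()


def top_hosts(conn, limit=3):
    """Most frequently contacted destination hosts (ties broken by name)."""
    return conn.execute(
        "SELECT dst_host, COUNT(*) AS n FROM flows "
        "GROUP BY dst_host ORDER BY n DESC, dst_host LIMIT ?",
        (limit,),
    ).fetchall()


def non_https_destinations(conn):
    """Connections not on 443: candidates for checking what is sent in the clear."""
    return conn.execute(
        "SELECT DISTINCT app, dst_host, dst_port FROM flows "
        "WHERE dst_port != 443 ORDER BY app, dst_host"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("stored rows:", store_flows(db, SAMPLE_FLOWS))
    print("bytes per app:", bytes_per_app(db))
    print("top hosts:", top_hosts(db))
    print("non-HTTPS destinations:", non_https_destinations(db))
```

Pointing `open_db()` at a file path instead of `:memory:` gives you a database you can reopen from an IPython Notebook later and hand straight to pandas via `read_sql_query`; the queries stay the same.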
Let's now talk about the #infosec community. In 2014 there have been some topics worth mentioning (just the main ones): Heartbleed, Shellshock, SSL/TLS POODLE. Do you know what they have in common? Fancy names, a good PR machine and fancy logos. In the case of the Heartbleed vulnerability, they had:
Bug hunters seem to know how to promote their findings and catch everybody's attention. Don't get me wrong, but I don't think CVE-2014-0160 would have been so interesting without all the PR engine behind it. And what about the lessons learned? I know crypto is hard, but the coding might be even harder. We have learned that we should not trust any piece of software. Every single piece of code might be buggy or even contain critical vulnerabilities we aren't yet aware of. Individual audits and full disclosure might be a step towards better application security.
Also have a look at these security reports: