
List of UK healthcare companies that are not secure by default

By , December 15, 2017 3:53 pm

This is one of several posts on the topic of security of websites, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one institution is not mixed with data on another type of institution.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Dual The site can be loaded via http, or via https.
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 24 healthcare companies. We found 2 healthcare companies that did not have a secure home page (not https, or https with an invalid security certificate). That means 8% of UK healthcare companies have security vulnerabilities.

Healthcare company Secure Home Page
Aviva Healthcare Yes https://www.aviva.co.uk/
AXA PPP Yes https://www.axappphealthcare.co.uk/
Benenden Healthcare Society Yes https://www.benenden.co.uk/
Birmingham Hospital Saturday Fund Yes https://www.bhsf.co.uk/
Bupa Yes https://www.bupa.co.uk/
CS Healthcare Yes https://www.cshealthcare.co.uk/
Engage Mutual Assurance Yes https://www.onefamily.com/
Exeter Family Friendly Yes https://www.the-exeter.com/
General & Medical Healthcare Yes https://www.generalandmedical.com/
Health-on-Line Yes https://www.health-on-line.co.uk/
Healthshield Yes https://www.healthshield.co.uk/
HSF Yes https://www.hsf.co.uk
Insurety No http://www.april-uk.com
Medicash Yes https://www.medicash.org
National Friendly Yes https://nationalfriendly.co.uk/
Saga Dual http://www.saga.co.uk
Secure Health Yes https://www.securehealth.co.uk/
Sovereign Health Yes https://www.sovereignhealthcare.co.uk/
Simply Health Yes https://www.simplyhealth.co.uk/
Vitality Yes https://www.vitality.co.uk/
Westfield Yes https://www.westfieldhealth.com/
WHA Yes https://www.whahealthcare.co.uk/
WHCA Yes https://www.orchardhealthcare.co.uk/
WPA Yes https://www.wpa.org.uk/

Commentary

Saga’s website is available via http and via https. This should be https only.

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.


List of ecommerce platforms that are not secure by default

By , December 15, 2017 3:33 pm

This is one of several posts on the topic of security of websites, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one institution is not mixed with data on another type of institution.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Dual The site can be loaded via http, or via https.
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 63 ecommerce companies. We found 9 ecommerce companies that did not have a secure home page (not https, or https with an invalid security certificate). That means 14% of ecommerce companies have security vulnerabilities.

Ecommerce company Secure Home Page
2C2P Yes https://www.2c2p.com/
Adyen Yes https://www.adyen.com/
Alipay Yes https://intl.alipay.com/
Amazon Pay Yes https://pay.amazon.com/uk
Apple Pay Yes https://www.apple.com/uk/apple-pay/
Atos Yes https://atos.net/en-gb/united-kingdom
Authorize.Net Yes https://www.authorize.net/
Bambora Yes https://www.bambora.com/sv/overview/#market-select
BitPay Yes https://bitpay.com/
BPAY Yes https://www.bpay.co.uk/
Braintree Yes https://www.braintreepayments.com/en-gb
CM Telecom Yes https://www.cm.com/
Creditcall Yes https://www.creditcall.com/
CyberSource Yes https://www.cybersource.com/en-EMEA/
DigiCash Yes https://www.digi.cash/
Digital River Yes https://www.digitalriver.com/
Dwolla Yes https://www.dwolla.com/
Elavon Yes https://www.elavon.co.uk/index.html
Euronet Worldwide No http://www.euronetworldwide.com/
eWAY Yes https://eway.io/uk
First Data Yes https://www.firstdata.com/en_gb/home.html
Flooz Yes https://www.flooz.me/
Fortumo Online Yes https://fortumo.com/
GoCardless Yes https://gocardless.com/
Heartland Payment Systems Yes https://www.heartlandpaymentsystems.com/about-us
Ingenico Yes https://www.ingenico.com/
Klarna Yes https://www.klarna.com/uk/
ModusLink Yes https://www.moduslink.com/
MPay No http://www.mpay.al/en
Neteller Yes https://www.neteller.com/en/
Nochex Yes https://www.nochex.com/gb/
OFX Yes https://www.ofx.com/en-gb/
PagSeguro Yes https://pagseguro.uol.com.br/
PayPal Yes https://www.paypal.com/uk/home
Payoneer Yes https://www.payoneer.com/main/
Paymentwall Yes https://www.paymentwall.com/en/
PayPoint Yes https://www.paypoint.com/en-gb/consumers/store-locator
Paysbuy Yes https://www.paysbuy.com/
Paysafe Group Yes https://www.paysafe.com/
PayStand No http://www.paystand.com/
Payzone Yes https://www.payzone.co.uk/
Qiwi Yes https://qiwi.com/
Realex Payments Yes https://www.realexpayments.com/uk/
Red Dot Payment No http://reddotpayment.com/
Sage Group Yes https://www.sage.com/en-gb/
Skrill Yes https://www.skrill.com/en/
Stripe Yes https://stripe.com/gb
Square Yes https://squareup.com/gb
SWREG Dual http://faq.swreg.org/
Tencent Yes https://www.tencent.com/en-us/
TIMWE No http://www.timwe.com/
TransferWise Yes https://transferwise.com/
True Money No http://www.truemoney.com/
Trustly Online Yes https://trustly.com/en/
Verifone No http://www.verifone.co.uk/
WebMoney Yes https://www.wmtransfer.com/
WeChat Pay Yes https://pay.weixin.qq.com/index.php/public/wechatpay
WePay Yes https://go.wepay.com/
Wirecard Yes https://www.wirecard.com/
Worldpay No http://www.worldpay.com
Xendpay Yes https://www.xendpay.com/
Xsolla Yes https://www.xsolla.com/
Yandex.Money Yes https://money.yandex.ru/

Commentary

I was surprised to see that Worldpay is not secure by default.

I was also surprised to see that SWREG, the oldest of all the ecommerce companies in the world, is also not secure by default. Longevity has no bearing on the operating standards of a business. Interestingly, the company that now owns SWREG, Digital River, is secure by default.

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.


List of UK online casinos that are not secure by default

By , December 15, 2017 1:30 pm

This is one of several posts on the topic of security of websites, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one institution is not mixed with data on another type of institution.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 75 online casinos. We found 12 online casinos that did not have a secure home page (not https, or https with an invalid security certificate). That means 16% of UK online casinos have security vulnerabilities.

Casino Secure Home Page
21Jackpots No http://21jackpots.com/
32Red Casino Yes https://www.32red.com/
50 Stars Casino No http://www.50starscasino.com/english/eur/download.html
888Casino Yes https://www.888casino.com/
All British Casino Yes https://www.allbritishcasino.com/
All Irish Casino Yes https://www.allirishcasino.com/
BETAT Casino Yes https://betat.co.uk/home/
Betfred Casino No http://www.betfred.com/casino
Betsafe Casino Yes https://www.betsafe.com/en/casino
Betspin Casino Yes https://www.betspin.com/gb
Betway Casino Yes https://casino.betway.com/lobby/en/#/home
Bet-At-Home Casino Yes https://uk.bet-at-home.com/
bgo Vegas Yes https://www.bgo.com/
Cashmio Casino Yes https://www.cashmio.com/en
CasinoLuck Yes https://www.casinoluck.com/
Casino Kings Yes https://www.casinokings.com/
Casino Magix Yes https://www.casinomagix.com/
Casumo Casino Yes https://www.casumo.com/en-gb/
ComeOn Casino Yes https://www.comeon.com/
Carnival Casino No http://www.carnivalcasino.com/
Casino Cruise Yes https://www.casinocruise.com/en-gb
Casino King Yes https://www.casinokings.com/
Casino Plex No http://casinoplex.co.uk/
Casino Share No http://www.luxurycasino.co.uk/en-gb/
Casino Splendido Yes https://www.casinosplendido.com/
Casino.com Yes https://www.casino.com/uk/
Challenge Casino No http://www.luxurycasino.co.uk/en-gb/
Conquer Casino Yes https://www.conquercasino.com/
Cyber Club Casino Yes https://www.cyberclubcasino.com/
Dash Casino Yes https://www.dashcasino.com/
Dr Vegas Casino Yes https://www.drvegas.com/
Dream Palace Casino Yes https://www.dreampalacecasino.com/
EnergyCasino Yes https://energycasino.com/en/
FruityCasa Casino Yes https://www.fruitycasa.com/
Gala Casino Yes https://www.galacasino.com/
GameVillage Yes https://www.gamevillage.com/
Golden Lounge Casino No http://www.goldenlounge.com/
Grosvenor Casino Yes https://www.grosvenorcasinos.com/
Guts Casino Yes https://www.guts.com/gb/page/welcome
Intercasino Yes https://www.intercasino.co.uk/
Jackpot Luck Casino Yes https://www.jackpotluck.com/
Jetbull Casino Yes https://www.jetbull.com/
Karamba Casino Yes https://www.karamba.com/
Ladbrokes Casino No http://casino.ladbrokes.com/en
Magic Box Casino No http://www.magicboxcasino.com/
Mansion Casino Yes https://play.mansioncasino.com/
Maria Casino Yes https://www.mariacasino.co.uk/
mFortune Casino Yes https://www.mfortune.co.uk/
MobileWins Casino Yes https://www.mobilewins.co.uk/
Monte Carlo Casino No http://www.casinomontecarlo.com/
Moon Games Casino Yes https://www.moongames.com/
Mr Green Casino Yes https://www.mrgreen.com/en
Nedplay Casino Yes https://www.nedplay.com/
Noxwin Casino Yes https://www.noxwin.com/#/
Oddsring Casino Yes https://www.oddsring.com/home
Paddy Power Casino No http://casino.paddypower.com/
PokerStars Casino Yes https://www.pokerstarscasino.uk/
Power Slots Yes https://www.powerslots.eu/
Prospect Hall Casino Yes https://prospecthallcasino.com/games/index/
Spinit Casino Yes https://www.spinit.com/en
Redbet Casino Yes https://www.redbet.com/en/casino
Red Queen Casino Yes https://www.redqueencasino.com/
Rizk Casino Yes https://rizk.com/gb
Roxy Palace Casino Yes https://www.roxypalace.com/
Royal Swipe Casino Yes https://www.royalswipe.com/
SCasino Yes https://www.scasino.com/uk/
Sportingbet Casino Yes https://casino.sportingbet.com/en/casino
ShadowBet Casino Yes https://www.shadowbet.com/uk
Slotty Vegas Casino Yes https://slottyvegas.com/en/welcome/
Sporting Index Casino Yes https://casino.sportingindex.com/
Trada Casino Yes https://www.tradacasino.com/
Unibet Casino Yes https://www.unibet.co.uk/casino#filter:uk-unibet-picks-casino-slots-7-420439
Vegas Paradise Casino Yes https://www.vegasparadise.com/
VideoSlots Casino Yes https://www.videoslots.com/
William Hill Casino Yes https://casino.williamhill.com/#!/

Commentary

Reputation

Just as with wealth management, there are some big names in this list that spend lots of money on advertising, and yet they are not secure. You cannot rely on a trusted brand name to mean that you get a secure website.

Downloading from a non-secure site

One site in particular deserves a special mention: 50 Stars Casino. This is not secure, but for you to gamble with them you need to download a software package from their non-secure website and then install the software. I did download it. The download is digitally signed, but given that it’s downloading off a non-secure page, the download could, technically, be anything, not necessarily the software the casino wants you to download. This is not good. Not only is the website not secure, but it could potentially attack your computer if the download is compromised.

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.


List of UK currency exchanges that are not secure by default

By , December 15, 2017 12:42 pm

This is one of several posts on the topic of security of websites, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one institution is not mixed with data on another type of institution.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 67 currency exchanges. We found 11 currency exchanges that did not have a secure home page (not https, or https with an invalid security certificate). That means 16% of UK currency exchanges have security vulnerabilities.

Currency Exchange Secure Home Page
#1 Currency Yes https://www.no1currency.com/
Ace-FX Yes https://www.ace-fx.com/
American Express Yes https://www.americanexpress.com/uk/content/foreign-exchange/foreign-exchange-services.html
Asda Travel Money Yes https://money.asda.com/travel-money/
Barclays Bureau de change Yes https://www.barclays.co.uk/travel/foreign-currency-exchange/
Barrhead Travel Yes https://www.barrheadtravel.co.uk/foreign-exchange
Best Exchange No http://www.bestexchange.co.uk/
Best Foreign Exchange Yes https://www.bestforeignexchange.com/
BFC Exchange Yes https://www.bfcexchange.co.uk/
Central FX No http://www.centralfx.co.uk/
City Forex Yes https://www.cityforex.co.uk/
Change Group Yes https://www.changegroup.co.uk/
Compare Holiday Money Yes https://www.compareholidaymoney.com/
Covent Garden FX Yes https://www.coventgardenfx.com/
Currencies for you Yes https://www.currencies4you.com/
Currency converter Yes https://www.currencyconverter.co.uk/
Currency matters Yes http://www.currencymatters.co.uk/
Currency solutions Yes https://www.currencysolutions.co.uk/
Currency UK Yes https://www.currencyuk.co.uk/
Euro Change Yes https://www.eurochange.co.uk/
Danske Bank Yes https://danskebank.co.uk/personal/help/currency-converter/currency-converter
Debenhams No http://finance.debenhams.com/travel-money/
Elavon Yes https://www.elavon.co.uk/dcc.html
Exchange Rates Yes https://www.exchangerates.org.uk/
First Choice Yes https://www.firstchoice.co.uk/holiday/info/foreign-exchange
First Rate Yes https://www.firstrate.co.uk/
Fourex No http://www.fourex.co.uk/
Global Exchange Yes https://www.globalexchange.co.uk/
GCEN Yes https://gcen.co.uk/
Money Yes https://www.money.co.uk/travel-money.htm
H & T Group Yes https://www.handt.co.uk/travel-money
Halifax Travel Money Yes https://www.halifax.co.uk/travel/travel-money/
Hargreaves Lansdown No http://www.hl.co.uk/investment-services/currency-service/latest-currency-report/currency-converter-exchange-rates
HiFX Yes https://www.hifx.co.uk
HSBC Expat Yes https://www.expat.hsbc.com/1/2/hsbc-expat/foreign-exchange-currency
HSBC Travel Money Yes https://www.hsbc.co.uk/1/2/travel-money
ICICI Bank No http://www.icicibank.co.uk/personal/travel-money.page
International Currency Exchange Yes https://www.iceplc.com/
Kanoo Foreign Exchange Yes http://www.kanoocurrency.co.uk/
KBR Foreign Exchange Yes https://www.kbrfx.com/
M & S Currency Exchange Yes https://bank.marksandspencer.com/travel/travel-money/currency-exchange-rates/
Money Corp Yes https://www.moneycorp.com/uk/
Money Saving Expert Yes https://travelmoney.moneysavingexpert.com/
Natwest International No http://www.natwestinternational.com/nw/personal-banking/travel-and-international/g48/travel-money/currency-converter.ashx
Northwest Money Exchange No http://www.northwestmoneyexchange.com/
Post Office Money Yes https://www.postoffice.co.uk/foreign-currency
RBS Yes https://www.rbs.co.uk/personal/travel/g1/money/exchange-rates.ashx
Reuters Yes https://uk.reuters.com/business/currencies
Ruislip Currency No http://www.ruislipcurrency.co.uk/
Saga Travel Money Yes https://www.saga.co.uk/insurance/travel-money.aspx
Sainsbury’s Bank Travel Money Yes https://www.sainsburysbank.co.uk/travel/ins_travelmoney_tmo_skip
Santander Travel Money Yes https://www.santander.co.uk/uk/current-accounts/ordering-travel-money
Senil Cash & Go Yes https://www.senli.co.uk/
Smart Currency Business Yes https://www.smartcurrencybusiness.com/
Smart Currency Exchange Yes https://www.smartcurrencyexchange.com/
Sterling Yes https://www.sterlingfx.co.uk/
Tesco Travel Money No http://www.tescobank.com/travel-money/
The Currency Club Yes https://www.thecurrencyclub.co.uk/
The Money Shop Yes https://www.themoneyshop.com/travel-money/
Thomas Cook Yes https://www.thomascook.com/travel-money/foreign-currency/
Thomas Money Exchange Yes https://www.thomasexchangeglobal.co.uk/
TorFX Yes https://www.torfx.com/
Travelex Yes https://www.travelex.co.uk/
WeSwap Yes https://www.weswap.com/en/
World First Yes https://www.worldfirst.com/uk/foreign-exchange/
UAE Exchange Yes https://www.uaeexchange.com/gbr/
XE No http://www.xe.com/

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.


List of UK Wealth Management companies that are not secure by default

By , December 15, 2017 12:16 pm

This is one of several posts on the topic of security of websites, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one institution is not mixed with data on another type of institution.

This is an updated version of an earlier post. We have added 15 companies since the first version.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 68 wealth management companies. We found 18 wealth management companies that did not have a secure home page (not https, or https with an invalid security certificate). That means 27% of UK wealth management companies have security vulnerabilities.

Wealth Management Company Secure Home Page
Aberdeen Asset Management No http://www.aberdeen-asset.co.uk/
Aberdeen Asset Management Trust Centre No http://www.invtrusts.co.uk/investmenttrusts/
Allianz Global Investors Yes https://uk.allianzgi.com/role-gate-page
Artemis Investment Management LLP Yes https://www.artemisfunds.com/
Baillie Gifford Yes https://www.bailliegifford.com/
Barclays Wealth Yes https://www.barclays.co.uk/wealth-management/
Blackrock Yes https://www.blackrock.com
Brewin Dolphin Yes https://www.brewin.co.uk/
Cantab Asset Management Yes https://www.cantabam.com/
Capital Yes https://www.capital.co.uk/
Capital International Yes https://www.capital-iom.com/
CBRE Global Investors No http://www.cbreglobalinvestors.com/Pages/default.aspx
CCLA Yes https://www.ccla.co.uk/
Charles Stanley Yes https://www.charles-stanley.co.uk/
Citi Yes https://www.citibank.co.uk/personal/wealth-management-products.do
City Asset Management Plc No http://www.city-asset.co.uk/
Clifton asset management Yes https://www.clifton-asset.co.uk/
Close Brothers Asset Management Yes https://www.closebrothersam.com/
EFG Yes https://www.efgam.com/home/Landing-Asset-Management.html
Equester Capital Management Yes https://www.neptunefunds.com
Fidelity Worldwide Investment Yes https://www.fidelity.co.uk/home
Franklin Templeton No http://www.franklintempleton.co.uk/
GAM Yes https://www.gam.com/
Hargreaves Lansdown No http://www.hl.co.uk/
Hawksmoor investment management No http://www.hawksmoorim.co.uk/
Heartwood investment management No http://www.heartwoodgroup.co.uk/
Henderson Global Investors Yes https://www.janushenderson.com/ukpi
Hermes Investment Management Yes https://www.hermes-investment.com/ukw/
Interactive Investor No http://www.iii.co.uk/funds
Investec Bank Yes https://www.investec.com/en_gb.html
Invesco Perpetual Yes https://www.invescoperpetual.co.uk/uk
Kleinwort Hambros Yes https://www.kleinworthambros.com/en/
Lion Trust No http://www.liontrust.co.uk/
London and Capital Yes https://www.londonandcapital.com/
M&G Securities Ltd No http://www.mandg.co.uk/
Majedie No http://www.majedie.com/
Mattioli Woods Yes https://www.mattioliwoods.com/
Mayfair Capital Yes https://www.mayfaircapital.co.uk/
Money Farm Yes https://www.moneyfarm.com/uk/
Montanaro Yes http://www.montanaro.co.uk/
Morning Star No http://www.morningstar.co.uk/uk/
MunnyPot Yes https://www.munnypot.com/
Newton Investment Management Yes https://www.newtonim.com/
Nova Financial Yes https://www.novia-financial.co.uk/
Nutmeg Yes https://www.nutmeg.com/
Old Mutual Wealth Yes https://www.oldmutualwealth.co.uk/
Prospect Wealth Management Yes https://prospectwealth.co.uk/
Psigma investment management No http://www.psigma.com/pages/psigma-investment-management-landing.aspx
Quilter Cheviot Yes https://www.quiltercheviot.com/uk/private-client/
Rathbones Yes https://www.rathbones.com/
Sanlam Life and Pensions UK Limited Yes https://www.sanlam.co.uk/home.aspx
Saranac Partners Yes https://www.saranacpartners.com/
Scalable Capital Yes https://uk.scalable.capital/
St. James’s Place Yes https://www.sjp.co.uk/
Standard Life Investments Yes https://www.standardlifeinvestments.com/
State Street Global Advisors Yes https://www.ssga.com/home.html
Schroders No http://www.schroders.com
SVM Asset Management No http://www.svmonline.co.uk/
Swanest Yes https://swanest.com/
T Rowe Price Yes https://www3.troweprice.com/usis/corporate/en/home.html
TAM Yes https://www.tamassetmanagement.com/
Threadneedle Asset Management Yes https://www.mythreadneedle.com/
Tilney Group Yes https://www.tilney.co.uk/
Troy Asset Management No http://www.taml.co.uk/
UBS Global Asset Management Yes https://www.ubs.com/global/en/asset-management.html
Unicorn Asset Management Yes https://www.unicornam.com/
Vanguard Asset Management Yes https://www.vanguardinvestor.co.uk/
Wealth Horizon No http://www.wealthhorizon.com/

Commentary

It is interesting that you cannot trust a name or a brand to be secure. For example, Aberdeen Asset Management is probably the one name that is most known in the UK. They are regularly featured on the early morning BBC Radio 4 Today Programme to provide their expert opinion. Unfortunately, their website is not secure.

A number of these companies have names that sound old and established, or strong and reliable. They are names, just that. The reliability is in their behaviour. A key part in that is “are they secure”?

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.


List of UK Building Societies that are secure by default

By , December 15, 2017 11:42 am

This is one of several posts on the topic of security of websites, inspired by my initial post on the security of UK banks.

The reason for splitting this data into multiple posts is to make it more manageable, so that data on one institution is not mixed with data on another type of institution.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

We tested 45 building societies. We found 16 building societies that did not have a secure home page (not https, or https with an invalid security certificate). That means 36% of UK building societies have security vulnerabilities.

Building Society Secure Home Page
Bath Investment & Building Society Yes https://www.bathbuildingsociety.co.uk/
Beverley Building Society No http://beverleybs.co.uk/
Britannia Savings No http://britannia.co.uk/
Buckinghamshire Building Society No http://www.bucksbs.co.uk/
Cambridge Building Society Yes https://www.cambridgebs.co.uk/
Chorley & District Building Society No http://www.chorleybs.co.uk/
Coventry Building Society Yes https://www.coventrybuildingsociety.co.uk/
Cumberland Building Society Yes https://www.cumberland.co.uk/
Darlington Building Society Yes https://www.darlington.co.uk/
Dudley Building Society Yes https://www.dudleybuildingsociety.co.uk/
Earl Shilton Building Society No http://www.esbs.co.uk/
Ecology Building Society Yes https://www.ecology.co.uk/
Furness Building Society Yes https://www.furnessbs.co.uk/
Hanley Economic Building Society Yes http://www.thehanley.co.uk/
Harpenden Building Society Yes https://www.harpendenbs.co.uk/
Hinckley & Rugby Building Society Yes https://www.hrbs.co.uk/
Holmesdale Building Society Yes https://www.theholmesdale.co.uk/
Ipswich Building Society Yes https://www.ibs.co.uk/
Leeds Building Society No http://www.leedsbuildingsociety.co.uk/
Leek United Building Society Yes https://www.leekunited.co.uk/
Loughborough Building Society Yes https://www.theloughborough.co.uk/
Manchester Building Society Yes https://www.themanchester.co.uk/
Mansfield Building Society Yes https://mansfieldbs.co.uk/
Market Harborough Building Society No http://www.mhbs.co.uk/
Marsden Building Society Yes https://www.themarsden.co.uk/
Melton Mowbray Building Society Yes https://www.themelton.co.uk/
Monmouthshire Building Society Yes http://www.monbs.com/
National Counties Building Society No http://www.ncbs.co.uk/
Newbury Building Society Yes https://www.newbury.co.uk/
Newcastle Building Society Yes https://www.newcastle.co.uk/
Norwich & Peterborough Building Society Yes https://www.nandp.co.uk/
Nottingham Building Society Yes https://www.thenottingham.com/
Penrith Building Society Yes https://www.penrithbuildingsociety.co.uk/
Principality Building Society No http://www.principality.co.uk/
Progressive Building Society No http://theprogressive.com/
Scottish Building Society Yes https://www.scottishbs.co.uk/
Saffron Building Society Yes https://www.saffronbs.co.uk/
Skipton Building Society No http://www.skipton.co.uk/
Stafford Railway Building Society Yes https://srbs.co.uk/
Swansea Building Society No http://www.swansea-bs.co.uk/
Teachers Building Society Yes https://www.teachersbs.co.uk/
Tipton & Coseley Building Society Yes https://www.thetipton.co.uk/
West Bromwich Building Society No http://www.westbrom.co.uk/
Yorkshire Building Society Yes https://www.ybs.co.uk/index.html

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.


List of UK banks that are “secure by default”

By , December 13, 2017 3:02 pm

Not the usual software post today. Something about website security, because that affects everyone. In particular I’m going to talk about the security of online banks and related organisations.

This post has been updated since I first wrote it. 3 banks have been added.

Natwest Online Banking

Two days ago I became aware that National Westminster Bank Plc’s website was not secure. The bits that do the online banking are secure, but the main website, which links to the secure bit, isn’t secure. This is important because if the non-secure bits get compromised, by a man-in-the-middle attack or by scripts injected into the site by your ISP, then that can provide a means for compromising the access to the secure part of the website.

This is important because although your bank may say go to this special page to log in, that isn’t how people work. People remember the easy bit (the company name, say “Natwest” in this case), go to that website and then navigate from there to get to the login page. Because of this the whole site needs to be secure.

I raised this with Natwest via twitter, whose customer support team didn’t understand the issue. Which is understandable. I chained Troy Hunt in on the discussion, as he is a well known security researcher. A few hours later this all blew up on twitter and my notifications just became a blur as lots of people effectively told Natwest they were wrong. As I write this, it is still going strong.

One respondent even produced a video showing you a simulation of how this could be done. It’s not the same because he’s modifying his own page in the browser, but it is equivalent in many respects to how a man-in-the-middle-attack would work and is useful for non technical people to understand. His video is in this tweet. Scott Helme went a step further and created a video of the secure Natwest web page loading without any security, because the security had been removed.

Troy Hunt has written up a detailed post on the technical side of this.

Is it only Natwest?

I thought it would be interesting to look at each bank in the UK to see whether its company homepage is secure by default when you visit it. That is, is the page loaded by HTTPS? There are more tests than this that you could do, but that’s the baseline. If they can’t meet that then the other tests are meaningless.

Some banks provide the website in both http and https versions. This is bad practice. If someone visits the website as http then the customer should be served the https version of the page.

Also please note, these test results are for a desktop computer visiting the website. A mobile phone may well get a different experience. In other words desktop visitors may get a secure site, but mobile visitors might not. Or vice versa.

The results list the bank name, if the home page is secure or not and the URL of the page deemed to be the home page for the test.

The following key is used for the secure status:

Yes The site is secure, loaded via https
Dual The site can be loaded via http, or via https.
Invalid The site loads via https, but the security certificate is invalid and thus the site is insecure.
Partial The site loads via https, but loads some parts of the page without https. The site is insecure.
No The site is loaded via http, not via https.
Fixed The site is loaded via https, but at the time of first writing it was loaded via http.
?? We could not find a website to evaluate.

Where possible we’ve tried to identify the appropriate home page (or equivalent) for each bank. On a few occasions that wasn’t possible.
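The key above can be applied mechanically once a checker has recorded what each scheme returned for a home page. The following is an added example, not code from the original post: the Probe record, the function names and the bank.example hosts are assumptions, all sample data is constructed, and it assumes redirects on the https side have already been followed.

```python
"""Classify a home page using the post's key. All sample data is constructed."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Probe:
    """What a checker saw for one scheme (hypothetical record, not a real API)."""
    status: Optional[int] = None       # None: the connection failed
    location: Optional[str] = None     # Location header of a redirect
    cert_valid: Optional[bool] = None  # https only: certificate validation result
    body: str = ""                     # HTML of the page that was served


class SubresourceScan(HTMLParser):
    """Collect subresources that an https page would fetch over plain http."""
    SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}
    LINK_RELS = {"stylesheet", "icon", "preload"}

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.insecure: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.SRC_TAGS:
            ref = a.get("src")
        elif tag == "link" and self.LINK_RELS & set((a.get("rel") or "").lower().split()):
            ref = a.get("href")
        else:
            return  # <a href> and rel=canonical are links, not subresource loads
        # Resolve relative and protocol-relative references against the page URL.
        if ref and urlsplit(urljoin(self.page_url, ref)).scheme == "http":
            self.insecure.append(ref)


def mixed_content(page_url: str, html: str) -> List[str]:
    scan = SubresourceScan(page_url)
    scan.feed(html)
    return scan.insecure


def classify(host: str, http: Probe, https: Probe, previous: Optional[str] = None) -> str:
    """Return Yes / Dual / Invalid / Partial / No / Fixed / ?? for one home page."""
    http_serves = http.status is not None and 200 <= http.status < 300
    https_serves = (https.cert_valid is True and https.status is not None
                    and 200 <= https.status < 300)
    upgraded = (http.status in REDIRECTS and http.location is not None
                and urlsplit(http.location).scheme == "https")

    if http_serves:                      # visitor can stay on plain http
        return "Dual" if https_serves else "No"
    if http.status in REDIRECTS and not upgraded:
        return "No"                      # redirected, but to another http URL
    if https.cert_valid is False:
        return "Invalid"
    if https_serves:
        if mixed_content(f"https://{host}/", https.body):
            return "Partial"
        return "Fixed" if previous == "No" else "Yes"
    return "??"


# Constructed pages. The first only links to http URLs; the second loads one.
CLEAN_PAGE = (
    '<link rel="stylesheet" href="/css/site.css">'
    '<link rel="canonical" href="http://bank.example/">'
    '<script src="//cdn.bank.example/app.js"></script>'
    '<a href="http://partner.example/">Partner</a>'
)
MIXED_PAGE = (
    '<script src="https://bank.example/app.js"></script>'
    '<img src="http://static.bank.example/logo.png">'
)
UPGRADE = Probe(status=301, location="https://bank.example/")
GOOD_TLS = Probe(status=200, cert_valid=True, body=CLEAN_PAGE)

# Expected status -> (http probe, https probe, status recorded on an earlier run)
SAMPLES = {
    "Yes": (UPGRADE, GOOD_TLS, None),
    "Dual": (Probe(status=200, body=CLEAN_PAGE), GOOD_TLS, None),
    "Invalid": (UPGRADE, Probe(cert_valid=False), None),
    "Partial": (UPGRADE, Probe(status=200, cert_valid=True, body=MIXED_PAGE), None),
    "No": (Probe(status=200, body=CLEAN_PAGE), Probe(), None),
    "Fixed": (UPGRADE, GOOD_TLS, "No"),
    "??": (Probe(), Probe(), None),
}


def run_samples():
    return {want: classify("bank.example", h, s, prev)
            for want, (h, s, prev) in SAMPLES.items()}


if __name__ == "__main__":
    for want, got in run_samples().items():
        print(f"{want:8} -> {got}")
```

A site that answers http with content is reported as No or Dual even when its https side is perfect, which matches the post's point that the http visitor should be sent to https.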

We tested 163 UK banks. We found 60 banks that did not have a secure home page (not https, or https with an invalid security certificate). That is, 37% of UK banks have security vulnerabilities. Since publishing this article, 6 banks have responded by fixing their security.

Bank Secure Home Page
Abbey National Treasury Services Plc Yes https://www.santander.co.uk/uk/about-santander-uk/investor-relations/abbey-national-treasury-services-plc
ABC International Bank Plc Yes https://www.bank-abc.com/world/ABCIB/en/Pages/default.aspx
Access Bank UK Limited Yes https://www.theaccessbankukltd.co.uk/
Adam & Company Plc Yes https://www.adambank.com/
ADIB (UK) Ltd No http://www.adib.co.uk/en/Pages/default.aspx
Ahli United Bank (UK) PLC No http://www.ahliunited.com/
AIB Group (UK) Plc Yes https://group.aib.ie/
Airdrie Savings Bank Yes https://airdriesavingsbank.com/
Al Rayan Bank PLC Yes https://www.alrayanbank.co.uk/
Aldermore Bank Plc Yes https://www.aldermore.co.uk/
Alliance Trust Savings Limited No http://www.alliancetrustsavings.co.uk/
Alpha Bank London Limited No http://www.alpha-bank.uk/
ANZ Bank (Europe) Limited Yes https://www.anz.com/unitedkingdom/en/personal/
Arbuthnot Latham & Co Limited No http://www.arbuthnotlatham.co.uk/
Atom Bank PLC Yes https://www.atombank.co.uk/
Axis Bank UK Limited Yes https://www.onlineaxisbankuk.co.uk
Bank and Clients PLC No http://www.bankandclients.com/
Bank Leumi (UK) plc No http://www.bankleumi.co.uk/
Bank Mandiri (Europe) Limited No http://www.bkmandiri.co.uk/
Bank of America Merrill Lynch International Limited Yes https://www.bofaml.com/content/boaml/en_us/home.html
Bank of Baroda Yes https://www.bankofbaroda.com/
Bank of Beirut (UK) Ltd No https://www.bankofbeirut.co.uk
Bank of Ceylon (UK) Ltd No http://www.bankofceylon.co.uk/
Bank of China (UK) Ltd No http://www.bankofchina.com/uk/
Bank of Communications (UK) No http://www.uk.bankcomm.com/BankCommSite/shtml/ygzh/en/8848/list.shtml?channelId=8848
Bank of Cyprus UK Limited No http://www.bankofcyprus.co.uk/
Bank of India No http://www.bankofindia.co.in/english/home.aspx
Bank of Ireland (UK) Plc Invalid https://bankofirelanduk.com/
Bank of London and The Middle East plc Yes https://www.blme.com/
Bank of New York Mellon (International) Limited Yes https://www.bnymellon.com/uk/en/index.jsp
Bank of Scotland plc Yes https://www.bankofscotland.co.uk/
Bank of the Philippine Islands (Europe) Yes https://www.bpiexpressonline.com/p/0/165/bpi-europe
Bank Saderat Plc No http://www.saderat-plc.com/
Bank Sepah International Plc Yes https://www.banksepah.co.uk/
Barclays Bank Plc Yes https://www.barclays.co.uk/
BFC Exchange Ltd Yes https://www.bfcexchange.co.uk/
BIRA Bank Ltd Yes https://bira.co.uk/services/bank/
BMCE Bank International plc No http://www.bmce-intl.co.uk/disclaimer.html
British Arab Commercial Bank Plc Yes https://www.bacb.co.uk/
Brown Shipley & Co Limited Yes https://www.brownshipley.com/
C Hoare & Co Yes https://www.hoaresbank.co.uk/
CAF Bank Ltd Yes https://secure.cafbank.org/
Cambridge & Counties Bank Limited Yes https://ccbank.co.uk/
Cater Allen Limited Yes https://www.caterallen.co.uk/
Charity Bank Limited Yes https://charitybank.org/
Charter Court Financial Services Limited No http://www.chartercourtfs.co.uk/
China Construction Bank (London) Limited No http://www.uk.ccb.com/london/en/index.html
CIBC World Markets Plc No http://www.cibcwm.com/cibc-eportal-web/portal/wm?pageId=home&language=en_CA
ClearBank Ltd Yes https://www.clear.bank/
Close Brothers Limited Yes https://www.closebrothers.com/
Clydesdale Bank Plc CYBG plc No http://www.cybg.com/
Co-operative Bank Plc Dual http://www.co-operativebank.co.uk/
Coutts & Company Yes https://www.coutts.com/
Credit Suisse (UK) Limited Yes https://www.credit-suisse.com/uk/en.html
Credit Suisse International Credit Suisse Yes https://www.credit-suisse.com/uk/en/investment-banking/financial-regulatory/international.html
Crown Agents Bank Limited No http://www.crownagentsbank.com/
DB UK Bank Limited Yes https://www.db.com/unitedkingdom/
Diamond Bank (UK) Plc Yes https://diamondbankukplc.com/
Duncan Lawrie Limited No http://www.camellia.plc.uk/duncan-lawrie
EFG Private Bank Limited Yes https://www.efgl.com/
Europe Arab Bank plc Yes https://www.eabplc.com/
First Direct No http://www1.firstdirect.com/1/2/
FBN Bank (UK) Ltd No http://www.fbnbank.co.uk/
FCE Bank Plc No http://www.fcebank.com/
FCMB Bank (UK) Limited Yes https://www.fcmbuk.com/
Gatehouse Bank Plc No http://www.gatehousebank.com/
GE Capital Bank Limited GE Capital No http://www.gecapital.co.uk/en/
Ghana International Bank Plc No http://www.ghanabank.co.uk/
Goldman Sachs International Bank No http://www.goldmansachs.com/
Guaranty Trust Bank (UK) Limited Yes https://www.gtbankuk.com/
Gulf International Bank (UK) Limited Yes https://www.gib.com/
Habib Bank Zurich Plc No http://www.habibbank.com/uk/home/ukHome.html
Habibsons Bank Limited No http://habibbankuk.com/
Halifax Fixed http://www.halifax.co.uk/
Hampden & Co Plc Yes https://www.hampdenandco.com/
Hampshire Trust Bank Plc Yes https://www.htb.co.uk/
Harrods Bank Ltd Yes https://www.harrodsbank.co.uk/
Havin Bank Ltd No http://www.havanaintbank.co.uk/
HSBC Bank Plc Yes https://www.hsbc.co.uk/1/2/
HSBC Private Bank (UK) Limited Yes https://www.hsbcprivatebank.com/en
HSBC Trust Company (UK) Ltd ??
ICBC (London) plc No http://www.icbclondon.com/icbc/%E6%B5%B7%E5%A4%96%E5%88%86%E8%A1%8C/%E5%B7%A5%E9%93%B6%E4%BC%A6%E6%95%A6%E7%BD%91%E7%AB%99/en/
ICBC Standard Bank Plc Yes https://www.icbcstandardbank.com/CorporateSite
ICICI Bank UK Plc No http://www.icicibank.co.uk/
Investec Bank PLC Yes https://www.investec.com/en_gb.html
Itau BBA International PLC Yes https://www.itau.com.br/itaubba-en
J.P. Morgan Europe Limited Yes https://www.jpmorgan.com/country/GB/en/jpmorgan
J.P. Morgan International Bank Limited ??
J.P. Morgan Securities plc Yes https://www.jpmorgansecurities.com/
Jordan International Bank Plc No http://www.jordanbank.co.uk/
Julian Hodge Bank Limited Yes https://www.hodgebank.co.uk/
Kexim Bank (UK) Ltd No http://srssprojects.in/aboutus.html
Kingdom Bank Ltd Yes https://www.kingdom.bank/
Kleinwort Benson Bank Ltd Yes https://www.kleinworthambros.com/en/
Kookmin Bank International Limited Yes https://www.kbfg.com/Eng/
Lloyds Bank Plc Yes https://www.lloydsbank.com/
Lloyds Bank Private Banking Limited Fixed http://www.lloydsbank.com/private-banking/home.asp
Lloyds Banking Group No http://www.lloydsbankinggroup.com/
Macquarie Bank International Ltd Yes https://www.macquarie.com/uk/corporate
Marks & Spencer Financial Services Plc Yes https://bank.marksandspencer.com/
Masthaven Bank Limited Yes https://www.masthaven.co.uk/
Melli Bank plc No http://www.mellibank.com/
Methodist Chapel Aid Limited Yes https://www.mcafundingforchurches.co.uk/
Metro Bank PLC Yes https://www.metrobankonline.co.uk/
Mizuho International Plc Yes https://www.mizuho-emea.com/
Monzo Bank Ltd Yes https://monzo.com/
Morgan Stanley Bank International Limited Yes https://www.morganstanley.com/
National Bank of Egypt (UK) Limited No http://www.nbeuk.com/
National Bank of Kuwait (International) Plc Yes https://nbk.com/
National Westminster Bank Plc Fixed http://personal.natwest.com/
Natwest International Fixed http://www.natwestinternational.com/nw/personal-banking.ashx
Nationwide Building Society Yes https://www.nationwide.co.uk/
Nomura Bank International Plc No http://www.nomura.com/
Northern Bank Limited No http://danskebank.co.uk/personal
Northern Trust Global Services Ltd Yes https://www.northerntrust.com/
OakNorth Bank Limited Yes https://www.oaknorth.com/
OneSavings Bank Plc No http://www.osb.co.uk/
Paragon Bank Plc Yes https://www.paragonbank.co.uk/
PCF Group Holdings Ltd Yes https://pcf.bank/
Persia International Bank Plc No http://persiabank.co.uk/
Philippine National Bank (Europe) Plc No http://www.pnb.com.ph/europe/
Punjab National Bank (International) Limited Yes https://www.pnbint.com/
QIB (UK) Plc Yes https://www.qib-uk.com/en/index.aspx
R. Raphael & Sons Plc Yes https://www.raphaelsbank.com/
Rathbone Investment Management Limited Yes https://www.rathbones.com/
RBC Europe Limited No http://www.rbc.com/contactus/rbc_europe.html
Reliance Bank Ltd No http://www.reliancebankltd.com/
Revolut Yes https://www.revolut.com/?lang=en
Royal Bank of Scotland Plc No http://personal.rbs.co.uk/personal.html
Sainsbury’s Bank Plc Yes https://www.sainsburysbank.co.uk/
Santander UK Plc Yes https://www.santander.co.uk/uk/index
Schroder & Co Ltd No http://www.schroders.com/
Scotiabank Europe Plc No http://www.scotiabank.com/global/en/0,,6182,00.html
Scottish Widows Bank Plc No http://www.scottishwidows.co.uk/bank/
Secure Trust Bank Plc Yes https://www.securetrustbank.com/
SG Hambros Bank Limited Yes https://www.societegenerale.co.uk/en/worldwide-details/office/head-office/
Shawbrook Bank Limited Yes https://www.shawbrook.co.uk/
Smith & Williamson Investment Services Limited No http://smithandwilliamson.com/
Sonali Bank (UK) Limited No http://www.sonali-bank.com/
Standard Chartered Bank Yes https://www.sc.com/en/
Starling Bank Limited Yes https://www.starlingbank.com/
State Bank of India Yes https://www.onlinesbi.com/
Sumitomo Mitsui Banking Corporation Europe Limited Yes https://www.smbcgroup.com/emea/info/smbce
Tandem Bank Limited Yes https://www.tandem.co.uk/
TD Bank Europe Limited Yes https://www.td.com/about-tdbfg/our-business/index.jsp
Tesco Personal Finance Plc No http://www.tescobank.com/
TSB Bank plc Yes https://www.tsb.co.uk/personal/
Turkish Bank (UK) Ltd Yes https://www.turkishbank.co.uk/
UBS Limited Yes https://www.ubs.com/uk/en.html
Ulster Bank Ltd Fixed http://digital.ulsterbank.co.uk/
Union Bank of India (UK) Limited Yes https://www.unionbankofindiauk.co.uk/
Union Bank UK Plc Yes https://www.unionbankuk.co.uk/netbanking/
United National Bank Limited Yes https://www.ubluk.com/
United Trust Bank Limited Yes https://www.utbank.co.uk/
Unity Trust Bank Plc Yes https://www.unity.co.uk/
Vanquis Bank Limited Yes https://www.vanquis.co.uk/
Virgin Money plc Yes https://uk.virginmoney.com/virgin/
VTB Capital plc Yes https://www.vtbcapital.com/
Weatherbys Bank Limited Yes https://www.weatherbys.bank/
Wesleyan Bank Limited Yes https://www.wesleyan.co.uk/wesleyan-bank/
Westpac Europe Ltd Yes https://www.westpac.com.au/about-westpac/global-locations/westpac-uk/
Wyelands Bank Plc Yes https://www.wyelandsbank.co.uk/
Zenith Bank (UK) Limited No http://www.zenith-bank.co.uk/

An earlier version of this post also commented on Building Societies. That data has been moved to a separate post to make examining the data easier.

Commentary

From the above, we’re only commenting on the security of the home page. It’s possible that secure pages link to non-secure pages and also possible that non-secure pages link to secure pages. Either is not good. All pages in a bank should be secure. If in doubt, follow the link to the bank yourself and make your own judgement. We list the above for your information, not to endorse a particular bank or to discredit a particular bank. Although that said, you should have a serious chat with your bank if it is listed above and is not secure.

Of the banks above, Airdrie Savings Bank stands out. It is no longer in business and yet it still provides a secure website.

Axis Bank UK Limited had two websites. One had a 2014 copyright date, the other 2017. We tested the 2017 website.

Ulster Bank had multiple websites. One was secure. One was not. The non-secure website was the first listing in a Google search.

Lloyds bank is worrying. The home page was secure, but the private banking page was not secure, but had a link to the standard log in page. Not good.

The Co-operative bank provides both http and https versions of its site. Mobile users only get the http version (tested on Android). On the desktop customers can get either http or https. This needs to be fixed. https only should be served to desktop and mobile visitors.

The Bank of England passes this test, but you can’t have an account there, so we haven’t included it in our test results.

If you find any mistakes, or have additional institutions you’d like me to look at, please get in touch. @softwareverify on twitter or email customer support.

Additional Reading

If you want to know more about securing your website with HTTPS and additional measures, read this excellent article on the 6 step happy path to HTTPS by Troy Hunt.

Reference list of banks. https://en.wikipedia.org/wiki/List_of_banks_in_the_United_Kingdom

Disclaimer

I shouldn’t need to point this out, but I will, all the same, just to be clear.

The data provided on this page should be taken at face value. If you’re not sure about something, please verify it yourself. Nothing reported here should be regarded as a criticism or an endorsement or recommendation of an organisation’s security effectiveness. I am simply passing comment on whether the home page (whatever that may be) is provided as https or not. Other security concerns are a separate matter.

If your organisation is listed here and is not marked as secure, your best course of action is to fix that, not to complain that someone is reporting a fact anyone with a web browser can discover. The security status of your home page is public information, albeit information that many people don’t understand.


Getting code coverage for a child process?

By , May 31, 2017 5:43 pm

In this blog post I’m going to explain how to collect code coverage for a process that is launched by another process. We’ll be using C++ Coverage Validator to collect the code coverage.

For example you may have a control process that launches helper programs to do specific jobs and you wish to collect code coverage data for one of the helper programs. I’m first going to show how you do this with the GUI, then I’ll show you how to do this with the command line.

For the purposes of this blog post I’m going to use a test program called testAppFromOtherProcess.exe as the child program and testAppOtherProcessCpp.exe as the parent process. Once I’ve explained this for C++, I’ll also provide examples for programs launched from Java and for programs launched from Python.

The test program

The test program is simple. It takes two numbers and calculates the sum of all the products. Any value that is not supplied on the command line defaults to 10.

#include <tchar.h>	// _tmain, _TCHAR, _tcstol
#include <stdlib.h>

int _tmain(int argc, _TCHAR* argv[])
{
	int	nx, ny;
	int	x, y;
	int	v;

	nx = 10;
	ny = 10;
	v = 0;

	if (argc == 2)
	{
		nx = _tcstol(argv[1], NULL, 10);
	}
	else if (argc >= 3)
	{
		nx = _tcstol(argv[1], NULL, 10);
		ny = _tcstol(argv[2], NULL, 10);
	}

	for(y = 0; y < ny; y++)
	{
		for(x = 0; x < nx; x++)
		{
			v += (x + 1) * (y + 1);
		}
	}

	return v;
}

The parent C++ program

The parent C++ program is a simple MFC dialog that collects two values and launches the test program. The code for launching the child process looks like this:

void CtestAppOtherProcessCppDlg::OnBnClickedOk()
{
	// get data values

	CString	str1, str2;
	DWORD	v = 0;

	GetDlgItemText(IDC_EDIT_COUNT1, str1);
	GetDlgItemText(IDC_EDIT_COUNT2, str2);

	// create command line

	CString	commandline;

	commandline += _T("testAppFromOtherProcess.exe");
	commandline += _T(" ");
	commandline += str1;
	commandline += _T(" ");
	commandline += str2;

	// run child process

	STARTUPINFO         stStartInfo;
	PROCESS_INFORMATION stProcessInfo;

	memset(&stStartInfo, 0, sizeof(STARTUPINFO));
	memset(&stProcessInfo, 0, sizeof(PROCESS_INFORMATION));

	stStartInfo.cb = sizeof(STARTUPINFO);
	stStartInfo.dwFlags = STARTF_USESHOWWINDOW;
	stStartInfo.wShowWindow = SW_HIDE;

	int	bRet;

	bRet = CreateProcess(NULL,
			(TCHAR *)(const TCHAR *)commandline,
			NULL,
			NULL,
			FALSE,
			0,
			NULL,
			NULL,
			&stStartInfo,
			&stProcessInfo);
	if (bRet)
	{
		// wait until complete then get exit code

		WaitForSingleObject(stProcessInfo.hProcess, INFINITE);

		GetExitCodeProcess(stProcessInfo.hProcess, &v);

		// tidy up

		CloseHandle(stProcessInfo.hProcess);
		CloseHandle(stProcessInfo.hThread);
	}

	// display result

	SetDlgItemInt(IDC_STATIC_VALUE, v, FALSE);
}

Configuring the target C++ program

Before we can collect code coverage we need to tell C++ Coverage Validator about the target program and the program that is going to launch it. We do this from the launch dialog (or launch wizard). From the launch dialog, select the program to launch using the Browse... button and selecting the file with the File dialog. Once a file has been chosen a default value will be selected for the Application to Monitor. This is the same program as you just selected with the File dialog.

[Image: CVLaunchDialogApplicationToMonitor]

To allow us to monitor other programs we need to edit the list of applications we can monitor. Click the Edit... button to the right of the Application to monitor combo box. The Applications To Monitor dialog is displayed.

[Image: CVApplicationsToMonitorDialog]

We need to add our target program to the list of programs to monitor. Click Add.... The Application To Monitor dialog is displayed. Choose our launch program testAppOtherProcessCpp.exe using Browse.... C++ Coverage Validator will identify any other executables in the same folder and add these to the list of target programs you may want to monitor. You can remove any programs you don't want to monitor with the Remove and Remove All buttons. Your dialog should look like the one shown below.

[Image: CVApplicationToMonitorDialog]

Click OK to close the Application To Monitor dialog.

Click OK to close the Applications To Monitor dialog.

The Application to monitor combo will now have additional entries in it. Select testAppFromOtherProcess.exe in the Application to monitor combo. Leave the launch count set to 1. The first time testAppFromOtherProcess.exe is launched it will be monitored. Click Go! to start the parent process.

[Image: CVApplicationToMonitorParentProcess]

You will notice that C++ Coverage Validator is not collecting data. Now click on the Launch Child Process button. The child process is launched, C++ Coverage Validator recognises the parent process is launching a child process that is configured to be monitored and has the correct launch count (this is the first time it is being launched and the launch count is set to "1") - the child process is instrumented for code coverage. You can see the instrumentation progress in the title bar and pretty soon code coverage statistics are being displayed by C++ Coverage Validator.

[Image: CVCodeCoverageResults]

Command Line, example for C++

OK, that's wonderful, we can collect code coverage using the GUI to launch one program and collect data from a child process. All without any coding. Super. So how do we do that from the command line? Glad you asked!

"c:\C++ Coverage Validator\coverageValidator.exe" 
-program "e:\test\release\testAppOtherProcessCpp.exe"
-directory "e:\test\release" 
-programToMonitor "e:\test\release\testAppFromOtherProcess.exe" 

How does this work?

  • -directory. Specify the startup directory.
  • -program. Specify the program to launch.
  • -programToMonitor. Specify the program that will be monitored for code coverage.

Very straightforward and simple. Paths must have quotes if they contain spaces. If in doubt always use quotes. Note also that where you've installed C++ Coverage Validator will be different, most likely in C:\Program Files (x86)\Software Verification. We shortened it for the example to make it fit the page.

Java

The parent program in Java is very simple. It takes any arguments passed to it and passes them to the target program.

import java.io.IOException;
import java.lang.ProcessBuilder;
import java.util.ArrayList;

public class testAppFromOtherProcessJava
{
	public static void main(String[] args) throws IOException, InterruptedException
	{
		String		target = "e:\\om\\c\\testApps\\testAppFromOtherProcess\\Release\\testAppFromOtherProcess.exe";
		ProcessBuilder	p = new ProcessBuilder();

		// add the args to be passed to the target program, unlike C/C++, args[0] is not the program name

		ArrayList<String>	targetArgs;

		targetArgs = new ArrayList<String>();
		targetArgs.add(target);
		for(int i = 0; i < args.length; i++)
		{
			targetArgs.add(args[i]);
		}

		p.command(targetArgs);

		// run the process, wait for it to complete and report the value calculated
		// (the child returns its result as its exit code)

		Process		proc;

		proc = p.start();
		proc.waitFor();

		System.out.println("Result: " + proc.exitValue());
	}
}

You can compile this program with this simple command line. This assumes you have a Java Development Kit installed and javac.exe on the command line.

javac testAppFromOtherProcessJava.java

Configuring the target Java program

As with the C++ target program we need to tell C++ Coverage Validator about the target program and the program that is going to launch it. We're running a Java program so the executable to launch is the Java runtime. Click the Browse... button and select the Java runtime you are using.

[Image: CVLaunchDialogJava]

The launch directory is automatically configured to be the same as the launch program. In the case of a Java program, that is almost certainly incorrect. We're going to choose the directory where our Java class is located. Click the Dir... button and choose that directory.

[Image: CVLaunchDialogJavaDirectory]

We also need to tell the Java runtime what class to execute. This is provided as an argument to the program being run (the Java runtime). In the arguments field, type the name of the class. In this case testAppFromOtherProcessJava (without the .class extension).

[Image: CVLaunchDialogJavaArguments]

To allow us to monitor other programs we need to edit the list of applications we can monitor. Click the Edit... button to the right of the Application to monitor combo box. The Applications To Monitor dialog is displayed.

[Image: CVApplicationsToMonitorDialog]

We need to add our target program to the list of programs to monitor. Click Add.... The Application To Monitor dialog is displayed. Choose the Java runtime java.exe using Browse.... C++ Coverage Validator will identify any other executables in the same folder and add these to the list of target programs you may want to monitor. You can remove any programs you don't want to monitor with the Remove and Remove All buttons. We now need to add the target program to the list of programs we want to monitor. Click Add... and select testAppFromOtherProcess.exe. Your dialog should look like the one shown below.

[Image: CVApplicationToMonitorDialogJava]

Select testAppFromOtherProcess.exe in the Application to monitor combo. Leave the launch count set to 1. The first time testAppFromOtherProcess.exe is launched it will be monitored. Click Go! to start the parent process.

[Image: CVLaunchDialogApplicationToMonitorJava]

The Java process launches testAppFromOtherProcess.exe immediately. As such you will notice that C++ Coverage Validator starts collecting code coverage almost instantly because it has recognised the Java process is launching a child process that is configured to be monitored and has the correct launch count.

[Image: CVCodeCoverageResultsJava]

Command Line, example for Java

As you can see, it's slightly more complicated for Java than for C++, but only because the Java runtime is located in a different folder than the test executable and because we also have to specify a Java class to execute. We still managed to collect code coverage for a child process of a just in time compiled language without any coding.

Of course, you now want to know how to do this for the command line. Is this any more complicated than for the C++ example? No! Just as easy. Here's how you do it:

"c:\C++ Coverage Validator\coverageValidator.exe" 
-program "c:\program files\java\jdk1.8.0_121\bin\java.exe"
-directory "e:\test\release" 
-arg testAppFromOtherProcessJava
-programToMonitor "e:\test\release\testAppFromOtherProcess.exe"

How does this work?

  • -arg. Specify an argument to the program to launch. In this example this specifies the Java class to execute.
  • -directory. Specify the startup directory.
  • -program. Specify the program to launch. In this example this specifies the Java runtime.
  • -programToMonitor. Specify the program that will be monitored for code coverage.

Use as many -arg options as you need. We only used one because that's all we need for the example.

Python

The parent program in Python is very simple.

import sys
import subprocess

target = r"E:\om\c\testApps\testAppFromOtherProcess\Release\testAppFromOtherProcess.exe"

# pass the arguments as a list so that each one reaches the child as a single
# argument, even if it contains spaces
cmdLine = [target] + sys.argv[1:]

subprocess.call(cmdLine, stdin=None, stdout=None, stderr=None, shell=False)

Configuring the target Python program

As with the C++ target program we need to tell C++ Coverage Validator about the target program and the program that is going to launch it. We're running a Python program so the executable to launch is the Python interpreter. Click the Browse... button and select the Python interpreter you are using.

[Image: CVLaunchDialogPython]

The launch directory is automatically configured to be the same as the launch program. In the case of a Python program, that is almost certainly incorrect. We're going to choose the directory where our Python script is located. Click the Dir... button and choose that directory.

[Image: CVLaunchDialogPythonDirectory]

We also need to tell Python what script to launch. This is provided as an argument to the program being run (the Python interpreter). In the arguments field, type the name of the script. In this case testAppFromOtherProcess.py.

[Image: CVLaunchDialogPythonArguments]

To allow us to monitor other programs we need to edit the list of applications we can monitor. Click the Edit... button to the right of the Application to monitor combo box. The Applications To Monitor dialog is displayed.

[Image: CVApplicationsToMonitorDialog]

We need to add our target program to the list of programs to monitor. Click Add.... The Application To Monitor dialog is displayed. Choose the Python interpreter python.exe using Browse.... C++ Coverage Validator will identify any other executables in the same folder and add these to the list of target programs you may want to monitor. You can remove any programs you don't want to monitor with the Remove and Remove All buttons. We now need to add the target program to the list of programs we want to monitor. Click Add... and select testAppFromOtherProcess.exe. Your dialog should look like the one shown below.

[Image: CVApplicationToMonitorDialogPython]

Select testAppFromOtherProcess.exe in the Application to monitor combo. Leave the launch count set to 1. The first time testAppFromOtherProcess.exe is launched it will be monitored. Click Go! to start the parent process.

[Image: CVLaunchDialogPythonAppToMonitor]

The Python process launches testAppFromOtherProcess.exe immediately. As such you will notice that C++ Coverage Validator starts collecting code coverage almost instantly because it has recognised the Python process is launching a child process that is configured to be monitored and has the correct launch count.

[Image: CVCodeCoverageResultsPython]

Command Line, example for Python

As you can see, it's slightly more complicated for Python than for C++, but only because the Python interpreter is located in a different folder than the test executable and because we also have to specify a Python script. We still managed to collect code coverage for a child process of a scripted language without any coding.

Of course, you now want to know how to do this for the command line. Is this any more complicated than for the C++ example? No! Just as easy. Here's how you do it:

"c:\C++ Coverage Validator\coverageValidator.exe" 
-program "c:\python36-32\python.exe"
-directory "e:\test\release" 
-arg testAppFromOtherProcess.py
-programToMonitor "e:\test\release\testAppFromOtherProcess.exe"

How does this work?

  • -arg. Specify an argument to the program to launch. In this example this specifies the Python script to run.
  • -directory. Specify the startup directory.
  • -program. Specify the program to launch. In this example this specifies the Python interpreter.
  • -programToMonitor. Specify the program that will be monitored for code coverage.

Use as many -arg options as you need. We only used one because that's all we need for the example.

Conclusion

We've demonstrated how to monitor code coverage in a target program launched from C++, Java and Python, using both the GUI and the command line. Each example is slightly different, showing you the changes required for each situation. If you have any questions please email support@softwareverify.com

You can download the C++, Java and Python code used in these examples here.


Updated error codes for all Validator tools

By , May 12, 2017 12:01 pm

We’ve just updated our documentation for all our Validator tools to include an up-to-date list of exit return codes. You may find these useful if you’re running these tools from the command line.

These error codes apply to C++ Bug Validator, C++ Coverage Validator, C++ Memory Validator, C++ Performance Validator, C++ Thread Validator, .Net Coverage Validator, .Net Memory Validator, .Net Performance Validator and VM Validator.

0 All ok
-1 Unknown error. An unexpected error occurred starting the runtime
-2 Application started ok. You should not see this code returned
-3 Application failed to start. E.g. runtime not present, not an executable or injection dll not present
-4 Target application is not an application
-5 Don’t know what format the executable is, cannot process it
-6 Not a 32 bit application
-7 Not a 64 bit application
-8 Using incorrect MSVCR(8|9).DLL that links to CoreDLL.dll (incorrect DLL is from WinCE)
-9 Win16 app cannot start these because we can’t inject into them
-10 Win32 app – not used
-11 Win64 app – not used
-12 .Net application
-13 User bailed out because app not linked to MSVCRT dynamically
-14 Not found in launch history
-15 DLL to inject was not found
-16 Startup directory does not exist
-17 Symbol server directory does not exist
-18 Could not build a command line
-19 No runtime specified, cannot execute script (or Java) (obsolete)
-20 Java arguments are OK – not an error (obsolete)
-21 Java agentlib supplied that is not allowed because Java Bug Validator uses it (obsolete)
-22 Java xrun supplied that is not allowed because Java Bug Validator uses it (obsolete)
-23 Java cp supplied that is not allowed because Java Bug Validator uses it (obsolete)
-24 Java classpath supplied that is not allowed because Java Bug Validator uses it (obsolete)
-25 Firefox is already running, please close it (obsolete)
-26 Lua runtime DLL version is not known (obsolete)
-27 Not compatible software
-28 InjectUsingCreateProcess, no DLL name supplied
-29 InjectUsingCreateProcess, Unable to open PE File when inspecting DLL
-30 InjectUsingCreateProcess, Invalid PE File when inspecting DLL
-31 InjectUsingCreateProcess, No Kernel32 DLL
-32 InjectUsingCreateProcess, NULL VirtualFree() from GetProcAddress
-33 InjectUsingCreateProcess, NULL GetModuleHandleW() from GetModuleHandleW
-34 InjectUsingCreateProcess, NULL LoadLibraryW() from LoadLibraryW
-35 InjectUsingCreateProcess, NULL FreeLibrary() from FreeLibrary
-36 InjectUsingCreateProcess, NULL VirtualProtect() from GetProcAddress
-37 InjectUsingCreateProcess, NULL VirtualFree() from GetProcAddress
-38 InjectUsingCreateProcess, unable to find DLL load address
-39 InjectUsingCreateProcess, unable to write to remote process’s memory
-40 InjectUsingCreateProcess, unable to read remote process’s memory
-41 InjectUsingCreateProcess, unable to resume a thread
-42 UPX compressed – cannot process such executables
-43 Java class not found in CLASSPATH
-44 Failed to launch the 32 bit svlGetProcAddressHelperUtil.exe
-45 Unknown error with svlGetProcAddressHelperUtil.exe
-46 Couldn’t load specified DLL into svlGetProcAddressHelperUtil.exe
-47 Couldn’t find function in the DLL svlGetProcAddressHelperUtil.exe
-48 Missing DLL argument svlGetProcAddressHelperUtil.exe
-49 Missing function argument svlGetProcAddressHelperUtil.exe
-50 Missing svlGetProcAddressHelperUtil.exe
-51 Target process has a manifest that requires elevation
-52 svlInjectIntoProcessHelper_x64.exe not found
-53 svlInjectIntoProcessHelper_x64.exe failed to start
-54 svlInjectIntoProcessHelper_x64.exe failed to return error code
-55 getImageBase() worked ok
-56 ReadFile() failed in getImageBase()
-57 NULL pointer when trying to allocate memory
-58 CreateFile() failed in getImageBase()
-59 ReadProcessMemory() failed in getImageBase()
-60 VirtualQueryEx() failed in getImageBase()
-61 Bad /appName argument in svlInjectIntoProcessHelper_x64.exe
-62 Bad /dllName argument in svlInjectIntoProcessHelper_x64.exe
-63 Bad /procId argument in svlInjectIntoProcessHelper_x64.exe
-64 Failed to OpenProcess in svlInjectIntoProcessHelper_x64.exe
-65 A DLL that the .exe depends upon cannot be found
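When a script launches a Validator tool on Windows, the negative codes above usually arrive as unsigned 32-bit values (for example, -16 shows up as 4294967280), so they need converting before they can be looked up. The following is an added example, not Software Verify's code: the grouping into "config" and "target" categories and all function names are assumptions, and it uses only the command line options described on this page.

```python
import subprocess

# Descriptions copied from the exit code list above (a subset only).
# The "ok" / "config" / "target" grouping is this example's assumption.
OK_CODES = {0: "All ok"}
CONFIG_CODES = {
    -14: "Not found in launch history",
    -15: "DLL to inject was not found",
    -16: "Startup directory does not exist",
    -17: "Symbol server directory does not exist",
    -18: "Could not build a command line",
}
TARGET_CODES = {
    -3: "Application failed to start",
    -6: "Not a 32 bit application",
    -7: "Not a 64 bit application",
    -42: "UPX compressed - cannot process such executables",
    -51: "Target process has a manifest that requires elevation",
    -65: "A DLL that the .exe depends upon cannot be found",
}

def to_signed32(code):
    """Windows reports exit codes as unsigned DWORDs; map back to signed."""
    code &= 0xFFFFFFFF
    return code - 0x100000000 if code >= 0x80000000 else code

def classify(raw_code):
    """Return (signed_code, category, description) for a raw exit code."""
    code = to_signed32(raw_code)
    tables = (("ok", OK_CODES), ("config", CONFIG_CODES), ("target", TARGET_CODES))
    for category, table in tables:
        if code in table:
            return code, category, table[code]
    return code, "other", "see the full exit code list"

def build_command(validator, program, directory, args, program_to_monitor):
    """Build argv from the -program, -directory, -arg and -programToMonitor options."""
    cmd = [validator, "-program", program, "-directory", directory]
    for arg in args:
        cmd += ["-arg", arg]
    return cmd + ["-programToMonitor", program_to_monitor]

def run_and_classify(cmd):
    """Run the tool (Windows only; assumes it exits when the session ends)."""
    return classify(subprocess.run(cmd).returncode)
```

A build script can fail fast on "config" results, which point at the machine or the command line, and report "target" results against the executable under test.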

How to output to stdout from an MFC program

By , January 31, 2017 1:00 pm

If you’ve ever developed an MFC program with a graphical user interface and then later thought that it would be really nice to also provide a command line version with output to stdout you’ve probably bumped into the problem that there is no stdout for these programs. The program isn’t attached to a console.

So how do you do it?

The secret to this is a Win32 API “AttachConsole” which is available from Windows XP onwards.
AttachConsole takes one argument, a DWORD identifying the process to which to attach. In our case we want to attach to the parent process, so we pass ATTACH_PARENT_PROCESS which is defined as (DWORD)-1.

AttachConsole(ATTACH_PARENT_PROCESS);

When you need to print to this console use _cprintf(), which is defined in conio.h.

But we’re still working with legacy systems!

If you need your code to work on old systems as well as modern systems you’ll need to use GetProcAddress() as shown below.

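#include <windows.h>	// normally already pulled in by the MFC headers
#include <tchar.h>	// _T()

#ifndef ATTACH_PARENT_PROCESS
#define ATTACH_PARENT_PROCESS	((DWORD)-1)
#endif	//ATTACH_PARENT_PROCESS

typedef BOOL (WINAPI *AttachConsole_FUNC)(DWORD);

//-NAME---------------------------------
// attachToProcessConsole
//.DESCRIPTION..........................
// Attach this process to the console of the process identified by processId.
// AttachConsole is looked up at run time with GetProcAddress() so the
// program still loads on systems that do not provide it.
//.PARAMETERS...........................
// processId - process to attach to, or ATTACH_PARENT_PROCESS for the parent
//.RETURN.CODES.........................
// TRUE if attached, FALSE if AttachConsole is unavailable or the call failed
//--------------------------------------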

BOOL attachToProcessConsole(DWORD	processId)
{
	HMODULE				hMod;

	hMod = GetModuleHandle(_T("Kernel32.dll"));
	if (hMod != NULL)
	{
		AttachConsole_FUNC	func;

		func = (AttachConsole_FUNC)GetProcAddress(hMod, "AttachConsole");
		if (func != NULL)
		{
			// valid for Windows XP onwards

			return (*func)(processId);
		}
	}

	return FALSE;
}