Penetration Testing Doesn't Have to Feel Like Rabbit Farming

About half of all business Web apps developed in the last 15 years are Java-based. That sheer volume makes Java an obvious target for attackers, yet penetration testing is often skipped in favor of patchwork security fixes. Because much of today's Java code is assembled from third-party and open-source libraries, developers often trust that their code is safe without verifying that the library's authors tested it, or that the library even does what it claims. The problem? As building apps has gotten easier and programmers have become more prolific, few companies...

Monetary Authority of Singapore (MAS) Compliance: As Easy as Chewing Gum and Walking

Singapore is famous for its balmy weather, insanely clean streets — and maximum-security banks. The dark side of such a utopia is an overwhelming set of rules and regulations that can quickly become disastrous for tourists. The half-joke about visiting Singapore, chewing gum, and never leaving has a little too much truth to be funny. But I digress. Singapore is renowned for its economy and is quickly becoming the Switzerland of Asia for its bank security and business-friendly tax policies. Strict laws and safe banks make for both a millionaire's dream come true and an international...

A Neglected Threat

This post was jointly authored by Ed Jennings, Chief Marketing Officer, and Anne Nielsen, Product Marketing Manager at Veracode. Enterprises everywhere — not just the biggest banks — are ignoring a major gap in their approach to security. The recent breach at JPMorgan Chase compromised some of the personal account information of 76 million households and 7 million small businesses. This breach, along with those at Target, Home Depot, Lowe's and others, highlights the issue of vendor security: if you are buying something, are you also responsible for securing it? Benjamin Lawsky, New...

Security Headers on the Top 1,000,000 Websites: October 2014 Report

The October 2014 edition of this report adds back the much-needed analysis of changes, additions and removals of security headers. These metrics matter because they show how website operators are reacting as their web resources change. Now that we have a previous report to compare against, we can once again generate these statistics and do a full analysis. As before, we strongly recommend reviewing our post on setting security headers to understand what these headers do and how to set them properly in your environment. There were no...
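
The "changes, additions and removals" metric above is a diff between two scans of each site's response headers. The following is an added example of how such a diff can be computed; it is not code from the report or its authors. The two scan snapshots, the site names and the helper names are constructed for illustration, and the header list is limited to a handful of commonly tracked security headers.

```python
"""Diff two snapshots of HTTP response headers and count, per security header,
how many sites added, removed or changed it between scans.

Added example, not the report's own tooling. SCAN_PREVIOUS and SCAN_CURRENT
are constructed sample data; site names are illustrative.
"""
from typing import Dict, List, Tuple

# Security headers tracked here. HTTP header names are case-insensitive
# (RFC 7230), so every comparison is done on the lower-cased name.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "x-xss-protection",
    "public-key-pins",
)

# Constructed sample scans: raw response heads keyed by hostname.
SCAN_PREVIOUS = {
    "example.com": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "Strict-Transport-Security: max-age=300\r\n"
    ),
    "example.net": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-XSS-Protection: 1; mode=block\r\n"
    ),
}
SCAN_CURRENT = {
    "example.com": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "x-frame-options: SAMEORIGIN\r\n"  # same header, different case: not a change
        "strict-transport-security: max-age=31536000; includeSubDomains\r\n"
        "X-Content-Type-Options: nosniff\r\n"
    ),
    "example.net": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"  # X-XSS-Protection was dropped
    ),
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response head into {lower-cased name: value}, keeping only
    SECURITY_HEADERS. The status line and non-header lines are skipped; if a
    site sends the same header twice, the last value wins (a simplification)."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in SECURITY_HEADERS:
            headers[name] = value.strip()
    return headers


def diff_snapshots(previous: Dict[str, str],
                   current: Dict[str, str]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, changed) header names for one site. A header is
    'changed' when it is present in both scans with a different value."""
    added = sorted(set(current) - set(previous))
    removed = sorted(set(previous) - set(current))
    changed = sorted(n for n in set(previous) & set(current)
                     if previous[n] != current[n])
    return added, removed, changed


def report(previous_scan: Dict[str, str],
           current_scan: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Aggregate per-site diffs into counts per header. A site missing from one
    scan is treated as having sent no security headers in that scan."""
    counts = {h: {"added": 0, "removed": 0, "changed": 0} for h in SECURITY_HEADERS}
    for site in set(previous_scan) | set(current_scan):
        prev = parse_headers(previous_scan.get(site, ""))
        cur = parse_headers(current_scan.get(site, ""))
        added, removed, changed = diff_snapshots(prev, cur)
        for name in added:
            counts[name]["added"] += 1
        for name in removed:
            counts[name]["removed"] += 1
        for name in changed:
            counts[name]["changed"] += 1
    return counts


if __name__ == "__main__":
    for header, c in report(SCAN_PREVIOUS, SCAN_CURRENT).items():
        print(f"{header:28} +{c['added']} -{c['removed']} ~{c['changed']}")
```

On the constructed data, example.com keeps X-Frame-Options (the case change is not a change), strengthens its HSTS policy (counted as changed) and adds X-Content-Type-Options, while example.net drops X-XSS-Protection. Comparing values as well as presence is what distinguishes a site that tightened a policy from one that merely kept the header.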

Managing Vendor Risk: How to Take Your Cybersecurity to the Next Level

Name a firm that doesn't outsource its data. It's tough, right? And it's equally difficult to find a CIO who isn't concerned about cybersecurity. The fact is, outsourcing data poses security risks. The rise of technologies such as mobile, cloud and social — in addition to the shift toward an ever-connected, Internet-of-Things (IoT) world — has given cybercriminals a broader attack surface upon which to act. Privacy and data security have become the primary issues for firms that place their data in the hands of others.

Managing Risks

It seems like everything went...

App Testing (and Retesting): When Are You Secure Enough to Launch?

Enterprises recognize the need for cutting-edge, user-friendly apps, but Veracode reports that of 12,000 security professionals surveyed, 69 percent cite application-layer vulnerabilities as the greatest threat to app security. What's more worrisome is that just 10 percent of respondents say that their apps were reviewed for security before, during and after launch. App testing remains the most effective way to prevent problems down the line — so how do you know when your app is ready for prime time?

What's the Big Deal?

Application flaws can lead to security breaches. If hackers...

HIPAA Compliance and the Healthcare Supply Chain: Broken Links?

Healthcare organizations are no strangers to IT security risks. In August, Community Health Systems (CHS) announced the theft of 4.5 million patient records in a breach that began with exploitation of the Heartbleed flaw; now, companies are dealing with Shellshock, a vulnerability in the Bash shell that is being used to compromise appliances and network hardware, including medical devices. To combat these threats and maintain HIPAA compliance, many organizations have "hardened" traditional access points, making it more difficult for attackers to slip through. The rise of an app-enabled healthcare supply chain, however, is creating new breach...

What Microsoft's Agile Development Plans Mean for Application Security

Waterfall development has been a staple of technology's largest software houses for decades, but now even the most blue-chip tech firms are considering more nimble approaches. Agile development has proven its power over the past few years, and Microsoft looks to be shifting its development process to take advantage of its benefits — including the fact that it gives CISOs an opportunity to integrate security testing into each development iteration, ensuring their apps are as secure as possible at a time when information security is only growing in importance. A More...

Want a Powerful Culture of Security? Communicate "the Why"!

This post was jointly authored by Vivian Vitale, EVP of Human Resources, and Maria Loughlin, VP of Engineering at Veracode. What is a culture of security? Can you impose one? Does it evolve? What are the elements that make it stick? As leaders at Veracode, where security is job #1, we challenge ourselves with these questions. We represent two different functional perspectives: the human-resources lead and the engineering lead. We both come from companies deeply rooted in security, whether we're talking products or services (or both). Together, we have learned that multiple cultural...

How Medical Services Can Close the Gap in Healthcare Security

Personally identifiable information (PII) is rapidly becoming a hot commodity for cybercriminals, since it lets them file false tax returns and open fraudulent credit-card accounts. But the most valuable PII? Healthcare data. Once it is compromised, thieves can use it to claim medical benefits and obtain prescription drugs. According to Healthline, healthcare security took a beating last year, with 44 percent of all identity breaches targeting the medical-services industry. As noted by Modern Healthcare, more than 12 percent of all Americans have suffered some kind of healthcare-related...
