The Top 5 AppSec Villains

Happy Halloween from Veracode! We’ve all been dealing with all kinds of AppSec villains for a long time – but perhaps you’ve never visualized them in exactly this way. Check out this fun flipbook to learn about the top 5 villains – and how you can defeat them. Do you dare enter this haunted house? You can also view this flipbook on Slideshare; feel free to download the PowerPoint and share it with your organization.

Agile Scrum Methodology Is the No-Huddle Offense of Software

Agile is beyond a buzzword at this point — it's a way of life. And Agile Scrum methodology is getting there, but its frenetic pace and hyperspecialization of tasks are still novel to many companies. With Agile Scrum's recent advent and rapid gain in popularity, security teams are scrambling to catch up with developers. Not only does this no-huddle offense leave little time to talk about anything but the task at hand, it further complicates the secure development and testing phases that are so critical to building safe, quality software. Just as more NFL teams here in the United...

How Agile Development, Automation and Security Can Work Together

Cutting corners is rarely good business. Whether you're flipping burgers, schmoozing clients or practicing law, taking the short route in your industry will almost always make someone angry. Take software, an industry governed by (generally) stringent standards and high-paying clients. Agile development, an ever-growing practice that ranges somewhere between beards and UGG boots on the trend-o-meter, has a lot of good things going for it: it's fast, it often eschews outmoded development practices, and it goes a long way toward eliminating the so-called "baked-in" wait times...

Over 9,000 Back Doors: How Your Partners Make You Vulnerable

For Target, it was the HVAC vendor. For JPMorgan Chase, it was a website run by a third party. Enterprises are becoming even more concerned about the security of their partners as news stories like these get the spotlight: attackers coming in through the digital loading dock. You may think you’ve mapped your attack surface across your own infrastructure, but you could be missing all the back doors that your vendors bring with them. These aren’t necessarily intentional back doors; they’re usually mistakes or bad practices. Providers using the same administrative passwords...

Only You Can Prevent an XSS Attack — Here's How

The only thing worse than guys spouting industry buzzwords at random is guys spouting negative industry buzzwords at random. For every mention of "disruption" and the "Internet of Things," there's also a reference to an "XSS attack" or "Heartbleed" or some other common cybersecurity threat. Despite how common these buzzwords are, however (or perhaps because they're too common), many actual issues are poorly understood. Once enough people mention something, it becomes uncool to ask what exactly it is — so we all nod and casually mention it...

Penetration Testing Doesn't Have to Feel Like Rabbit Farming

About half of all business Web apps developed in the last 15 years are Java-based. This makes Java an obvious target for hackers, since so many applications are built on it, and penetration testing is often skipped in favor of patchwork security solutions. Because much of today's background Java code is derived from crowdsourced code libraries, developers often trust that their code is safe without verifying that its source has done testing or is even as friendly as it claims to be. The problem? As building apps has gotten easier and programmers have become more prolific, few companies...

Monetary Authority of Singapore (MAS) Compliance: As Easy as Chewing Gum and Walking

Singapore is famous for its balmy weather, insanely clean streets — and maximum-security banks. The dark side of such a utopia is an overwhelming set of rules and regulations that can quickly become disastrous for tourists. The half-joke about visiting Singapore, chewing gum, and never leaving has a little too much truth to be funny. But I digress. Singapore is renowned for its economy and is quickly becoming the Switzerland of Asia for its bank security and business-friendly tax policies. Strict laws and safe banks make for both a millionaire's dream come true and an international...

A Neglected Threat

This post was jointly authored by Ed Jennings, Chief Marketing Officer, and Anne Nielsen, Product Marketing Manager at Veracode. Enterprises everywhere — not just the biggest banks — are ignoring a major gap in their approach to security. The recent breach at JPMorgan Chase compromised some of the personal account information of 76 million households and 7 million small businesses. This breach, along with those at Target, Home Depot, Lowes and others, highlights the issue of vendor security: if you are buying something, are you also responsible for securing it? Benjamin Lawsky, New...

Security Headers on the Top 1,000,000 Websites: October 2014 Report

The October 2014 edition of this report adds back the much-needed analysis of changes, additions and removals of security headers. These are important metrics, as they allow us to gain insight into how website operators are reacting to changes in their web resources. Now that we have a previous report to compare against, we can once again generate these statistics and do a full analysis. As before, it is strongly recommended that you review our post on setting security headers to understand what these headers do and how to set them properly in your environment. There were no...

App Testing (and Retesting): When Are You Secure Enough to Launch?

Enterprises recognize the need for cutting-edge, user-friendly apps, but Veracode reports that of 12,000 security professionals surveyed, 69 percent cite application-layer vulnerabilities as the greatest threats to app security. What's more worrisome is that just 10 percent of respondents say that their apps were reviewed for security before, during and after launch. App testing remains the most effective way to prevent problems down the line — so how do you know when your app is ready for prime time? What's the Big Deal? Application flaws can lead to security breaches. If hackers...