AppSec is a Major Concern, But Still Not a Top Priority

Imagine this scenario: your brother tells you he is very concerned about the fact that the brakes on his car haven’t been working right lately – but he just doesn’t have time to get to the mechanic. It is important that he gets to work quickly, and putting his car in the shop will slow him down. What would you say? You’d probably offer to let him borrow your car – right after you slap him upside the head. That line of reasoning doesn’t make any sense, yet it is the same reasoning many companies use for forgoing a secure development process....

It's 2015 and I'm Still Not At RSA Conference

RSA is here again. This year our crew is decked out in spiffy monster ties, sweater vests and cardigans. And here I am again, blogging from my cube. As usual, I’m perusing the RSA site looking for interesting things that my fellow non-attendees can look at. And before you ask – no, I couldn’t watch the live streaming of the RSA keynote. I’m pretty sure it’s because IT didn’t want our network to totally collapse with everyone streaming it to their desks – oh well. So I’ve been looking at some of the session slides that have already...

The BMW Security Flaw, or Dude, Where's My Car?

Forget LoJack, it's 2015. If you want to protect your car — and your enterprise's secure data — it's about time you add it to the list of devices your AppSec program protects. The recent BMW security flaw announcement proves that even manufacturers acknowledge this brave new world of software vulnerability. It might sound crazy, but the era of computer hackers stealing cars is upon us. Picture this: You return to the downtown garage where you parked your car overnight, only to find it's not there. There's no broken glass, no skid marks from a trailer dragging...

The Proof (and Profit) of Security Audits Is in the Pudding

Software buyers are increasingly focusing on security as a requirement in the product they purchase. This is far from a bad thing — it's how these software buyers ensure their employees and customers are secure. But it can represent a roadblock for the vendors that supply the software products. Suddenly, testimonials and self-attestations don't carry the weight they once did, leaving independent software vendors (ISVs) to find new approaches to sell their products. Fortunately, overcoming hurdles in this new age of security awareness comes down to documentation, specifically...

The #VeracodeMonster Social Challenge at RSA Conference

We're bringing back our popular #VeracodeMonster photo challenge - and this time we're bringing all our Monsters to the party. Last year saw the debut of our social photo challenge: we had lanyards made of one of our new Monsters and handed them out left and right at cons, encouraging everyone to post photos of themselves with the Monster wherever they went. And boy did they. We were so blown away by the participation we saw throughout last year that we knew we had to bring the challenge back for round two. This time around there are more Monsters and more prizes. While this...

Mobile Apps: Welcome to the Wild West

In recent weeks, there has been a lot of talk about the phenomenon of hardware release cycles taking a toll on safe software development. Just as OS platform safety testing gets neglected in the mad dash to keep pace with hardware launch dates, IT organizations are also watching mobile app safety get tossed by the wayside as pressure to keep pace with consumer demands mounts. Between BYOD initiatives and the rapid release and onboarding of native and third-party apps, screening and security testing have reached shocking lows. It's never been more fair to assume all apps are either...

Study: Risk Visibility Gap

Enterprises around the world rely on web and mobile apps to do business, yet basic security assessments of these applications are not consistently done. In a study we commissioned through IDG, more than 300 IT managers from the US, UK and Germany were interviewed about their application security programs and processes. The results? Most enterprises aren't assessing for critical, commonly exploited vulnerabilities. Web applications seem to be the largest category to suffer from this negative trend, even though they represent the majority of the world's developed applications....

Even Anti-Virus Vendors Recognize the Need for AppSec

It is not uncommon for security vendors to release reports outlining the state of security. Verizon does it each year, and its report is seen as the authority on security statistics. Recently, Symantec released its “2015 Internet Security Threat Report”, and what caught my eye is how prevalent the issue of application security was in the report. You’d expect a report from an endpoint security vendor to focus heavily on malware and phishing – and the report did. However, the report also covered the rise of the branded vulnerability and how crucial application...

Transport for London Doubles Mobile Tablet Use, Freedom of Information Request Reveals

More than 23,000 mobile devices issued to staff last year, a 48% increase in the last five years

This week Veracode released figures obtained from Transport for London (TfL) which show that it has significantly ramped up the number of mobile tablet devices it issues to staff. For those readers who haven’t experienced the joy of the London commute, TfL is responsible for the trusty London tube along with the rail, bus and tram network. This data, obtained by Veracode through a Freedom of Information request, shows the dramatic rise in tablets in the workplace across the public and...

How Third-Party Risk Management Makes Outsourcing Easy

It's no secret that third-party vendors are the backbone of software development. Positions are being created at a record pace while the roles behind them continue to drill down into more specific duties. Throw in the scores of non-tech businesses continually uncovering critical software needs, and you have an industry in which outsourcing becomes less of a possibility and more of a self-fulfilling prophecy. Third-party risk management can reduce the risk a company assumes in dealing with third-party vendors. Where this might have been a luxury before, the sheer prominence of...
