Adding Software Development Roles Without the Scaling Nightmare

In a tech industry marked by explosive growth, expanding rosters and exorbitant license fees, scalability doesn't just mean growing to accommodate changes as they come — it's also synonymous with survivability. Take the act of adding new software development roles, something nearly every reasonably successful software company is doing these days. Every new employee or role within an organization can mean a new layer of security concerns. Onboarding is a major consideration, especially as it applies to bringing in new engineers. By the same token, adding new security execs...


How Code Review Best Practices Saved One Company Millions

If you've read this blog before, you already understand the security benefits of fixing code errors and other vulnerabilities early and often. But implementing code review best practices has other benefits beyond software security. When it comes to the bottom line, it can bring big positives — often without forcing any major changes to company operations. For proof, look no further than this recent Veracode/Forrester case study, in which committing to code review best practices helped a Global 2000 financial services company secure outsourced and internally developed applications,...


JetLeak: the latest lesson in the importance of visibility

Earlier this week Gotham Digital Science issued a disclosure regarding a vulnerability in Jetty Web Servers. CVE-2015-2080, or JetLeak, allows an unauthenticated remote attacker to read arbitrary data from previous requests submitted to the server by other users. The blog post by Gotham outlines nicely what this vulnerability is and what you need to do to address it. Versions 9.2.3 and later of Jetty Web Server possess the JetLeak vulnerability, and Jetty recommends that users upgrade to version 9.2.9.v20150224 immediately. If you are a Veracode Discovery customer, we can help...


Which Is More Dangerous: Cause-Motivated or Financially Motivated Hackers?

The Wall Street Journal recently published excerpts from an interview with David DeWalt, FireEye’s CEO. As I read through his comments, one in particular got me thinking: “The breach of Sony last year marked the “elevation” of cybercrime into “sabotage,” DeWalt said. “We’ve watched over the last two or three years significant occurrences of just outright destruction. Attempts to really hurt companies or countries with Internet weaponry. You don’t have to wipe out the company. All you have to do is release the information about the...


Don't Be a Dinosaur! Try Agile Development Methods Today

The internet has revolutionized the world of software. Today's top-selling, pocket-sized gadgets don't have room for USB flash sticks, let alone full-on optical drives — and considering many laptops and desktops now ship sans disc-reading capability, releasing a full software product without digital distribution is like selling a car without wheels. Because of this, the way developers make software needs to change, too. While methods such as traditional waterfall certainly have their uses, there's no question that Agile development is the way of the future. Here's why....


What the WhatsApp Update Means for You

There's no question that WhatsApp, the popular messaging app that recently fetched $22 billion from Facebook, is a major player in the communication-technology sphere. So when the EFF released its Secure Messaging Scorecard, on which neither WhatsApp nor any other major messaging clients scored favorably, the company knew its reputation (and its users' safety) was at stake. In response to its low marks, a new WhatsApp update "added end-to-end encryption and enabled it by default in the latest version of its Android messaging application," writes Katherine Noyes for the E-...


How to Talk to Executives About Risk-Based Security Policies

How do you communicate risk to C-suite executives? The question plagues IT departments nationwide as threats like the recent Sony hack and Backoff POS malware, plus vulnerabilities such as Heartbleed and Shellshock, make it increasingly difficult to keep corporate IT assets safe. Creating a risk-based security policy is made even more complex when internal software development is considered: Should projects be pushed to market before more flaws are discovered, or put on the back burner until more comprehensive solutions can be found? Here are three key talking points to bolster boardroom...


Will High-Tech Bank Heist Change How Enterprises View Security?

Kaspersky Lab has released reports stating that bank hackers stole millions via malware. The initial reports indicated that hackers stole approximately $1 billion from over 100 banks in 25 countries — including the United States (although now FS-ISAC claims no US banks were impacted). Whether or not US banks were hit isn’t the most interesting point. What is interesting is how the cybercriminals infiltrated the banks they did breach, and what they stole. As with many of the large breaches we’ve seen in the past year, the cybercriminals used a variety of techniques as...


Raise the Gates: 3 Tips for Stronger Password Security

Password security is one of the hottest, longest-standing topics in today's world of digital security, and it's no wonder: These single, self-contained words and phrases give users access to a wide breadth of info, powerful systems and functions that enterprise employees need in their daily jobs. Of course, all that power makes them points of intense interest for black-hat attackers and more civic-minded security researchers, albeit for very different reasons. While different technological advancements (biometric thumb and eye scanners, wearable secondary gadgets like Android Wear,...


Securing the Silver Screen: Source Code in Movies

During Veracode’s Hackathon last year I wanted to answer this question: How secure are the applications that we see in those movie scenes when the source code is scrolling by on an actor’s computer? In the spirit of the Hackathon, where projects range from baking to backdoor detection, I set off. I collected screenshots from four TV shows or movies that featured source code. I found, via the attribution (link: http://moviecode.tumblr.com/), which application that code was from. And then I scanned the application using the Veracode static platform. The results were put together in a short...

