Secure Coding Is Required When Attacks Are Inevitable

With everything on a CISO's plate, preventing and reacting to external attacks has usually been done on a contingency basis, with a reliance on existing security to keep hackers away and the hope that a directed attack doesn't occur. But today, a majority of security professionals expect their businesses will be hacked in the coming year. That means CISOs have to change their approaches to security, anticipating events rather than waiting to react to them. What's more, they have to understand the increased importance of secure coding for every aspect of their overall security...


Threat Profile: Cross-Site Request Forgery

What is Cross-Site Request Forgery (CSRF)? More importantly, how can your business take action against it? Here's everything you need to know about this threat, its potential impact and your best defense.

Cross-Site Basics

CSRF attacks are listed among the OWASP Top 10, but they are often overlooked in favor of Cross-Site Scripting (XSS) vulnerabilities, advanced malware or inherent software flaws that make headline news. But cross-site forgery problems can be just as devastating if they're not quickly identified and defeated. At their most basic level, CSRF attacks force end users to...


Is Executive Communication the New CISO Challenge?

CISOs play a critical role keeping a company's most critical asset — data — safe from both internal and external threats. But they're now tasked with the job of mastering executive communication, so they can both engage other C-suite members and give them a practical understanding of cybersecurity risk. As noted by CIO, "tension" between the CISO and other members of the C-suite, especially the CIO, isn't always a bad thing. It's all too easy for CISOs to retreat behind technology-driven language and obscure metrics while other board members look on,...


AngularJS Expression Security Internals

Introduction

As part of my research duties I tasked myself with becoming more familiar with the newer MVC frameworks, of which the most interesting was AngularJS. I wanted to share with everyone my process for analyzing the expression functionality built into AngularJS, as I feel it's a pretty interesting and unique code base. AngularJS exposes an expression language that exposes a limited set of JavaScript to an HTML template. These expressions are evaluated within an ng-app directive of an AngularJS application.

Expressions: What are AngularJS Expressions?

AngularJS Expressions are a...


Ignore At Your Own Peril: Popular Third-party Applications Can have Vulnerabilities Too

Adobe has issued emergency patches to address a critical vulnerability in Flash Player versions 16.0.0.287 and earlier for Windows and Macintosh systems. The vulnerability, CVE-2015-0311, has been exploited in the wild, via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below. The vulnerability can potentially allow attackers to take control of an affected system. The best course of action to mitigate the risk introduced by this vulnerability is to patch the application as soon as possible. We also recommend turning on the "right-...


Vendor Management: 5 Best Practices for Secure Applications

Third-party software can be problematic. Just ask American Airlines, which recently experienced an issue with its iPad-based electronic flight bags. A misconfiguration in third-party mapping software caused the devices to crash when pilots tried to access a specific map, in turn delaying flights and frustrating crew members. Thankfully, the issue wasn't malicious, but it does highlight the need for effective vendor management when it comes to rolling out enterprise-grade software. Based on a recent Veracode whitepaper, here are five best practices to help improve overall security and...


What is the State of Software Security in 2015?

A Look at Industry Benchmarks

Gartner estimates that enterprises spent $12 billion securing their network perimeters in 2014 — 20 times more ($600 million) than they spent on securing the application layer[1]. At the same time, the threat surface available to cyberattackers is continuously expanding as enterprises increasingly rely on web, mobile and cloud applications to drive their businesses. So it's not surprising that web application attacks remain one of the most frequent patterns in confirmed breaches and account for up to 35% of breaches in some industries, according to...


Cloud-Based Application Security: Bank on It?

Clouds are less secure. This is the long-held wisdom of cloud computing, the notion that goes bump in the night and keeps many companies from moving any or all of their data off local stacks. It comes with a host of anecdotal "evidence" to prove the point: Surely, cloud services must be less secure because they're "outside," beyond the benefit of in-house protection and testing. But what if the oft-repeated notion is wrong? What if cloud computing — and cloud-based application security — is actually more secure than staying on-site?

Bank on It?

According to...


Searching Third-Party Code (and Third-Party Vendors) for Red Flags

In some ways, dealing with problems caused by insecure third-party code is harder than resolving internal development issues. By default, you have less direct control over a vendor's actions when a security issue is discovered, making it difficult to ensure that the issue is remediated. There are additional enterprise-vendor relationships to navigate as well: sales teams, vendor executives, procurement teams and contract lawyers can all influence the level of risk your company absorbs from software vendors. Too often, absorbing this additional risk results in unwanted surprises. It's the reason...


The State of Malware and the Banking Trojan

It's no secret financial institutions are under constant attack. For online banking services, a banking Trojan is among the most aggressive cyberthreats. With a growing number of criminal crews using banking malware, financial institutions must adapt their security policies to protect their online customers — and their money.

Financial Trojans in 2014: The Good News

In March 2015, security experts at Symantec published a report on the evolution of financial Trojans in 2014. Researchers analyzed nine common banking Trojans between January and December of 2014. They found the number...
