Shellshock – what you need to know

News of the Bash Bug/Shellshock vulnerability is being widely covered since the Ars Technica article published yesterday afternoon. There is speculation that this bug is going to be more catastrophic than Heartbleed, and like the much publicized OpenSSL vulnerability, we won’t know the full extent of its impact for some time. There are still some major questions to be answered, but for now here is what we do know: While I expect we will find there are fewer public-facing programs with the Bash vulnerability than we found to be vulnerable to OpenSSL, the impact of exploiting this...

Misfeatures Strike Again

Bash – the Unix shell – came out when I was fourteen months old. It was a replacement for a similar program that came out eleven years before I was born. By the time I was learning to read, it’d already had years to mature and stabilize. The very first time I ever sat down at a Linux prompt, bash was fifteen years old. It’s now twenty-five. From my perspective, bash has always existed, and I have never given any thought to where it comes from or who maintains it. It’s just there. It’s also unfathomably complicated. It’s a utility; it’...

Don't Monkey Around: Why Ad-Hoc Testing Is a Hacker's Best Friend

Bottom line? Eighty percent of applications fail their first security test, putting companies and data at risk. Worse, most of these apps aren't developed in-house, meaning you don't always know what kind of code underlies basic functions, or how they retrieve their data. It's easy to point at cloud computing as the culprit behind increased risk, thinking that with so many new apps in development all the time, hackers gorge on choice and have their picks of enterprise-grade applications to compromise. In reality, however, the truth hits closer to home: while the cloud poses some...

A Guide to Static Testing of Web Apps: No Running Required

In the modern, fast-paced world of Agile software development, where an organization may have new or updated web apps released every few days or weeks, application security scans are sometimes delayed until the last part of the quality assurance (QA) phase. However, even if developers are versed in secure architectural design and threat modeling, security issues will sneak through the development phase — which is why static application security testing (SAST) should be used even at the earliest phase of the Software Development Life Cycle (SDLC). SAST in a Nutshell Static testing,...

Secure Agile Development: New Blog Series by Analyst Firm

Veracode is sponsoring new independent research on the topic of secure agile development – see below for a summary of the content, which will eventually be published as a complete white paper. The research is being conducted by Securosis, a small, well-respected analyst firm with strong ties to the security community. It will initially be published as a series of blog posts on which anyone can comment, following the firm’s Totally Transparent Research process which aims to maintain the firm’s objectivity while producing licensed research. The content is being written by...

Is Protecting Against SQL Injection (and Other Issues) Worth $2.6 Million?

It's not exactly earth-shattering news: businesses like having (and making!) money. And it's likely no surprise that many companies achieve that goal in part by handling their operational costs as efficiently as possible. Whether they're selling cheeseburgers or slinging software, close attention paid to the cost of doing business is a calling card of successful organizations. Unfortunately, this basic need for businesses to maximize profits comes at a price. Take, for instance, software security assessments: One IDG study found that 63% of enterprise-developed apps aren't...

The Globalization of Security Testing: A World of Good (Standards)

Surely and not-so-slowly, the concept of "internationality" is disappearing — at least in terms of the free exchange of information — and the tiny, expensive devices in our pockets and purses are leading the charge. For end users, the benefits of global information access are as obvious as they are numerous, especially thanks to apps such as Word Lens that can make you feel at home almost anywhere. But for developers facing international audiences for the first time, globalization brings a whole set of problems packed into a single, powerful word: standards. This is especially true where...

The Security Programs Disconnect: Why Does Enterprise-Wide AppSec Lag Behind?

Enterprises are using more apps than ever, many of which are cloud-based. That's according to a recent Forbes article, and — no surprise — this increased use comes with increased risk. Survey data found that 85 percent of all data uploaded went to apps that enabled file sharing, and, perhaps more worrisome, 81 percent of data downloaded came from apps with no encryption of at-rest data. It's no shock, then, to see a push from IT executives for enterprise-wide security programs that vet and review any app created, used or purchased by a company. And yet companies in both the United States...

Not Just a Buzzword: Achieving Security Awareness Across an Organization

There's a reason digital security and privacy concerns are more prevalent in the minds of end users than they've ever been. When your entire life is stored on a pocket-sized device designed to access other devices and networks, the thought of a stranger gaining access is horrifying. Personal photographs, bank accounts, private correspondences with friends and family — and all it takes is one person with the wrong intentions to take that info and do seriously bad stuff. In this world of third-party apps and extended permissions, the problem is that no one company providing apps or services...

Security Assessment, Speed — and the Death of Mutual Exclusivity

Maintaining focus is important, but priorities shift. Those seven words sum up a conflict as old as time in the world of software development, where sharpening focus in one area inevitably causes a need for improvement in another. If anything, it's a testament to the cyclical nature of development as a whole: Any change, from a shift in methodology to implementation of new technology, can cause problems (or benefits) bigger than the initial change was meant to fix. As an example, consider the increasing tensions between time to market and security assessment, two monumentally important...
