Veracode’s Chris Wysopal Appointed to Black Hat’s Content Review Panel

We were very excited and honored to announce that our own CTO and Co-Founder, Chris Wysopal, had been appointed to the Black Hat Review Board, where he will advise Black Hat on its strategic direction, assist in reviewing and programming conference content, and provide extended reach into the research community. According to Trey Lord, General Manager of Black Hat, Chris’s appointment reflects his long-standing contributions to Black Hat as well as his stature as an influential subject matter expert in the industry. A prestigious group, the review board is comprised of 21 experts from many …

Interview with Dan Guido at SOURCE Boston 2012 – Part 2

In this second segment of the interview with Dan Guido, CEO and co-founder of Trail of Bits, Dan focuses on vulnerabilities in mobile devices, and shares the outcome of his research findings that he presented at SOURCE called “Mobile Exploit Intelligence Project”.

What is Data Integrity? Learn How to Ensure Database Data Integrity via Checks, Tests, & Best Practices

Data integrity is a fundamental component of information security. In its broadest use, “data integrity” refers to the accuracy and consistency of data stored in a database, data warehouse, data mart or other construct. The term – Data Integrity – can be used to describe a state, a process or a function – and is often used as a proxy for “data quality”.

Data with “integrity” is said to have a complete or whole structure. Data values are standardized according to a data model and/or data type. All characteristics of the data must be correct – including business rules, relations, dates, …

Weekly News Roundup

Happy Friday all! Make the day go by a little faster by taking some time out to catch up with a few highlights from this week’s news stories:

Twitter In The News: An interesting occurrence with Twitter this week was the supposed hack that resulted in the posting of over 50,000 user names and passwords online. An initial report by John Mello in PC World reported that “some of the accounts are duds created by robot programs.” Jay Alabaster said in a later article posted in ComputerWorld that, “None of the recently …

Interview with Dan Guido at SOURCE Boston 2012 – Part I

We recently sat down with Dan Guido, CEO and Co-Founder of Trail of Bits at SOURCE Boston 2012, to get his views on topics related to application security. In the first of a three part segment, Dan’s commentary focuses on vulnerabilities in general. You can watch the interview here.

Data Mining A Mountain of Zero Day Vulnerabilities – Webinar Q&A

With a goal of helping people understand the overall state of application security, Chris Wysopal, Veracode’s CTO and Co-Founder, recently gave a webinar, “Data Mining a Mountain of Zero-Day Vulnerabilities.” Chris examined the anonymized vulnerability data set produced by Veracode over the course of our analysis of thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers. This data set generated interesting observations about application security in various industry verticals, and common mistakes developers make when coding software.

The webinar enjoyed ample audience participation and response, including a …

Cybersecurity Risks in Public Companies Infographic

Following new SEC guidance issued in the US relating to disclosure of cybersecurity risks in company filings, public companies are beginning to be measured by regulators and investors on the strength of their cybersecurity solution and ability to protect intellectual property and customer data. This infographic looks at the state of software security in public companies, and shows why companies and investors alike should care.

Weekly News Roundup

TGIF! There was certainly a lot happening in the cybersecurity space this past week. Here are our picks for the top stories. Have a great weekend readers!

Also, if you would like to get an understanding of how to build and scale an Application Security program within your organization, check out Veracoder Fergal Glynn’s latest blog post on threatpost.

Enterprise Security Practices: “Latest wave of healthcare data breaches symptomatic of sloppy security practices” by Neil Roiter (@nroiter). In this Security Bistro blog post Neil Roiter takes a look at the current state of security in the …

Software Security: A Chief Financial Officer’s Perspective

I was having a chat with our CFO by the Keurig machine and he said something I thought was interesting – that one of the things the CFOs of public companies worry about the most is surprises. Surprise, you woke up today and found that 10% of the value of your company is gone because confidential customer information was made public. Surprise, the FTC is knocking on your door asking for a forensic security audit. Surprise, your largest investors are calling about the scope of the breach and what it will cost the company. Surprises like …

A Brief Field Guide to Post-UDID Unique IDs on iOS

In iOS 5.0, the call to retrieve the device-specific unique identifier (“UDID”) of an iOS device — specifically, the accessor to UIDevice’s uniqueIdentifier property — was officially marked as deprecated. This probably wasn’t much of a surprise to anyone involved in mobile privacy and application development. For over a year, researchers have been pointing out numerous instances in which popular mobile applications exfiltrate device-specific data to remote sites, sometimes without encryption. This often includes the UDID, but also can include the device’s model information (or more personal data, like address book information). Some examples of this research are

Weekly News Roundup

It’s Friday, and time for our weekly news roundup!

Dan Geer at Source Boston. Before we begin, I came across a very interesting talk I’d like to share with you – Dan Geer’s keynote at SOURCE Boston 2012. I was not there myself, but I read Dan’s script posted here. Geer’s talk was impressive, a must read for anyone that uses the Internet! Among the many quote-worthy gems in his talk – “The Internet will never be free as it is this morning”.

Fergal Glynn on Threatpost. Additionally, threatpost is featuring a multi-part series of …

Veracode Claims ‘Information Security Product of the Year’

We are extremely excited to announce that the Veracode Platform has been chosen as SC Magazine’s Information Security Product of the Year. The award was in recognition of the company’s innovative Veracode Platform and the significant business and technical advantages it has brought to companies investing in the technology.

The SC Awards are widely recognized as the most coveted and prestigious awards for the European information security industry; they honor companies working to secure enterprises, and the vendor and channel communities that deliver innovative security technologies. SC Magazine editors handpicked a panel of judges who hold experience as end users, …

What is OWASP? Guide to the OWASP Application Security Top 10

Every vibrant technology marketplace needs an unbiased source of information on best practices as well as an active body advocating open standards. In the Application Security space, one of those groups is the Open Web Application Security Project (or OWASP for short).

OWASP operates as a non-profit and is not affiliated with any technology company, which means it is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security. All of its articles, …

Veracode State of Software Security Report – Feature Supplement on Public Companies

Today Veracode released a special supplement to the Veracode State of Software Security report, “Study of Software Related Cybersecurity Risks in Public Companies.”

This feature supplement hones in particularly on the vulnerabilities in the software applications of publicly traded companies, following new SEC guidance issued in the US last year relating to disclosure of cybersecurity risks in company filings.

According to Chris Wysopal, CTO and Co-Founder of Veracode, “Companies can put all of the other cybersecurity controls in place but if there are application weaknesses, hackers have the will and time to find and exploit them. The issue …

Weekly News Roundup

Happy Friday, readers! There was certainly no shortage of security news this week; here are our picks for the top headlines:

Mac OS X Malware: “Mac OS X Pummeled By Yet Another Trojan” by Stefanie Hoffman (@FortiGuardLabs). This post from the Fortinet blog covers a huge topic from this past week’s headlines – Mac OS X Trojan “SabPub.” The recently-discovered Trojan has been attacking Mac users by creating a backdoor that it uses to run malicious commands on host machines. This is the second major Mac Trojan to make headlines in 2012, the first being the Flashback …
