We have a rich history of running webinars at Veracode but it seems that recently we’ve been doing more in house and via partner channels. Going forward you’ll see a monthly update like this post detailing all our anticipated online events to hopefully make you aware of our webinars sooner and help you plan for attendance if you’re interested. Without further ado here’s the slate of webinars for the remainder of May!

I recently came across an interesting blog post by a team member at Acunetix that addressed a challenge many enterprises are facing when it comes to securing third-party components. This is a pretty hot topic in certain circles these days, and understandably so – studies have suggested that as many as 65% of an enterprise’s mission critical applications are developed externally. Additionally, Veracode research shows that a typical internally developed applications contains somewhere between 30% and 70% of externally developed code, indicating that even internally developed apps are utilizing code originating outside of their own walls.

Tomorrow Veracode co-founder and CTO/CISO Chris Wysopal, and Josh Corman co-founder of Rugged Software and Director of Security Intelligence at Akamai Technologies will be filming a video segment with Paul Roberts of The Security Ledger. The trio will be chatting about a variety of topics trending in the Appsec field including but not limited to; recent changes to the OWASP Top 10, security of third party software components, and industry culture.

The ISSC released its latest survey of information security pros, which found application security issues at the top of their list of security threats. Are we surprised?

Our entire Research team is in town this week for a round table catch up and this fun artist’s rendition of them materialized. Given that I haven’t personally met them all I was unable to identify a few of them by these cartoons. I figured I’d turn to our trusty community to help me out, comment below if you you think you know an avatar’s human counterpart with the number next to them and their full name.

A developer’s main goal usually doesn’t include creating flawless, intrusion proof applications. In fact the goal is usually to create a working program as quickly as possible. Programmers aren’t security experts, and perhaps they shouldn’t be. But when 70% of applications failing to company with enterprise security standards (data from Veracode SoSS vol 5), it is clear more attention needs to be given to secure programming techniques.

Everyone has had that dreaded experience: you open up the task manager on your computer… and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger functionality. The icing on the cake, however, is when the mystery program is also eating up all your RAM.

The case of serial killer (and nurse) Charles Cullen shows that arcane application security issues like race conditions can literally be matters of life and death in the healthcare field.

UBM Tech Director of Content, Jonas Tichenor, interviews Evan Fromberg, Senior Director of Channel Sales and Business Development at Veracode. The interview hits the topics of enterprise application security, marketplace challenges in appsec and the partner program at Veracode. A transcript of the interview is available in the full post.

A survey of 3,500 developers by the firm Sonatype found that use of open source software is exploding in the application development community. Alas, much of it is unchecked, with few if any controls over what- or how components are being used.

Application security analytics at Veracode is “living in interesting times.” With each passing month, the data set is growing dramatically in both size and variety. An increasingly diverse set of organizations are submitting their applications for review. New programs such as VAST create usage patterns of Veracode’s services that reflect an evolving security supply chain. On top of this, Veracode’s platform for finding, classifying, and reporting discovered flaws continues to expand to address new challenges such as mobile apps, new vulnerability classes, new scanning technologies and revised policies for defining acceptable application software security. The challenge with all this newness is striking the right balance between keeping the analysis the same to track trends over time and developing new analysis to convey some new findings.

Business to business links with partners are a growing source of data breaches and security incidents in the healthcare field. Coming changes to regulations like HIPAA may bring more accountability.

Yesterday the Associated Press joined the pool of victims who can say they’ve suffered a hacked or stolen Twitter account. The highly publicized event saw the AP have it’s main Twitter account hacked (@AP) sometime in the afternoon and a tweet appeared around 1 p.m. reporting: “Breaking: Two Explosions in the White House and Barack Obama is injured.” As you can imagine the tweet set off a chain reaction of retweets and alarm even causing the Dow Jones to plunge nearly 143 points in only a 3 minute span following the breaking news.

The recently released Microsoft Security Intelligence Report shows that web-based propagation vectors have surpassed traditional malware propagation vectors as the largest threats to distributed network environments. While I agree with Microsoft’s assessment of the threat landscape, I don’t think this is anything new; it is just the current state of a long running trend.