Network World has named Veracode to their 10 IT Security Companies to Watch. Sim Simeonov has some commentary on this is his blog.

Recently I got a message from Kelley Jackson Higgins of Dark Reading. She was looking for some comments on Fortify Software’s new paper on “Cross Build Injection” or “XBI”. I had read the paper and, while I think the issues are real, the way they are framed they miss the big picture. So I figured I would partake in a little “XPI”, that’s “Cross Publicity Injection”, and take this opportunity to talk about the larger issue of accepting code into the build process. The Dark Reading article is here.

Whenever externally developed code of an …

XKCD has a funny web security theme today:

We were more than pleased to read a new report by John Pescatore of Gartner recommending that security managers adopt the use of the Common Vulnerability Scoring System (CVSS) to support more repeatable, fast-acting vulnerability management processes.

This recommendation backs up the decision made by our CTO, Chris Wysopal, more than a year ago to adopt the CVSS standard as a part of the Veracode rating system.

Another interesting recommendation in the report is: “Enterprieses should ensure that processes are in place to detect, assess, and manage each software vulnerability class.” You’ll need a combination of static, dynamic and …

Sometimes when you are deep in the forest looking at one branch of one tree, trying to reduce false negative rates for detecting a specific class of software vulnerability, it is useful to step back and look at the forest of what is going on in criminal hacking.

Today we were throwing some ideas around the office about hacking techniques we had seen reported. This got the discussion flowing towards extrapolating and using techniques in new areas. The following is a list of old and new.

Gaining network access

Popping open the TNI box outside someone’s house and running a phone …