Veracode Recognized as a Leader in the Magic Quadrant for Static Application Security Testing

The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leaders' position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the Veracode team has been able to accomplish as a 4.5-year-old company. To get our service to the performance level where it is today has taken many hard-earned lessons. These were learned satisfying the application security testing needs for some of the biggest and most sophisticated...

Mobile App Top 10 List

The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent. Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general-purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. Mobile devices are...

Veracode Research Team Gives 5 Predictions for 2011

As we close out a security-eventful 2010, the Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe have a very good chance of coming true.

1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer. Sandboxing can prevent the exploitation of coding errors by preventing code running inside the sandbox from interacting with the operating system. Software companies with apps that are designed to render data and interpret script code downloaded from the Internet start to adopt...

Whitepaper: A Dose of Reality on Automated Static-Dynamic Hybrid Analysis

As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. In the realm of automated web application testing, today’s technologies fall into one of two categories, Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST). SAST analyzes...

How to Become an Information Security Thought Leader

I created this video for an internal Veracode video contest. It's intended to poke fun at the abundance of "thought leaders" we have in our industry. I shared it on Twitter yesterday but thought I would post here on the blog as well. A handful of people have asked if it's meant to satirize any particular person -- sorry to disappoint, it's just a composite. Enjoy!

Squashing Ants: The Dynamics of XSS Remediation

Is anyone else getting tired of hearing excuses from customers -- and worse yet, the security community itself -- about how hard it is to fix cross-site scripting (XSS) vulnerabilities? Oh, come on. Fixing XSS is like squashing ants, but some would have you believe it's more like slaying dragons. I haven't felt inspired to write a blog post in a while, but every once in a while, 140 characters just isn't enough. Grab your cup of coffee, because I may get a little rambly.

Easy to Fix vs. Easy to Eradicate

Let's start with some terminology to make sure we're all on the same page. Sometimes...

More Vulnerabilities Discovered in Siemens Software

When the Stuxnet worm that attacks Siemens SIMATIC systems was first discovered and made public, one of the first vulnerabilities found in the software was a hard-coded password. This allowed Stuxnet to steal project information from databases used by Siemens SIMATIC systems. Symantec researchers have found another vulnerability which allows Stuxnet to spread via project files used by the SIMATIC system, known as STEP7 projects. Stuxnet uses a variation of Insecure Library Loading or "Binary Planting", which became news in late August but has been known about for a long time. What...

The Sparsely Attended Sept 12, 2001 Hearing: "How Secure Is Our Critical Infrastructure?"

A little over a week ago it was the 9th anniversary of the 9-11 attack against the US. The following day, September 12th, 2001, I was scheduled to testify before the US Senate Committee on Governmental Affairs for a hearing titled, "How Secure is Our Critical Infrastructure?" The hearing went on but no one outside of DC was able to get there in time. The following is the written testimony we submitted. We talked about: the security of commercial software; one of the first botnets; the threat of consumer devices entering corporate environments; application security. All are still major...

Deadly Combo: Zero Day Application Vulnerability + OS Vulnerability = Attacker Win

The recent Siemens WinCC SCADA targeted malware packages a zero-day application vulnerability with a zero-day OS vulnerability. The OS vulnerability in Windows creates a worm capability to get to the target, and once on the target the application vulnerability allows compromise of the application's data. The vulnerabilities are used in stages:

Stage 1: Use a Windows OS vulnerability for wormable spread. This is the zero-day .LNK file attack.

Stage 2: If the malware lands on a computer running Siemens WinCC software, it uses an application vulnerability to access the database containing...

Website Vulnerability Research and Disclosure

Vulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions against vulnerability researchers in “Computer Experts Face Backlash”. The AT&T website vulnerability is part of a growing new trend for vulnerability disclosures. As software and services move from traditional installed software to SaaS and into the...
