2011 Event Roundup

2011 has been a busy year for Veracode on the event circuit. The Veracode team has spoken at nearly 200 industry events this year. We racked up frequent flyer miles, collected a rainbow assortment of conference badges, and generally had fun presenting to all of you that attended the year’s major (and minor) industry and government forums.

Here are just a few highlights of some of our speaking opps this year…

RSA 2011
In the talk “Intelligence on the Intractable Problem of Insecure Software” Veracode’s Sam King, vice president of strategy and product marketing, and …

The Thought Leader… One Year Later

When we last left our intrepid hero, he was embarking on a quest to become an information security thought leader. A year has passed; let’s see how he’s doing! Enjoy.

Is Code Quality Seasonal?

Congratulations to Fergal Glynn for having his first guest post placed on ThreatPost.com – see it here: http://threatpost.com/en_us/blogs/quality-coding-takes-break-holidays-why-122011

In this post Fergal asks whether developer code quality is seasonal. Fergal used the State of Software Security data set to analyze applications in early stages of the development life cycle. He examined application size and a roll-up of the total quantity of flaws per application to determine what he calls “flaw density”.

The results are interesting: January through September has a relatively flat flaw density. Then, there is a big bump in flaw density in …

Veracode Hackathon!

For a few days after the 2011.6 Release, Veracode’s Development & Research teams hosted our first-ever Hackathon. It’s been a productive year for us at Veracode, and after six product releases and a record number of applications scanned, we felt like it was a great opportunity for us to see what creative ideas our team could come up with if they had a few days of free rein to code anything that excited them (you know, without us Product Managers telling them what to do).
There’s only …

Backdoors and Beyond

Backdoors! But wait, there’s more…

You recently heard our CTO, Chris Wysopal, discuss in his blog post the warnings issued by ICS-CERT on backdoors in a standard network module for control systems. The type of equipment was the Schneider Electric Quantum Ethernet Module. You can read more about the full warning here. Chris went on to discuss how this warning was consistent with what we observed in our recently released State of Software Security report, where we found that backdoors were present in 3% of software vendor developed code (Schneider’s module being an example of this type …

Is Personal Information Safe in the Cloud?

Those of you in the Boston area may have seen Veracode’s very own Chris Eng (VP of Research) on the local CBS news Monday night. Chris is featured in a story about storing personal information in the cloud. Chris discusses best practices and advises users about operating and storing documents in the cloud. We think Chris did a great job! If you missed it, or are not in the Boston area, here is a chance to see Chris on TV.

For those of you interested, I put together a sampling of other Veracode appearances on …

ICS-CERT Warns of Backdoors in Standard Network Module

ICS-CERT warns of backdoors in a standard network module for control systems. The type of equipment is the Schneider Electric Quantum Ethernet Module. Both static passwords and a remotely accessible debug service were found.

Backdoors in industrial control systems

These backdoor revelations in industrial control equipment are becoming frequent. Earlier this year Dillon Beresford found similar backdoor vulnerabilities in Siemens equipment.

We find these types of vulnerabilities fairly often when we scan vendor code on behalf of our customers at Veracode. Our recent State of Software Security Report vol. 4 detailed the findings. We didn’t find …

Why are False Positives a Costly Headache for Enterprises?

Hello World!

I’ve recently joined Veracode as a product marketing manager. One of my responsibilities is to respond to customer questions about Veracode, what we do and why we do it. So I thought it would be a good idea to blog about some of the common and/or recent questions I’ve been getting. So here goes the first one:

Why are false positives a costly headache for enterprises?

The short answer is: because the development team has to spend time, expensive time that they can’t afford to waste, figuring out that they don’t need to fix those flaws. Long answer …

The SoSS is Bitter

Veracode recently published the 4th Volume of our State of Software Security report or SOSS as we affectionately call it around here. We have been making SOSS since early 2010 and we serve up a new offering every six months. Our goal is simple – give a taste of the state of application security as we see it and make an earnest call to action to improve the status quo. The data is derived from the analysis of real-world applications processed on Veracode’s cloud platform. These applications come to us from many industries, supplier types (e.g. ISVs, outsourcers …

About Veracode’s December Platform Release

On Thursday night, Veracode released its sixth major platform update of 2011 (affectionately known as “2011.6”). Read about a few of the items in the release in detail and learn about how they make our customers’ lives easier and their applications more secure.

Meet Veracode’s New CEO – Bob Brennan

We recently sat down with Veracode’s new CEO, Bob Brennan, to ask him some questions during his second week on the job. Bob discussed the importance of what Veracode does and how that was instrumental in his decision to join Veracode, and his views on building a productive work environment. He also answered some personal questions about his hobbies and the book he’s reading right now.

Veracode: You must have evaluated numerous other opportunities; what initially attracted you to Veracode?

Bob Brennan: Veracode is focused on making the world’s software more secure. This is a big idea, …

State of Software Security Report Launched Today!

Since our last report, the risks associated with vulnerable software deployed in enterprise environments have been highlighted in the news on nearly a weekly basis. The majority of reported breaches that exposed customer data or intellectual property were caused by attackers exploiting weaknesses in web applications or desktop software. We have also witnessed the rise of new attacker categories: cyber spies focused on stealing intellectual property, and hacktivists motivated by publicly embarrassing companies and individuals.

Essentially, if your organization has anything worth protecting—money, intellectual property or a trusted reputation—you need to be concerned about the security of the software that …

State of Software Security, Volume 4

Today we’re releasing Volume 4 of our semi-annual State of Software Security report. This edition incorporates data from 9,910 application builds (twice as many as last time) analyzed via our cloud-based platform over the past 18 months. In this edition, we also discuss how the threat landscape has evolved during 2011 and how we’ve adapted our analysis and evaluation criteria to account for those changes. Here are a few of the highlights:

Application security performance declines steeply when the current threat landscape is taken into account in the evaluation criteria
XSS and SQL injection affect a higher proportion …

HP Faces Class Action Lawsuit Over Printer Software Vulnerability

HP’s printer division is walking on the hot coals today, as the company has been named in a class action lawsuit.

The suit states that “HP Printers suffer from a design defect in the software (which is also sometimes referred to as ‘firmware’) that is resident on the HP Printers, which allows computer hackers to gain access to the network on which the HP Printers are connected, steal sensitive information, and even flood the HP Printers, themselves, with commands that are able to control the HP Printers and even cause physical damage to the HP Printers themselves.”

Despite a feature …

Welcome to the NEW Veracode Blog!

For the past 5 years Veracode has relied solely on our talented Research Team for blog content. During that time they’ve delivered some of the best research and commentary on application security existing on the web and in the blogosphere today. But our Research team is as busy as they are talented, so I thought it was about time we share the burden of great content creation at Veracode. The good news for our blog readers is that our company is full of really smart people who have a lot to say about security. So, beginning today you’ll …
