2011 Event Roundup

2011 has been a busy year for Veracode on the event circuit. The Veracode team has spoken at nearly 200 industry events this year. We racked up frequent flyer miles, collected a rainbow assortment of conference badges, and generally had fun presenting to all of you who attended the year's major (and minor) industry and government forums. Here are just a few highlights of our speaking opportunities this year…

RSA 2011

In the talk "Intelligence on the Intractable Problem of Insecure Software," Veracode's Sam King, vice president of strategy and product marketing, and Chris Wysopal shed light on...

Read More

The Thought Leader... One Year Later

When we last left our intrepid hero, he was embarking on a quest to become an information security thought leader. A year has passed; let's see how he's doing! Enjoy.

Read More

Is Code Quality Seasonal?

Congratulations to Fergal Glynn for having his first guest post placed on ThreatPost.com – see it here: http://threatpost.com/en_us/blogs/quality-coding-takes-break-holidays-why-122011 In this post Fergal asks whether developer code quality is seasonal. Fergal used the State of Software Security data set to analyze applications in early stages of the development life cycle. He examined application size and a roll-up of the total quantity of flaws per application to determine what he calls "flaw density". The results are interesting: January through September shows a relatively flat flaw density....

Read More

Veracode Hackathon!

For a few days after the 2011.6 Release, Veracode's Development & Research teams hosted our first ever Hackathon. It's been a productive year for us at Veracode, and after six product releases and a record number of applications scanned, we felt it was a great opportunity to see what creative ideas our team could come up with if they had a few days of free rein to code anything that excited them (you know, without us Product Managers telling them what to do). There's only one major rule: you can work on anything that interests you as long as you can demo it to everyone at...

Read More

Backdoors and Beyond

Backdoors! But wait, there's more... You recently heard our CTO, Chris Wysopal, discuss in his blog post the warnings issued by ICS-CERT on backdoors in a standard network module for control systems. The equipment in question is the Schneider Electric Quantum Ethernet Module. You can read more about the full warning here. Chris went on to discuss how this warning was consistent with what we observed in our recently released State of Software Security report, where we found that backdoors were present in 3% of software-vendor-developed code (Schneider's module being an example of this type of...

Read More

Is Personal Information Safe in the Cloud?

Those of you in the Boston area may have seen Veracode's very own Chris Eng (VP of Research) on the local CBS news Monday night. Chris is featured in a story about storing personal information in the cloud. Chris discusses best practices and advises users about operating and storing documents in the cloud. We think Chris did a great job! If you missed it, or are not in the Boston area, here is a chance to see Chris on TV. For those of you who are interested, I put together a sampling of other Veracode appearances on local and national news: http://www.veracode.com/videos

Read More

ICS-CERT Warns of Backdoors in Standard Network Module

ICS-CERT warns of backdoors in a standard network module for control systems. The equipment in question is the Schneider Electric Quantum Ethernet Module. Both static passwords and a remotely accessible debug service were found.

Backdoors in industrial control systems

These backdoor revelations in industrial control equipment are becoming frequent. Earlier this year Dillon Beresford found similar backdoor vulnerabilities in Siemens equipment. We find these types of vulnerabilities fairly often when we scan vendor code on behalf of our customers at Veracode. Our recent State of Software Security...

Read More

Why are False Positives a Costly Headache for Enterprises?

Hello World! I've recently joined Veracode as a product marketing manager. One of my responsibilities is to respond to customer questions about Veracode, what we do and why we do it. So I thought it would be a good idea to blog about some of the common and/or recent questions I've been getting. So here goes the first one: Why are false positives a costly headache for enterprises? The short answer is: because the development team has to spend time, expensive time that they can't afford to waste, figuring out that they don't need to fix those flaws. The long answer takes some explaining. For those of...

Read More

The SoSS is Bitter

Veracode recently published the 4th Volume of our State of Software Security report or SOSS as we affectionately call it around here. We have been making SOSS since early 2010 and we serve up a new offering every six months. Our goal is simple – give a taste of the state of application security as we see it and make an earnest call to action to improve the status quo. The data is derived from the analysis of real-world applications processed on Veracode’s cloud platform. These applications come to us from many industries, supplier types (e.g. ISVs, outsourcers & open source) and...

Read More

About Veracode's December Platform Release

On Thursday night, Veracode released its sixth major platform update of 2011 (affectionately known as "2011.6"). I’d like to take the opportunity to walk through a few of the items in the release in detail and talk about how they make our customers' lives easier and their applications more secure. First, some introductions are in order, since this is the PM team’s first time posting on the Veracode blog. The Veracode product management team is responsible for the roadmap and user experience of the services that Veracode provides to its customers through the Veracode platform. The platform is...

Read More
