When In Rome (Or When At Caesars…)

It’s that time of year again… A time when all the most interesting people, ideas, concepts, and attacks are on display in Las Vegas. That’s right, we are talking about Blackhat USA and associated conferences. Every year about a week before conference time, all the security analysts, researchers, and talking heads begin to espouse their thoughts regarding which of the conference sessions will be the highlights of the week. Each person’s idea of what will be “the best talk of the week” is colored through his or her own biased lens. To this end, we asked some of our …

Call For Papers on Software Static Analysis

Call for Papers
IEEE Security & Privacy
Software Static Analysis

Abstract submissions due: 15 Aug. 2011
Final submissions due: 15 Sept. 2011
Publication date: May/June 2012

Secure and reliable software is hard to build, but the costs of failure are steep. Data breaches caused by attackers exploiting vulnerabilities in software made many headlines in 2011 and show no sign of abating. Sony, RSA Security, and PBS were compromised, their intellectual property stolen, and the privacy of their customers impacted; all due to vulnerabilities in software. Software reliability problems have led to bungled lotteries, medical device failures, …

THE Security Problem is Scale

Rich Mogull talks about real world IT security challenges today in his column, “Simple Isn’t Simple” in Dark Reading. I agree 100%. One of Rich’s points is that security has to scale or it doesn’t solve the real world problem. In most cases we know how to solve a security problem for a single instance of that problem; one SQL injection flaw in one app, for instance. The challenge is doing it at scale. If you can’t do it at scale, you don’t solve the problem for the business.

“We Don’t Sell It? Then It’s Not Important”

[UPDATE: Since there seems to be some confusion, the "We" in the title of this post is NOT "Veracode". The expression is a generic one intended to illustrate the attitude exhibited by many companies who like to downplay the value and/or effectiveness of technologies that they themselves do not sell. I can't believe I am having to explain this.]

Fair warning, this is a bit of a rant.

Back in my consulting days (early 2000, I’m getting old), we delighted in the fact that our web application penetration testing methodology didn’t rely on automated tools. This was completely true; …