2011 Event Roundup

2011 has been a busy year for Veracode on the event circuit. The Veracode team has spoken at nearly 200 industry events this year. We racked up frequent flyer miles, collected a rainbow assortment of conference badges, and generally had fun presenting to all of you that attended the year’s major (and minor) industry and government forums.

Here are just a few highlights of some of our speaking opportunities this year…

RSA 2011
In the talk “Intelligence on the Intractable Problem of Insecure Software” Veracode’s Sam King, vice president of strategy and product marketing, and …

The Thought Leader… One Year Later

When we last left our intrepid hero, he was embarking on a quest to become an information security thought leader. A year has passed; let’s see how he’s doing! Enjoy.

Is Code Quality Seasonal?

Congratulations to Fergal Glynn for having his first guest post placed on ThreatPost.com – see it here: http://threatpost.com/en_us/blogs/quality-coding-takes-break-holidays-why-122011

In this post Fergal asks whether developer code quality is seasonal. Fergal used the State of Software Security data set to analyze applications in early stages of the development life cycle. He examined application size and a roll-up of the total quantity of flaws per application to determine what he calls “flaw density”.

The results are interesting: January through September has a relatively flat flaw density. Then, there is a big bump in flaw density in …

Veracode Hackathon!

For a few days after the 2011.6 Release, Veracode’s Development & Research teams hosted our first-ever Hackathon. It’s been a productive year for us at Veracode, and after six product releases and a record number of applications scanned, we felt like it was a great opportunity for us to see what creative ideas our team could come up with if they had a few days of free rein to code anything that excited them (you know, without us Product Managers telling them what to do).
There’s only …

Backdoors and Beyond

Backdoors! But wait, there’s more…

You recently heard our CTO, Chris Wysopal, discuss in his blog post the warnings issued by ICS-CERT on backdoors in a standard network module for control systems. The type of equipment was the Schneider Electric Quantum Ethernet Module. You can read more about the full warning here. Chris went on to discuss how this warning was consistent with what we observed in our recently released State of Software Security report, where we found that backdoors were present in 3% of software vendor developed code (Schneider’s module being an example of this type …

Is Personal Information Safe in the Cloud?

Those of you in the Boston area may have seen Veracode’s very own Chris Eng (VP of Research) on the local CBS news Monday night. Chris is featured in a story about storing personal information in the cloud. Chris discusses best practices and advises users about operating and storing documents in the cloud. We think Chris did a great job! If you missed it, or are not in the Boston area, here is a chance to see Chris on TV.

For those of you interested I put together a sampling of other Veracode appearances on …

ICS-CERT Warns of Backdoors in Standard Network Module

ICS-CERT warns of backdoors in a standard network module for control systems. The type of equipment is the Schneider Electric Quantum Ethernet Module. Both static passwords and a remotely accessible debug service were found.

Backdoors in industrial control systems

These backdoor revelations in industrial control equipment are becoming frequent. Earlier this year Dillon Beresford found similar backdoor vulnerabilities in Siemens equipment.

We find these types of vulnerabilities fairly often when we scan vendor code on behalf of our customers at Veracode. Our recent State of Software Security Report vol. 4 detailed the findings. We didn’t find …

Why are False Positives a Costly Headache for Enterprises?

Hello World!

I’ve recently joined Veracode as a product marketing manager. One of my responsibilities is to respond to customer questions about Veracode, what we do and why we do it. So I thought it would be a good idea to blog about some of the common and/or recent questions I’ve been getting. So here goes the first one:

Why are false positives a costly headache for enterprises?

The short answer is: because the development team has to spend time, expensive time that they can’t afford to waste, figuring out that they don’t need to fix those flaws. Long answer …

The SoSS is Bitter

Veracode recently published the 4th Volume of our State of Software Security report or SOSS as we affectionately call it around here. We have been making SOSS since early 2010 and we serve up a new offering every six months. Our goal is simple – give a taste of the state of application security as we see it and make an earnest call to action to improve the status quo. The data is derived from the analysis of real-world applications processed on Veracode’s cloud platform. These applications come to us from many industries, supplier types (e.g. ISVs, outsourcers …
