Top 20 Security Blogs

Veracode’s nomination for “Best Corporate Security Blog” at the 2012 Social Security Bloggers Awards got the Veracode Marketing team thinking about the other great information security blogs we follow. The Marketing team thought it would be fun to compile a list of what we think are the best 20 information security blogs.

We used a very scientific process to compile this list. Inputs included – quality of blog content (from both a technical and an entertainment standpoint), level of authority of contributors, frequency of updates, overall appearance and our own subjectivity :)

All the team members weighed in, and …

Making Assumptions – a common but dangerous programming practice

As an application security analyst, one of my responsibilities is studying commonly made (and easily preventable) programming mistakes that create security risks. In my experience, some of the most common flaws come from improper validation of data read from files. In most cases the programmer has had SOME foresight, and it is rare to see data from a file used with NO verification (although it does happen occasionally). The problem, though, is that the check usually only ensures the overall length of the data, and due to the wide variety of uses for data …
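The point the excerpt makes, that checking only the overall length of a file is not validation, as an added example that is not part of the original post or of Veracode's code. It parses a small hypothetical record format constructed here for illustration: `length_only_check` is the kind of check the post describes, and `parse_record` additionally checks every inner length against both the bytes remaining in the source and the size of the destination field before using it. The format, the sample inputs and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record format, constructed for this example:
 *   u32 LE total length (header included), u8 entry count,
 *   then per entry: u8 name length, name bytes, u16 LE value. */
#define MAX_ENTRIES 8
#define MAX_NAME    16

struct entry {
    char     name[MAX_NAME + 1];
    uint16_t value;
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* The check the post describes: only the overall length is verified.
 * Input can pass this and still carry an inner length that points past
 * the end of the buffer or past a fixed-size destination field. */
int length_only_check(const uint8_t *buf, size_t n)
{
    if (n < 4) return 0;
    uint32_t total = rd32(buf);
    return total >= 5 && total <= n;
}

/* Per-field validation: every length taken from the file is checked
 * against the bytes remaining in the source and the size of the
 * destination before it is used. Returns the entry count, or -1. */
int parse_record(const uint8_t *buf, size_t n, struct entry *out, size_t max_out)
{
    if (!length_only_check(buf, n)) return -1;
    size_t total = rd32(buf);      /* <= n, so offsets below total are in bounds */
    size_t pos = 4;
    unsigned count = buf[pos++];   /* total >= 5 guarantees this byte exists */
    if (count > max_out) return -1;

    for (unsigned i = 0; i < count; i++) {
        if (total - pos < 1) return -1;        /* name-length byte present? */
        size_t nlen = buf[pos++];
        if (nlen > MAX_NAME) return -1;        /* fits the destination      */
        if (nlen > total - pos) return -1;     /* fits the source           */
        memcpy(out[i].name, buf + pos, nlen);
        out[i].name[nlen] = '\0';
        pos += nlen;
        if (total - pos < 2) return -1;        /* value field present?      */
        out[i].value = rd16(buf + pos);
        pos += 2;
    }
    return pos == total ? (int)count : -1;     /* no trailing bytes allowed */
}

/* Constructed sample inputs. */
static const uint8_t good_record[] = {
    16, 0, 0, 0, 2,                   /* total = 16, two entries */
    3, 'f', 'o', 'o', 0x34, 0x12,     /* "foo" = 0x1234 */
    2, 'h', 'i', 0x01, 0x00           /* "hi"  = 1 */
};
/* Passes the length-only check (8 bytes, claims 8) but the name length
 * says 200: a parser trusting it would copy 200 bytes out of an 8-byte
 * buffer into a 17-byte field. */
static const uint8_t bad_inner_length[]    = { 8, 0, 0, 0, 1, 200, 'x', 'y' };
/* Name fits, but the 2-byte value field that must follow is missing. */
static const uint8_t bad_truncated_value[] = { 8, 0, 0, 0, 1, 2, 'x', 'y' };

struct entry parsed[MAX_ENTRIES];

int demo_parse_good(void)
{ return parse_record(good_record, sizeof good_record, parsed, MAX_ENTRIES); }
int demo_parse_bad_inner(void)
{ return parse_record(bad_inner_length, sizeof bad_inner_length, parsed, MAX_ENTRIES); }
int demo_parse_bad_truncated(void)
{ return parse_record(bad_truncated_value, sizeof bad_truncated_value, parsed, MAX_ENTRIES); }

int main(void)
{
    int n = demo_parse_good();
    for (int i = 0; i < n; i++)
        printf("%s = %d\n", parsed[i].name, parsed[i].value);
    printf("bad input: length-only check %d, full parse %d\n",
           length_only_check(bad_inner_length, sizeof bad_inner_length),
           demo_parse_bad_inner());
    return 0;
}
```

The two malformed inputs both satisfy the length-only check; only the per-field checks reject them. The invariant `pos <= total <= n` is re-established before every read, so the subtractions `total - pos` cannot underflow and no offset derived from the file is ever used without being compared against what actually remains.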

Finding the Veracode Research Team at RSA

We’re all getting ready for the yearly RSA pilgrimage. I thought I’d put together a quick post on where you can find Veracode founders and members of the Veracode Research team out at RSA. We’re looking forward to some great conversations and networking.

Conference Presentations

Weekly News Roundup

Happy Friday! It may have been a short week, but there was no shortage of big news in the security world.

However, before we delve into this week’s big news in the security world, I’d like to give a shout out to Veracode developer and blogger Mark Kriegsman, whose blog post on the utility he developed, AdiOS, has been making the rounds in the blogosphere and Twitterverse. AdiOS is a free utility that lets iOS users quickly scan the apps they’ve downloaded to see which have access to their complete address book. After downloading the utility, users can see …

How To Build An Appsec Training Program for Development Teams: A Conversation with Fred Pinkett


Recently, Veracode’s Jim Lynch and Fred Pinkett, VP of Product Management at Security Innovation, discussed key strategies that organizations need to adopt in order to implement a formalized Application Security Training program for development teams. The well-attended webinar generated a number of questions from attendees. The following are some highlights of the Q&A at the end of the discussion.

Weekly News Roundup

It’s finally Friday and the start to a long weekend! Here are this week’s hot security topics, as reported by our esteemed peers in the industry:

Applications uploading data from your iPhone’s address book without permission: “iOS apps and the address book: who has your data and how they’re getting it,” a great article by Dieter Bohn details the source of the problem and how you can detect it yourself. It also includes a list of some of the other offenders that may surprise you as well as an ongoing conversation of over 150 comments.

Our very …

AdiOS: Say Goodbye to Nosy iPhone Apps

Veracoder Mark Kriegsman created a free utility, called AdiOS, that lets iOS users quickly scan the apps they’ve downloaded to see which have access to their complete address book. Read about the utility and download it to see which of your apps can reach your address book data.

The New EU Data Regulations – What Companies Need to Consider

January 25th, 2012 saw the announcement of proposed new data protection regulations for the European Union (EU), the idea being to ‘upgrade’ the rules to the challenges of a new world. The previous Data Protection Directive (95/46/EC) had been implemented in 1995 and didn’t reflect the data ownership and distribution model that exists today: cloud storage concerns, jurisdictional issues, and the sheer volume of information that now exists on each business and individual.

Viviane Reding, the EU Justice Commissioner, had the unenviable task of updating this historic law and making it ‘fit for purpose’ for modern business concerns; the first results can …

The Benefits of Closed Loop Development

“On January 31, Veracode released our first platform update of 2012, including new scans for iOS, improved eLearning progress tracking and reporting, additional API methods, and better communication of expected turnaround times for applications.”

That was the headline of the release announcement that went out to our opted-in Veracode users about two weeks ago, and it does a pretty good job of summing up what was in the release. But I thought it might be interesting to lift the lid a little bit and talk about some of …

Weekly News Roundup

As most of the folks who work at Veracode know, I’m brand new to the IT security space. I’ve been in start-ups most of my career and I’ve touched many industry verticals, but this is my first foray into security. I’m not sure if it was a complete coincidence, but from the moment my initial discussions began with Veracode I started to hear about breaches almost every day. Our new CEO, Bob Brennan, and I discussed this phenomenon the other day. He’s only been at the company for ten weeks, and he too attested to suffering from this …

The Sad Story of Mr. Fails!

As you know, we love Security Testing! But there is a whole other world of software testing out there – functional, black box, white box, integration, unit, you know what I mean… One of my favorite resources on software testing is the Software Testing Club. They have a great blog, a quarterly printed publication called THE TESTING PLANET (Chris Wysopal was featured in the last iteration), and a very active community.


Introducing Mr Fails

I recently came across a very entertaining Software Testing …

A Tale of Two Market Sizes

According to market researcher DataMonitor, the global software market is forecast to reach a value of $299.1 billion in 2014, an increase of 32.6% since 2009. According to them, the computer software market consists of systems and application software. Systems software comprises operating systems, network and database management and other systems software. Application software comprises general business productivity and home use applications, cross-industry and vertical market applications, and other application software. Let’s just take a moment to let the enormity of that number sink in: $299 billion is a big market!

Now, let’s examine another market. According …

FBI Gets Bitten by Operational Security

At corporations and government offices around the world a security failure happens every day. Employees forward confidential calendar events and messages to personal calendars and personal email accounts. This may make their jobs easier but it can put their companies at risk. A recent security incident involving the FBI can teach us something about corporate security.

Excerpts (indented below) from “Hackers Intercept FBI Call With U.K.”:

    The Federal Bureau of Investigation said cybercriminals hacked into a cybercrime conference call between its agents and law enforcement officials overseas.

    The 16-minute call was posted on the Internet on Friday. The hacker …

Weekly News Roundup

Welcome to our Weekly News Roundup. Read on to learn about the latest this week in the world of security, put together for you by our marketing team. Enjoy!

1. Android users potentially hit by malware attacks: Two possible Android attacks. One, according to Symantec, involves thirteen applications from three different developers that have been collecting data and performing tasks without the user’s knowledge (Millions Of Android Users Potentially Hit By New Malware Attack, by Oliver Haslam). The other is a bug unique to HTC smartphones that allows some applications to send the user’s Wi-Fi network …

Penny Wise, Pound Foolish – Avoiding Security Spend Pitfalls: A Conversation with Wendy Nather

If your organization had an unlimited budget to spend on your enterprise security program, in what areas would you focus investments? Application security? Mobile strategy? Web Application Firewalls?

Wendy Nather from the 451 Group and Veracode’s CTO Chris Wysopal presented the latest research on enterprise security spend, and discussed how to “make the case” for security initiatives in a recent webinar. This popular webinar also generated a large number of questions from attendees, and the highlights of the Q&A session are posted below. You can access a full recording of the webinar here.

For those of you …
