Posted by Brandon Creighton in RESEARCH, April 30, 2012 |
In iOS 5.0, the call to retrieve the device-specific unique identifier (“UDID”) of an iOS device — specifically, the accessor to UIDevice’s uniqueIdentifier property — was officially marked as deprecated. This probably wasn’t much of a surprise to anyone involved in mobile privacy and application development. For over a year, researchers have been pointing out numerous instances in which popular mobile applications exfiltrate device-specific data to remote sites, sometimes without encryption. This often includes the UDID, but also can include the device’s model information (or more personal data, like address book information). Some examples of this research are
Posted by Zack Cronin in ALL THINGS SECURITY, April 27, 2012 |
It's Friday, and time for our weekly news roundup!
Dan Geer at SOURCE Boston. Before we begin, I came across a very interesting talk I’d like to share with you – Dan Geer’s keynote at SOURCE Boston 2012. I was not there myself, but I read Dan’s script posted here. Geer’s talk was impressive, a must-read for anyone who uses the Internet! Among the many quote-worthy gems in his talk – “The Internet will never be free as it is this morning”.
Fergal Glynn on Threatpost. Additionally, threatpost is featuring a multi-part series of …
Posted by Fergal Glynn in ALL THINGS SECURITY, April 26, 2012 |
We are extremely excited to announce that the Veracode Platform has been chosen as SC Magazine’s Information Security Product of the Year. The award was in recognition of the company’s innovative Veracode Platform and the significant business and technical advantages it has brought to companies investing in the technology.
The SC Awards are widely recognized as the most coveted and prestigious awards for the European information security industry; they honor companies working to secure enterprises, and the vendor and channel communities that deliver innovative security technologies. SC Magazine editors handpicked a panel of judges who hold experience as end users, …
Posted by Fergal Glynn in ALL THINGS SECURITY, April 25, 2012 |
Every vibrant technology marketplace needs an unbiased source of information on best practices as well as an active body advocating open standards. In the Application Security space, one of those groups is the Open Web Application Security Project (or OWASP for short).
OWASP operates as a non-profit and is not affiliated with any technology company, which means it is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security. All of its articles, …
Posted by Niru Raghavan in ALL THINGS SECURITY, April 24, 2012 |
Today Veracode released a special supplement to the Veracode State of Software Security report, “Study of Software Related Cybersecurity Risks in Public Companies.”
This feature supplement homes in particularly on the vulnerabilities in the software applications of publicly traded companies, following new SEC guidance issued in the US last year relating to the disclosure of cybersecurity risks in company filings.
According to Chris Wysopal, CTO and Co-Founder of Veracode, “Companies can put all of the other cybersecurity controls in place but if there are application weaknesses, hackers have the will and time to find and exploit them. The issue …
Posted by Nate Lord in ALL THINGS SECURITY, April 20, 2012 |
Happy Friday readers! There was certainly no shortage in security news this week, here are our picks for the top headlines:
Mac OS X Malware: “Mac OS X Pummeled By Yet Another Trojan” by Stefanie Hoffman (@FortiGuardLabs). This post from the Fortinet blog covers a huge topic from this past week’s headlines – Mac OS X Trojan “SabPub.” The recently-discovered Trojan has been attacking Mac users by creating a backdoor that it uses to run malicious commands on host machines. This is the second major Mac Trojan to make headlines in 2012, the first being the Flashback …
Posted by Niru Raghavan in ALL THINGS SECURITY, April 19, 2012 |
SOURCE conference 2012 is happening in Boston right now! The keynote for this year’s conference came from Josh Corman and Jericho. Among other talks, the first day also featured Veracode’s Shyama Rose, who presented on “Successful Application Security Programs in an Uncertain Landscape”.
To view a list of Veracode speakers at the conference, click here.
The keynote for Day 2 was from Dan Geer, CISO of In-Q-Tel. His keynote generated a lot of interest in the Twittersphere from the conference attendees. In his talk, Geer focused on the Internet and critical infrastructure. Click …
Posted by Niru Raghavan in ALL THINGS SECURITY, April 18, 2012 |
At RSA this year, Howard Anderson, News Editor for the Information Security Media Group interviewed Chris Wysopal, Veracode CISO and Co-Founder. In the interview, Chris talked about application security, the future of AppSec, and what he believes to be the next major hot topic in this space. Chris also outlined why organizations now need their comprehensive data leakage protection programs to include application security.
We also added in some key highlights of the interview.
Q: What do you think is the hot topic on the application security arena?
Chris: One of the things that I am really …
Posted by Niru Raghavan in ALL THINGS SECURITY, April 17, 2012 |
Veracode Marketing recently polled a list of InfoSec luminaries, asking them “What is the biggest mistake companies make with Application Security and how can they fix it?” We’re pleased to present the responses from a wide array of security experts including Bill Brenner of CSO Magazine, Andrew Hay of the 451 Group, Jack Daniel of Tenable Network Security and Veracode’s own Chris Wysopal. While all our experts have their unique perspectives, some common themes arose, including the basic idea of taking application security more seriously and committing to a programmatic approach vs. ad hoc manual testing. We want to thank …
Posted by Zack Cronin in ALL THINGS SECURITY, April 13, 2012 |
Happy Friday to all. Welcome to another edition of our Weekly News Roundup.
Dennis Fisher of Threatpost reports on a breach of the Medicaid and Child Health Insurance Plan in Utah which led to the leakage of personal information, including Social Security numbers, of 181,000 individuals. The intrusion occurred after the Utah Department of Technology Services was compromised by hackers who were able to steal 24,000 files. The attackers were able to gain access to the system by exploiting an error in the authentication system on one of the servers.
On a lighter note,
Posted by Niru Raghavan in ALL THINGS SECURITY, April 12, 2012 |
We are thrilled to announce that Veracode has secured an additional $30M in funding from Meritech Capital Partners and existing investors Atlas Venture, .406 Ventures and StarVest Partners.
“Our investment demonstrates our confidence in the market and is intended to accelerate Veracode’s already impressive growth,” said Rob Ward, Managing Director at Meritech Capital Partners. Some of Meritech’s other portfolio companies include Facebook, Zipcar, Imperva, Good, Vonage and Salesforce.com.
Two new key additions to the executive team are Ed Jennings, who joins Veracode as Executive Vice President of Sales, Marketing & Services, and Greg Nicastro who joins as …
Posted by Niru Raghavan in ALL THINGS SECURITY, April 11, 2012 |
Can’t security professionals and developers just get along?
Consider this: if the number one job of a security professional is to place a developer’s code under a microscope and highlight each and every flaw, you can appreciate why there may be some tension. The majority of solutions used by security professionals to test developer code only offer assessments of what they did wrong. Can we apply a different lens while having this conversation?
Recently we featured a webinar where Donna Durkin, CISO of Computershare, and Tim Jarrett, Director of Product Management, candidly discussed what works and doesn’t when …
Posted by Niru Raghavan in ALL THINGS SECURITY, April 10, 2012 |
threatpost is featuring a series of blog posts on Application Security by Veracoder Fergal Glynn. The first post in the series, “A CISO’s Guide to Defining Application Security – Part 1: Defining AppSec”, went live today.
In this post, Fergal defines Application Security or “AppSec” and lists key elements of the discipline. The post outlines the various development and deployment options available today which can potentially introduce security vulnerabilities into software, and the need for AppSec products to help manage security risk across all these options.
The next post in this series will examine …
Posted by Fergal Glynn in ALL THINGS SECURITY, April 10, 2012 |
Now and again we present short educational briefings on topics related to Application Security. Last time we discussed Data Breaches, read more here. Today I will present a brief overview of Buffer Overflows.
A buffer overflow is a common software coding mistake. In order to effectively mitigate buffer overflow vulnerabilities, it is important that you first understand what buffer overflows are, what dangers they pose to your applications, and what techniques attackers use to successfully exploit these vulnerabilities.
A buffer is a sequential section of memory allocated to contain anything from a character string to an array …
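As an added illustration for this briefing (example code written for this page, not part of the original post), the C program below places a fixed-size buffer directly in front of a privilege flag, copies into it once without any bound and once with the destination size enforced, and shows what the difference does to the neighbouring field. The `struct session` layout, the function names and the inputs are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a fixed-size string buffer sits directly in front of
   a privilege flag. C keeps members in declaration order; main() checks
   that no padding separates these two before demonstrating the spill. */
struct session {
    char user[16];
    int  is_admin;
};

/* Vulnerable: copies src up to its NUL terminator without ever consulting
   the size of the destination. A src of 16 or more characters writes past
   user[] into is_admin, and a longer one past the end of the struct. */
void set_user_unchecked(struct session *s, const char *src)
{
    size_t i = 0;
    while (src[i] != '\0') {   /* nothing bounds i by sizeof s->user */
        s->user[i] = src[i];
        i++;
    }
    s->user[i] = '\0';
}

/* Hardened: the copy is bounded by the destination size, the result is
   always NUL-terminated, and oversized input is rejected rather than
   silently truncated. Returns 0 on success, -1 if src does not fit. */
int set_user_checked(struct session *s, const char *src)
{
    size_t cap = sizeof s->user;              /* 16 bytes, one for the NUL */
    const char *nul = memchr(src, '\0', cap); /* reads at most cap bytes */
    size_t len = nul ? (size_t)(nul - src) : cap;
    if (len >= cap)
        return -1;                            /* 16+ characters cannot fit */
    memcpy(s->user, src, len);
    s->user[len] = '\0';
    return 0;
}

/* Reads is_admin through a byte copy so the demonstration reports what is
   actually in memory rather than a value the compiler may have cached. */
int admin_flag_in_memory(const struct session *s)
{
    int flag;
    memcpy(&flag, (const unsigned char *)s + offsetof(struct session, is_admin),
           sizeof flag);
    return flag;
}

/* Helpers for exercising the checked copy on a zeroed record. */
int checked_status(const char *src)
{
    struct session s;
    memset(&s, 0, sizeof s);
    return set_user_checked(&s, src);
}

int checked_user_len(const char *src)
{
    struct session s;
    memset(&s, 0, sizeof s);
    if (set_user_checked(&s, src) != 0)
        return -1;
    return (int)strlen(s.user);
}

int main(void)
{
    /* Constructed inputs: 15 characters fit in user[16]; 19 do not. */
    const char *fits = "AAAAAAAAAAAAAAA";
    const char *too_long = "AAAAAAAAAAAAAAAAAAA";
    struct session s;

    if (offsetof(struct session, is_admin) != sizeof s.user) {
        puts("unexpected padding between fields; demonstration skipped");
        return 0;
    }

    memset(&s, 0, sizeof s);
    set_user_unchecked(&s, fits);
    printf("unchecked, 15 chars: is_admin = %d\n", admin_flag_in_memory(&s));

    /* Undefined behaviour as far as the language is concerned; on a typical
       little-endian build the three bytes that spill over leave is_admin
       holding 0x414141, i.e. the record is now "privileged". */
    memset(&s, 0, sizeof s);
    set_user_unchecked(&s, too_long);
    printf("unchecked, 19 chars: is_admin = 0x%x\n", admin_flag_in_memory(&s));

    memset(&s, 0, sizeof s);
    int rc = set_user_checked(&s, too_long);
    printf("checked,   19 chars: rc = %d, is_admin = %d\n", rc,
           admin_flag_in_memory(&s));
    return 0;
}
```

The hardened version rejects input that does not fit rather than truncating it, because silent truncation is itself a frequent source of bugs (two distinct inputs collapsing to the same stored value); whether rejection or truncation is right depends on the application, but the bound on the copy is not negotiable.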
Posted by Nate Lord in ALL THINGS SECURITY, April 6, 2012 |
Happy Friday! Here’s what was big in cyber security headlines this week. Enjoy!
Global Payments breach: “Up to 1.5 million Visa, MasterCard credit card numbers stolen” by Emil Protalinski (@EmilProtalinski). In this blog post Emil Protalinski details the recent security breach against Global Payments, a major payment processing company. It was announced last Friday that Global Payments had suffered a security breach affecting Visa and MasterCard customers in North America. It has been determined that as many as 1.5 million credit card numbers were stolen in the breach, although the company has assured Visa and MasterCard customers …