How Mobile Apps are Invading Your Privacy Infographic

Static Analysis: Following Along at Home with Hopper’s Decompiler Feature, Part 1

No source code? No problem! That’s the motto of the binary analyst.

We at Veracode have pushed the limits of static analysis (studying a program’s behavior without running it) to automatically detect and report security vulnerabilities in our customers’ codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical uses:

  • Uncovering the behavior of malware
  • Patching bugs in old, unsupported programs
  • Verifying a program does what it claims it does
  • Looking for evidence of stolen code
  • Reverse engineering protocols and file formats for product compatibility
  • Realizing just how much other people can learn about your own code!

Laws concerning reverse engineering third-party …

Whitepaper: “Broken Logic: Avoiding the Test Site Fallacy”

Web security scanners are one tool in the arsenal of any organization that takes security seriously. The ability of automation to rapidly test and verify that an application meets a reasonable standard of security is a key advantage. While manual testing can never be completely removed from the process, automated tools are critical in reducing the amount of time spent on repetitive tasks. In some cases, applications are so large that it is not possible for a single human to cover even a small portion of the application’s functionality.

Dynamic Application Security Testing (DAST) has become an integral part of the …

A CISO’s Guide to Application Security – Featured Series

Over the past several weeks, Veracode Director of Marketing Fergal Glynn has been authoring a series on application security for the security news blog Threatpost. Titled “A CISO’s Guide to Application Security,” the five-part series focuses on defining application security, outlining the elements of a comprehensive appsec program, educating about application and software related risks, determining the true cost of a data breach, and providing recommendations to CISOs for managing enterprise-level appsec. Now that the series has come to a conclusion, we have highlighted each post below along with links to the full articles.

Disclosures 2012: The Vulnerability of Publicly Traded Companies – Webinar Q&A Part 2

Sam King, Veracode’s EVP of Corporate Development, recently gave a webinar titled Disclosures 2012: The Vulnerability of Publicly Traded Companies. The webinar used Veracode’s Study of Software Related Cybersecurity Risks in Public Companies, a featured supplement to the State of Software Security Report. In the webinar, Sam examined risk management and disclosure practices for public companies dealing with security weaknesses at the software and application layer.

Free Wi-Fi: Friend or Foe? Infographic

Disclosures 2012: The Vulnerability of Publicly Traded Companies – Webinar Q&A Part 1

Sam King, Veracode’s EVP of Corporate Development, recently gave a webinar titled Disclosures 2012: The Vulnerability of Publicly Traded Companies. The webinar used Veracode’s Study of Software Related Cybersecurity Risks in Public Companies, a featured supplement to the State of Software Security Report. In the webinar, Sam examined risk management and disclosure practices for public companies dealing with security weaknesses at the software and application layer.

At the end of the webinar Sam opened the floor for questions from the audience. We have highlighted a few of these questions below. Stay tuned for a follow-up “Part …

Weekly News Roundup

Happy Friday all, and I hope everyone had a great week. Here are the top headlines from this past week in the security world. Enjoy!

Cyber Security Index: “Cyber Security Index Highlights Political Threats, Business Partner Risk” by Paul Roberts (@paulfroberts). This article from Threatpost looks at this year’s Index of Cyber Security score of 1292, which is 292 points higher than when it was introduced last April. The Index was created by Dan Geer and Mukul Pareek in an attempt to gauge the level of perceived cyber risk and concern based on surveys conducted amongst cyber …

Privacy and Confidentiality on the Eve of the Facebook IPO

Tonight is the last night that Facebook will be a privately held company. In the morning, Facebook shares will hit the market and there will be a feeding frenzy from investors worldwide. Stock buyers will put up somewhere near 16 billion (yes, with a “B”) dollars to own a portion of the social networking behemoth. However, the Veracode blog isn’t a stock trading or business blog, it’s a security blog. The real concern with Facebook for us security practitioners is a lack …

Interview with Dan Guido at SOURCE Boston 2012 – Part 3

In this, our third and final interview segment with Dan Guido, Co-Founder and CEO of Trail of Bits, Dan talks about how organizations should prepare to face security threats, and attack vectors that pose the greatest threat to enterprises today. Watch the interview.

Veracode’s Chris Wysopal Appointed to Black Hat’s Content Review Panel

We were very excited and honored to announce that our own CTO and Co-Founder, Chris Wysopal, had been appointed to the Black Hat Review Board, where he will advise Black Hat on its strategic direction, assist in reviewing and programming conference content, and provide extended reach into the research community. According to Trey Ford, General Manager of Black Hat, Chris’s appointment reflects his long-standing contributions to Black Hat as well as his stature as an influential subject matter expert in the industry. A prestigious group, the review board is made up of 21 experts from many …

Interview with Dan Guido at SOURCE Boston 2012 – Part 2

In this second segment of the interview with Dan Guido, CEO and co-founder of Trail of Bits, Dan focuses on vulnerabilities in mobile devices, and shares the outcome of his research findings that he presented at SOURCE called “Mobile Exploit Intelligence Project”.

What is Data Integrity? Learn How to Ensure Database Data Integrity via Checks, Tests, & Best Practices

Data integrity is a fundamental component of information security. In its broadest use, “data integrity” refers to the accuracy and consistency of data stored in a database, data warehouse, data mart or other construct. The term can describe a state, a process or a function, and it is often used as a proxy for “data quality”.

Data with “integrity” is said to have a complete or whole structure. Data values are standardized according to a data model and/or data type. All characteristics of the data must be correct – including business rules, relations, dates, …

Weekly News Roundup

Happy Friday all! Make the day go by a little faster by taking some time out to catch up with a few highlights from this week’s news stories:

Twitter In The News: An interesting occurrence with Twitter this week was the supposed hack that resulted in the posting of over 50,000 usernames and passwords online. An initial report by John Mello in PC World reported that “some of the accounts are duds created by robot programs.” Jay Alabaster said in a later article posted in ComputerWorld that, “None of the recently …

Interview with Dan Guido at SOURCE Boston 2012 – Part 1

We recently sat down with Dan Guido, CEO and Co-Founder of Trail of Bits, at SOURCE Boston 2012 to get his views on topics related to application security. In the first of a three-part series, Dan’s commentary focuses on vulnerabilities in general. You can watch the interview here.
