Secure Development Awards: Q&A With the Winners

Earlier today we announced the winners of our first ever Secure Development Awards. For those who haven’t heard of our new awards, this quote from our Co-Founder Chris Wysopal sums it up nicely: “We’ve created this award to recognize developers’ successes in properly implementing security features during the software development lifecycle…” Read more about our Secure Development Award winners!

Black Hat 2012: Best Giveaways and Booths

Veracode’s remedy for the Application Security headache is in full swing at the Black Hat Conference. Swing by the booth (#229) and you can pick up an “I <3 Binaries” t-shirt, some Veracode Vitamins, a Water Bottle, or a chance to win $1,000. But we aren’t the only great booth here at Black Hat this year; quite a few security vendors have gone all out to create great themes and fun giveaways. See our picks!

Christien Rioux: Speaking at Black Hat Briefings USA 2012

I’ll be speaking at Black Hat Briefings in Las Vegas this year, on “Lessons Of Static Binary Analysis”. The talk will be a two hour intensive workshop covering the details of binary transformation that make Veracode possible.

The topics will range from an introduction to decompilation theory, to the details of how to build an effective intermediate structural model. We’ll be covering control flow and data flow analysis and transformation, and you’ll come away from the talk with an understanding of how variable lifetimes are assessed, procedure arguments and returns discovered, and how to determine the targets of indirect jumps and …

Veracode Research at BlackHat 2012

It’s that time of year again.

Veracode’s security research team and our Chief Scientist will be at the Vegas cons in force this year engaging in the usual roguery.

Here’s where to see us speaking:

  • Christien Rioux, “Lessons of Binary Analysis”, BlackHat, July 26, 10:15am
  • Zach Lanier and Andrew Reiter, “Mapping and Evolution of Android Permissions”, BlackHat, July 26, 2:15pm
  • Chris Lytle, “Puzzle Competitions and You”, B-Sides Las Vegas, July 25, 4pm

We’ll also have a booth (#229) for the first time. Here’s when you can stop by and speak with members of the research team, assuming you don’t bump into them in the …

AppSec Weekly News Roundup 7/23/2012

This roundup for the week of July 20th features a post on cyber threats by Barack Obama, a new malware named Messiah targeting Iran and Israel, BYOD best security practices, a huge growth in online identity theft and some lessons learned from the recent Yahoo hack! See what you missed this week in application security news.

How Sally Got Owned: An Illustrated Example of How Piracy Can Endanger Your Mobile Device

Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but there was a lot of confusion about how it could possibly work and whether it was safe.

The particular person who published the instructions added a note to remember not to type in …

Competitive Puzzles at BSides Las Vegas 2012 – Chat with Veracoder Chris Lytle

Veracode Researcher Chris Lytle is presenting a talk on Competitive Puzzles at BSides Las Vegas this month. Newbies to the world of competitive puzzles will find valuable resources and tools in Chris’s talk that they can use to break into doing more complex puzzles. Learn more about competitive puzzling and read on!

Best Practices around Integrating Security into the SDLC

Secure coding is a challenge that every software company in the world faces. Even the largest companies that attract the best developers in the world (Read: Google, Facebook) have multiple instances of vulnerabilities in their code ranging from XSS to SQL injection to backdoors. So how can you integrate security into your SDLC?

Interview with Trey Ford – Black Hat 2012

If you’re a security professional, it’s very likely that you or folks you know are putting their last minute travel arrangements in place to go to Black Hat, the premier information security event happening during the week of July 21-26, 2012 in Las Vegas.

Weekly News Roundup 7/13/2012

The demand for security professionals is looking to surge: “Ease the Need for IT Security Pros by Writing More Secure Code” by Thor Olavsrud. Today there are about 2.2 million people working as information security professionals; that number is expected to almost double to 4.25 million by 2015, and that still may not be enough to meet the demand. So while finding a qualified IT security professional may be difficult, preventing breaches in the meantime isn’t. Hord Tipton, executive officer for security education and credentialing firm (ISC)2, says that executives need to make writing secure code

Buffer Overflow – The Many Flavors of AppSec

The end of the week is nearing again, which means it’s time for the final drink in our series “The Many Flavors of AppSec”. So far you have seen the Anonymous, AppSec in the Cloud, SQL Injection and The Veracoder cocktails. This week we present the Buffer Overflow.

Between You and Me, This Isn’t Private

When you tap your life’s details into the latest and greatest cloud-enabled mobile app, where does that information actually go? When you post on a website that claims you’re anonymous, are you really? Hey, did you read the privacy policy for any of those services you’re using? Do they even have a privacy policy?

In the rush to play with new online services – which, admittedly, are often awesome – it’s easy to forget that anyone with fifteen dollars in their pocket can rent a server to store your personal data in whatever haphazard way they want. It was only …

Implementing an Application Security Program in the Energy Industry

At Veracode, we help companies from various industries to secure their applications. This post is the first in a series where we share the knowledge gained from working across a diverse set of industries.

What is Cross-Site Scripting?

This is the first part of a series of talks given by Veracode co-founder and VP of Research Chris Eng. In this video Chris explains what Cross-Site Scripting is and how it enables an attacker to inject client-side script into web pages viewed by other users. The video can be viewed below. We have also transcribed the talk for your convenience.

Cross-Site Scripting (XSS) is a vulnerability that affects web applications and is characterized by an attacker being able to run arbitrary JavaScript code within the browser of the person that they are attacking. In a typical web …
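To make the definition above concrete, here is an added example (not part of Chris Eng’s talk or of any Veracode code) of a reflected XSS bug and its output-encoding fix. It assumes a hypothetical page that greets the visitor using a `name` query parameter; the attacker URL and the payload in it are constructed for the demonstration.

```javascript
// Added example, not from the original post: reflected XSS in a
// server-side HTML template and the output-encoding fix.
// Assumed scenario: a page greets the visitor using the ?name= query
// parameter, e.g. https://example.test/hello?name=Alice (hypothetical).

// Constructed attacker link: the victim clicks it, the server echoes
// the decoded parameter into the page, and the victim's browser runs it.
const ATTACK_URL =
  "https://example.test/hello?name=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";

function getNameParam(url) {
  return new URL(url).searchParams.get("name") || "";
}

// Vulnerable: untrusted input is concatenated straight into HTML, so the
// browser parses the attacker's <img onerror=...> as markup and executes
// the handler in the page's origin, with access to the victim's DOM.
function renderGreetingUnsafe(name) {
  return "<h1>Hello, " + name + "!</h1>";
}

// Fix: HTML-encode the five characters that can change the parsing
// context before placing untrusted data in element content or a
// quoted attribute value.
function escapeHtml(s) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
  };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderGreetingSafe(name) {
  return "<h1>Hello, " + escapeHtml(name) + "!</h1>";
}

// Crude check used only for this demonstration: does the rendered HTML
// contain any tag other than the <h1> wrapper the template itself wrote?
function containsInjectedTag(html) {
  return /<(?!\/?h1>)[a-z]/i.test(html);
}

// Runs the attacker URL through both renderers and reports whether the
// payload survived as markup.
function demo(url = ATTACK_URL) {
  const name = getNameParam(url);
  const unsafe = renderGreetingUnsafe(name);
  const safe = renderGreetingSafe(name);
  return {
    name,
    unsafe,
    safe,
    unsafeInjected: containsInjectedTag(unsafe), // true: script runs
    safeInjected: containsInjectedTag(safe),     // false: shown as text
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Encoding is context-specific: the escaping above is correct for element content and quoted attribute values, but data placed inside a JavaScript block, a URL, or a CSS property needs the encoding rules of that context instead.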

Weekly News Roundup

Hello and Happy Friday to all!

IT needs more simplicity: “CIOs In Search of IT Simplicity” by Kim Nash. Blame old technology, mergers and acquisitions, vital legacy systems, lack of standards, and costly consolidation and integration projects for the complex, convoluted, and difficult applications many organizations are using today. In order to reduce costs, boost agility, and increase security, CIOs are starting to make the simplification of their IT systems a priority. As companies are starting to realize that complexity causes insecurity, and with the ever increasing importance of cyber security, the importance of simplicity in IT systems is …

