Movember has been an entertaining, interesting and at times embarrassing month. From the looks we garnered around the office, in public, or from family, friends and loved ones, it is at times hard to justify the Moustache. This is all easily rectified once you inform the onlookers about the underlying cause, raising awareness for Prostate Cancer.
The security firm ReVuln found itself on the receiving end of some harsh criticism this month after it demonstrated several previously unknown holes in common industrial control platforms, then said it would not share the details of those holes with the vendors. As information about software vulnerabilities becomes more and more valuable, the question arises: who is to blame when software gets hacked, the researcher who exposes the weakness, or the developers who created it?
When the revolution comes, the first up against the firewall will be your business partners – along with every other third-party that provides you with software.
It used to be that you could call for more secure software from individual vendors – and Microsoft heeded that call, for example with its push for trustworthy computing, starting in 2002 – but today we’re more dependent on software than ever, and more interconnected than ever; we rise and fall by the security of our associates.
Having spent the last 10 years or so working with technology on a day-to-day basis, I thought I’d seen a good deal of “Woah, that is cool” moments. These moments range from just discovering modern-day technology (the fact that companies made billions on database software blew my much younger mind for about a week) to more niche discoveries (my first identified SQL Injection vulnerability was a doozie, and I didn’t even know it had a name until two years later!).
When we were kicking around ideas for a new SoSS supplement, I thought the vendor testing angle could be interesting. We had just launched our VAST program, so the topic made our marketing folks happy, but I also think the supply chain analogy is an interesting lens through which to view the security industry. We can think about the software supply chain as the vulnerability supply chain.
Nate Silver, the rock star statistician behind the New York Times FiveThirtyEight blog, became an unwilling player in the heated political rhetoric ahead of the Nov. 6 Presidential election. Silver covers politics and other news from the viewpoint of a statistician: putting the rhetoric and the political consultant’s alchemy aside to look at the numbers.
Our new SoSS Feature Supplement report found that 62% of vendor applications fail to comply with enterprise security policies upon first submission. This stat, more than any other in the report, demonstrates the need for an executive level mandate to secure the software supply chain.
Our latest SoSS release is a feature supplement; feature supplements allow us to extend our analysis to a variety of topical areas. This feature supplement focuses on the actual state of vendor application security testing programs currently being implemented by our enterprise customers.
What is Movember?
“Since its humble beginnings in Melbourne, Australia, Movember has grown to become a truly global movement inspiring more than 1.9 Million Mo Bros and Mo Sistas to participate with formal campaigns in Australia, New Zealand, the US, Canada, the UK, South Africa, Ireland, Finland, the Netherlands, Spain, Denmark, Norway, Belgium and the Czech Republic. In addition, Movember is aware of Mo Bros and Mo Sistas supporting the campaign and men’s health cause across the globe.
Tuesday’s Presidential election in the U.S. didn’t result in deadlocked vote counts, hanging chads or court challenges. But all the ingredients were there. First among them: a hackneyed and insecure vote collection system that fails to protect the integrity of votes.
Something unusual happened recently: I found an XSS problem in the web application controlling our security scans.
Let’s set the stage; I started using the Internet before it was called the Internet. I had some informal security training in college and graduate school, but when I started my first job my boss said “I’m going to make you a security expert.” I’ve used that security training, and kept learning more, in the jobs I’ve had in the thirty years since then.
I would like to share with you all the results of my scan and review of the Alexa Top 1,000,000 Sites’ HTTP response headers as they relate to security. I was mostly curious about which sites were using Content Security Policy (CSP), but ended up becoming more interested in all of the various modern-day security headers that sites specify. The results were pretty impressive and I certainly learned a lot from it.
California’s Attorney General issued a warning to mobile developers this week: come clean about what kinds of user data you collect – or else! It was a laudable act – especially in the face of federal government indifference. But more daylight may not make users any safer.