Our “Smart” Christmas Hangover

Christmas 2013 will be a banner year for the Internet of Things, as smart gadgets appear like mushrooms under the Christmas tree. But get ready for a privacy hangover, as poorly designed and insecurely deployed gadgets turn on their masters. Just in time for the holidays, I received an e-mail by way of Electric Imp. If you’re not familiar with the “Imp” (my phrase, not theirs), it’s a [PAAS?] that makes it easy to build and connect smart devices. Among the cool gift ideas Electric Imp was promoting: a whole line of products produced by the company Quirky along with GE under the “Wink:...


The AppSec Program Maturity Curve 4 of 4

Program Levels 5 to 6 – from Improved to Optimized

This is the final post in a series on the Application Program Maturity Curve. In this series, we’ve advocated that Application Security is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk. This Maturity Curve model has been validated by Veracode using the real world results of hundreds of organizations. They have learned that the key to positive return on investment is to start small and scale up over time with each milestone. It’s easy to climb a few...


How to Run a Successful Proof of Concept for an Application Security Programme

So you’ve got upper management buy-in for your application security proof of concept and are ready to start scanning applications: how do you make sure your proof of concept (PoC) is a success and that you demonstrate the need to progress to a full-scale program? This article describes some of the lessons learned at the start of our large-scale deployment of Veracode within our organisation.

Socialising the Proof of Concept

The first step is to socialise the PoC internally through word of mouth, discussion forums, and developer communities by driving interest in the availability of a new...


Veracode Directly Delivers Recommended Controls Called for by the Financial Services Industry

A group of leading banks, insurance, and mortgage companies, including Aetna, Goldman Sachs, JP Morgan Chase, and Citi (among others), recently crafted recommended controls for addressing third party software security in the paper “Appropriate Software Security Control Types for Third Party Service and Product Providers.” This paper acknowledges that conventional third party controls are no longer sufficient to cover the ever-expanding attack surface presented by web, mobile, and desktop applications developed by third party software suppliers. Further, this group offers three controls for...


Video Interview with the CISO of Aetna, Jim Routh

Businesses run on software; it gives us the features and functions needed to make our teams more productive. In order to get those features and functions, we turn to third party software suppliers for the latest and greatest. However, the software suppliers that produce these nifty applications need to apply the same software security measures enterprises use for their internal software development. Unfortunately, too few enterprises have taken the steps necessary to understand the approach these software suppliers are taking to software security. In an effort to address this issue, a...


Golang's Context Aware HTML Templates

Golang is a new open source programming language that is growing in popularity. Since I am getting bored of Python, I decided to begin studying it. While I'm really enjoying it as a language, I was completely caught off guard when I started reading about Golang's built-in HTML templating package. I noticed in their documentation that they are doing context-based encoding. Not only that, it is all done automatically. No explicit calls to encodeJS or htmlentities or any of that other stuff we as security professionals commonly recommend our customers use. Context Aware XSS is something I as a...


All Hail Senator Appsec

Pen testing? Vulnerability scanning? The U.S. Senate’s newest member shows that he can ask the tough questions on privacy and data security. It’s about time. The technical aptitude of our elected representatives – or the lack of it – is so pronounced that it has become the butt of jokes. Long after the late Alaska Senator Ted Stevens inaptly likened the Internet to a “series of tubes” in 2006, congressmen and women continue to exhibit head-slapping ignorance about topics (like online advertising) that (in theory) they are making laws to govern. That’s why it was so refreshing to read a...


The Appsec Program Maturity Curve 3 of 4

Program Levels 3 to 4 – from Baseline to Integrated

This is post three in a series on the Application Program Maturity Curve. A dedicated and rigorous Application Security Program is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk. It will deliver an effective software security strategy that addresses both immediate and systemic risks with a rigorous plan and continued investment. The mantra of any successful appsec program is utilization, adoption and expansion. Without a clearly defined and governed policy, none...


Static Testing vs. Dynamic Testing

With reports of website vulnerabilities and data breaches regularly featuring in the news, securing the software development life cycle (SDLC) has never been so important. The enterprise must, therefore, choose carefully the correct security techniques to implement. Static and dynamic analyses are two of the most popular types of security tests. Before implementation, however, the security-conscious enterprise should examine precisely how both types of test can help to secure the SDLC. Testing, after all, can be considered an investment that should be carefully monitored. Static and Dynamic...


VAST Program Wins the Financial World Innovation Award for the Most Innovative Financial Services Solution

The Veracode Vendor Application Security Testing (VAST) program has won the Financial World Innovation Awards in recognition of its ability to deliver a solution to the complex problem of third party application security, in the category “Technology Vendors – Most Innovative Financial Services Solution”. As financial services firms are driven to grow and expand, they are turning to third parties to provide the software that allows their employees to be more productive and enables the enterprise to get to market faster. However, these mobile, SaaS, and outsourced applications have not received...

