A dedicated and rigorous Application Security Program is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk. It will deliver an effective software security strategy that addresses both immediate and systemic risks with a rigorous plan and continued investment. The mantra of any successful AppSec Program is utilization, adoption and expansion. Without a clearly defined and governed policy, none of these is possible.
With reports of website vulnerabilities and data breaches regularly featuring in the news, securing the software development life cycle (SDLC) has never been so important. The enterprise must, therefore, choose carefully the correct security techniques to implement. Static and dynamic analyses are two of the most popular types of security test. Before implementation however, the security-conscious enterprise should examine precisely how both types of test can help to secure the SDLC. Testing, after all, can be considered an investment that should be carefully monitored.
The Veracode Vendor Application Security Testing (VAST) program has won the Financial World Innovation Awards in recognition for its ability to deliver a solution to the complex problem of third party application security in the category of “Technology Vendors – Most Innovative Financial Services Solution”.
What’s wrong with the following C code?
It’s a classic and easy to make off-by-one error, caused by the willy-nilly inconsistency of common C functions regarding whose responsibility the null terminator is and whether it’s included in a passed count of bytes. In this case,
scanf() will read up to 32 bytes from standard input and then append a null terminator, which overflows the buffer of 32 characters and writes a null byte to whatever happens to be next on the stack.
An FTC Forum on security and the Internet of Things showed industry doing its best to muddy the water when it comes to building secure products.
This was a big week for the Internet of Things (IoT) in Washington D.C., as the Federal Trade Commission (FTC) hosted its first ever workshop to discuss security and privacy issues created by the proliferation of IoT technology.
Businesses run on software; it gives us the features and functions needed to make our teams more productive. However, using third party applications – that software that was developed by external parties – with no oversight for what secure development practices are observed can lead to a false sense of security.
Dragos Ruiu's 'BadBIOS' malware may just be evidence that he's having a 'bad day.' But sometimes nightmares are worth paying attention to!
Can a lifetime of researching stealthy computer attacks drive you mad? That’s what some are suggesting is the real story behind BadBIOS, a piece of allegedly super stealthy malware that has plagued computers belonging to researcher Dragos Ruiu for years. Nightmarish, to be sure.
It's too early to say much about what our world will look like once hundreds of billions of Internet connected devices come on line. But one thing is sure: on The Internet of Things, it is the application developer who is king.
Prognosticating about the shape, size and flavor of The Internet of Things has practically become an industry unto itself. In addition to predictions from the usual suspects like Gartner and IDC, a long list of consultancies, technology firms and independent thought leaders stand ready to predict how big the IoT opportunity is and what companies stand to benefit from its success.
As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.
As we’ve discussed, the program maturity model for Application Security has six levels. You should be able to recognize at which stage of the curve your particular organization is. The easiest one to recognize is an approach to AppSec called “Do Nothing”. Let’s assume if you are reading this, that’s not you.
If your organization is already pursuing an ad-hoc testing approach to manage the security of your software, you are not alone. Most enterprises with in-house application development teams do some kind of ad hoc AppSec testing, usually during the software QA process. Most organizations who understand the fundamental importance of AppSec start here.