Posted by Chris Wysopal in ALL THINGS SECURITY, May 14, 2013 |
A developer’s main goal usually doesn’t include creating flawless, intrusion-proof applications. In fact, the goal is usually to create a working program as quickly as possible. Programmers aren’t security experts, and perhaps they shouldn’t be. But when 70% of applications fail to comply with enterprise security standards (data from Veracode SoSS vol 5), it is clear more attention needs to be given to secure programming techniques.
Posted by Melissa Elliott in RESEARCH, May 13, 2013 |
Everyone has had that dreaded experience: you open up the task manager on your computer… and there’s a program name you don’t recognize. It gets worse when you google the name and can’t find a concrete answer on what it is and why it’s there. It gets even worse when you remove it from Autoruns and it comes back. It gets terrible when you realize it has keylogger functionality. The icing on the cake, however, is when the mystery program is also eating up all your RAM.
Posted by Isaac Dawson in RESEARCH, March 26, 2013 |
Back in November 2012 I did Veracode’s initial release of a report on the top 1 million websites from the Alexa list. My goal was to turn it into a series so it would be possible to track how these sites change over time in regards to security headers that are added, removed or changed.
Posted by Melissa Elliott in RESEARCH, July 19, 2012 |
Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but there was a lot of confusion about how it could possibly work and whether it was safe.
The particular person who published the instructions added a note to remember not to type in …
Posted by Fergal Glynn in Application Security, March 2, 2012 |
One of Veracode’s own posts has been making headlines recently – Mark Kriegsman’s AdiOS utility. AdiOS is being featured by a large number of popular news sources. Mark created a great video about this free app – check it out here
If you haven’t already seen it, be sure to check out the video game (Veracode Defender) we made to promote some of the recent changes we made to our reports. Click here to play
With tax season upon us, “Tax Season = Tax Scams, Prepare yourself,” by Stefanie Hoffman at …
Posted by Tim Jarrett in ALL THINGS SECURITY, January 31, 2012 |
One of the great things about the Veracode platform is the insight we get from examining our anonymized customer data – not only information about the vulnerability landscape (as published in the State of Software Security report) but insight into the composition of the applications that we scan. As I alluded in my last post, one of the things we record when scanning applications is the presence of frameworks and other supporting technologies, and we’ve been at work mining that data to understand what developers use to …
Posted by Niru Raghavan in ALL THINGS SECURITY, January 19, 2012 |
Evan Fromberg, Sr. Director of Channel Sales and Business Development here at Veracode, recently wrote a guest post on Rackspace’s Cloud Blog. In his post, Evan talks about the emergence of a growing need for businesses of all sizes to increase speed to market.
He examines the impact of this trend on the adoption of cloud platforms, and what this means for the security of applications being migrated to the cloud. The post sheds light on some of the vulnerabilities in applications that are becoming more prevalent, and also reveals …
Posted by Chris Eng in RESEARCH, January 16, 2012 |
You’ve probably read by now that online retailer Zappos suffered a security breach affecting over 24 million customers. As a Zappos customer, I received the email last night alerting me about the breach. I got a nearly identical email from their sister company, 6pm.com, as well. This is a clear sign that I buy too many shoes.
What’s interesting to me about this breach is that Zappos is renowned for their customer service, so watching how they communicate in the coming days and weeks should be an interesting case study. A few notable points so …
Posted by Chris Eng in RESEARCH, January 5, 2012 |
Here’s a feel good story to start the new year.
Just before the holidays, we detected a cross-site scripting (XSS) vulnerability while running a web application scan for one of our customers. Nothing special about that; we detect thousands of these things every week. But as we discussed this particular finding, we noticed that the layout of the website looked… familiar. As it turned out, the discussion forum where we found the XSS was a SaaS-based product called Lithium.
From Lithium’s website: “The world’s most innovative companies such as AT&T, Barnes & Noble, Best Buy, Sephora, Univision, Home Depot, and HP …
Posted by Chris Eng in RESEARCH, December 21, 2011 |
When we last left our intrepid hero, he was embarking on a quest to become an information security thought leader. A year has passed; let’s see how he’s doing! Enjoy.
Posted by Chris Eng in RESEARCH, December 7, 2011 |
Today we’re releasing Volume 4 of our semi-annual State of Software Security report. This edition incorporates data from 9,910 application builds (twice as many as last time) analyzed via our cloud-based platform over the past 18 months. In this edition, we also discuss how the threat landscape has evolved during 2011 and how we’ve adapted our analysis and evaluation criteria to account for those changes. Here are a few of the highlights:
- Application security performance declines steeply when the current threat landscape is taken into account in the evaluation criteria
- XSS and SQL injection affect a higher proportion …
Posted by Chris Wysopal in RESEARCH, December 5, 2011 |
Dark Reading published a list of 10 big breaches in 2011.
Dark Reading said, “No one was immune: not social networks, not financial institutions, and not even security firms.” I thought I would take a look at how many of these breaches were due to an application vulnerability. These are the breaches that most likely would have been prevented if the organizations had an application security program that built and tested applications with security in mind.
Information about some of the breaches was not available. Specifically I couldn’t find any details about how Epsilon, WordPress, Cyworld or Steam …
Posted by Chris Wysopal in RESEARCH, November 15, 2011 |
Seven years ago, when we were first embarking on the mission of making static analysis usable, scalable, and able to operate without access to source code, automated static binary analysis was a new concept. There were human-operated disassemblers, but the ability to do large-scale, highly repeatable static binary analysis was an unknown. At Veracode we have demonstrated that this is now possible. We have already analyzed billions of lines of code that make up well over ten thousand applications.
So today I am going to crank up the wayback machine and look to some of the original …
Posted by Chris Eng in RESEARCH, October 21, 2011 |
Let me start by saying I have a great deal of respect for Dinis Cruz. He’s tremendously passionate about application security and has made numerous contributions to the community through his involvement with OWASP. We even sat on a panel together recently. But I was taken aback by a presentation he gave at OWASP AppSec Brazil entitled Making Security Invisible by Becoming the Developer’s Best Friends.
The premise of the talk was that developers and security teams should communicate and work better together — hard to find fault with that. But after flipping through the slides and watching …
Posted by Chris Wysopal in RESEARCH, September 12, 2011 |
Today I have a guest commentary in Threatpost on the changes in the security landscape since 2001.
So as I look back over the last 10 years I don’t see much of a change in the vulnerability-scape, if you will, but in the threat landscape. New classes of attackers have gone mainstream and global. They are sophisticated and effective. But our defenses have barely gotten better. There has been an incremental approach to defenses: deeper packet inspections, more heuristic anti-malware, more auto-update patching, but it hasn’t been able to keep up. I hope over the next …