THE Security Problem is Scale

Rich Mogull talks about real-world IT security challenges in his Dark Reading column, “Simple Isn’t Simple”. I agree 100%. One of Rich’s points is that security has to scale or it doesn’t solve the real-world problem. In most cases we know how to solve a security problem for a single instance of that problem; one SQL injection flaw in one app, for instance. The challenge is doing it at scale. If you can’t do it at scale, you don’t solve the problem for the business.

“We Don’t Sell It? Then It’s Not Important”

[UPDATE: Since there seems to be some confusion, the "We" in the title of this post is NOT "Veracode". The expression is a generic one intended to illustrate the attitude exhibited by many companies who like to downplay the value and/or effectiveness of technologies that they themselves do not sell. I can't believe I am having to explain this.]

Fair warning, this is a bit of a rant.

Back in my consulting days (early 2000, I’m getting old), we delighted in the fact that our web application penetration testing methodology didn’t rely on automated tools. This was completely true; …

Mobile Security – Users Just Don’t Care

It’s not that users “don’t want to keep their data safe”. They do. Most corporate users don’t want their personal or corporate private information available to someone else. They don’t want their email stolen or their contacts pillaged. So why do people insist on ignoring the multitude of security recommendations on how to have a more secure mobile work environment? The answer to this question is that, deep down, users really just don’t care.


The average corporate user of a mobile device has a litany of reasons why they think they don’t need …

Possible PlayStation Network Attack Vectors

Over the last few weeks there’s been a lot of commentary around the breach of Sony’s PlayStation Network. Sadly, there has been no good discussion of how PSN was breached. What this breach means for Sony is largely defined by how it happened. Before we get to that, though, let’s go over some of the important points in the breach’s timeline.

Jan 2, 2011: Months of battles between Sony and PS3 hackers reach a climax when George Hotz, aka GeoHot, publishes the Root Key for the PS3. Among other things this allows users to sign and run …

Buffer Overflows in SCADA ActiveX Controls Put Critical Infrastructure at Risk

Following the industrial control system attack on Iran’s nuclear facilities dubbed Stuxnet, vulnerability researchers have intensified their scrutiny of the software that runs these industrial systems, known as SCADA systems. The results are unsettling. Given the danger of vulnerabilities in the software that controls power and water systems and industrial plants, you would expect vulnerabilities to be rare. It is just the opposite. Common vulnerabilities listed in the CWE/SANS Top 25 Most Dangerous Software Errors, such as SQL Injection (#2), Buffer Overflow (#3), and Use of Hard-Coded Credentials (#11), have been found in SCADA systems over …

State of Software Security, Volume 3

It’s here! Data junkies rejoice!

Today we’re proud to release the third volume of our semi-annual State of Software Security report. This edition incorporates data from 4,835 applications analyzed via our cloud-based platform over the past 18 months. After lots of number crunching and a fair amount of head scratching, we’ve unearthed some intriguing findings that reflect the progress (or lack thereof) being made in securing the world’s software.

Not convinced yet? Here are a few of the data points I found particularly interesting:

Over the past 8 quarters, the prevalence of SQL Injection (% of web apps affected) …

Mobile App Privacy Continued…

[UPDATE! April 15: Pandora removes all advertising libraries from its Android and iPhone apps!]

The blog post we made earlier this week entitled, Mobile Apps Invading Your Privacy, gives detail around the information being requested by the advertisement libraries embedded inside a popular online radio application. There have been a number of great posts and comments that got us thinking more about the issues and the types of data being requested.

First off we want to thank some people who commented about the Pandora application not having permission to actually access the GPS on the device. Below are the …

Mobile Apps Invading Your Privacy

[April 8: We've added some more information in a follow-up post]

Background

An article in the Wall Street Journal, dated April 5, 2011, disclosed that Federal prosecutors in New Jersey are investigating numerous smartphone application manufacturers for allegedly illegally obtaining and distributing personal private information to third-party advertisement groups. The allegations state that mobile applications are gathering data such as GPS location, device identifiers, gender, and even user age without proper notice or authorization from the end user. The Journal tested 101 applications and found that 56 of them transmitted the device’s unique identifier off the device, while …

Please Jump Off the APT Bandwagon

One of the comments I heard repeatedly at the RSA Conference was that many vendors on the expo floor were jumping on the Advanced Persistent Threat (APT) bandwagon, handwaving wildly and claiming disingenuously that their product — or “solution” to be even more self-aggrandizing — would protect against APTs. That, combined with the RSA SecurID breach last week and a recent article by Bill Brenner at CSO Magazine, made me want to weigh in on this topic.

On one hand, it’s obvious why vendors do it: IT security people are …

Identifying the Mobile Security Stack

Increasing smartphone adoption rates, coupled with the rapid growth in the number of smartphone applications, have created a scenario where private and sensitive information is being pushed to the new device perimeter at an alarming rate. The smartphone is quickly becoming ubiquitous. It is not inconceivable to predict, in the near future, a world where smartphone and mobile device Internet usage becomes the de facto standard for average business and personal consumer use, surpassing desktop and laptop computing. While there is much overlap with common operating system models, the mobile device security model has some distinct points of differentiation.

Many …

A Financial Model for Application Security Debt

Last week I described the concept of application security debt and application interest rates. I promised that I would follow up with a financial model that could translate these concepts into real money.

Recap
Here’s a quick recap of the initial concept. Security debt is similar to technical debt. Both are design and implementation choices whose negative consequences accumulate over time, and the code must be reworked to get out of debt. Security debt is based on the latent vulnerabilities within an application. Application interest rates are the real-world factors outside of the control …

2011 Becomes the Year of Mobile Malware

Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened. 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place:

Little to no vetting of apps for malicious behavior before being made available from app stores
Android kernel code with known privilege escalation vulnerabilities and no way for many mobile users to patch their devices
Attacker motivation in the form of big numbers of vulnerable devices and several proven ways to monetize their attacks: premium SMS/dialing, in app purchases, …

Application Security Debt and Application Interest Rates

Technical Debt
Architects and developers are well aware of the term technical debt, but many in the security community have never heard of the concept. Ward Cunningham, the programmer who developed the first wiki, describes it like this:

Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite… The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt. Entire engineering organizations can be brought to a stand-still under the debt load of an unconsolidated …

How Code Rot Can Lead to Vulnerabilities

As a web developer you’re always told you need to keep up to date on the latest and greatest technologies. Usually this is so you can build applications that take advantage of new technologies to deliver a better experience to your users. However, I think there is another angle to this, in particular code rot. Code rot is where code becomes ignored or neglected, or where the environment in which it operates evolves into something that was not foreseen when the code was originally written. In some cases code rot can lead to vulnerabilities.

I like to consider myself a “web …

2011 Security Blogger Awards

The 3rd Annual Social Security Blogger Awards were announced last week during the RSA Conference in San Francisco. Veracode received two awards, one for Best Corporate Blog and the other for Best Security Blog Post of the Year. Here is a list of all the nominees and the award winners. It’s always an honor to be recognized by peers, so on behalf of all the Veracode bloggers, thank you for reading — and for your votes!
