Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Podcast: Key Takeaways From Veracode's Latest State of Software Security Report

Key SoSS Takeaways 2017

Veracode just published its latest “State of Software Security” report, get it here. Based on Veracode Platform data, these “SoSS” reports have been offering a goldmine of intelligence about how organizations are approaching AppSec since 2011. This year’s report is no different. Evan Schuman recently sat down with Veracode’s Director of Product Management Tim Jarrett to discuss the findings... READ MORE

What's New in the State of Software Security 2017 Report

jzorabedian's picture
By John Zorabedian October 18, 2017  | Security News
State of Software Security 2017

In the past year, we’ve seen an unprecedented series of cyber assaults on democratic elections, ransomware attacks that spread around the world affecting hundreds of thousands of systems in more than 150 countries, and record-breaking data breaches. If we’re going to address this growing crisis effectively, we need a probing inspection of root causes, and fearless prescriptions for new ways... READ MORE

Message Digests, aka Hashing Functions

msheth's picture
By Mansi Sheth June 13, 2017  | Research

This is the fourth entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. The third entry taught you how to securely configure basic encryption/decryption primitives. This... READ MORE

Anatomy of a Cross-Site Scripting Flaw in the Telerik Reporting Module

Telerik Reporting Cross-Site Scripting Vulnerability

One of the interesting aspects of working as a Veracode Application Security Consultant is seeing the wide range of code across many business sectors. On an average day, I could look at some COBOL code twice my age in the morning, and by lunch I’m exploring a large .NET MVC app, before transitioning to review a self-deploying microservices package comprised of Java, node.js, and a little PHP for... READ MORE

Encryption and Decryption in Java Cryptography

msheth's picture
By Mansi Sheth April 18, 2017  | Secure Development
Encryption and decryption in Java Cyrptography

This is the third entry in a blog series on using Java cryptography securely. The first entry provided an overview covering architectural details, using stronger algorithms, and debugging tips. The second one covered Cryptographically Secure Pseudo-Random Number Generators. This entry will teach you how to securely configure basic encryption/decryption primitives. This blog... READ MORE

Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)

msheth's picture
By Mansi Sheth March 29, 2017  | Research
Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)

Skip to the tl;dr This is the second entry in a blog series on using Java cryptography securely. The first entry provided an overview and covered some architectural details, using stronger algorithms and some debugging tips . This entry covers Cryptographically Secure Pseudo-Random Number Generators. This blog series should serve as a one-stop resource for anyone who needs to implement... READ MORE

How to Get Started Using Java Cryptography Securely

msheth's picture
By Mansi Sheth March 17, 2017  | Research

Skip to the tl;dr Cryptography is the backbone of today's information systems. Its applications are all around us: secure email communications, storage of our login credentials, digital cash and mobile payments, to name just a few. Cryptography is one of the most complicated topics in information security, but the good news is we already have well-defined algorithms, implementations and... READ MORE

Vegas Cons 2016 Wrap Up

tpalarz's picture
By Tom Palarz August 18, 2016  | Research
Defcon 2016 Wrap Up

In my earlier post, I gave my thoughts on what the trends were so far part way through the set of conferences last week (BSidesLV, Blackhat, and DefCon24). In this post, I wrap up my thoughts for the week’s conferences. There were several great talks I missed at BSides this year. Two in particular were ones I’m bummed I missed: one on FOIA requests [http://sched.co/7a8k] (given... READ MORE

Crypto Fun at Black Hat 2016

tpalarz's picture
By Tom Palarz August 9, 2016  | Research

This year’s Black Hat Briefings included many outstanding talks; being a bit of a crypto geek, the one that particularly piqued my interest was the practical forgery attack on the Galois/Counter Mode (GCM) mode of operation: Nonce Disrespect (slides [pdf], paper [pdf], example code) GCM is an authenticated encryption mode where authentication and ciphering are done in one pass across a... READ MORE

DEF CON 24: Day One

tpalarz's picture
By Tom Palarz August 8, 2016  | Research

DEF CON is at a new venue since my last visit (two years ago), and I have to give props to the conference staff for all the hard work they’ve put in. Lines to get to talks and villages are still incredibly long as ever, and make it hard to justify the time to wait and missing out on something else. Some trends I’m noticing so far: The car hacking industry is maturing a bit with... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu