Research

Staying one step ahead of the ever-changing threat landscape is a strategic imperative for Veracode. Whether it’s desktop apps, web apps or mobile, we’re constantly looking for software vulnerabilities. If we discover something interesting, this is where you’ll read about it.

AdiOS: Say Goodbye to Nosy iPhone Apps

Veracoder Mark Kriegsman created a free utility, called AdiOS, that lets iOS users quickly scan the apps they’ve downloaded to see which have access to their complete address book. After downloading the utility, users can see which applications are accessing their address book. Read about the utility and download it to see which of your apps are transmitting your phone book data.

FBI Gets Bitten by Operational Security

At corporations and government offices around the world a security failure happens every day. Employees forward confidential calendar events and messages to personal calendars and personal email accounts. This may make their jobs easier but it can put their companies at risk. A recent security incident involving the FBI can teach us something about corporate security.

Excerpts in italics from Hackers Intercept FBI Call With U.K.

The Federal Bureau of Investigation said cybercriminals hacked into a cybercrime conference call between its agents and law enforcement officials overseas.

The 16-minute call was posted on the Internet on Friday. The hacker …

Delivering Unhappiness

You’ve probably read by now that online retailer Zappos suffered a security breach affecting over 24 million customers. As a Zappos customer, I received the email last night alerting me about the breach. I got a nearly identical email from their sister company, 6pm.com, as well. This is a clear sign that I buy too many shoes.

What’s interesting to me about this breach is that Zappos is renowned for their customer service, so watching how they communicate in the coming days and weeks should be an interesting case study. A few notable points so …

Vulnerability Response Done Right

Here’s a feel good story to start the new year.

Just before the holidays, we detected a cross-site scripting (XSS) vulnerability while running a web application scan for one of our customers. Nothing special about that; we detect thousands of these things every week. But as we discussed this particular finding, we noticed that the layout of the website looked… familiar. As it turned out, the discussion forum where we found the XSS was a SaaS-based product called Lithium.

From Lithium’s website: “The world’s most innovative companies such as AT&T, Barnes & Noble, Best Buy, Sephora, Univision, Home Depot, and HP …

The Thought Leader… One Year Later

When we last left our intrepid hero, he was embarking on a quest to become an information security thought leader. A year has passed; let’s see how he’s doing! Enjoy.

ICS-CERT Warns of Backdoors in Standard Network Module

ICS-CERT warns of backdoors in a standard network module for control systems. The type of equipment is the Schneider Electric Quantum Ethernet Module. Both static passwords and a remotely accessible debug service were found.

Backdoors in industrial control systems

These backdoor revelations in industrial control equipment are becoming frequent. Earlier this year Dillon Beresford found similar backdoor vulnerabilities in Siemens equipment.

We find these types of vulnerabilities fairly often when we scan vendor code on behalf of our customers at Veracode. Our recent State of Software Security Report vol. 4 detailed the findings. We didn’t find …

State of Software Security, Volume 4

Today we’re releasing Volume 4 of our semi-annual State of Software Security report. This edition incorporates data from 9,910 application builds (twice as many as last time) analyzed via our cloud-based platform over the past 18 months. In this edition, we also discuss how the threat landscape has evolved during 2011 and how we’ve adapted our analysis and evaluation criteria to account for those changes. Here are a few of the highlights:

Application security performance declines steeply when the current threat landscape is taken into account in the evaluation criteria
XSS and SQL injection affect a higher proportion …

Which of the 10 Big Breaches in 2011 Were Application Security Related?

Dark Reading published a list of 10 big breaches in 2011.

Dark Reading said, “No one was immune: not social networks, not financial institutions, and not even security firms.” I thought I would take a look at how many of these breaches were due to an application vulnerability. These are the breaches that most likely would have been prevented if the organizations had an application security program that built and tested applications with security in mind.

Information about some of the breaches was not available. Specifically I couldn’t find any details about how Epsilon, WordPress, Cyworld or Steam …

Putting Trust in Software Code

Seven years ago, when we were first embarking on the mission of making static analysis usable, scalable, and able to operate without access to source code, automated static binary analysis was a new concept. There were human-operated disassemblers, but the ability to do large-scale, highly repeatable static binary analysis was an unknown. At Veracode we have demonstrated that this is now possible. We have already analyzed billions of lines of code that make up well over ten thousand applications.

So today I am going to crank up the wayback machine and look to some of the original …
