One of the comments I heard repeatedly at the RSA Conference was that many vendors on the expo floor were jumping on the Advanced Persistent Threat (APT) bandwagon, handwaving wildly and claiming disingenuously that their product — or “solution” to be even more self-aggrandizing — would protect against APTs. That, combined with the RSA SecurID breach last week and a recent article by Bill Brenner at CSO Magazine, made me want to weigh in on this topic.
On one hand, it’s obvious why vendors do it: IT security people are …
Increasing smartphone adoption rates coupled with the rapid growth in smartphone application counts have created a scenario where private and sensitive information is being pushed to the new device perimeter at an alarming rate. The smartphone mobile device is quickly becoming ubiquitous. It is not inconceivable to predict, in the near future, a world where smartphone and mobile device Internet usage becomes the de-facto standard for average business and personal consumer use, surpassing the desktop and laptop computing solutions. While there is much overlap with common operating system models, the mobile device security model has some distinct points of differentiation.
Last week I described the concept of application security debt and application interest rates. I promised that I would follow-up with a financial model that could translate these concepts in to real money.
Here’s a quick recap of the initial concept. Security debt is similar to technical debt. Both debts are design and implementation constructions that have negative aspects that aggregate over time and the code must be re-worked to get out of debt. Security debt is based on the latent vulnerabilities within an application. Application interest rates are the real world factors outside of the control …
Google pulled over 20 malicious apps from the Android Marketplace today. The inevitable has happened. 2011 has become the year of mobile malware. All the pieces of the malware ecosystem puzzle that researchers have been warning about are falling into place:
- Little to no vetting of apps for malicious behavior before being made available from app stores
- Android kernel code with known privilege escalation vulnerabilities and no way for many mobile users to patch their devices
- Attacker motivation in the form of big numbers of vulnerable devices and several proven ways to monetize their attacks: premium SMS/dialing, in app purchases, …
Architects and developers are well aware of the term technical debt but many in the security community have never heard of this concept. Ward Cunningham, a programmer who developed the first wiki program, describes it like this:
Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite… The danger occurs when the debt is not repaid. Every minute spent on not-quite-right code counts as interest on that debt. Entire …
As a web developer you’re always told you need to keep up to date on the latest and greatest technologies. Usually this is for creating applications which can take advantage of new technologies to deliver a better experience to your users. However, I think there is another angle to this, in particular; Code Rot. Code rot is basically where code becomes ignored, neglected or the environment in which it operates evolves and changes into something that was not foreseen when the code was originally created. In some cases code rot can lead to vulnerabilities.
I like to consider myself a “web …
The 3rd Annual Social Security Blogger Awards were announced last week during the RSA Conference in San Francisco. Veracode received two awards, one for Best Corporate Blog and the other for Best Security Blog Post of the Year. Here is a list of all the nominees and the award winners. It’s always an honor to be recognized by peers, so on behalf of all the Veracode bloggers, thank you for reading — and for your votes!
Veracode Security Guides
Data Security Resources
We’re very excited here at Veracode to announce the availability of our new FREE service to detect cross-site scripting (XSS) in your web application. This is a significant milestone for our company and for the security industry, and we encourage everyone from small ISVs to major enterprises to give us a try. Hopefully this will be one of the first steps in the long road to eliminating XSS; after all, one of the first steps to recovery is admitting you have a problem!
Questions? Comment on this blog post, or try @veracode, @chriseng, or @weldpond …
The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leaders position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the Veracode team has been able to accomplish as a 4.5 year old company.
To get our service to the performance level where it is today has taken many hard earned lessons. These were learned satisfying the application security testing needs for …
The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent.
Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. Mobile devices are designed around personal and communication …