Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Misfeatures Strike Again

MElliott's picture
By Melissa Elliott September 25, 2014  | Research

image00.png Bash – the Unix shell – came out when I was fourteen months old. It was a replacement for a similar program that came out eleven years before I was born. By the time I was learning to read, it’d already had years to mature and stabilize. The very first time I ever sat down at a Linux prompt, bash was fifteen years old. It’s now twenty-five. From... READ MORE

Abstinence Not Required: Protecting Yourself Until the Privacy Utopia Arrives

CEng's picture
By Chris Eng September 3, 2014  | Research

Nude photos of various celebrities were leaked to all corners of the Internet a few short days ago. You already know that by now. Thank you iCloud???? — Kirsten Dunst (@kirstendunst) September 1, 2014 As we wait impatiently for the rest of the gory technical details surrounding the compromise(s), many in the security echo chamber have been debating how we ended up here and whether the... READ MORE

Stop Freaking Out About Facebook Messenger

CEng's picture
By Chris Eng August 12, 2014  | Research

Facebook recently announced that mobile chat functionality would soon require users to install Facebook Messenger. Fueled by the media, many people have been overreacting about the permissions that Messenger requests before taking time to understand what the true privacy implications were. In a nutshell, Messenger is hardly an outlier relative to the other social media apps on your phone. Why the... READ MORE

Coming to a computer near you, SQL: The Sequel

cwysopal's picture
By Chris Wysopal August 8, 2014  | Research

It might sound like a bad movie, but it’s playing out in real life – despite what seems like endless hacks using SQL injections, SQLi related breaches keep turning up like a bad penny. GI-Joe.jpg Most recently, Hold Security reported that they discovered a breach by Russian Hacker Ring. While details of this series of breaches are still surfacing, it is time for... READ MORE

Cloud or Not - Third-Party Software Adds Unnecessary Risk

cwysopal's picture
By Chris Wysopal June 13, 2014  | Research

cloud-security-concerns-300x223_2.jpg Don't be misled regarding the security implications of cloud-based software.   There’s been some discussion regarding the Cloud Could Triple Odds of $20M Data Breach research findings by Ponemon – so I thought I would weigh in on this issue. Risky software, regardless of deployment method, is what is adding unnecessary... READ MORE

Improving Software Security Through Vendor Transparency

cwysopal's picture
By Chris Wysopal June 12, 2014  | Research

chris-wysopal-fs-isac-vendor-security_2.jpg Chris Wysopal moderates a panel discussion at the FS-ISAC & Bits Annual Summit 2014   According to Gartner, enterprises are getting better at defending traditional network perimeters, so attackers are now targeting the software supply chain. This has made third-party software – including commercial and outsourced... READ MORE

Benefits of Binary Static Analysis

cwysopal's picture
By Chris Wysopal May 19, 2014  | Research

we-heart-binaries_2.jpg 1. Coverage, both within applications you build and within your entire application portfolio One of the primary benefits of binary static analysis is that it allows you to inspect all the code in your application. Mobile apps especially have binary components, but web apps, legacy back office and desktop apps do too. You don’t want to only analyze the... READ MORE

Agile SDLC Q&A with Chris Eng and Ryan O’Boyle – Part II

CEng's picture
By Chris Eng April 16, 2014  | Research

Welcome to another round of Agile SDLC Q&A. Last week Ryan and I took some time to answer questions from our webinar, "Building Security Into the Agile SDLC: View from the Trenches"; in case you missed it, you can see Part I here. Now on to more of your questions! Q. What would you recommend as a security process around continuous build? Chris-107x150_33.jpg Chris: It... READ MORE

Agile SDLC Q&A with Chris Eng and Ryan O'Boyle - Part I

CEng's picture
By Chris Eng April 10, 2014  | Research

Recently, Ryan O’Boyle and I hosted the webinar “Building Security Into the Agile SDLC: View From the Trenches”. We would like to take a minute to thank all those who attended the live broadcast for submitting questions. There were so many questions from our open discussion following the webinar that we wanted to take the time to follow up and answer them. So without further ado... READ MORE

Security Headers on the Top 1,000,000 Websites: March 2014 Report

IDawson's picture
By Isaac Dawson March 14, 2014  | Research

The March 2014 report is going to be a bit different than those in the past. This is primarily due to architectural changes that were made to get more precise data in less time. Additionally, a lot of work has been done to automate generation of these reports so they can be released more often. Our scan was run on March 5th 2014 using the latest input from the Alexa Top 1 Million.... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu