Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Application Security Debt and Application Interest Rates

By Chris Wysopal, February 25, 2011 | Research

Technical Debt. Architects and developers are well aware of the term technical debt, but many in the security community have never heard of this concept. Ward Cunningham, a programmer who developed the first wiki program, describes it like this: Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite... The danger occurs...

CA Veracode Recognized as a Leader in the Magic Quadrant for Static Application Security Testing

By Chris Wysopal, December 15, 2010 | Research

The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and CA Veracode is recognized as a leader. We are pleased to be able to share the leaders' position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the CA Veracode team has been able to accomplish as a 4.5 year old company. To get our...

Mobile App Top 10 List

By Chris Wysopal, December 13, 2010 | Research

The Top 10 Mobile Application Risks, or "Mobile App Top 10" for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent. Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose...

CA Veracode Research Team Gives 5 Predictions for 2011

By Chris Wysopal, December 8, 2010 | Research

As we close out a security-eventful 2010, the CA Veracode research team thought it would be a good idea to think about what we are likely to see happen in 2011. Here are 5 predictions we believe will have a very good chance of coming true. 1. Sandboxing goes mainstream with adoption by Firefox and Internet Explorer. Sandboxing can prevent the exploitation of coding errors by preventing code running...

More Vulnerabilities Discovered in Siemens Software

By Chris Wysopal, September 27, 2010 | Research

When the Stuxnet worm that attacks Siemens SIMATIC systems was first discovered and made public, one of the first vulnerabilities found in the software was a hard-coded password. This allowed Stuxnet to steal project information from databases used by Siemens SIMATIC systems. Symantec researchers have found another vulnerability which allows Stuxnet to spread via project files used by...

The Sparsely Attended Sept 12, 2001 Hearing: "How Secure Is Our Critical Infrastructure?"

By Chris Wysopal, September 22, 2010 | Research

A little over a week ago it was the 9th anniversary of the 9-11 attack against the US. The following day, September 12th, 2001, I was scheduled to testify before the US Senate Committee on Governmental Affairs for a hearing titled, "How Secure is Our Critical Infrastructure?" The hearing went on, but no one outside of DC was able to get there in time. The following is the written...

Deadly Combo: Zero Day Application Vulnerability + OS Vulnerability = Attacker Win

By Chris Wysopal, July 22, 2010 | Research

The recent Siemens WinCC SCADA targeted malware packages a zero day application vulnerability with a zero day OS vulnerability. The OS vulnerability in Windows provides a worm capability to reach the target, and once on the target the application vulnerability allows compromise of the application's data. The vulnerabilities are used in stages: Stage 1: Use a Windows OS vulnerability for...

Website Vulnerability Research and Disclosure

By Chris Wysopal, June 14, 2010 | Research

Vulnerability disclosure is in the spotlight again. First it was Tavis Ormandy disclosing a vulnerability in Microsoft Windows before Microsoft had a fix available. Now a group called Goatse Security has disclosed a vulnerability in an AT&T website that affects Apple iPad 3G owners. The Wall Street Journal reports on the repercussions against vulnerability researchers in "Computer...

Which Tastes Better for Security, Java or .NET?

By Chris Wysopal, June 1, 2010 | Research

In his blog, Gartner analyst Neil MacDonald asks the question, "Is .NET More Secure Than Java?" CA Veracode provided data to help answer this question from our "State of Software Security Report", which contains the static analysis results from 1591 Java, .NET and C/C++ applications. .NET comes out slightly ahead. ...the vulnerability density (average flaws per MB of code...

MC Frontalot Releases "Zero Day"

By Chris Wysopal, April 6, 2010 | Research

"Zero Day" the album, that is. Wired has a review. You can read the full lyrics on Frontalot's site. Here is a snippet: Press play, prepare as history is made: "largest hack in one day," all the headlines will say. All out of time, hear the chime from the buzzer. Found this bug on my own, no need for a fuzzer. "It's already too late," spreading as we planned...
