Secure Development

We'll walk you through the critical step of integrating security into the software development lifecycle (SDLC). You'll hear from the experts on everything from working with developers, to the best ways to assess code for security and the latest development trends and technologies.

Is Your Dynamic Scanning Context Aware?

JPelletier's picture
By Joe Pelletier December 6, 2016  | Managing AppSec
Dynamic analysis, context aware scanning.

When it comes to dynamic scanning & black box testing techniques, speed and accuracy are critical factors. Developers and security teams have no time for false positives, especially in a world where the time between releases is increasingly compressed. Yet a common vulnerability found by dynamic scanners is Cross-Site Scripting (XSS), and these vulnerabilities are often either false positive... READ MORE

5 Ways to Keep Your Applications Safe From Vulnerable Components

TJarrett's picture
By Tim Jarrett December 1, 2016  | Secure Development

In earlier blog posts in this series, we’ve learned more about how the vulnerability used to break into the San Francisco Municipal Transportation Agency’s computers may have come from a single vulnerable open source component. We’ve talked a little about how developers use open source components – and why it’s hard for them to know what’s in their applications... READ MORE

How One Open Source Component Put Up to 25% of Java Applications at Risk

TJarrett's picture
By Tim Jarrett November 30, 2016  | Secure Development
Open Source Component Risk

In the first part of our blog series on the ransomware attack on the San Francisco Municipal Transportation Agency, we discussed how the attacker chose to exploit a deserialization vulnerability in WebLogic to compromise vulnerable systems. And we learned that this vulnerability was a big target, because it is the result of a component (Apache Commons Collections) present in about 50 percent of... READ MORE

Why the Ransomware Attack on San Francisco Is Such a Big Deal

TJarrett's picture
By Tim Jarrett November 29, 2016  | Secure Development
Ransomware attack on San Francisco Municipal Transportation Authority

The day after Thanksgiving saw the San Francisco Municipal Transportation Agency hit with a ransomware attack. The attacker demanded 100 bitcoins (about $73,000) to unlock the computer systems and ticketing machines. According to security journalist Brian Krebs, the SFMTA wasn’t targeted for political reasons – it was a target of opportunity discovered by an attacker looking for... READ MORE

What Developers Should Know About the State of Software Security

jzorabedian's picture
By John Zorabedian November 3, 2016  | Secure Development
State of Software Security: Developer Takeaways

Our latest research into the State of Software Security has something for everybody. For AppSec managers, the report offers evidence that application security is improving, although not as much as we’d like, with a slight lift since our last report in the percentage of applications passing OWASP top 10 policy. But what does our analysis, drawn from billions of lines of code over the past 18... READ MORE

When Infrastructure-as-Code Meets Continuous Delivery

akaufman's picture
By Adam Kaufman November 2, 2016  | Secure Development
Continuous Delivery of Infrastructure

We all remember a time when setting up infrastructure meant racking servers, running cables and managing a web of networking by hand. Indeed, this is still very common and quite necessary for many organizations. Thankfully, though, for those of us who are lucky enough to work in a cloud environment, there’s a newer – some might say better – way. At CA Veracode, we’ve... READ MORE

How Dynamic Scanning Without Planning Almost Ruined My Fantasy League

bpitta's picture
By Brian Pitta November 1, 2016  | Managing AppSec
Dynamic scanning in production

“Is your scanner production-safe?” It’s one of the first questions teams ask me when we are discussing CA Veracode’s Web Application Scanning and black box testing capabilities. For many, this translates to two potential issues: Denial of service (DOS) – will your testing overload my application and take it down? Malicious attacks – if my application is susceptible to SQL injection, will... READ MORE

Why You Should Embrace Failure in Your Development Culture

TJarrett's picture
By Tim Jarrett October 24, 2016  | Secure Development
It is helpful to fail fast in devops.

One of the counterintuitive features of DevOps culture is a willingness to fail. In our success-oriented culture, this might sound like exactly the wrong direction in which to take your development teams. But a willingness to fail quickly, and often, can paradoxically lead your teams to greater success — provided you do it in a structured way and you learn from your failures. There’s... READ MORE

Questions You Should be Asking Your Application Developer Candidates

bcardinale's picture
By Brian Cardinale October 19, 2016  | Secure Development
What questions do you ask a developer applicant to determine security competence.

Old habits die hard. The following questions will help you avoid hiring developers with bad habits. Developers with bad habits are prone to baking in those habits into the overall application architecture. There are two fronts in the war of protecting your applications. The first front is reactive. It is your code maintainers patching flaws in old code bases. The second front is happening right... READ MORE

Why Even Google Is Susceptible to the Most Basic Website Vulnerabilities

jzorabedian's picture
By John Zorabedian October 19, 2016  | Secure Development
Google vulnerable to insecure code.

This week’s National Cyber Security Awareness Month theme of “recognizing and combating cybercrime” brings up an elementary but crucial point about why our efforts to fight cybercrime seem inadequate for the challenge: it can be really difficult to fix what’s broken even when we know exactly what the problem is. Here’s an example. When a sick patient comes to a... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.




contact menu