How can we protect our democratic process from foreign interference? On The Wall Street Journal’s Future of Everything podcast, Chris Wysopal shares his insight on the security of our election processes, why addressing voting machine flaws is only the beginning, and extant threats our elections face.
APT attacks are often directed at organizations that deal in high-value information such as financial organizations, manufacturing companies and governments. While the vulnerabilities themselves are not difficult to fix, the danger lies in the millions and millions of lines of code where a flaw could present an opening for a security breach. This piece explores five common types of APT attacks.
It is crucial that businesses – as well as their development teams – understand the potential cost of the dormant vulnerabilities in their IT environment.
It's more critical than ever for states to protect our democratic system and voting infrastructure from foreign cyber espionage.
Software has transcended from a technical process into the realm of social morality. Security of software is not a technical question, but a moral one, and companies need to treat it that way.
Researchers at NYU have developed a technique to add inert bugs in code to deter hackers. But is this the right approach to more secure code?
Remember last year's Equifax hack? It involved an exploit of a vulnerability in Apache Struts. Yesterday, news came of a new vulnerability in the open source Web framework, one that some people are saying could be worse than the one that put nearly everyone's credit card information into the hands of criminals. VP of Research Chris Eng advises organizations using Apache Struts to upgrade quickly.
The future of cybersecurity product development relies on having a good idea, and the networking skills to gain feedback, interest customers and attract great employees, CA Veracode CTO Chris Wysopal said in a presentation during Black Hat 2018.
CRN asks six security CEOs and technical leaders attending Black Hat 2018 what areas of cybersecurity need to receive more attention in the boardroom. Read why CA Veracode Vice President of Research Chris Eng believes boards need to be more aware of the risks of breaches resulting from code originating in open-source libraries.
In his latest column for CSO, CA Veracode CTO Chris Wysopal spells out why the blockchain isn't completely secure - the software components interacting with it are written in code, and most software code has bugs and vulnerabilities. Here's how to begin fixing the vulnerabilities.
Blockchain may hold tremendous promise for enterprises, but it's also vulnerable to a variety of attacks. CA Veracode CTO Chris Wysopal and other experts detail the risks in CSO.
CA Veracode's Chris Eng tackles how companies can bridge the divide between software developers and cybersecurity teams to bring reliable and secure applications to market, in a contributed article in Threatpost.
In a detailed overview of a talk about implementing DevSecOps in an organization, CA Veracode CTO Chris Wysopal tackles an important, practical question head-on: If AppSec is shifting left, and the responsibility of testing security now belongs to developers, what does this mean for the security team?
A study commissioned by CA Veracode reveals that 83% of developers use commercial or open source components in their creations.
Some data from the SOSS (State of Software Security) Report show that organizations doing testing and remediation are placing priority on the worst vulnerabilities, reducing the density of defects in the high and very high severity range; nevertheless, only 14% of the most serious defects are resolved in less than a month, while almost 12% of applications have at least one high or very high severity defect.
Chris Wysopal, chief technology officer at the cybersecurity firm CA Veracode, said the information may have surfaced on the dark web, where criminals could have purchased it for as little as $20 to $30. He said there must have been a “telltale sign” that enabled investigators to confirm that it came from the OPM breach and not another data compromise.
It has been 20 years since Chris Wysopal (AKA Weld Pond) and his colleagues at the Boston-based L0pht hacker collective famously testified before the US Senate that the internet was hopelessly insecure.
"Developers are concerned about creating quality code, and that means creating secure code," says Pete Chestna, director of developer relations, CA Veracode. "To be successful, developers must have a clear understanding of security policies and must have the tools to measure them. When the objective is clear and we give them access to these tools, they are able to integrate the scan in the early stages of the life cycle of software development and can make informed decisions that take safety into account, and as a result, we are seeing a significant improvement in the development of secure software and the resulting products."
Some of the most pressing threats to our national security are found not in the physical world, but in cyberspace. It's past time for our nation to adapt to the changing landscape and bring our security infrastructure up to speed.
"We see that IT security must fundamentally change," explains Julian Totzek-Hallhuber, Solution Architect at Veracode. "Organizations today use a wide variety of applications across multiple business units, but these self-developed or purchased applications continue to have vulnerabilities that allow cybercriminals to attack and cause great damage."
I caught up with Maria Loughlin, vice president of engineering at CA Veracode; Chris Eng, vice president of research at CA Veracode; and Alan Shimel, CEO of DevOps.com, to talk more about their recent panel webinar on bringing in security to make DevOps a reality. It was enlightening to hear their perspectives on how companies can build security into their culture so that it permeates the development process. Many enterprises have realized that with the continuing popularity of DevOps comes the possibility of creating an environment that allows software vulnerabilities. In truth, more teams are integrating security testing into their development processes.
We now live in a world where software applications are omnipresent. The world’s largest enterprises are increasingly finding themselves in the software business. It doesn’t matter what their end products are, they are building Web applications, mobile apps and other software for their products and this software is becoming a key interaction point between brands and their customers and partners. According to a recent McKinsey study, it is now widely accepted that innovation isn’t optional, and that utilizing new software technologies is a prerequisite to success in virtually all industries.
Everybody wants to do DevOps right, and part of that equation is making sure applications and services remain secure even as development and integration transition to a continuous workflow model.
The latest addition to the CA Security portfolio, CA Veracode SourceClear is a SaaS-based software composition analysis tool which relies on a unique vulnerability database that goes beyond the National Vulnerability Database (NVD), together with vulnerable-methods technology, to increase the actionability of software composition analysis (SCA) results. Unique to CA, the combination of the CA Veracode and CA Veracode SourceClear offerings enables organisations to use open source libraries to accelerate software development without adding unmanaged risk, supporting the DevSecOps movement.
The United States' Office of Management and Budget (OMB) oversees the implementation of the president's objectives in the areas of policy, budget, management and regulation. To that end, the recent government-wide cybersecurity risk assessment, carried out by the OMB in coordination with the Department of Homeland Security (DHS), highlights several serious issues that continue to imperil federal cybersecurity and ultimately put the nation at risk.