How is testing microservices going to come about, and what is it all going to mean? At DevOps Days Stockholm, Veracode engineer and speaker Peter Chestna (@PeteChestna) presented an argument for the concept of the full-spectrum engineer, a reincarnation of the current full-stack engineer.
Security teams and developers are more aligned and capable of taking a collaborative approach than many in the industry believe, according to a new study from Veracode.
"The latest fine imposed by the ICO is an unfortunate outcome for this public body. Vendors like Veracode in 2014 were offering free scans, with no strings attached. The council officials could have protected the 30,000 leaked email records without incurring any additional cost burden," said Veracode's Paul Farrington (@pfarrington_tm).
Despite frequent talk of tension between software development and security teams, it turns out more than half of organizations surveyed have these two groups collaborating.
"The problem is that the healthcare industry, which is rushing headlong into the IoT, has a bad track record when it comes to cyber security. BitSight, a Boston firm that ranks companies for their level of cybersecurity, compared five industries: health care, finance, retail, utilities, and federal agencies. Health care, represented by 2,500 companies in the survey, placed dead last. Veracode, another Boston cyber company, also looked at five industries, but with a different metric. It asked what percentage of known vulnerabilities in software were fixed. In manufacturing, over 80 percent of the problems had been addressed. In medicine, it was half that number. In fact, more than three quarters of all medical software applications currently in use have a known vulnerability."
Developers have the opportunity to change the world with Artificial Intelligence. Learn how CA's suite of products is helping clients. It was great talking with Ayman Sayed, Chief Product Officer at CA Technologies during the Build to Change Summit.
"While far from revolutionary, the NYDFS regulations present an interesting opportunity for New York's financial services industry to become a golden beacon of best practice for introducing and maintaining a secure culture in their organisation. These new standards are the first of many that, in time, we hope, will put to bed the routine box-ticking cybersecurity exercises that ultimately leave organisations non-compliant and at a greater cyber risk," writes Colin Domoney (@colindomoney), Consultant Solution Architect, Veracode.
A decade-old form of malicious software known as ransomware has been making headlines after cybercriminals hijacked hundreds of thousands of computers worldwide. Ransomware, which is often transmitted by email or web pop-ups, involves locking up people’s data and threatening to destroy it if a ransom is not paid. The global cyberattack has affected 200,000 Windows computers in more than 150 countries, including China, Japan, South Korea, Germany and Britain.
The global cyberattack that crippled computers around the world combined elite hacking tools with a particularly devastating form of malicious software known as ransomware. But there was another factor that helped turn the outbreak into one of the nastiest computer infections ever: human fallibility.
A global cyber attack on Friday renewed concerns about whether the U.S. National Security Agency and other countries' intelligence services too often hoard software vulnerabilities for offensive purposes, rather than quickly alerting technology companies to such flaws.
After months of rumors and leaked drafts, and amid another week of White House controversy that included the firing of FBI Director James Comey, President Donald Trump signed an executive order on cybersecurity.
A global cyber attack using hacking tools widely believed to have been developed by the US National Security Agency and leaked online by a group called the Shadow Brokers has caused chaos around the world.
What Developers Don't Know About Security Can Hurt You: developers won't start writing secure code just because you tell them it's part of their job. You need to give them the right training, support, and tools to instill a security mindset. More from Veracode's Director of Developer Engagement Peter Chestna (@PeteChestna).
DevOps has ushered in a new trend. Teams are moving from batched releases of functionality to single-piece flow. In other words, we no longer think about collecting the work of multiple engineers over multiple sprints into a release. Our ability to bring value to the customer as soon as possible and out-innovate the competition will be driven by releasing the work of a single engineer as soon as it is ready. This is typically accomplished through a continuous integration/continuous delivery (CI/CD) pipeline that runs directly from the source repository through automated testing and finally to deployment into production, preferably without any human intervention. What does this mean for developers? Plenty. In this piece, Pete Chestna (@PeteChestna) takes a look at the major capabilities needed by software engineers who want to thrive as full-spectrum engineers (FSEs).
The new release of the OWASP Top 10 list is out for public comment from the Open Web Application Security Project, and while most of it remains the same there are a couple of new additions, focusing on protections for web applications and APIs. To make room for the new items, a couple of older ones were either removed or merged into new items. Chris Eng, vice president of research at Veracode, pointed out that the addition of API protections to the list was redundant. "There's really no need to create a new category for APIs," he said. "If there were a new and prevalent class of vulnerabilities unique to APIs then it would make sense to highlight. Otherwise, the repetition is only going to be confusing."
What has not been updated in the new OWASP Top 10 list is almost more significant than what has. More from Chris Eng (@chriseng), vice president of research, Veracode.
DevSecOps is an effort to bring security into the mix. DevOps is hard to do and security is harder. But at a time when security breaches continue to dominate the headlines, there's no question that security and DevOps need to come together. The only issues are when and how. We asked experts at the intersection of DevOps and security for their best advice on trying DevSecOps. Peter Chestna, Director of Developer Engagement at Veracode, states: "Developers aren't trained in security. So simply educating developers in the basics of security will go a long way."
While some Java features can lie dormant for years before being popularized, Java 8's functional additions have sparked widespread adoption. To gather insights on the state of the Java ecosystem today, we spoke to nine executives who are familiar with the ecosystem. We asked these experienced Java professionals "What have been the most significant changes to the Java ecosystem in the past year?"
A new release of NSA cyberweapons falls flat, as the Windows exploits from the Shadow Brokers have mostly been patched, but unsupported systems are still at risk. Chris Wysopal, CTO and co-founder of Veracode, said the timing of the release "was well designed." "Some of the exploits are for Windows Vista, which was just end-of-lifed on Tuesday [last] week. This means they may never get patches for the vulnerabilities," Wysopal told SearchSecurity.
Following the news that a new zero-day vulnerability affecting all supported versions of Microsoft Word has been uncovered and is already being used to launch attacks, Paul Farrington, Manager, EMEA Solution Architects at Veracode, comments: "the Microsoft engineers will not only need to devise a patch for this vulnerability, but also to remodel their threat assessment of this type of file interaction. They will need to make the opening of untrusted Word documents a viable option once again, else a major benefit of this word processing software would be seriously weakened."
FireEye Labs has warned of a zero-day vulnerability affecting Microsoft Word. The warning came in a blog post by Threat Researcher Genwei Jiang. In the post, Jiang says FireEye alerted Microsoft to the vulnerability a few weeks ago and that Microsoft was already working towards a fix. At first glance this seems like just another attack that can be quickly patched and resolved. However, Paul Farrington, Manager, EMEA Solution Architects at Veracode, a company recently acquired by CA, says it is much more serious than that.