Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Stolen Data Headers from the Federal Reserve Hack

By Chris Wysopal, February 6, 2013 | Research 8

Just another day at the office. Anonymous hacked into a Federal Reserve computer. Wait, what? Don’t worry, the attackers did not make off with any money, as far as we can tell, or disrupt any critical functions. What did they get? Just the details of 4000 bank executives. The data has been posted to pastebin and hosted on several compromised sites including other government sites. Someone...

Software Upgrade Hygiene: Stop Putting It Off, It Will Only Hurt More

By Melissa Elliott, February 5, 2013 | Research 7

Many years ago, you got your first job and bought your first car. It was a reasonable price, sturdy, and you made sure always to wear your seatbelt and not to break the posted speed limit too badly. It did its job and served you well as you went to college and started your career. Now, that car is quite old. The air conditioner broke three years ago and you just never got around to fixing it. It...

Android Apps Phoning Home

By Chris Eng, January 22, 2013 | Research

Last fall, we acquired some cool mobile security technology that we've been feverishly working to integrate and bring to market for a few different use cases. By way of introduction, the Marvin technology gives us a way to quickly assess various characteristics of a mobile app and identify new variants of mobile malware. That's done through a combination of quick static analysis and instrumented...

Ubuntu Snafu: Privacy Is Hard, Let's Go Shopping

By Melissa Elliott, September 25, 2012 | Research

The following post is about a beta software release, which may — and hopefully will — change. You know what they say about assuming... My faithful army of security-minded Twitter followers alerted me to a sudden change in the Ubuntu Linux distribution's 12.10 beta build that they found alarming: Amazon search had been integrated into the system search bar by default, so that, for...

How Sally Got Owned: An Illustrated Example of How Piracy Can Endanger Your Mobile Device

By Melissa Elliott, July 19, 2012 | Research 7

Last week, a fake iOS App Store server went live with simple instructions for how to circumvent paying for in-app purchases (such as bonus levels in games) and unlock them for free. Most apps were vulnerable to being duped into believing the user had already paid for their content. Many people willing to engage in software piracy eagerly followed the steps and found that they worked, but...

Between You and Me, This Isn't Private

By Melissa Elliott, July 11, 2012 | Research

When you tap your life's details into the latest and greatest cloud-enabled mobile app, where does that information actually go? When you post on a website that claims you're anonymous, are you really? Hey, did you read the privacy policy for any of those services you're using? Do they even have a privacy policy? In the rush to play with new online services – which,...

Static Analysis: Following Along at Home with Hopper's Decompiler Feature, Part 1

By Melissa Elliott, May 29, 2012 | Research 5

No source code? No problem! That's the motto of the binary analyst. We at Veracode have pushed the limits of static analysis (studying a program's behavior without running it) to automatically detect and report security vulnerabilities in our customers' codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical uses: Uncovering the...

Top Ten Java Frameworks Observed in Customer Applications

By Tim Jarrett, January 31, 2012 | Research

One of the great things about the Veracode platform is the insight we get from examining our anonymized customer data - not only information about the vulnerability landscape (as published in the State of Software Security report) but insight into the composition of the applications that we scan. As I alluded to in my last post, one of the things we record when scanning applications is the presence...

Application Security Debt and Application Interest Rates

By Chris Wysopal, February 25, 2011 | Research 3

Technical Debt: Architects and developers are well aware of the term technical debt, but many in the security community have never heard of this concept. Ward Cunningham, a programmer who developed the first wiki program, describes it like this: "Shipping first time code is like going into debt. A little debt speeds development so long as it is paid back promptly with a rewrite... The danger occurs..."

Veracode Recognized as a Leader in the Magic Quadrant for Static Application Security Testing

By Chris Wysopal, December 15, 2010 | Research

The 2010 Gartner Magic Quadrant for Static Application Security Testing (SAST) has been published and Veracode is recognized as a leader. We are pleased to be able to share the leaders position with IBM and HP, two of the biggest and oldest companies in information technology. I am very proud of the work the Veracode team has been able to accomplish as a 4.5 year old company. To get our service...
