Research

Posts from the Veracode security research team that zero in a bit on new ideas, trends, and technology. The content here will help deepen your understanding of various application security topics and satisfy the technically-inclined reader.

Improving Software Security Through Vendor Transparency

cwysopal's picture
By Chris Wysopal June 12, 2014  | Research

chris-wysopal-fs-isac-vendor-security_2.jpg Chris Wysopal moderates a panel discussion at the FS-ISAC & Bits Annual Summit 2014   According to Gartner, enterprises are getting better at defending traditional network perimeters, so attackers are now targeting the software supply chain. This has made third-party software – including commercial and outsourced... READ MORE

Benefits of Binary Static Analysis

cwysopal's picture
By Chris Wysopal May 19, 2014  | Research

we-heart-binaries_2.jpg 1. Coverage, both within applications you build and within your entire application portfolio One of the primary benefits of binary static analysis is that it allows you to inspect all the code in your application. Mobile apps especially have binary components, but web apps, legacy back office and desktop apps do too. You don’t want to only analyze the... READ MORE

Agile SDLC Q&A with Chris Eng and Ryan O’Boyle – Part II

CEng's picture
By Chris Eng April 16, 2014  | Research

Welcome to another round of Agile SDLC Q&A. Last week Ryan and I took some time to answer questions from our webinar, "Building Security Into the Agile SDLC: View from the Trenches"; in case you missed it, you can see Part I here. Now on to more of your questions! Q. What would you recommend as a security process around continuous build? Chris-107x150_33.jpg Chris: It... READ MORE

Agile SDLC Q&A with Chris Eng and Ryan O'Boyle - Part I

CEng's picture
By Chris Eng April 10, 2014  | Research

Recently, Ryan O’Boyle and I hosted the webinar “Building Security Into the Agile SDLC: View From the Trenches”. We would like to take a minute to thank all those who attended the live broadcast for submitting questions. There were so many questions from our open discussion following the webinar that we wanted to take the time to follow up and answer them. So without further ado... READ MORE

Security Headers on the Top 1,000,000 Websites: March 2014 Report

IDawson's picture
By Isaac Dawson March 14, 2014  | Research

The March 2014 report is going to be a bit different than those in the past. This is primarily due to architectural changes that were made to get more precise data in less time. Additionally, a lot of work has been done to automate generation of these reports so they can be released more often. Our scan was run on March 5th 2014 using the latest input from the Alexa Top 1 Million.... READ MORE

Guidelines for Setting Security Headers

IDawson's picture
By Isaac Dawson March 12, 2014  | Research 4

As part of our Alexa Top 1 Million Security Headers post series(Nov 2012 - Mar 2013 - Nov 2013,) it is not uncommon to have to go back and re-read specifications to determine which header values are valid. While there are numerous sites that detail the various headers and what they do, there isn't a central place that gives developers the information necessary to identify common mis-... READ MORE

Do Not Pass QA, Do Not Goto Fail: Catching Subtle Bugs In The Act

MElliott's picture
By Melissa Elliott February 24, 2014  | Research 5

687474703a2f2f692e696d6775722e636f6d2f6e454859716d532e706e67_0.png Bugs happen. Severe bugs happen. Catastrophic bugs happen. There's simply no way to know how, exactly, the Goto Fail Bug – a tiny mistake which happened to disable an entire step of SSL verification deep in Apple code – ended up getting written into sslKeyExchange.c and saved. What is clear is that the bug got... READ MORE

Cybercriminals Aimed at Supply Chain to Reach Their True “Target”

cwysopal's picture
By Chris Wysopal February 5, 2014  | Research

So far the Target breach has caused 15.3 million credit cards to be reissued, costing millions of dollars to credit card companies. The full scope of the breach is not yet fully understood or known, but new details are coming out almost daily. For example, an article in the Wall Street Journal recently disclosed that the cyber-criminals were able to access Target’s systems through a third-... READ MORE

A Tale of Two Compilers

MElliott's picture
By Melissa Elliott November 25, 2013  | Research

What’s wrong with the following C code? char buf[32]; scanf("%32s", buf); It’s a classic and easy to make off-by-one error, caused by the willy-nilly inconsistency of common C functions regarding whose responsibility the null terminator is and whether it’s included in a passed count of bytes. In this case, scanf() will read up to 32 bytes from... READ MORE

CA Veracode Picks for BlackHat 2013

CEng's picture
By Chris Eng July 29, 2013  | Research

Here we go again. BlackHat time. Where to Find Us CA Veracode will be exhibiting at Booth #238. Please stop by and see us! Our Picks As usual, a few of us on the CA Veracode Research team are sharing our picks for the most interesting talks. Some were picked by more than one of us but I've only listed them once to save space. It's cool to see more binary analysis talks making it on to the... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

 

 

contact menu