External Code in the Software Development Process

By Chris Wysopal October 16, 2007

Recently I got a message from Kelley Jackson Higgins of Dark Reading. She was looking for some comments on Fortify Software's new paper on "Cross Build Injection" or "XBI". I had read the paper and, while I think the issues are real, the way they are framed, they miss the big picture. So I figured I would partake in a little "XPI", that's "Cross Publicity Injection", and take this opportunity to...

Exploits of a Mom

By Chris Wysopal October 10, 2007

XKCD has a funny web security theme today:

Classifying and Prioritizing Software Vulnerabilities

By October 8, 2007

We were more than pleased to read a new report by John Pescatore of Gartner recommending that security managers adopt the use of the Common Vulnerability Scoring System (CVSS) to support more repeatable, fast-acting vulnerability management processes. This recommendation backs up the decision made by our CTO, Chris Wysopal, more than a year ago to adopt the CVSS standard as a part of the Veracode...

Friday Hacker Brainstorming

By Chris Wysopal October 5, 2007

Sometimes when you are deep in the forest looking at one branch of one tree, trying to reduce false negative rates for detecting a specific class of software vulnerability, it is useful to step back and look at the forest of what is going on in criminal hacking. Today we were throwing some ideas around the office about hacking techniques we had seen reported. This got the discussion flowing...

Secure Software and Application Testing - Before Procurement

By September 25, 2007

Chenxi Wang of Forrester Research and Chris Wysopal, our founder and CTO, will discuss ways to secure applications before they are purchased and deployed in an enterprise -- as a part of contract negotiations and the RFI and RFP process. More information on the seminar and instructions on how to register can be found on the Veracode site.

PCI Extends Its Reach to Application Security

By Chris Eng September 20, 2007

Earlier this week, I attended the first PCI Community Meeting in Toronto, a gathering organized by the PCI Security Standards Council to bring QSAs, ASVs, and other PCI stakeholders together in one room with the PCI Council. Let's be honest here -- in the security industry, discussing regulatory compliance is about as dull as it gets. On the other hand, compliance is also a major catalyst,...

The Weakest Link

By September 17, 2007

We spend a lot of time thinking about hackers and abuse cases. This article entitled "Who Needs Hackers" by John Schwartz of the New York Times talks about how flawed systems, the increasing complexity of systems, and even mergers and acquisitions can make computer systems unreliable. The rush to market can lead to not enough testing. Pressures to ship software and hardware quickly and to keep...

Security Policy Without Enforcement Doesn't Work

By Chris Wysopal September 13, 2007

One of my first "real" jobs in security back in the 90s was working as an IT security engineer for a government contractor and internet backbone provider. One of our tasks was finding people who bridged the internal network with the internet. We found one guy who had been running his own e-commerce business on our external network. He showed up on our scans because he had two network interfaces on...

BlackHat 2007 Materials

By Chris Eng August 28, 2007

Finally getting around to posting our materials from the talk that Chris Wysopal and I gave at BlackHat this year entitled "Static Detection of Application Backdoors." Here are the slide deck and the accompanying whitepaper:

Static Detection of Application Backdoors (slides)
Static Detection of Application Backdoors (whitepaper)

Also, as a proof-of-concept, we had demonstrated using IDA Pro's...

Cenzic Taking SPI to Court

By Chris Eng August 21, 2007

RSnake blogged on this first but I can't help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they're getting litigious. The abstract from the patent reads as follows: A method of testing a target in a network by fault injection, includes: defining a transaction baseline; modifying at least one of an order and a structure...
