In the News

In the News Sep 07 2016 WGBH News

Is Voter Fraud Going High Tech?

The FBI has reportedly told election officials in Arizona and Illinois that Russian hackers are pursuing their voter lists. Federal officials have sent a warning to all state election officials that there could be attempts to hack any election-related networks. Veracode Co-Founder Chris Wysopal (@WeldPond) and Harvard Cyber Security Project Postdoctoral Fellow Ben Buchanan (@BuchananBen) joined Jim to discuss potential election hacking.

In the News Aug 25 2016 Battery Ventures

Veracode chosen in glassdoor “50 Highest Rated Private Cloud Companies to Work For” List

Delivering key tech infrastructure and software through the cloud is one of the biggest technology trends today, driving billions in new revenue—and also much of the tech industry’s recent M&A activity.

In the News Mar 11 2016 Associated Press

Cruz campaign updates smartphone app to fix security flaws

The campaign of Republican presidential candidate Ted Cruz updated its mobile app after an independent review found security flaws that could have allowed hackers to access personal data from users. The computer-security firm Veracode performed audits of the "Cruz Crew" app and those released by other 2016 presidential contenders at the request of The Associated Press.

In the News Mar 07 2016 IDG

Is a cyber-liability insurance policy in your company's future?

Who’s going to decide when you have negligent security or good security? There are certain common sense things you need to do. The thing is codifying those common sense things – like application security best practices. I think the cyber insurance industry will help do that because they don’t want to pay out, which in turn will create a baseline for security best practices.

In the News Mar 07 2016 Dark Reading

Automakers in the hotseat for vehicle cybersecurity

The more complicated a supply chain is, and the more individual pieces it has, the more difficult it is to do security. There are so many different parties involved: infotainment, connectivity, and they’re going with someone else to do the OS, like Apple CarPlay, for example. Ford and Toyota are going with their own OSes. Who’s building the apps? [Likely] a third party. For at least three years they are going to have to deal with inbound vulnerabilities at a rate higher than today and have to respond to them.

In the News Mar 06 2016 eWeek

Security training for developers failing to keep up with threats

Services like Veracode can help because their remediation services include consultation with coding experts so that developers see where mistakes are being made. "You need to start before you get to that point," Wysopal said. "You need to understand your application's threat model up-front, how you could be attacked, what data they might go after. Then test before you get hacked versus the threat model."

In the News Mar 02 2016 Threatpost

DROWN flaw illustrates dangers of intentionally weak crypto

Chris Eng, VP of research at Veracode, points out DROWN is the most recent, but far from the only example of intentionally crippled encryption (or backdoors) that have come back to haunt security professionals. “In the security industry there are a number of examples. That’s happened over and over again. The most recent is the Juniper backdoor and Dual EC DRBG. These (backdoors) were meant to be secrets that maybe only the maintenance staff or only a few knew about. But once that secret gets out then the good guys know it and the bad guys know it. It then takes a lot of effort to go back and patch the long tail of deployed products.”

In the News Mar 01 2016 Threatpost

Car industry three years behind today’s cyberthreats

“When you think about the plans to allow customers to download apps for infotainment systems to control different environments, the risk is only going to increase,” Wysopal said. “What’s going to happen when something goes wrong?” Eighty-seven percent of drivers polled said car manufacturers should be liable for the safety of the car, including third-party app reliability, manufacturer apps and protection from hackers. “We have answered a lot of these questions in the smartphone world with iOS and Android,” Wysopal said. “But when it comes to automobile safety it gets much trickier.”

In the News Feb 18 2016 SC Magazine

Stack-based buffer overflow bug found in glibc

Like Heartbleed and Shellshock before it, the glibc vulnerability reinforces the reality that using components in the application development lifecycle introduces risk. ...our software is constructed like Legos, relying on components rather than coding. This is why it's important to have complete visibility into all of the components development teams are using, as well as the versions being used, to ensure they can quickly patch and/or update the component version when a new vulnerability is disclosed.

In the News Feb 17 2016 Re/code

Can CNAP succeed without building on past lessons in safety?

For decades, cities were built and developed with functionality and convenience in mind. It wasn’t until the Great Chicago Fire destroyed an entire city and cost the lives of hundreds of people that cities began creating fire codes. They realized there were diminishing returns on building more fire stations. The buildings themselves needed to become more fireproof. Like a rapidly growing city, we’ve built our applications quickly and without regard for the fact that they exist in a hostile environment. Every application that holds valuable data will be attacked, just like every car will drive on a slippery road and every person will be exposed to pathogens. We have to stop pretending we can keep the bad guys from attacking the code that protects our data.

In the News Feb 10 2016 Dark Reading

Simplifying Application Security: 4 Steps

Fortunately, the path to writing and deploying secure applications is not as hard as it’s made out to be. Any company can go from having an ad-hoc approach to having an advanced program, regardless of the number of applications that need securing.

In the News Feb 08 2016 CBR Online

Why moving to cloud and mobile might be a security advantage

Veracode’s Sam King comments that the strategic benefits of cloud and mobile adoption within organizations mean that security professionals no longer have to fight to be heard in their firms. "They don't have to convince anybody that there's something they have to be concerned about when you've got an application and you're retailing it through another person, like Apple iTunes or Google Play or what have you.”

In the News Feb 08 2016 eSecurity Planet

5 Best Practices for Reducing Third-Party Security Risks

Any vendor should be able to show proof that they conduct code reviews on any applications that touch your applications. “If they say, 'No, we don't do that,' or 'We don't share results on our internal security,' they probably do, and they're just trying to make you go away," said Chris Wysopal, CTO for Veracode. "One of the things we've learned is that if you push hard enough, they say, 'Yeah, you're right. We have had a third-party audit, and we can show you the results.'"

In the News Feb 08 2016 SC Magazine

£4bn investment for NHS digital transformation

The rise in healthcare mobile applications could cause headaches for the government. That's why it's vital that all applications which access confidential data are fully tested and protected from vulnerabilities which could be an easy target for cyber-criminals wishing to damage the NHS or profit from the wealth of sensitive data it holds.

In the News Jan 22 2016 Healthcare Info Security

App Security in Healthcare: Avoiding Missteps

Healthcare organizations need to carefully scrutinize the security of electronic health record and other applications they use because encryption and other features often have shortcomings.

In the News Jan 21 2016 Network World

Healthcare IT execs fear loss of life due to hacked medical devices or networks

The fear of cyberthugs exploiting vulnerabilities in web, mobile, and cloud-based apps is more worrying to healthcare organizations than user error like employee negligence, malicious insiders, and phishing attacks.

In the News Jan 21 2016 Health IT Security

Health Application Vulnerabilities Top IT Executive Concern

Veracode’s Chris Wysopal said that 80 percent of healthcare applications contain easily avoidable cryptographic issues such as weak algorithms, which is why keeping security a priority as software is being built is essential for the industry.

In the News Jan 21 2016 FierceHealthIT

Loss of life, liability top cybersecurity fears for health IT leaders

One thing insecure applications have accomplished is to increase healthcare’s fear of liability. 57% of those surveyed are increasing spending on external security assessments; 56% are adding liability clauses into contracts with commercial-software vendors in their supply chain; 54% are implementing frameworks like the SANS Institute Security Controls.

In the News Jan 07 2016 SC Magazine

Drupal install process appears to be dripping

It is highly concerning that potentially millions of sites have been left vulnerable to attack through issues with Drupal's update process. Applying security patches to software in a timely fashion is an essential part of any good security management process and when this becomes unreliable it leaves users with an unknown and unmanaged risk in their environment.

In the News Dec 05 2015 MotherBoard

New Analysis: The Most Hackable Programming Language Is Hands-Down PHP

Based on code analyses and scans of 50,000 different applications written within the past 18 months, cloud security firm Veracode has compiled a list of the most and least secure programming languages. Software engineers won't find it especially surprising, with PHP, venue for many a popular and ready-made hack, blowing away the competition.

In the News Dec 03 2015 Dark Reading

The Programming Languages That Spawn The Most Software Vulnerabilities

The wave of WordPress and Drupal vulnerability warnings and patches over the past couple of years, as well as the never-ending discovery of SQL injection bugs in Web applications, can actually be traced back to their underlying scripting language – PHP.

In the News Dec 03 2015 CSO Online

Scripting languages most vulnerable, mobile apps need better crypto

When it comes to mobile development, the single biggest security issue was weak or ineffective cryptography, the Veracode report said. Specifically, 87 percent of Android applications and 80 percent of iOS applications had cryptographic issues.

In the News Nov 23 2015 Dark Reading

SAFECode Releases Framework For Assessing Security Of Software

While it is encouraging that the largest software vendors in the world are beginning to consider the need for communicating about the security of the software products they produce, a focus on only the most-mature vendors sets the wrong expectation for buyers about the overall level of maturity in the market.

In the News Nov 19 2015 The Register

George Osborne fires starting gun on £20m coding comp wheeze

Coding vulnerabilities in web applications remain one of the most frequent patterns in confirmed breaches and account for up to 35 per cent of breaches in some industries. Understanding these threats and the security measures that developers must take to ensure they aren’t using exploitable or malicious code is essential to our global cyber hygiene. This was demonstrated earlier this Autumn when the XcodeGhost malware infiltrated the Chinese Apple App Store after developers used a local, bootlegged version of Xcode that contained the malicious code, rather than the original Apple version.

In the News Nov 13 2015 SC Magazine

BlackHat Amsterdam: 'numbers will make the difference' when securing the IoT

The devices that make up what we call the IoT are subject to the same software mistakes as you'd find in any computer program. We know how to protect against them, we know how to code against them and yet the same mistakes still crop up.