News

Our latest business and technology news


In the News Sep 28 2017 CSO

SecDevOps is hindering developers who are keen on Agile but inadequate at security

Developer-focused education crucial as pen-testers find the same application security problems, over and over again

In the News Sep 25 2017 IDG Connect

DevOps: Where’s all the security talent?

Digital transformation has completely changed how businesses consume applications and software. Businesses are increasingly looking to technology to drive greater efficiencies and create new revenue streams, with Gartner predicting that the enterprise software spend will increase to $351 billion this year. More from CA Veracode's Colin Domoney (@colindomoney).

In the News Sep 20 2017 eWeek

CCleaner Attack Shows Need to Bolster Software Development Security

The latest targets of attackers are developers and insecure development processes, highlighting the need to instill security checkpoints in the development process.

In the News Sep 19 2017 Information Security Buzz

Malicious WordPress Plugin Used To Hijack More Than 200,000 Websites

It was reported that a malicious WordPress plugin has been discovered which has been used to hijack more than 200,000 websites. The plugin called Display Widgets has been found to contain a backdoor that could allow hackers to access what is posted on the site and modify content on infected pages. Colin Domoney (@colindomoney), Consultant Solution Architect at Veracode commented.

In the News Sep 15 2017 Computer Business Review

Is automation the great cybersecurity liberator?

Some are concerned by the prospect of automation threatening the jobs of humans, but it could give skilled professionals the time to defend against cyberattacks more effectively.

In the News Sep 13 2017 O'Reilly

Chris Wysopal on a shared responsibility model for developers and defenders

In this episode of the O'Reilly Security Podcast, Courtney Allen talks with Chris Wysopal (@WeldPond), co-founder and CTO of Veracode. They discuss the increasing role of developers in building secure software, maintaining development speed while injecting security testing, and helping developers identify when they need to contact the security team for help.

In the News Sep 12 2017 ITProPortal

The new order in an open source software world

According to CA Veracode's Colin Domoney (@colindomoney), open source software brings a new set of challenges, but if implemented correctly it keeps your organisation just as secure as proprietary software.

In the News Sep 12 2017 IT-Daily

Security by design is essential for IoT devices

Cyber criminals and security researchers are constantly finding new ways to hack IoT devices. Julian Totzek-Hallhuber, Solutions Architect at Veracode, explains why "Security by Design" is so important for IoT devices.

In the News Sep 08 2017 SC Magazine UK

DolphinAttack could allow hackers to take over AI voice assistants

Scientists in China have found that ultrasound frequencies that human ears cannot perceive could be used to issue commands to smart home assistants such as Alexa, Siri and Cortana. Dubbed DolphinAttack, the technique was described by researchers at Zhejiang University in a research paper; they said they successfully tested attacks on several products, including Alexa, Cortana, Google Now, Huawei HiVoice, Samsung S Voice, and Siri.

In the News Sep 08 2017 Infosecurity Magazine

Ultrasonic "DolphinAttack" Could Hack Voice Assistants

Security researchers have warned that voice assistants made by the likes of Amazon, Google and Apple could be ‘hacked’ by remote attackers broadcasting commands in ultrasonic frequencies. Researchers in China found that broadcasting the commands via a loudspeaker enabled them to activate the assistant from several metres, in what they called a “DolphinAttack.”

In the News Sep 08 2017 Security Week

Siri, Alexa, Google Now Vulnerable to Ultrasound Attacks

A team of researchers from Zhejiang University in China has demonstrated how several popular speech recognition systems can be controlled using ultrasound via an attack method they have dubbed “DolphinAttack.” The experts tested Apple’s Siri, Google Now, Samsung’s S Voice, Huawei’s HiVoice, Microsoft’s Cortana, Amazon’s Alexa and the speech recognition system in an Audi Q3 vehicle. They modulated various voice commands onto ultrasonic carriers at a frequency of 20,000 Hz or higher in order to make them inaudible to humans.

In the News Sep 08 2017 TechBeacon

DevSecOps is doable: 5 ways to unite security and dev teams

Despite the many hacks and breaches consistently making headlines, businesses can't afford to slow down their development processes because they don't want to lose out to the competition. This places them in an awkward position: deciding between speed and an extra step for the sake of security. But the worry is misplaced; companies don’t need to trade speed for security or security for speed.

More from Veracode's Pete Chestna (@PeteChestna).

In the News Sep 07 2017 FAZ.net

Can the federal election results be manipulated?

The Federal Office for the Protection of the Constitution warned of hacker attacks on the German federal election months ago. Could criminals distort the result by attacking it?

When the polling stations close on September 24, things can become critical, because that is when the votes of the federal election are counted. From the level of the regional returning officers upwards, the process becomes digital, and it is here that the security authorities expect hacker attacks on the servers. Werner Maaßen, President of the Federal Office for the Protection of the Constitution, has warned of hacker attacks on the Bundestag election for several months. The Chancellery and the returning officers take these warnings very seriously. "Together with the staff of the Federal Office for Information Security, we have looked very intensively for weaknesses and are well prepared," says Klaus Pötzsch from the office of the Federal Returning Officer. For example, the preliminary notifications carrying the first count results on election night are passed on by telephone. (…)

According to Veracode's Julian Totzek-Hallhuber, the planning of a possible attack depends on whether the election is merely to be disrupted or actually manipulated. In the first case, the hacker would launch an overload attack on the switching computers of the telecommunication companies that provide the trunk lines for the administrative network. Many millions of data packets are fired at the switching machines until they are brought to their knees. In that case the count would be delayed by many hours. (…)

"Those who want to hack the federal election in September have already completed the preparations for the attack," says Totzek-Hallhuber.

In the News Sep 07 2017 ZDF heute

Election hacking: Luckily, we have papers

Can the German federal election be hacked? Reports of security problems are currently making waves. In focus: a piece of software that tallies the results of individual polling stations. In fact, however, it is of secondary importance. And then there is the good old paper ballot.

The federal election is a decentralized matter - federalism demands it. Cities and municipalities largely decide independently how they handle, for example, election results. The statutory provisions of the Federation provide only a framework. In addition, the returning officer has issued some urgent recommendations that should be taken into account when counting the votes on election day and during their subsequent transmission. (…)

"As a hacker, I would attack exactly this data transfer," says IT security officer Julian Totzek-Hallhuber from the security specialist Veracode. "Because it is based on public lines and is thus in principle vulnerable."

In the News Sep 04 2017 Infosecurity Magazine

The Developers' Skills Gap for Secure DevOps

In today’s application economy, we’re seeing ever-greater demand on software development. Software and applications have risen to the front office, where missed deadlines result in lost revenues and poor functionality can lead to lost customers. Increasingly, businesses are embracing DevOps to feed their need for speed, binding together the previously separate developer and operations teams.

More from Veracode's Maria Loughlin (@marialoughlin).

In the News Aug 30 2017 The Security Ledger

Hacking Warships, Capitol Hill takes a Swing at IoT Security and why CS Grads don’t get Security

A new survey by the firm Veracode found that 70% of information technology professionals feel their security education is not adequate for their current positions. In this week’s podcast we talk to Maria Loughlin (@MariaLoughlin), the VP of Engineering at Veracode about why that is, and how to fix it.

In the News Aug 25 2017 CSO

DevOps as an AppSec enabler

DevOps is turning out to be more security-friendly than most predicted. In the recent AppSec and DevOps Trends Report from ESG and Veracode, 45 percent of IT pros revealed that DevOps is actually bringing application security to the forefront and making it even easier to implement and manage. The report surveyed 400 IT, cybersecurity, and application developer professionals involved with application security initiatives about their perspective on AppSec’s role in a DevOps world. While conventional wisdom would say that security testing would have a hard time fitting into a fast-paced, frequent releasing DevOps environment, this isn’t always the case. 

More from Veracode's Chris Wysopal (@WeldPond).

In the News Aug 22 2017 International Business Times UK

Does your resume contain malware? LinkedIn bug could have allowed hackers to spread malicious code

Hackers are known to always be on the lookout for new ways to scale up their attacks, and so go after businesses and organisations that may help them exploit vulnerabilities to infect a wider network of targets. A LinkedIn bug, recently uncovered by security experts, could have provided cybercriminals with just such an avenue of attack.

In the News Aug 22 2017 Wall Street Journal

Vetting Code Libraries, Not Just Kaspersky, Will Improve Security

When the Trump administration removed the Moscow-based Kaspersky Lab AO from the list of cybersecurity vendors authorized to protect U.S. government agencies, it highlighted an uncomfortable question: Should corporate America also avoid software built in Russia, China, or other areas of the world where hackers thrive?

At this stage, when so little public information about the government's Kaspersky concerns is available, it would be an overreaction to ditch foreign-built security software altogether, numerous experts told WSJ Pro. Instead, businesses should scrutinize the open-source code libraries that often provide the foundation for developers building corporate software and applications. Coders from around the world contribute to the open-source libraries that other professional developers then repurpose for their clients, in projects ranging from a small application to an entire operating system.

"Some of these open-source libraries have hundreds of committers who submit. If you were thinking maliciously, this is the way you'd go about it because you'd go for something that's already deployed widely," said Chris Eng (@chriseng), vice president of research at Veracode, the application security company recently acquired by CA Inc. "It's less about vetting for geography and more a factor of 'Will this library help me make a program with the functionality I need, so I don't have to write it all from scratch?'" More from Wall Street Journal's Jeff Stone.

In the News Aug 22 2017 Information Security Buzz

UK Govt: UK Company Directors Unprepared For Cyber Attacks

The latest government ‘cyber governance health check’ and a survey of the UK’s top 350 companies revealed that more than two-thirds of boards have not received training to deal with a cyber incident.

In the News Aug 21 2017 Design Products & Applications

DevOps suffering security skills

The 2017 DevSecOps Global Skills Survey, sponsored by Veracode (acquired by CA Technologies) and DevOps.com, found that while 65 percent of DevOps professionals believe it is very important to have knowledge of DevOps when entering IT, 70 percent say they are not receiving the necessary training through formal education to be successful in today’s DevSecOps world. DevSecOps refers to the practice of integrating security into the development and testing of software, a “shift left” mentality aimed at faster, better-quality outcomes.

In the News Aug 14 2017 Axios

The 'Digital Paramilitary'

The saw is that sometimes you need a thief to catch a thief, and so it may be with the current crisis in cyberspace around intelligent bots, fake news and the hacking of multiple elections — a hacker army, paid or unpaid, could do a lot to stop the onslaught. Only, with some notable exceptions, the professionals possessing the skills to ferret out and combat the bad guys are hobbled by laws and held at arm's length by society, per the New York Times' Kevin Roose.

I spoke with a few professional hackers and cyber experts. Among the former is Eugene Dokukin, a Ukraine-based man who has run a one-man campaign against Russia since the 2014 Ukraine invasion. In an hour-long chat by Skype, he said the fight goes on — petitioning companies like PayPal, Twitter, Facebook and Google to shut down accounts that he thinks support Russia's cyber war, and hacking into them himself if that doesn't work. "I am a white hat. I am ethical, even if I use unethical methods against the Russians," he said. "It is war."

In the News Aug 14 2017 SC Media

NSA tools used to hack hotels; WikiLeaks in CIA Couch Potato dump

Travelers to Europe and the Middle East need to be aware of an on-going malware campaign that is targeting hotel and hospitality Wi-Fi networks and being used to glean guest and corporate information.

In the News Aug 14 2017 Dev Insider

Security analysis in the development and build process

Veracode has extended the HPE Application Lifecycle Manager (ALM) with a Flaw Synchronizer plug-in. The aim is for security vulnerabilities to be identified and corrected at an early stage of the software development lifecycle (SDLC). The Veracode HPE ALM Flaw Synchronizer plug-in automatically imports the findings of static and dynamic security tests into the HPE Application Lifecycle Manager, so development teams can manage the security findings directly in their integrated backlog.
