Med Tech’s Promiscuity Problem

A roundtable discussion of medical device security finds that innovation in the connected health space is outstripping security. And the problem will get worse before it gets better. Physicians are used to counseling their patients on the need to take care of themselves and take reasonable precautions to protect themselves from harm. Are you fond […]

First Prioritize, Then Patch: Yes, Another Blog on PCI 3.0

In November’s update to PCI DSS, now on version 3.0, you may have noticed that the PCI Security Council switched the order of the first two application security focused sub-requirements. Requirement 6.1 now focuses on establishing ongoing best practices, while 6.2 moves on to patching and remediation efforts. Some of our customers have questioned the […]

Why Did the Chicken Cross the Road? To Get Its 3rd-Party Applications Secured!

In the revisions to PCI DSS, now on version 3.0, the PCI Security Council added a note to Requirement 6.3, extending the secure software development mandate to include all custom, third-party developed software. At Veracode, we’ve been talking about the need to secure your third-party code for quite some time now, so we’re excited to […]

NIST Updates Guidance On Securing Software Supply Chains

An updated guide on risk management practices recommends that companies pay more attention to the security of their software supply chain. A draft release of an updated risk management guide from the National Institute of Standards and Technology (NIST) is warning federal agencies and other firms that operate “high impact systems” to pay more attention […]

Software Security: At the Front Line of Data Protection

A report released in the UK this week highlighted nicely the link between software security and data protection, a very hot topic this side of the pond in the midst of EU regulation reform and post-PRISM privacy concerns. The Information Commissioner’s Office (ICO), the UK’s independent regulatory office dealing with data protection and data privacy, […]

Lawsuits, Regulations and Third-Party Security

Every year the world seems to grow a little more regulated – and punitive. We’re now seeing banks suing retailers and compliance management firms over PCI assessments. And the recent breach in question appears to be related to insufficient controls around third-party suppliers. According to the Verizon PCI Compliance Report, 84% of organizations that suffered […]

Food for Thought: Mobile Application Security & HIPAA

As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.

O Budget Where Art Thou? Getting Application Security Funded With BSIMM

The first hurdle to running any successful Application Security program is getting it adequately funded. This should come as no great surprise to anyone. Software security is no different than any other IT initiative. Even a willing security team who has considered the ways needs to find the means, and that involves making a compelling case to those that hold the purse strings.