Just Another Web Application Breach

Another day, another web application breach hits the news. This time ITWorld reports Hackers steal user data from the European Central Bank website, ask for money. I can’t say that I’m surprised. Although vulnerabilities (SQL injection, cross-site scripting, etc.) are easy for attackers to detect and exploit, they are still very common across many web applications. […]

What the Bell Canada Breach Tells us About Legacy Sites and Third-Party Risk

We’re only a fraction of the way into 2014 and the data breach headlines keep coming. The latest in the list of cyber-attack casualties is Bell Canada, which was affected by a breach that impacted tens of thousands of its customers. On February 2nd, Bell Canada confirmed it had been hacked by hacktivist group “NullCrew”.

From a security perspective, it was interesting to note that the hackers did not have to rely on sophisticated, cutting-edge attacks to extract sensitive customer data.

Whitepaper: A Dose of Reality on Automated Static-Dynamic Hybrid Analysis

As application inventories have become larger, more diverse, and increasingly complex, organizations have struggled to build application security testing programs that are effective and scalable. New technologies and methodologies promise to help streamline the Secure Development Lifecycle (SDLC), making processes more efficient and easing the burden of information overload. In the realm of automated web […]

Art vs. Science

I was just reading Dre’s post, R.I.P. CISSP, over at the tssci security blog, in which he predicts the upcoming OWASP People Certification Project will be the next big thing. This paragraph is quoted from James McGovern’s blog (James is the project leader): As an Enterprise Architect, I understand the importance of the ability for […]

Cenzic Taking SPI to Court

RSnake blogged on this first but I can’t help but comment on it. Essentially, Cenzic managed to get a patent issued on the technique of fault injection, and now they’re getting litigious. The abstract from the patent reads as follows: A method of testing a target in a network by fault injection, includes: defining a […]

Veracode CEO Shares His Thoughts on Automated Vulnerability Analysis in Podcast

Veracode president and CEO, Matt Moynahan, was featured yesterday in a podcast interview with IT security expert Dan Sullivan on automated vulnerability analysis as a service. In the podcast, Matt answers questions on automated application vulnerability analysis – offered as an outsourced service. And he discusses why companies are looking for solutions that use multiple […]