Secure Agile Q&A: APIs, IDEs and Environment Integration

A few weeks back, I hosted a webinar called “Secure Agile Through Automated Toolchains: How Veracode R&D Does It”, and in this webinar I discussed the importance of security testing and how to integrate it into the Agile SDLC. There were so many questions from our open discussion following the webinar that I have taken […]

Strategies for Rapid Adoption of a Security Programme within a Large Enterprise

Deploying the Veracode static code analysis tool across a large enterprise presents a number of unique challenges, such as understanding your application estate, prioritising your applications for scanning, and communicating with your application owners. This blog post provides some guidance based on my experience of delivering several hundred scanned applications in a 14-month time frame.

How to Run a Successful Proof of Concept for an Application Security Programme

So you’ve got upper management buy-in for your application security proof of concept and are ready to start scanning applications: how do you make sure your proof of concept (PoC) is a success, and that you demonstrate the need to progress to a full-scale programme? This article describes some of the lessons learned at the start of our large-scale deployment of Veracode within our organisation.

The first step is to socialise the PoC internally through word of mouth, discussion forums, and developer communities by driving interest in the availability of a new tool for developers, which will assist in the development process and produce better code.

Food for Thought: Mobile Application Security & HIPAA

As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.

New Google Resource for Hacked Sites

I’ve been attending the Search Marketing Expo in San Jose this week keeping up with all the latest and greatest in internet marketing. Monday’s keynote was a presentation from Google’s Matt Cutts and Bing’s Duane Forrester in which they ran through examples of all the things they’ve seen through their “excellent adventures” in working for search engines (it was a Bill and Ted themed presentation).

How We Made Social Sharing “Smarter”

For the curious developers or security folk following us, we wanted to share the methodology behind our latest tool, Smart Social Sharing.

The State of Social Sharing

Commercial sharing tools provide simple and fast social sharing of web content. Tools like AddThis, ShareThis and other CMS plugins that enable social sharing are ubiquitous.

Plug ‘n Play’s Promiscuous Culture

Platforms like WordPress and Drupal have made publishing and building a web site a breeze, but plug ’n play has led to lots of buggy code. Is it time for secure alternatives?

I’m a big fan of WordPress, the amazing and flexible content management platform that makes setting up a sophisticated, classy Web site available to anyone who can use a keyboard and mouse. The most amazing thing about the platform and others like it – including Drupal and Movable Type – is the incredible diversity of add-ons and plug-ins that allow you to integrate cool new features without any coding.

SmartShare and the Veracode Security Tools

From time to time we develop simple applications or tools to help address specific business requirements, or to highlight a piece of security research. Today I’m excited to announce the release of SmartShare, a free tool designed to offer developers, bloggers and marketers a more secure method of on-site bookmark sharing.

Static Analysis: Following Along at Home with Hopper’s Decompiler Feature, Part 1

No source code? No problem! That’s the motto of the binary analyst. We at Veracode have pushed the limits of static analysis (studying a program’s behavior without running it) to automatically detect and report security vulnerabilities in our customers’ codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical […]
