A large-scale deployment of the Veracode static code analysis tool across a large enterprise presents a number of unique challenges, such as understanding your application estate, prioritising your applications for scanning, and communicating with your application owners. This blog post provides some guidance based on my experience of delivering several hundred scanned applications in a 14-month time frame.
So you’ve got upper management buy-in for your application security proof of concept and are ready to start scanning applications: how do you make sure your proof of concept (PoC) is a success and that you demonstrate the need to progress to a full-scale program? This article describes some of the lessons learned at the start of our large-scale deployment of Veracode within our organisation.
The first step is to socialise the PoC internally through word of mouth, discussion forums, and developer communities by driving interest in the availability of a new tool for developers, which will assist in the development process and produce better code.
As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.
I’ve been attending the Search Marketing Expo in San Jose this week, keeping up with all the latest and greatest in internet marketing. Monday’s keynote was a presentation from Google’s Matt Cutts and Bing’s Duane Forrester in which they ran through examples of all the things they’ve seen through their “excellent adventures” in working for search engines (it was a Bill and Ted-themed presentation).
For the curious developers or security folk following us, we wanted to share the methodology behind our latest tool, Smart Social Sharing.
The State of Social Sharing
Commercial sharing tools provide simple and fast social sharing of web content. Tools like AddThis, ShareThis, and other CMS plugins that enable social sharing are ubiquitous.
Platforms like WordPress and Drupal have made publishing and building a web site a breeze, but plug’n play has led to lots of buggy code. Is it time for secure alternatives?
I’m a big fan of WordPress, the amazing and flexible content management platform that makes setting up a sophisticated, classy Web site available to anyone who can use a keyboard and mouse. The most amazing thing about the platform and others like it – including Drupal and Movable Type – is the incredible diversity of add-ons and plug-ins that allow you to integrate cool new features without any coding.
From time to time we develop simple applications or tools to help address specific business requirements, or to highlight a piece of security research. Today I’m excited to announce the release of SmartShare, a free tool designed to offer developers, bloggers and marketers a more secure method of on-site bookmark sharing.
No source code? No problem! That’s the motto of the binary analyst. We at Veracode have pushed the limits of static analysis (studying a program’s behavior without running it) to automatically detect and report security vulnerabilities in our customers’ codebases. Doing binary static analysis by hand is still a worthwhile skill, however, with myriad practical […]
Let’s not mince words: this rambling diatribe from Oracle’s CSO is aimed directly at Veracode. No need for a cutesy acronym; we’re the only company with true static binary analysis technology, delivered as a service. Now that we’ve got that out of the way, let’s try to cut through the rhetoric (in just over a […]
[UPDATE: Since there seems to be some confusion, the "We" in the title of this post is NOT "Veracode". The expression is a generic one intended to illustrate the attitude exhibited by many companies who like to downplay the value and/or effectiveness of technologies that they themselves do not sell. I can't believe I am […]