Facebook: The Importance of Paying for Defense

Facebook’s $50,000 award for research on static code analysis puts the focus on the importance of defensive technology – and that’s a welcome change. We may have over-learned the lesson about the limits of cyber defense. However, Facebook’s surprise award of $50,000 to two researchers for their work on a new method for discovering vulnerabilities […]

How to Develop an Enterprise-Wide Security Vulnerability Assessment Solution

It’s becoming evident that modern enterprise executives understand the importance of application security (AppSec). Despite this, however, only a very small percentage of applications undergo a true security vulnerability assessment, leaving the majority wide open to attack. Enterprise executives who understand the importance of AppSec must learn how to secure both new and existing apps, […]

For Java: I Patch, Therefore I Am?

Oracle’s Java platform is so troubled the question is whether to patch it, or kill it off. Oracle Inc. released its latest Critical Patch Update (CPU) on Tuesday of last week, with fixes for 113 vulnerabilities spread across its product portfolio, including 29 for Oracle’s Fusion Middleware, and 20 for the troubled Java platform. The […]

Heartbleed Still Causing Heartburn on Industrial Systems

An advisory from DHS’s ICS CERT makes clear that ICS vendors are making progress toward fixing Heartbleed, but that customers face a long slog. The good news about the Heartbleed vulnerability in OpenSSL is that most of the major sites that were found to be vulnerable to the flaw have been patched. As has been […]

Time to Crowdfund Open Source Security?

Will crowd funding bug bounties for OpenSSL solve its security problems? Probably not. For years, security experts and thought leaders have railed against the concept of “security through obscurity” – the notion that you can keep vulnerable software secure just by preventing others from understanding how it works. Corporate executives worried about relying on open […]

Customer Announcement: Securing Your Applications From Heartbleed

If you are a current Veracode customer, we’re delighted to announce that we can help you rapidly address the Heartbleed bug. We are offering our comprehensive capabilities for application vulnerability detection to all our customers, at no-charge, to help you respond to this threat. What is Veracode doing to help our customers? We have two […]

Heartbleed And The Curse Of Third-Party Code

The recently disclosed vulnerability in OpenSSL pokes a number of enterprise pain points. Chief among them: the proliferation of vulnerable, third-party code. By now, a lot has been written about Heartbleed (heartbleed.com), the gaping hole in OpenSSL that laid bare the security of hundreds of thousands of web sites and web based applications globally. Heartbleed […]

Cross-Site Request Forgery Attacks and Prevention Methods

Ranked at number eight on the 2013 OWASP Top Ten, Cross Site Request Forgery (CSRF) remains a major concern. CSRF manipulates a web application vulnerability which allows an attacker to trick the end user into performing unwanted and possibly sensitive actions.

Food for Thought: Mobile Application Security & HIPAA

As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.

Healthcare.gov’s Coming Security Crackup

A security researcher found an exploitable vulnerability on the U.S. Government’s Healthcare.gov portal. In other news: the sun rose in the East every day this week.

The news out of Washington D.C. this week was that the Government’s troubled Healthcare.gov web site isn’t just dysfunctional – it’s also insecure. This, after an independent security researcher named Ben Simo found an exploitable vulnerability on the U.S. Government’s Healthcare.gov portal that would allow a remote attacker to gain access to applicants’ accounts, according to reports on CNN and The Washington Post.

1 2 3 7