Ranked at number eight on the 2013 OWASP Top Ten, Cross Site Request Forgery (CSRF) remains a major concern. CSRF exploits a web application vulnerability that allows an attacker to trick the end user into performing unwanted and possibly sensitive actions.
It’s easy to be lulled into a false sense of security when you’re using an iPhone, but is iOS really the better smartphone operating system when it comes to malware?
According to F-Secure Labs’ latest Mobile Threat Report, malware authors continue to concentrate on the Android platform, with 252 new threat families and variants. The report also shows that 81% of discovered threats are profit motivated. So what does this mean? Most bad guys are still looking for cash with their malware!
Top weather app in Google Play ‘Weather Channel VDO’ looks to be serving more than the forecast. Its capabilities include accessing device and carrier information and examining accounts and the file system. The app exhibits Trojan-like behavior, downloading a 466 kB file from an IP address listed as a known virus site. Findings also include an association with known adware.
Learn more about Veracode’s mobile application reputation service.
The following is a guest post by Wendy Nather, Research Director, Security, 451 Research.
As a former CISO, I’m always happy to see practical advice for defenders. In increasing order of usefulness, there are these types of advice:
- “Here’s what could be wrong; you might want to take a look at that.”
- “This is wrong, and good luck fixing it.”
- “This is wrong, and here’s how we think you should fix it.”
- “When this is wrong, here’s what has worked for us.”
There aren’t enough people in the security industry who are bold enough to step up and say, “Here’s what works.” So when something does come out, we need to pay attention.
In their latest OS release, iOS 7, Apple provides a number of mechanisms for sharing data, either as files or as streaming data. Two of these mechanisms highlight some of the different design choices Apple has made and will likely continue to make in the SDK.
The annual Consumer Electronics Show kicks off in Las Vegas next week. With rivers of ink spilled on cool, new “smart” products, here are five impertinent security questions that no vendor wants to be asked.
The Consumer Electronics Show (CES) kicks off today in Las Vegas. This year’s show is expected to draw some 150,000 attendees from 150 countries.
This holiday season at Veracode wasn’t just spent at a computer like any other day. It’s the time of year that the generosity of its employees shines by making Christmas magical for children in need. Although this is not the first time Cindy Conrad of Veracode has worked with the Department of Children and Families (DCF) based in Malden, MA, it is the first year Veracode has partnered with them to make a memory for those children, and what a memory it is!
Christmas 2013 will be a banner year for the Internet of Things, as smart gadgets appear like mushrooms under the Christmas tree. But get ready for a privacy hangover, as poorly designed and insecurely deployed gadgets turn on their masters.
Just in time for the holidays, I received an e-mail by way of Electric Imp. If you’re not familiar with the “Imp,” (my phrase, not theirs), it’s a [PAAS?] that makes it easy to build and connect smart devices.
In this series, we’ve advocated that Application Security is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk. This Maturity Curve model has been validated by Veracode using the real-world results of hundreds of organizations. Those organizations have learned that the key to a positive return on investment is to start small and scale up over time with each milestone.
So you’ve got upper management buy-in for your application security proof of concept and are ready to start scanning applications: how do you make sure your proof of concept (PoC) is a success and that you demonstrate the need to progress to a full-scale program? This article describes some of the lessons learned at the start of our large-scale deployment of Veracode within our organisation.
The first step is to socialise the PoC internally through word of mouth, discussion forums, and developer communities by driving interest in the availability of a new tool for developers, which will assist in the development process and produce better code.