As information security professionals, we must pursue any opportunity to evolve our approach to Application Security. Most enterprises with in-house development teams do some kind of ad hoc AppSec testing, usually during the QA process. But maybe you think it’s time to do more than that, to get a bit more proactive in confronting the potential threats the organization faces from weak software security. Luckily there is a proven AppSec Program Maturity Curve that can help mature your existing effort, following a well-traveled road to overcoming common challenges along the way. Here’s the really good news: it’s easy to climb a few levels of the curve over a matter of months, not years.
We know that any type of software is bound to be hacked eventually, but Apple is claiming that nothing will get past its new fingerprint scanning technology. While its security implications far exceed those of a traditional PIN, could a hack of this nature truly be dangerous to high profile individuals? What would a hack like this mean for an enterprise or government agency? In part three of our discussion of Apple’s fingerprint scanning technology for the iPhone 5S, we discuss where these attacks are likely to come from and what this means for your mobile security.
The private sector is usually in the fortunate position of being able to ignore the National Institute of Standards and Technology (NIST)’s guidance as new special publications come out and effect change in the public sector. However, the latest draft on addressing supply chain security epitomizes a trend we are seeing in the industry. Everyone – public, private, non-profit, etc. – should heed this new guidance as a harbinger of what is to come.
Information systems have rapidly expanded in terms of capability and number, permitting an increased reliance on outsourcing and commercially available products. This has resulted in a loss of both visibility and understanding for how acquired technology is developed, integrated and deployed.
Talking Code episode 8 is here and it’s question time for Paul Roberts, Chris Wysopal and Joshua Corman. This week’s discussion centers around securing source code build servers in the SDLC – an issue that concerns both supply chain and operational security.
Apple’s Fingerprint Scanner: Claims, Concerns, and Implications – Mobile Device Security Series 2 of 3
Apple’s making a lot of claims about how well they securely store that fingerprint and who can access it and what’s actually being stored. Nobody’s ever really been able to verify any of this too deeply yet. We do have a few hints from patent filings, from documentation of the company that makes the sensor, documentation of the trust zone technology that Apple says they’re using to store it. Apple really put quite a bit of engineering effort into this, so they claim a couple of things.
Application development is really important, but rarely funny. This developer’s list of simple steps to make your application code totally unmanageable is the exception.
Application programming is really important, but it’s rarely very funny. Software developers are the freemasons of the digital age. And that makes application development … well … masonry. And that’s not typically the stuff of the late night talk shows.
Did you know that 30-50% of people choose not to use any sort of passcode on their smartphones? The inconvenience that comes with typing in a long passcode means users are willing to put their mobile lives at risk. Apple has attempted to solve this problem by creating a fingerprint scanning application that allows for convenience and security without compromise. With this type of technology on the rise, users may be wondering how it works and if this type of passcode is really safer. In part 1 of our Apple fingerprint technology series, Jared Carlson and Darren Meyer, both senior security researchers at Barracuda, discuss this type of technology and what it means for mobile security.
How does the federal government differ from common enterprises when it comes to software security? Our trio breaks down the differences. The most thought-provoking discussion comes around the question “Can we get a PCI for application security?”, referencing the success that PCI compliance has had in helping security measures in its narrow scope.
Open source has worked its way into a stunning array of commercial and free technology products. Now Google is using its bank account to help improve the security of the underlying code.
The problem is serious enough to prompt OWASP to make room on its Top 10 for third-party software components. Veracode’s own Chris Wysopal recently argued that the prospect of NSA “back doors” in common technology was a lot less of a privacy concern than run-of-the-mill vulnerabilities in shared code.
Mobile devices are extremely interesting for attackers because they hold a digital representation of our lives.
Every application that resides on our devices contains information on some aspect of our lives. What games we play, who we talk to, where we work, what utilities make our lives easier are all captured in our mobile devices. Anyone armed with this information can mimic our digital lives to friends, family, colleagues and corporate systems.
The ability to mimic your life is valuable to a variety of people. A marketing department that can mimic your life will get better at selling you things.