Application security is hard. It’s big and complex. And it just might be “the last frontier” for cyber-security (at least for now). Unlike network or endpoint security, you can’t just put another box on the network to secure the application layer. For one thing, there are people and processes involved — developers in São Paulo and Sri […]
Bugs happen. Severe bugs happen. Catastrophic bugs happen. There’s simply no way to know how, exactly, the Goto Fail Bug – a tiny mistake which happened to disable an entire step of SSL verification deep in Apple code – ended up getting written into
sslKeyExchange.c and saved. What is clear is that the bug got through Apple’s QA process unnoticed and ultimately shipped on iOS and OSX. Let’s consider for a moment that this bug was committed to your codebase during routine refactoring. How certain are you, really, that you would catch it? What can we do to improve the likelihood it will be caught?
Veracode will be at RSA 2014 February 24-28. Come learn about best practices for securing your enterprise from application-layer attacks – including web, mobile, legacy and third-party applications. You will find us in Booth #3521 in Moscone North Hall. You can learn why our cloud-based platform is a simpler and more scalable way to reduce […]
In the wake of theTarget breach, large enterprises are beginning to realize they need to take responsibility for the security of their vendors. Research by firms such as Gartner and CrowdStrike have noted that as network perimeters have hardened, attackers are increasingly targeting the IT supply chain. This is because when searching for an entry point into a large organization, cyber-criminals are looking for the path of least resistance.
Earlier this week, the Bank of England warned the UK financial sector that they are unprepared for cyber-attacks with a spokesperson stating that a major attack would disrupt “everyday” life. As a portion of any country’s critical infrastructure, the financial sector is a target for cyber-criminals and terrorists.
The financial sector boasts some of the most mature security programs in the business world, yet gaps that an attacker can exploit still remain. Vulnerabilities in mobile or web applications used and purchased by financial institutions pose a threat to financial service organizations’ infrastructure.
We’re only a fraction of the way into 2014 and the data breach headlines keep coming. The latest in the list of cyber-attack casualties is Bell Canada, which was affected by a breach that impacted tens of thousands of its customers. On February 2nd, Bell Canada confirmed it had been hacked by hacktivist group “NullCrew”.
From a security perspective, it was interesting to note that the hackers did not have to rely on sophisticated, cutting-edge attacks to extract sensitive customer data.
So far the Target breach has caused 15.3 million credit cards to be reissued, costing millions of dollars to credit card companies. The full scope of the breach is not yet fully understood or known, but new details are coming out almost daily. For example, an article in the Wall Street Journal recently disclosed that the cyber-criminals were able to access Target’s systems through a third-party. There has been very little discussion regarding who the vendor is; instead it is Target’s name that is being discussed in relation to one of the largest tech breaches ever.
The world of industrial control systems has been an island unto itself -but no more. The question now is whether the environment can adapt before real damage is done.
Two weeks ago, I had the privilege to attend The S4 Conference, one of the world’s premiere gatherings of experts in the security and integrity of industrial control and SCADA (supervisory control and data acquisition) systems. This is the technology that runs everything from assembly lines to natural gas pipelines to nuclear power plants. I had Dodos on the brain the whole time.
A large-scale deployment of the Veracode static code analysis tool across a large enterprise presents a number of unique challenges such as understanding your application estate, prioritising your applications for scanning, and communicating with your application owners. This blog post provides some guidance based on my experience at delivering several hundred scanned applications in a 14-month time frame.
The news regarding the NSA and its British counterpart discussed how the Angry Birds app was targeted as a means to collect personal information about app users. Presumably the agencies were collecting data that the app was already accessing as part of its normal operations. What data is being accessed and should it concern us?
We performed a behavioral analysis on Angry Birds for Android with our mobile application reputation service. Here’s what we found.