Do Not Pass QA, Do Not Goto Fail: Catching Subtle Bugs In The Act

Bugs happen. Severe bugs happen. Catastrophic bugs happen. There’s simply no way to know how, exactly, the Goto Fail Bug – a tiny mistake which happened to disable an entire step of SSL verification deep in Apple code – ended up getting written into sslKeyExchange.c and saved. What is clear is that the bug got through Apple’s QA process unnoticed and ultimately shipped on iOS and OSX. Let’s consider for a moment that this bug was committed to your codebase during routine refactoring. How certain are you, really, that you would catch it? What can we do to improve the likelihood it will be caught?

See Veracode at RSA 2014!

Veracode will be at RSA 2014 February 24-28. Come learn about best practices for securing your enterprise from application-layer attacks – including web, mobile, legacy and third-party applications. You will find us in Booth #3521 in Moscone North Hall. You can learn why our cloud-based platform is a simpler and more scalable way to reduce […]

How to be Proactive: Questionmark Answers Their Clients’ Security Questions

In the wake of the Target breach, large enterprises are beginning to realize they need to take responsibility for the security of their vendors. Research by firms such as Gartner and CrowdStrike has noted that as network perimeters have hardened, attackers are increasingly targeting the IT supply chain. This is because when searching for an entry point into a large organization, cyber-criminals are looking for the path of least resistance.

UK Financial Institutions Can’t Bank on Security

Earlier this week, the Bank of England warned the UK financial sector that they are unprepared for cyber-attacks with a spokesperson stating that a major attack would disrupt “everyday” life. As a portion of any country’s critical infrastructure, the financial sector is a target for cyber-criminals and terrorists.

The financial sector boasts some of the most mature security programs in the business world, yet gaps that an attacker can exploit still remain. Vulnerabilities in mobile or web applications used and purchased by financial institutions pose a threat to financial service organizations’ infrastructure.

What the Bell Canada Breach Tells us About Legacy Sites and Third-Party Risk

We’re only a fraction of the way into 2014 and the data breach headlines keep coming. The latest in the list of cyber-attack casualties is Bell Canada, which was affected by a breach that impacted tens of thousands of its customers. On February 2nd, Bell Canada confirmed it had been hacked by hacktivist group “NullCrew”.

From a security perspective, it was interesting to note that the hackers did not have to rely on sophisticated, cutting-edge attacks to extract sensitive customer data.

Cybercriminals Aimed at Supply Chain to Reach Their True “Target”

So far the Target breach has caused 15.3 million credit cards to be reissued, costing millions of dollars to credit card companies. The full scope of the breach is not yet fully understood or known, but new details are coming out almost daily. For example, an article in the Wall Street Journal recently disclosed that the cyber-criminals were able to access Target’s systems through a third-party. There has been very little discussion regarding who the vendor is; instead it is Target’s name that is being discussed in relation to one of the largest tech breaches ever.

Flightless Birds and The Future Of Critical Infrastructure

The world of industrial control systems has been an island unto itself – but no more. The question now is whether the environment can adapt before real damage is done.

Two weeks ago, I had the privilege to attend The S4 Conference, one of the world’s premier gatherings of experts in the security and integrity of industrial control and SCADA (supervisory control and data acquisition) systems. This is the technology that runs everything from assembly lines to natural gas pipelines to nuclear power plants. I had Dodos on the brain the whole time.

Strategies for Rapid Adoption of a Security Programme within a Large Enterprise

A large-scale deployment of the Veracode static code analysis tool across a large enterprise presents a number of unique challenges, such as understanding your application estate, prioritising your applications for scanning, and communicating with your application owners. This blog post provides some guidance based on my experience of delivering several hundred scanned applications in a 14-month time frame.

How Angry is That Bird?

The news regarding the NSA and its British counterpart discussed how the Angry Birds app was targeted as a means to collect personal information about app users. Presumably the agencies were collecting data that the app was already accessing as part of its normal operations. What data is being accessed and should it concern us?

We performed a behavioral analysis on Angry Birds for Android with our mobile application reputation service. Here’s what we found.

6 Ways to Become a More Secure Developer in 2014

Every December security companies pull out their list of predictions for the coming year. These predictions are generally bland, and either cite the specific problem the company addresses as the big trend for the next year, or recycle predictions from previous years.

Rather than add to the noise, the Security Research Team at Veracode created a list of resolutions for 2014 that developers could use to help make their code more secure.
