6 Ways to Become a More Secure Developer in 2014

Every December security companies pull out their list of predictions for the coming year. These predictions are generally bland, and either cite the specific problem the company addresses as the big trend for the next year or recycle predictions from previous years.

Rather than add to the noise, the Security Research Team at Veracode created a list of resolutions for 2014 that developers could use to help make their code more secure.

Cross-Site Request Forgery Attacks and Prevention Methods

Ranked at number eight on the 2013 OWASP Top Ten, Cross Site Request Forgery (CSRF) remains a major concern. CSRF exploits the fact that a browser automatically attaches the user’s session credentials (typically cookies) to every request it sends to a site: an attacker’s page can make the logged-in user’s browser submit a request that performs an unwanted, and possibly sensitive, state-changing action on the vulnerable application without the user’s knowledge.
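As an added illustration that is not part of the original post or any Veracode code, the following Python sketch shows a state-changing handler that relies on the session cookie alone (the vulnerable pattern CSRF exploits) next to a hardened version that also requires a per-session synchronizer token and rejects cross-origin POSTs. The session store, request dictionaries, origin names and amounts are all constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
# A real application would keep this server-side (database or cache).
SESSIONS = {
    "sess-alice": {"user": "alice", "balance": 100},
}


def issue_csrf_token(session_id):
    """Mint a random per-session synchronizer token and store it server-side.
    The application embeds it in its own forms as a hidden field; a page on
    another origin cannot read it because of the same-origin policy."""
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def transfer_vulnerable(request):
    """'Before' handler: authenticates by cookie alone. Any site that makes
    the victim's browser POST here (the browser attaches the cookie by
    itself) can move money."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    session["balance"] -= int(request["form"]["amount"])
    return 200, "ok"


def transfer_hardened(request, trusted_origin="https://bank.example"):
    """'After' handler: also requires the synchronizer token and, as defence
    in depth, refuses requests whose Origin header names another site."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not logged in"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != trusted_origin:
        return 403, "cross-origin request refused"
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or invalid CSRF token"
    session["balance"] -= int(request["form"]["amount"])
    return 200, "ok"


def forged_request(session_id, amount):
    """What a page on attacker.example makes the victim's browser send:
    the session cookie rides along, but the attacker cannot know the token."""
    return {
        "cookies": {"session": session_id},
        "headers": {"Origin": "https://attacker.example"},
        "form": {"amount": str(amount)},
    }


def legitimate_request(session_id, token, amount):
    """A request from the application's own form, carrying the token."""
    return {
        "cookies": {"session": session_id},
        "headers": {"Origin": "https://bank.example"},
        "form": {"amount": str(amount), "csrf_token": token},
    }


def demo():
    """Run both handlers; returns each status and the balance after it."""
    SESSIONS["sess-alice"]["balance"] = 100
    token = issue_csrf_token("sess-alice")
    status_v, _ = transfer_vulnerable(forged_request("sess-alice", 40))
    after_vulnerable = SESSIONS["sess-alice"]["balance"]      # 60: money gone
    status_h, _ = transfer_hardened(forged_request("sess-alice", 40))
    after_forged = SESSIONS["sess-alice"]["balance"]          # still 60
    status_l, _ = transfer_hardened(legitimate_request("sess-alice", token, 10))
    after_legit = SESSIONS["sess-alice"]["balance"]           # 50
    return status_v, after_vulnerable, status_h, after_forged, status_l, after_legit


if __name__ == "__main__":
    print(demo())
```

The token check is the primary defence: the Origin check alone is not sufficient, because some clients omit the header, which is why the hardened handler still demands the token when Origin is absent.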

Mobile Myth: iOS is Safer Than Android

It’s easy to be lulled into a false sense of security when you’re using an iPhone, but is iOS really the better smartphone operating system when it comes to malware?

According to F-Secure Labs’ latest Mobile Threat Report, malware authors continue to concentrate on the Android platform, which accounted for 252 new threat families and variants of existing families. The report also shows that 81% of discovered threats are profit motivated. So what does this mean? Most bad guys are still looking for cash with their malware!

Fake Weather Channel App Serving up Malware

A top weather app in Google Play, ‘Weather Channel VDO’, looks to be serving more than the forecast. Its capabilities include accessing device and carrier information and examining accounts and the file system. The app exhibits Trojan-like behaviour, downloading a 466 kB file from an IP address listed as a known virus site. Findings also include an association with known adware.

Learn more about Veracode’s mobile application reputation service.

FS-ISAC Issues Guidance on Third-Party Application Security

The following is a guest post by Wendy Nather, Research Director, Security, 451 Research.

As a former CISO, I’m always happy to see practical advice for defenders. In increasing order of usefulness, there are these types of advice:

  • “Here’s what could be wrong; you might want to take a look at that.”
  • “This is wrong, and good luck fixing it.”
  • “This is wrong, and here’s how we think you should fix it.”
  • and finally: “When this is wrong, here’s what has worked for us.”

There aren’t enough people in the security industry who are bold enough to step up and say, “Here’s what works.” So when something does come out, we need to pay attention.

Sharing on iDevices: Apple Opens it Up

In its latest OS release, iOS 7, Apple provides a number of mechanisms for sharing data, both as files and as streamed data. Two of these mechanisms highlight some of the design choices Apple has made, and will likely continue to make, in the SDK.

Five Product Security Questions Nobody At CES Wants You To Ask

The annual Consumer Electronics Show kicks off in Las Vegas next week. With rivers of ink spilled on cool, new “smart” products, here are five impertinent security questions that no vendor wants to be asked.

The Consumer Electronics Show (CES) kicks off today in Las Vegas. This year’s show is expected to draw some 150,000 attendees from 150 countries.

Changing A Memory: Veracode Shares the Holidays with Children in Need

This holiday season at Veracode wasn’t just spent at a computer like any other day. It’s the time of year that the generosity of its employees shines by making Christmas magical for children in need. Although this is not the first time Cindy Conrad of Veracode has worked with the Department of Children and Families (DCF) based in Malden, MA, it is the first year Veracode has partnered with them to make a memory for those children, and what a memory it is!

Our “Smart” Christmas Hangover

Christmas 2013 will be a banner year for the Internet of Things, as smart gadgets appear like mushrooms under the Christmas tree. But get ready for a privacy hangover, as poorly designed and insecurely deployed gadgets turn on their masters.

Just in time for the holidays, I received an e-mail by way of Electric Imp. If you’re not familiar with the “Imp,” (my phrase, not theirs), it’s a [PAAS?] that makes it easy to build and connect smart devices.

The AppSec Program Maturity Curve 4 of 4

In this series, we’ve advocated that Application Security is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk. Veracode has validated this Maturity Curve model against the real-world results of hundreds of organizations. Those organizations have learned that the key to a positive return on investment is to start small and scale up over time with each milestone.
