Businesses run on software; it gives us the features and functions needed to make our teams more productive However, these applications and providers build, maintain, and host critical systems as well as high risk data and need to apply the same controls we use. Financial Services are inherently accountable for the risk from vulnerabilities in the software that serves our customers and employees. Too few enterprises have adapted to the growing attack surface of web applications by addressing vendor software security.
Golang is a new open source programming language that is growing in popularity. Since I am getting bored of Python, I decided to begin studying it. While I’m really enjoying it as a language, I was completely caught off guard when I started reading about Golang’s built in HTML templating package. I noticed in their […]
Pen testing? Vulnerability scanning? The U.S. Senate's newest member shows that he can ask the tough questions on privacy and data security. It’s about time.
The technical aptitude of our elected representatives – or the lack of it – is so pronounced that it has become the butt of jokes. Long after the late Alaska Senator Ted Stevens inaptly likened the Internet to a “series of tubes” in 2006, congressmen and women continue to exhibit head-slapping ignorance about topics (like online advertising) that (in theory) they are making laws to govern.
A dedicated and rigorous Application Security Program is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk. It will deliver an effective software security strategy that addresses both immediate and systemic risks with a rigorous plan and continued investment. The mantra of any successful AppSec Program is utilization, adoption and expansion. Without a clearly defined and governed policy, none of these is possible.
With reports of website vulnerabilities and data breaches regularly featuring in the news, securing the software development life cycle (SDLC) has never been so important. The enterprise must, therefore, choose carefully the correct security techniques to implement. Static and dynamic analyses are two of the most popular types of security test. Before implementation however, the security-conscious enterprise should examine precisely how both types of test can help to secure the SDLC. Testing, after all, can be considered an investment that should be carefully monitored.
VAST Program Wins the Financial World Innovation Award for the Most Innovative Financial Services Solution
The Veracode Vendor Application Security Testing (VAST) program has won the Financial World Innovation Awards in recognition for its ability to deliver a solution to the complex problem of third party application security in the category of “Technology Vendors – Most Innovative Financial Services Solution”.
It has been almost exactly a year since we conducted the first top 1 million security headers report so it is a great time to re-run the analysis and see how well security header adoption is growing. As before, the latest Chrome and Firefox User-Agent strings were used to make requests to the top 1 million sites over both HTTP and HTTPS. Out of the 2,589,918 responses we had over 100,000 distinct security headers and values to analyze.
What’s wrong with the following C code?
char buf; scanf("%32s", buf);
It’s a classic and easy to make off-by-one error, caused by the willy-nilly inconsistency of common C functions regarding whose responsibility the null terminator is and whether it’s included in a passed count of bytes. In this case,
scanf() will read up to 32 bytes from standard input and then append a null terminator, which overflows the buffer of 32 characters and writes a null byte to whatever happens to be next on the stack.
An FTC Forum on security and the Internet of Things showed industry doing its best to muddy the water when it comes to building secure products.
This was a big week for the Internet of Things (IoT) in Washington D.C., as the Federal Trade Commission (FTC) hosted its first ever workshop to discuss security and privacy issues created by the proliferation of IoT technology.