Software Integrity

Archive for 2008

Automated code review tools for security

Computer security has experienced important fundamental changes over the past decade. The most promising developments in security involve arming software developers and architects with the knowledge and tools they need to build more secure software. Among the many security tools available to software practitioners, static analysis tools for automated code review are the most effective. Here’s how they work—and why all developers should use them. The rise of […]
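The excerpt above argues for static analysis tools that review code automatically. As an added illustration of the mechanism such a tool relies on (this is example code written for this page, not code from the post or from any vendor's product), the following Python rule parses source into an abstract syntax tree and flags command-execution sinks whose command string is assembled at runtime, the shape of an OS command injection. The sink table, the rule and function names, and the sample source under review are all this example's own constructions.

```python
"""Minimal static-analysis rule: find command-execution sinks fed by a
non-constant command string. Added example; sink table and names are
hypothetical, and no data-flow analysis is attempted."""
import ast
from dataclasses import dataclass

# Call targets that hand a string straight to a shell or the OS.
# Hypothetical rule table for this example; real tools ship far larger ones.
SHELL_SINKS = {("os", "system"), ("os", "popen")}
SUBPROCESS_SINKS = {("subprocess", "call"), ("subprocess", "run"),
                    ("subprocess", "Popen"), ("subprocess", "check_output")}


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    reason: str


def _call_target(func):
    """Resolve `module.attr(...)` to ("module", "attr"); other forms are unresolved."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (func.value.id, func.attr)
    return None


def _is_constant_str(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def _shell_true(call):
    """True when the call carries a literal shell=True keyword."""
    return any(kw.arg == "shell" and isinstance(kw.value, ast.Constant)
               and kw.value.value is True for kw in call.keywords)


class CommandInjectionRule(ast.NodeVisitor):
    """Flag command sinks whose command string is built at runtime.

    A constant command string cannot carry attacker data, so it is reported
    as clean; anything else (concatenation, %-format, f-string, a variable)
    is reported. Nested calls are still visited via generic_visit.
    """

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        target = _call_target(node.func)
        if target and node.args:
            cmd = node.args[0]
            sink = ".".join(target)
            if target in SHELL_SINKS and not _is_constant_str(cmd):
                self.findings.append(Finding(node.lineno, sink,
                                             "shell command built at runtime"))
            elif (target in SUBPROCESS_SINKS and _shell_true(node)
                  and not _is_constant_str(cmd)):
                self.findings.append(Finding(node.lineno, sink,
                                             "shell=True with a command built at runtime"))
        self.generic_visit(node)


def scan(source: str) -> list:
    """Parse `source` and return findings ordered by line number."""
    rule = CommandInjectionRule()
    rule.visit(ast.parse(source))
    return sorted(rule.findings, key=lambda f: f.line)


# Constructed sample under review; not taken from any real project.
SAMPLE_SOURCE = '''
import os, subprocess

def ping(host):
    os.system("ping -c 1 " + host)          # shell string built from input

def list_dir(path):
    subprocess.run(["ls", "-l", path])      # argv list, no shell: fine

def archive(name):
    subprocess.run("tar czf %s.tgz ." % name, shell=True)

def uptime():
    os.system("uptime")                      # constant command: fine
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.sink}: {f.reason}")
```

Run as a script it reports the two risky calls (lines 5 and 11 of the sample) and stays silent on the argv-list call and the constant command, which is the trade a code-review tool makes: it reasons about program structure rather than observed behaviour, so it can point at the exact line to fix without ever executing the code.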

Posted in Code Review, Static Analysis (SAST)

Web application security versus software security

I have been known to take the Web application security community to task for a myopic focus on Web and Web only. Being constrained by HTTP does serve to make things pretty easy! Lately, I have adjusted my thinking. Jeremiah Grossman and I cross paths out there on the evangelism circuit pretty often and have […]

Posted in Software Security Testing, Web Application Security

Three new books

There are three new books (recently released) that are worth a look. One is an absolute necessity for any security practitioner. The others may be interesting for some readers of the blog. The book that you MUST READ RIGHT NOW is the second edition of Ross Anderson’s Security Engineering book. Ross did a complete pass […]

Posted in Software Security Testing

Is pen testing security testing?

Some people start “Security Testing” by buying and using a pen-test tool on a project. Such tools uncover security vulnerabilities (though they seldom help with root cause analysis or even obtaining double-digit code coverage). These tools are degenerate, at best, in facilitating a security testing strategy. Why? Because these tools are “black box” tools. What are […]

Posted in Application Security, Penetration Testing