Software Integrity

Archive for 2009


Proper use of Java SecureRandom

Java SecureRandom updates as of April 2016: There have been several changes to Java’s SecureRandom API since creating this post back in 2009. According to Oracle, the following interesting changes have been made: For UNIX-like platforms, two new implementations have been introduced that provide blocking and non-blocking behavior: NativePRNGBlocking and NativePRNGNonBlocking. The getInstanceStrong() method was introduced […]


Posted in Software Security Testing


Moving cybersecurity past cyberplatitudes

John Pescatore from Gartner convened a virtual panel on the cybersecurity issue at the 2009 Gartner Information Security Summit. I provided a video for the panel answering two questions that John posed. The two questions get to the heart of the cybersecurity issue: Question 1: What should the US government do to drive real improvements […]


Posted in Security Conference or Event, Software Security Testing


Improving software security (maturity models and their ilk?)

Ben Worthen broke the BSIMM story on as was posted earlier. I was shocked when someone said, “Oh and ASVS is also available, great” on an OWASP list. Super, I thought, but I don’t understand the connection. When I looked at the WSJ site, I noticed Jim Manico (of OWASP, Aspect, and ASVS fame) […]


Posted in Maturity Model (BSIMM), OWASP, Security Metrics, Software Security Program Development


Gartner and static analysis

James McGovern recently wrote a post on Gartner’s static analysis (SA) report. Among other things, he lamented the lack of actionable guidance within the report. A lack of implementation guidance doesn’t shock me from Gartner; I can’t say I expect that from them. I can help James and the community out by giving some of that […]


Posted in Code Review, Static Analysis (SAST)