Software Integrity

Archive for August 2015

 

Software developers vs. software security: Why can’t we all get along?

I was a software developer for over 20 years before I switched to the application/software security field. Being a part of several software engineering teams in my early career, and later becoming a security analyst, has put me in a unique position to understand these two worlds. Although I continue to enjoy the security assessment […]

Posted in Maturity Model (BSIMM), Software Security Testing

Gary McGraw discusses the security risks of dynamic code

Dynamic languages and the associated development and operations (DevOps) methodologies change and evolve constantly. Because these aspects of software are intentionally ever-changing, security measures must also be in a constant state of progression. The old-school software security approach relied on searching for defects at the very end of the software development life cycle (SDLC). When considering […]

Posted in Dynamic Analysis (DAST), Security Architecture, Software Security Testing, Vulnerability Assessment

The cathedral and the bazaar of software security vulnerabilities

Underlying Mary Ann Davidson’s incendiary blog post about reverse engineering, and much of the debate about security vulnerabilities and bug bounties, is the classic duality between the Cathedral and the Bazaar. In 1997, Eric Raymond published a now-famous essay entitled “The Cathedral and the Bazaar,” which explored two different schools of thought related to […]

Posted in Application Security, Maturity Model (BSIMM), Software Security Testing, Vulnerability Assessment

Serving resources over SSL with CSP upgrade-insecure-requests

You know how AppScan Standard and other dynamic testing tools report a finding when an HTTPS page accesses some HTTP resources? How do you fix this issue effectively? Perhaps the owners of those resources already did all the server-side legwork: obtaining a certificate, configuring the server and setting up redirects. And they’ve ensured that the […]
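As an added example (not code from the original post or from any scanner vendor), the following Node.js script models what the CSP directive does to the references on such a page: it lists the http: subresources a DAST tool would flag, shows the header or meta tag that enables upgrade-insecure-requests, rewrites each URL the way the directive does (simplified from the W3C Upgrade Insecure Requests spec), and, because an upgraded request to a host that does not actually serve HTTPS fails outright rather than producing a warning, lists the hosts whose TLS setup must be verified first. The page origin, hostnames and markup are constructed sample input; the browser is only modelled, not driven.

```javascript
// Added example, not code from the original post: a Node.js model of what
// the CSP directive "upgrade-insecure-requests" does to the URLs an HTTPS
// page references. The page, hostnames and markup below are constructed
// sample input. Runs offline with Node 10+ (global WHATWG URL), no deps.

// Either of these enables the directive for the page that carries it.
const CSP_HEADER = 'Content-Security-Policy: upgrade-insecure-requests';
const CSP_META =
  '<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">';

// Constructed sample: an HTTPS page that still references HTTP resources,
// the situation a DAST tool flags as mixed content.
const PAGE_ORIGIN = 'https://shop.example/';
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example/site.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="http://shop.example:80/logo.png">
<iframe src="http://widgets.partner.example/feed"></iframe>
<a href="http://shop.example/help">help</a>
<a href="http://partner.example/">partner</a>
<img src="//images.example/banner.png">
<a href="mailto:help@shop.example">mail</a>
</body></html>`;

// Pull (tag, attribute, url) out of the markup. A regex suffices for this
// constructed sample; use a real HTML parser on production pages.
function extractReferences(html) {
  const re = /<(\w+)[^>]*?\s(src|href)\s*=\s*["']([^"']+)["']/gi;
  const refs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    refs.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), url: m[3] });
  }
  return refs;
}

// What the scanner reports: subresources (anything but a plain <a> link)
// fetched over http: by an https: page. Relative and protocol-relative
// URLs are resolved against the page origin first.
function mixedContentFindings(html, pageOrigin) {
  return extractReferences(html)
    .filter(r => r.tag !== 'a')
    .map(r => new URL(r.url, pageOrigin))
    .filter(u => u.protocol === 'http:')
    .map(u => u.href);
}

// The directive's rewrite for one URL, simplified from the W3C Upgrade
// Insecure Requests spec: http: becomes https: and ws: becomes wss:;
// navigational links (<a>) to a host other than the page's own are left
// alone because upgrading them would break third-party sites without TLS.
// The spec's "port 80 -> 443" rule falls out of URL normalisation: the
// parser drops the default port, so https: then implies 443. Form
// submissions and nested browsing contexts are not modelled here.
function upgradeUrl(rawUrl, pageOrigin, { navigational = false } = {}) {
  const page = new URL(pageOrigin);
  const u = new URL(rawUrl, pageOrigin);
  if (u.protocol !== 'http:' && u.protocol !== 'ws:') return u.href;
  if (navigational && u.hostname !== page.hostname) return u.href;
  u.protocol = u.protocol === 'http:' ? 'https:' : 'wss:';
  return u.href;
}

// The requests the browser actually issues once the directive is active.
function effectiveRequests(html, pageOrigin) {
  return extractReferences(html).map(r => ({
    tag: r.tag,
    url: upgradeUrl(r.url, pageOrigin, { navigational: r.tag === 'a' }),
  }));
}

// The practitioner's check: every host the directive will now contact over
// HTTPS must really serve the resource there, or the load fails outright
// instead of producing a mixed-content warning. Returns the distinct hosts
// whose URLs were rewritten, so each can be verified before shipping.
function hostsToVerify(html, pageOrigin) {
  const hosts = new Set();
  for (const r of extractReferences(html)) {
    const before = new URL(r.url, pageOrigin).href;
    const after = upgradeUrl(r.url, pageOrigin, { navigational: r.tag === 'a' });
    if (before !== after) hosts.add(new URL(after).hostname);
  }
  return [...hosts].sort();
}

console.log('Scanner findings:', mixedContentFindings(SAMPLE_HTML, PAGE_ORIGIN));
console.log('Enable with header:', CSP_HEADER, 'or meta tag:', CSP_META);
console.log('After upgrade:', effectiveRequests(SAMPLE_HTML, PAGE_ORIGIN));
console.log('Hosts to verify over HTTPS:', hostsToVerify(SAMPLE_HTML, PAGE_ORIGIN));
```

On the constructed page the scanner reports three http: subresources; with the directive active all of them, and the same-host help link, are requested over https:, while the link to partner.example is left untouched. The three hosts returned by hostsToVerify are the ones whose owners must already have done the server-side legwork the excerpt mentions, since the directive only changes the scheme the browser asks for, not whether the other end answers.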

Posted in Application Security, Dynamic Analysis (DAST)

Integrating Touch ID into your iOS applications

What is Touch ID?
Touch ID is Apple’s fingerprint technology for iOS mobile devices. It allows consumers to unlock their phones and make purchases conveniently using their fingerprint(s). As of iOS version 8.0, Apple opened up Touch ID to developers by making APIs available for use in the SDK.
Biometric opinions
This post assumes you […]

Posted in Mobile Application Security, Software Security Testing

Software is everywhere

We live in a world that runs on software. In 2011, Marc Andreessen declared that “software is eating the world,” and in the ensuing four years software has only become more voracious. Software pervades every aspect of our lives, from the things you touch every day (laptops, smartphones, TVs, cars) to the infrastructure of society […]

Posted in Internet of Things