Software Security

Archive for January 2016


When and how to support static analysis tools with manual code review

Analyzing source code for security bugs gets a lot of attention and focus these days because it is so easy to turn it over to a static analysis tool that can look for the bugs for you. The tools are reasonably fast, efficient, and pretty good at what they do. Most can be automated like […]

Posted in Code Review, Static Analysis (SAST)


How your firm can embrace a proactive security approach

According to NIST, 92% of reported security vulnerabilities are in applications, not in networks. And yet, most companies maintain a reactive security approach when it comes to these applications. Why wait for an attacker to get past the network security and into your unprotected sensitive data before you decide to do something about it? Transition […]

Posted in Data Breach, Vulnerability Assessment


The importance of external network delta testing (in managing security risk)

For the purposes of this post, external network delta testing refers to the act of running network mapping and automated vulnerability scanning over a set of hosts at a consistent interval of time. An example of this may be performing automated assessments and network mapping every business quarter over an organization’s external IP space. Performing […]

Posted in Network Security, Software Security Testing, Vulnerability Assessment


3 security risks that architecture analysis can resolve

Verizon performs an annual assessment of a large sample of breaches and attacks that take place all over the world and analyzes the most common problems and key areas which lead to major attacks. In this article, we discuss three specific security incident patterns from Verizon’s report and how architecture analysis assessments can help organizations […]

Posted in Software Architecture and Design, Software Development Life Cycle (SDLC), Software Security Testing, Web Application Security


Backdoor found in government AV equipment

A supplier for audio-visual equipment to the US federal government on Thursday issued an update to its products that removed a potential backdoor that could allow “higher privileges than even administrative access to the system via the backdoor,” according to the researchers who first reported it. AMX, a division of the audio-visual company Harman, is […]

Posted in Network Security, Vulnerability Assessment


SSDLC 101: What is the secure software development life cycle?

Most organizations have a well-oiled machine with the sole purpose to create, release, and maintain functional software. However, the increasing concerns and business risks associated with insecure software have brought increased attention to the need to integrate security into the development process. Implementing a proper Secure Software Development Life Cycle (SDLC) is important now more […]

Posted in Maturity Model (BSIMM), Software Development Life Cycle (SDLC)


Pen testing best practices to take the pain out of penetration testing

I encounter many techies who love the science of penetration testing. They’re captivated by the technology stack, the vulnerabilities, and the tools at their disposal. But, at the same time, they find the task of pen testing itself aggravating and stressful. A real pain. Why is that? I noticed a common theme in their explanations […]

Posted in Penetration Testing, Software Security Testing


Hide and seek: The game of security breach detection and disclosure

Since the launch of the popular Verizon Breach Investigations Report (VBIR) and its subsequent imitators, I have been asking what I believe to be a simple and fundamental question: Do the reported breaches actually just represent attacks that are less well-conceived and/or constructed? The basic assumption is that these reports include these breaches because they […]

Posted in Data Breach, Maturity Model (BSIMM), Software Security Testing


FDA clarifies medical device security

Hoping to end manufacturer responsibility around the issuance of software updates for medical devices, and whether or not such updates change the device’s compliance status, the Food & Drug Administration (FDA) last Friday released a new draft document that also calls for greater collaboration among medical device manufacturers around cybersecurity in general. The document looks […]

Posted in Application Security, Healthcare Security, Medical Device Security


5 essentials of cloud-based application security testing

If the applications can move to cloud, why can’t security testing? This is a question often asked by proponents of the cloud movement. In this article, I will highlight what, how, why, and when to choose a cloud-based approach for application security testing through the five essential factors. Cloud-based (aka on-demand) application security testing is […]

Posted in Application Security, Cloud Security