Software Integrity

Search Results for 'code review'


Why secure code reviews matter (and actually save time!)

Modern websites and applications are feature-rich. They provide the user with an intuitive flow through business logic and data. Application developers write these features, rely on their operation, and may even re-use them in their code. Due to rapid, feature-driven development and code sharing, when a vulnerability is introduced in code (and goes undetected) it […]

Posted in Security Standards and Compliance, Software Architecture and Design

Squash more bugs with this code review checklist

“All software projects are guaranteed to have one artifact in common—source code. Because of this guarantee, it makes sense to center a software assurance activity around code itself.” -Gary McGraw, Software Security: Building Security In

Conducting secure code reviews during the software development life cycle (SDLC) helps reduce security bugs in code. The following six steps […]

Posted in Security Training, Static Analysis (SAST)

When and how to support static analysis tools with manual code review

Analyzing source code for security bugs gets a lot of attention and focus these days because it is so easy to turn it over to a static analysis tool that can look for the bugs for you. The tools are reasonably fast, efficient, and pretty good at what they do. Most can be automated like […]

Posted in Static Analysis (SAST)

Benefits of secure code review: Developer education

The value of code review, having been well-studied and documented, is generally accepted by most development managers, if not always by the developers themselves. While the primary goal of code review is to improve the quality of the code itself, a secondary goal is often to improve the knowledge and skills of the developers so […]

Posted in Security Training, Static Analysis (SAST)

Benefits of code scanning for code review

“All software projects are guaranteed to have one artifact in common – source code. Because of this guarantee, it makes sense to center a software assurance activity around code itself.” -Gary McGraw, Software Security: Building Security In

When an author sits down to write today, they have great tools available to automatically check their spelling […]

Posted in Static Analysis (SAST)

Insight into scaling automated code review

Nearly every organization tackling software security today is working on automating code review. However, the challenge most firms are running into now is how to scale this process with industrial-strength static analysis code review tools like HP Fortify, IBM AppScan, and Coverity. The latest SearchSecurity article from Gary McGraw, Synopsys, and Jim Routh, CISO, Global […]

Posted in Agile, CI/CD & DevOps, Financial Services Security, Static Analysis (SAST)

Automated code review tools for security

Computer security has experienced important fundamental changes over the past decade. The most promising developments in security involve arming software developers and architects with the knowledge and tools they need to build more secure software. Among the many security tools available to software practitioners, static analysis tools for automated code review are the most effective. Here’s how they work—and why all developers should use them. The rise of […]

Posted in Static Analysis (SAST)

Codenomi-con speakers agree: Bringing back privacy requires citizen action

We keep hearing that privacy is dead. But there is a good chance that a lot of us still aren’t aware of just how dead. So this week Synopsys presented codenomi-con, in connection with the Black Hat conference in Las Vegas, offering reminders about that reality in both government and the private sector. At the […]

Posted in Events, Healthcare Security, Privacy, Webinars

Fine-tuning roles, controlling licenses, and matching code snippets in Black Duck 4.5

Any tradesperson, specialist, expert, aficionado, or technologist will tell you that the key to a quality outcome is a set of tools specific to the project and oriented to the goal. The realm of software security and secure DevOps is no exception to this truth, and in Black Duck’s version 4.5 release, we further hone […]

Posted in Open Source Security, Software Composition Analysis

Insecure example code leads to insecure production code

There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new […]

Posted in Security Standards and Compliance, Security Training, Web Application Security