October is Cyber Security Awareness Month.
Jamie Boote is a security consultant at Synopsys. He works with organizations to ensure their developers understand how to write secure code. Jamie believes that software security doesn't happen in isolation and needs effective communication between all levels of a company. When he's not advocating for the dinosaurs in any Perl vs. Python argument, Jamie can be found chasing his sons around Southern Florida.
We are coming up on fall here in the States, and for most of us, that means two big types of kickoffs are happening: new business initiatives and football. Budgets tend to land around the same time as football season, so if you want to enjoy your Sunday kickoffs, follow this list of four impactful activities to make your software integrity program kickoff a success.

1. Build your team

Everyone on the field has a role. Pick your captains, coaches, and quarterbacks wisely.
Checklist: Kick off your software integrity program with a bang
In the world of data security, a critical element of working with users is earning their trust. Obtaining, implementing, and properly using an SSL certificate is one way to protect user data. Without a certificate, there is no easy way to keep the communications between the user and an eCommerce website private from attackers.

What is encryption?

Encryption protects data and keeps secrets out of reach of eavesdroppers. It seems like the stuff of movies and television dramas. It’s often portrayed in the media either as some impenetrable obstacle that can’t be overcome without keys, or as an easy challenge to solve with rapid typing and a few progress bars.
Prevent SQL injection attacks by using special database features to separate commands from data, or by keeping code vulnerable to SQLi out of your codebase.
How to prevent SQL injection attacks: A cheat sheet
“We cannot enter into alliances until we are acquainted with the designs of our neighbors.”
Getting to the bottom of the top 5 vendor risk management best practices
“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”
How to choose between closed source and open source software
Buying a house is interesting because it forces you to take a look at everything that you may have taken for granted and ignored. Recently, while I was packing my tools in preparation for a move, I realized that I have eight different hammers in my toolbox. Each hammer serves a different purpose and not all of them include driving nails. Some of these hammers were handed down from my grandpa. I bought others to complete recent projects. As I was packing them up, I had to evaluate whether I still had a use for each one. Moving is a chance to go through your belongings and decide if what you have still works for you. Just like my physical toolbox, my security toolbox has a variety of tools that may all look alike at first glance but actually serve very different purposes.
Have you ever heard the old saying “You get what you get and you don’t get upset”? While that may apply to after-school snacks and birthday presents, it shouldn’t be the case for software security. When a software feature is deployed, it isn’t simply accepted by the software owner; there’s a strategic process of critique, justification, and analysis before it’s deployed. Security should be treated with the same attention to detail. After all, secure software doesn’t just happen out of nowhere; it has to be a requirement of the strategic development process. The requirements should be clear, consistent, testable, and measurable to effectively deploy secure software.

Why do you need software security requirements?

Traditionally, requirements are about defining what something can do or be. A hammer has to be capable of driving nails. A door lock needs to keep a door closed until it’s unlocked with a specific key. A car needs to move travelers from point A to point B along the nation’s roads. It also needs to work with the modern gasoline formulation. These types of requirements work fine for physical objects, but fall short when designing software.
Are you making software security a requirement?
This year has been another banner year both in terms of security and vulnerability discovery. There have been many leaks and attacks, most of which were probably executed with older techniques. But there are also a few new attack patterns worth highlighting which were revealed this year.

Reflected file download (RFD)

Let’s say that one morning you wake up and try to print some last-minute work notes out on your home printer. Without luck, you decide to re-install the print driver. While browsing the Internet looking for a driver, you find that someone has linked to a file on a forum that may suit your needs. As a good internet user, you check where the link really leads and find that it does point to a legitimate site. You click and run the file; however, your computer is compromised and an attacker gets in. What happened? The site was legit. There’s no way your manufacturer would host malware on their site, and you weren’t redirected to a malicious domain. Instead, you were hit by a reflected file download (RFD).
The bad news is that software gets hacked. The defects or vulnerabilities that attackers take advantage of to hack software can be made by an organization internally, or by their vendors or partners. The good news is that remediation methods to resolve these defects and vulnerabilities are well known. Organizations with a mature software security initiative (SSI) have processes and guidance in place that go beyond a basic “penetrate and patch” approach. These processes will set up a prevention approach that stops some defects from ever being created and ensures other defects are fixed during development rather than right before, or even after, release. So, how proactive is your software security initiative?