Software Integrity Blog

Author Archive

Jamie Boote

jamieboote

Jamie Boote is a security consultant at Synopsys. He works with organizations to ensure their developers understand how to write secure code. Jamie believes that software security doesn't happen in isolation and needs effective communication between all levels of a company. When he's not advocating for the dinosaurs in any Perl vs. Python argument, Jamie can be found chasing his sons around Southern Florida.


Posts by Jamie Boote:

 

4 simple steps to encourage online safety at your company

October is Cyber Security Awareness Month.

Continue Reading...

Posted in Security Training, Web Application Security | Comments Off on 4 simple steps to encourage online safety at your company

 

Checklist: Kick off your software integrity program with a bang

We are coming up on fall here in the States, and for most of us, that means two big types of kickoffs are happening: new business initiatives and football. Budgets tend to land around the same time as football season, so if you want to enjoy your Sunday kickoffs, follow this list of four impactful activities to make your software integrity program kickoff a success. 1. Build your team Everyone on the field has a role. Pick your captains, coaches, and quarterbacks wisely.

Continue Reading...

Posted in General | Comments Off on Checklist: Kick off your software integrity program with a bang

 

Why should every eCommerce website have an SSL certificate?

In the world of data security, a critical element of working with users is earning their trust. Obtaining, implementing, and properly using an SSL certificate is one way to protect user data. Without a certificate, there is also no easy way to keep the communications between the user and an eCommerce website private from attackers. What is encryption? Encryption protects data and keeps secrets out of reach from eavesdroppers. It seems like the stuff of movies and television dramas. It’s often portrayed in the media as some impenetrable obstacle that can’t be overcome without keys. Or, as an easy challenge to solve with rapid typing and a few progress bars.

Continue Reading...

Posted in Software Architecture and Design, Web Application Security | Comments Off on Why should every eCommerce website have an SSL certificate?

 

How to prevent SQL injection attacks: A cheat sheet

Prevent SQL injection attacks by using special database features to separate commands from data, or by keeping code vulnerable to SQLi out of your codebase.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on How to prevent SQL injection attacks: A cheat sheet

 

Getting to the bottom of the top 5 vendor risk management best practices

“We cannot enter into alliances until we are acquainted with the designs of our neighbors.”

Continue Reading...

Posted in General | Comments Off on Getting to the bottom of the top 5 vendor risk management best practices

 

How to choose between closed source and open source software

“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

Continue Reading...

Posted in Static Analysis (SAST) | Comments Off on How to choose between closed source and open source software

 

5 questions to ask yourself when deciding on the best static code analysis tool

Buying a house is interesting because it forces you to take a look at everything that you may have taken for granted and ignored. Recently, while I was packing my tools in preparation for a move, I realized that I have eight different hammers in my toolbox. Each hammer serves a different purpose and not all of them include driving nails. Some of these hammers were handed down from my grandpa. I bought others to complete recent projects. As I was packing them up, I had to evaluate whether I still had a use for each one. Moving is a chance to go through your belongings and decide if what you have still works for you. Just like my physical toolbox, my security toolbox has a variety of tools that may all look alike at first glance but actually serve very different purposes.

Continue Reading...

Posted in Open Source Security, Static Analysis (SAST) | Comments Off on 5 questions to ask yourself when deciding on the best static code analysis tool

 

Are you making software security a requirement?

Have you ever heard the old saying “You get what you get and you don’t get upset”? While that may apply to after school snacks and birthday presents, it shouldn’t be the case for software security. When a software feature is deployed, it isn’t simply accepted by the software owner; there’s a strategic process of critique, justification, and analysis before it’s deployed. Security should be treated with the same attention to detail. After all, secure software doesn’t just happen out of nowhere—it has to be a requirement of the strategic development process. The requirements should be clear, consistent, testable, and measurable to effectively deploy secure software. Why do you need software security requirements? Traditionally, requirements are about defining what something can do or be. A hammer has to be capable of driving nails. A door lock needs to keep a door closed until it’s unlocked with a specific key. A car needs to move travelers from point A to point B along the nation’s roads. It also needs to work with the modern gasoline formulation. These types of requirements work fine for physical objects, but fall short when designing software.

Continue Reading...

Posted in General | Comments Off on Are you making software security a requirement?

 

The top hacking techniques of 2015 and how they work

This year has been another banner year both in terms of security and vulnerability discovery. There have been many leaks and attacks, most of which were probably executed with older techniques. But, there are also a few new attack patterns worth highlighting which were revealed this year. Reflected file download (RFD) Let’s say that one morning you wake up and try to print some last minute work notes out on your home printer. Without luck, you decide to re-install the print driver. While browsing the Internet, looking for a driver, you find that someone has linked to a file on a forum that may suit your needs. As a good internet user, you check where the link really leads and find that it does point to a legitimate site. You click and run the file; however, your computer is compromised and an attacker gets in. What happened? The site was legit. There’s no way your manufacturer would host malware on their site, and you weren’t redirected to a malicious domain. Instead, you were hit by a reflected file download (RFD).

Continue Reading...

Posted in Mobile Application Security, Software Architecture and Design, Web Application Security | Comments Off on The top hacking techniques of 2015 and how they work

 

How proactive is your software security initiative?

The bad news is that software gets hacked. The defects or vulnerabilities that attackers take advantage of to hack software can be made by an organization internally, or by their vendors or partners. The good news is that remediation methods to resolve these defects and vulnerabilities are well known. Organizations with a mature software security initiative (SSI) have processes and guidance in place that go beyond a basic “penetrate and patch” approach. These processes will set up a prevention approach that stops some defects from ever being created and ensures other defects are fixed during development rather than right before, or even after, release. So, how proactive is your software security initiative?

Continue Reading...

Posted in General, Maturity Model (BSIMM), Web Application Security | Comments Off on How proactive is your software security initiative?