Software Integrity Blog

Author Archive

John Steven

jsteven

John Steven is a former senior director at Synopsys. His expertise runs the gamut of software security—from threat modeling and architectural risk analysis to static analysis and security testing. He has led the design and development of business-critical production applications for large organizations in a range of industries. After joining Synopsys as a security researcher in 1998, John provided strategic direction and built security groups for many multinational corporations, including Coke, EMC, Qualcomm, Marriott, and FINRA. His keen interest in automation contributed to keeping Synopsys technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine and as the leader of the Northern Virginia OWASP chapter. John speaks regularly at conferences and trade shows.


Posts by John Steven:


Securing password digests, or how to protect lonely unemployed radio listeners

As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed in the amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so forth. This blog entry represents a roll-up of a great discussion we had internally on our software security group mailing list. A few caveats


Posted in Software Architecture & Design


Caching security architecture knowledge with design patterns

We have always done architecture work. In the past, clients replaced their legacy systems with ‘new-fangled’ JavaEE, exploring platform features, an ecosystem of web frameworks, and related commercial products (Netegrity’s SiteMinder) along the way. Realizing they needed help, they looked to us for:


Posted in Software Architecture & Design


Open source software maturity activities

Practice these open source software maturity activities to help ensure the open source you use and contribute to becomes as secure as your proprietary code.


Posted in Open Source Security


What is threat modeling? A vocabulary of threat model terms.

A few posts back, we began a series on Threat Modeling. As we began writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling, I always warn my audience that ambiguity exists in some of the (even fundamental or common) terms used here.


Posted in Software Architecture & Design


When all you have is a hammer

We’ve probably all experienced organizations that rely principally on a single assessment technique (whether static analysis or dynamic analysis, manual or tool-based). Unfortunately, this is all too common for security practices. When this topic came up recently with the question (paraphrased), “Are there numbers that demonstrate the value of a security program making use of static, dynamic, and manual assessment techniques?”, I thought some of our experience might apply.


Posted in Static Analysis (SAST), Web Application Security


How to increase visibility for static and dynamic analysis

Sometimes, people talk loosely about an important difference between static and dynamic analysis. Static analysis tools, they say, achieve 100% coverage. They may complain that dynamic analysis tools struggle to get even double-digit statement coverage of an application under test.


Posted in Static Analysis (SAST), Web Application Security


Is pen testing security testing?

Some people start “Security Testing” by buying a pen-test tool and running it on a project. Such tools uncover security vulnerabilities (though they seldom help with root cause analysis, or even with obtaining double-digit code coverage).


Posted in Web Application Security