Software Integrity Blog

Author Archive

Mike Lyman


Mike Lyman is a senior security consultant at Synopsys. He works with customers on secure code reviews and vulnerability assessments, and trains developers in secure development. Prior to Synopsys, Mike spent 12 years with SAIC and helped create their software assurance offering for DoD customers at Redstone Arsenal, AL, pioneering most of the processes and procedures used by the practice. He learned IT security in the trenches with Microsoft's network security team throughout the heady days of SQL Slammer, Code Red and Nimda. Prior to that, he was a software developer supporting US Army project offices at Redstone Arsenal and served on active duty as an officer in the US Army. He has been a CSSLP since 2008 and a CISSP since 2002.


Posts by Mike Lyman:


Insecure example code leads to insecure production code

There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new […]

Posted in Security Standards and Compliance, Security Training, Web Application Security


Squash more bugs with this code review checklist

“All software projects are guaranteed to have one artifact in common—source code. Because of this guarantee, it makes sense to center a software assurance activity around code itself.” - Gary McGraw, Software Security: Building Security In

Conducting secure code reviews during the software development life cycle (SDLC) helps reduce security bugs in code. The following six steps […]

Posted in Security Training, Static Analysis (SAST)


How to avoid the blind spot in static analysis tools caused by frameworks

More and more organizations are using static analysis tools to find security bugs and other quality issues in software long before the code is tested and released. This is a good thing, and despite their well-known frustrations like high false positive rates and relatively slow speeds, these tools are helping improve the overall security of […]

Posted in Static Analysis (SAST)


When and how to support static analysis tools with manual code review

Analyzing source code for security bugs gets a lot of attention and focus these days because it is so easy to turn it over to a static analysis tool that can look for the bugs for you. The tools are reasonably fast, efficient, and pretty good at what they do. Most can be automated like […]

Posted in Static Analysis (SAST)


Benefits of secure code review: Developer education

The value of code review, having been well-studied and documented, is generally accepted by most development managers, if not always by the developers themselves. While the primary goal of code review is to improve the quality of the code itself, a secondary goal is often to improve the knowledge and skills of the developers so […]

Posted in Security Training, Static Analysis (SAST)


Benefits of code scanning for code review

“All software projects are guaranteed to have one artifact in common – source code. Because of this guarantee, it makes sense to center a software assurance activity around code itself.” - Gary McGraw, Software Security: Building Security In

When an author sits down to write today, they have great tools available to automatically check their spelling […]

Posted in Static Analysis (SAST)