Software Security

Archive for the 'Code Review' Category

Does software quality equal software security? It depends.

Software quality and security assurance both concern risk to the organization, but they do so for different reasons. Risk might be mission critical such as software on a scientific robot crawling another planet. Or risk might be associated with sensitive financial information. In the first example the integrity of the software is paramount; it is […]

Posted in Code Review, Secure Coding Guidelines, Security Risk Assessment, Software Composition Analysis, Software Security Testing, Vulnerability Assessment

Zeroing in on zero day vulnerabilities

Earlier this month WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency – or anyone else who knows about them […]

Posted in Code Review, Embedded Software Testing, Fuzz Testing, Network Security, Software Security Testing, Static Analysis (SAST)

Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds his PhD from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, BlackHat, ToorCon, GrrCon, […]

Posted in Application Security, Code Review, Fuzz Testing, Software Composition Analysis, Software Security Testing, Static Analysis (SAST), Web Application Security

Why secure code reviews matter (and actually save time!)

Modern websites and applications are feature-rich. They provide the user with an intuitive flow through business logic and data. Application developers write these features, rely on their operation, and may even re-use them in their code. Due to rapid, feature-driven development and code sharing, when a vulnerability is introduced in code (and goes undetected) it […]

Posted in Code Review, Vulnerability Assessment

Protecode SC scans over 1 million applications

On Tuesday, Protecode SC, the online software composition analysis product from Synopsys, scanned its one millionth customer-submitted app. “This is a significant milestone,” said David Chartier, VP of Marketing, Synopsys Software Integrity Group. “This is a strong showing of scalability and widespread adoption of Protecode SC and of its ability to meet the demands […]

Posted in Code Review, Software Composition Analysis, Vulnerability Assessment

Goal-oriented security threat modeling approaches

When it comes to security, the vast majority of firms take measures to discover and remediate implementation-level software defects (i.e., bugs) in code. While this is a great start to securing software and data, it’s just that—a start. Bugs are only half the problem. It’s a necessary practice to look beyond squashing bugs, and into the […]

Posted in Code Review, Software Security Testing, Threat Modeling

Avoiding false positives in application security through customization

With the current increase in tool-based scans throughout the security industry, it becomes all the more challenging to identify the right issues and reduce false positives. For example, for static and dynamic code scanning there are tools and plugins like Fortify, AppScan, and FindBugs. These come with a standard set of default rules to identify issues. However, […]

Posted in Code Review, Dynamic Analysis (DAST), Software Security Testing, Static Analysis (SAST)

Software security initiative capabilities: Getting started

A software security initiative (SSI) often begins with one of three common security capabilities: penetration testing, code review, or some sort of secure design review (e.g., threat modeling). During this year’s OWASP AppSec California, Synopsys’ Jim DelGrosso presented on the benefits and drawbacks of these software security initiative capabilities. Watch as he illustrates how each capability fits into building a […]

Posted in Code Review, Penetration Testing, Security Conference or Event, Software Security Program Development, Threat Modeling

Squash more bugs with this code review checklist

“All software projects are guaranteed to have one artifact in common—source code. Because of this guarantee, it makes sense to center a software assurance activity around code itself.” - Gary McGraw, Software Security: Building Security In

Conducting secure code reviews during the software development life cycle (SDLC) helps reduce security bugs in code. The following six steps […]

Posted in Code Review, Security Training, Software Development Life Cycle (SDLC), Static Analysis (SAST)

How to avoid the blind spot in static analysis tools caused by frameworks

More and more organizations are using static analysis tools to find security bugs and other quality issues in software long before the code is tested and released. This is a good thing, and despite their well-known frustrations like high false positive rates and relatively slow speeds, these tools are helping improve the overall security of […]

Posted in Code Review, Software Security Testing, Static Analysis (SAST)