Software Integrity

Archive for the 'Penetration Testing' Category

 

The 4 most important secure development disciplines

Being the most innovative and successful cloud monitoring company on the market, developing new features to production every day, it’s crucial not only to deliver the best user experience, performance and high reliability, but also to guarantee the highest SECURITY for our customers. To not let security measures slow down our agile and innovative value creation […]


Posted in Cloud Security, DevOps, Penetration Testing, Static Analysis (SAST)

 

BURP’s proxy tool and the case of the missing cipher suites

During a recent iOS application penetration test, I was attempting to proxy network traffic using the BURP proxy tool. In doing so, I configured my device to use BURP as proxy, and voila, I was able to see the traffic (oh, the joys of certificate pinning). However, my excitement was short-lived. I noticed that I […]


Posted in Penetration Testing, Software Security Testing

 

Top 10 free pen tester tools

A craftsman requires the appropriate skills and tools to work in tandem in order to create a masterpiece. While tools are an important enabler in the process of creating the best piece of work possible, the process also requires relevant experience and expertise on the part of the craftsman. Much like a craftsman’s toolbox, a pen […]


Posted in Penetration Testing, Software Security Testing

 

Software security initiative capabilities: Getting started

A software security initiative (SSI) often begins with one of three common security capabilities: penetration testing, code review, or some sort of secure design review (e.g., threat modeling). During this year’s OWASP AppSec California, Synopsys’ Jim DelGrosso presented on the benefits and drawbacks of these software security initiative capabilities. Watch as he illustrates how each capability fits into building a […]


Posted in Code Review, Penetration Testing, Security Conference or Event, Software Security Program Development, Threat Modeling

 

How effective is your vulnerability detection methodology?

In order to develop secure software, an organization must take several steps throughout the software development life cycle (SDLC) to ensure that security is built-in from the beginning. Here, we’ll explore these security touchpoints and discuss how they are applied to a piece of software under development to identify, resolve, and prevent vulnerabilities early in the […]


Posted in Penetration Testing, Security Risk Assessment, Software Development Life Cycle (SDLC), Vulnerability Assessment

 

Pen testing best practices to take the pain out of penetration testing

I encounter many techies who love the science of penetration testing. They’re captivated by the technology stack, the vulnerabilities, and the tools at their disposal. But, at the same time, they find the task of pen testing itself aggravating and stressful. A real pain. Why is that? I noticed a common theme in their explanations […]


Posted in Penetration Testing, Software Security Testing

 

Software security myth #4: Software security is a cryptography problem

Software security isn’t the same thing as security software. You can use a crypto library to add a security feature to an application, but that’s not the same thing as making an application secure. The liberal application of magic crypto fairy dust to your code will provide no security by magic. (In fact, the same […]


Posted in Maturity Model (BSIMM), Penetration Testing, Software Security Program Development

 

Understanding architecture analysis and secure design review

So you understand the difference between bugs and flaws and that the defect universe is roughly a 50/50 split of bugs and flaws. Awesome! (If you don’t yet understand the difference, here’s a great read about software flaws in application architecture that will explain it.) You’ve also decided you want to start actively doing some […]


Posted in Penetration Testing, Software Architecture and Design, Software Security Testing

 

Software security myth #3: Penetration testing solves everything

Security testing is important. Conducting specialized penetration tests at the end of the software development life cycle (SDLC) can be a rewarding security activity for your organization. Penetration testing is, after all, the most frequently and commonly applied of all software security practices. But, this isn’t necessarily a good thing. This is why penetration testing […]


Posted in Code Review, Penetration Testing, Security Architecture, Software Development Life Cycle (SDLC), Software Security Testing

 

How proactive is your software security initiative?

The bad news is that software gets hacked. The defects or vulnerabilities that attackers take advantage of to hack software can be made by an organization internally, or by their vendors or partners. The good news is that remediation methods to resolve these defects and vulnerabilities are well known. Organizations with a mature software security […]


Posted in Maturity Model (BSIMM), Penetration Testing, Software Development Life Cycle (SDLC), Software Security Program Development