Software Integrity

Archive for the 'Penetration Testing' Category


BURP’s proxy tool and the case of the missing cipher suites

During a recent iOS application penetration test, I was attempting to proxy network traffic using the BURP proxy tool. In doing so, I configured my device to use BURP as a proxy, and voila, I was able to see the traffic (oh, the joys of certificate pinning). However, my excitement was short-lived. I noticed that I […]

Posted in Penetration Testing, Software Security Testing
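The teaser above stops before saying which cipher suites went missing, so the following is an added example rather than code from the original post. It assumes the situation the title points at: an intercepting proxy terminates the device's TLS session and starts its own handshake toward the server, so the ClientHello the server sees may carry a different cipher suite list than the one the device sends. The check a tester wants is therefore a side-by-side comparison of the two ClientHellos, for instance from a packet capture taken on the device and another taken on the proxy's upstream side. The parser below reads the cipher_suites field out of a raw TLS record; the two sample ClientHellos are constructed in the block (fixed zero randoms, no extensions), and the name table is a short excerpt of the IANA registry, not a complete one.

```python
import struct

# Small excerpt of the IANA TLS cipher suite registry, enough to label the
# constructed sample; unknown IDs are printed as hex.
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xCCA9: "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_client_hello(suites):
    """Build a minimal TLS 1.2-style ClientHello record (RFC 5246 layout)
    offering the given cipher suite IDs. Constructed test input only:
    the 32-byte random is all zeros and no extensions are sent."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    body += b"\x00\x00"                                 # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher suite IDs offered in a ClientHello record, in the
    client's preference order. Raises ValueError on anything malformed or
    truncated rather than returning a partial list."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                  # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0]
            for i in range(pos, pos + suites_len, 2)]


def missing_suites(device_hello, proxy_hello):
    """Suites the device offered that the proxy's own upstream ClientHello
    does not, in the device's preference order."""
    offered = set(parse_client_hello(proxy_hello))
    return [s for s in parse_client_hello(device_hello) if s not in offered]


def suite_name(suite_id):
    return SUITE_NAMES.get(suite_id, "0x%04X" % suite_id)


# Constructed sample: what a modern mobile client might send versus a
# proxy whose upstream handshake offers an older, shorter list.
DEVICE_HELLO = build_client_hello([0x1301, 0x1302, 0xC02B, 0xC02F, 0xCCA9])
PROXY_HELLO = build_client_hello([0xC02B, 0xC02F, 0x002F])

if __name__ == "__main__":
    for s in missing_suites(DEVICE_HELLO, PROXY_HELLO):
        print("device offers, proxy does not:", suite_name(s))
```

In practice the two records come from captures rather than from build_client_hello: strip the frames down to the first TLS record of each connection and feed the bytes to parse_client_hello. If the server only accepts a suite that appears in the device's list but not the proxy's, the handshake that fails is the proxy's upstream one, which is the symptom a tester should check for before blaming the app.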

Top 10 free pen tester tools

A craftsman needs the right skills and tools working in tandem to create a masterpiece. While tools are an important enabler in producing the best work possible, the process also requires relevant experience and expertise on the part of the craftsman. Much like a craftsman’s toolbox, a pen […]

Posted in Penetration Testing, Software Security Testing

Software security initiative capabilities: Getting started

A software security initiative (SSI) often begins with one of three common security capabilities:

1. Penetration testing
2. Code review
3. Some sort of secure design review (e.g., threat modeling)

During this year’s OWASP AppSec California, Synopsys’ Jim DelGrosso presented on the benefits and drawbacks of these software security initiative capabilities. Watch as he illustrates how each capability fits into building a […]

Posted in Code Review, Penetration Testing, Security Conference or Event, Software Security Program Development, Threat Modeling

How effective is your vulnerability detection methodology?

In order to develop secure software, an organization must take several steps throughout the software development life cycle (SDLC) to ensure that security is built-in from the beginning. Here, we’ll explore these security touchpoints and discuss how they are applied to a piece of software under development to identify, resolve, and prevent vulnerabilities early in the […]

Posted in Penetration Testing, Security Risk Assessment, Software Development Life Cycle (SDLC), Vulnerability Assessment

Pen testing best practices to take the pain out of penetration testing

I encounter many techies who love the science of penetration testing. They’re captivated by the technology stack, the vulnerabilities, and the tools at their disposal. But, at the same time, they find the task of pen testing itself aggravating and stressful. A real pain. Why is that? I noticed a common theme in their explanations […]

Posted in Penetration Testing, Software Security Testing

Software security myth #4: Software security is a cryptography problem

Software security isn’t the same thing as security software. You can use a crypto library to add a security feature to an application, but that’s not the same thing as making an application secure. The liberal application of magic crypto fairy dust to your code will provide no security by magic. (In fact, the same […]

Posted in Maturity Model (BSIMM), Penetration Testing, Software Security Program Development

Understanding architecture analysis and secure design review

So you understand the difference between bugs and flaws and that the defect universe is roughly a 50/50 split of bugs and flaws. Awesome! (If you don’t yet understand the difference, here’s a great read about software flaws in application architecture that will explain it.) You’ve also decided you want to start actively doing some […]

Posted in Penetration Testing, Software Architecture and Design, Software Security Testing

Software security myth #3: Penetration testing solves everything

Security testing is important. Conducting specialized penetration tests at the end of the software development life cycle (SDLC) can be a rewarding security activity for your organization. Penetration testing is, after all, the most commonly applied of all software security practices. But this isn’t necessarily a good thing. This is why penetration testing […]

Posted in Code Review, Penetration Testing, Security Architecture, Software Development Life Cycle (SDLC), Software Security Testing

How proactive is your software security initiative?

The bad news is that software gets hacked. The defects and vulnerabilities that attackers exploit can be introduced by the organization itself or by its vendors and partners. The good news is that the remediation methods for these defects and vulnerabilities are well known. Organizations with a mature software security […]

Posted in Maturity Model (BSIMM), Penetration Testing, Software Development Life Cycle (SDLC), Software Security Program Development

Agile methodology and application security: A promising pair

Agile and application security are often spoken of together as oil and water, but are they really? Agile software development happens fast. The high frequency of iterations and releases often translates to wildly dynamic application build structures, with new components/modules added regularly throughout the software development life cycle (SDLC). This iterative approach enables teams to […]

Posted in Agile Methodology, Application Security, Dynamic Analysis (DAST), Penetration Testing, Software Development Life Cycle (SDLC), Static Analysis (SAST), Threat Modeling