Software Integrity

Archive for the 'Static Analysis (SAST)' Category


Swift: Close to greatness in programming language design, Part 3

Welcome back. Ahead of Coverity Static Analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. Before digging into Part 3, I recommend reading Part 1 and Part 2 in this series if you have not already. Defect patterns part […]


Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment


Swift: Close to greatness in programming language design, Part 2

Ahead of Coverity Static Analysis support for the Swift programming language, we are examining design decisions in the language from the perspective of defect patterns detectable with static analysis. To kick things off, I recommend reading Part 1 in this series if you have not already. Defect patterns continued: More basics. Now we consider additional […]


Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment


Zeroing in on zero day vulnerabilities

Earlier this month WikiLeaks announced it had in its possession a cache of zero days allegedly from the Central Intelligence Agency. These unpatched vulnerabilities, it said, could affect Apple and Android devices (including TVs). It is suspected that exploitation of these vulnerabilities could allow the spy agency – or anyone else who knows about them […]


Posted in Code Review, Embedded Software Testing, Fuzz Testing, Network Security, Software Security Testing, Static Analysis (SAST)


Swift: Close to greatness in programming language design, Part 1

As we are taking our first steps toward a Coverity Static Analysis solution for the Swift programming language, I am discovering one of the most challenging languages yet for Coverity. This is simply because many of the easy-to-make, easy-to-find mistakes in other programming languages were designed to be difficult or impossible in Swift. However, some mistakes […]


Posted in Application Security, Static Analysis (SAST), Vulnerability Assessment


Bug elimination: Code scanning, fuzzing, and composition analysis

When it comes to software vulnerabilities, Dr. Jared DeMott knows his stuff. Formerly a vulnerability analyst with the National Security Agency (NSA), Dr. DeMott holds his PhD from Michigan State University. He has been on three winning DEF CON capture-the-flag (CTF) teams and talks about his vulnerability research at conferences like DerbyCon, BlackHat, ToorCon, GrrCon, […]


Posted in Application Security, Code Review, Fuzz Testing, Software Composition Analysis, Software Security Testing, Static Analysis (SAST), Web Application Security


Moving beyond ‘moving left’: The case for developer enablement

Originally posted on SecurityWeek. For far too long software security has been comprised of a curious bifurcation of roles. Developers develop and IT security testers test for security issues. Fortunately, a confluence of circumstances has forced a recalibration of the developer’s role in software security. In fact, I think we are about to see a new […]


Posted in Security Training, Software Development Life Cycle (SDLC), Software Security Program Development, Static Analysis (SAST)


5 reasons to outsource your authentication like you do your credit card processing

You may have noticed that we don’t create credit card processing solutions here. We use what already exists, as we do for authentication services, and there are some good reasons for that: Designing these systems is not our core competency – we’re good at researching languages and frameworks to design static analysis tools that help […]


Posted in Application Security, Static Analysis (SAST)


How to respond to application security incidents

Application security incidents cause serious disruption and scrutiny for any company. Fingers will be pointed, blame will be cast, and heads will roll. But right now all that matters is how you respond. Security incidents are also far more common than you think. To illustrate this point, set up a baseline CentOS VM and give […]


Posted in Application Security, Ethical Hacking, Static Analysis (SAST)


How to choose between closed source and open source software

“I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” – Abraham Maslow When it comes to commercial and open source tools (i.e., paid and free software) the debate as to which category of software is better continues, leaving egos, careers, and […]


Posted in Open Source Security, Software Security Testing, Static Analysis (SAST)


A spell check equivalent for building security in

Originally posted on SecurityWeek. I can honestly say that spell check is the reason I now know how to spell “separate.” It only took about 20 years of patient and faithful repetition from Microsoft Word. The concept of spell check is intriguing when considered in the context of security. There is a significant benefit to […]


Posted in Agile Methodology, Security Training, Static Analysis (SAST)