Software Integrity Blog

Archive for the 'Security Training' Category

 

How can you tell if your software security strategy is working?

Let’s say you tested 46 web applications, 19 mobile apps, and 20 client-server apps this year alone. You also purchased a new application security testing tool in the process. You found 112 vulnerabilities and all-in-all you’re feeling pretty good.

Continue Reading...

Posted in General, Security Standards and Compliance, Security Training | Comments Off on How can you tell if your software security strategy is working?

 

Insecure example code leads to insecure production code

There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new approaches. A study published earlier this year shows that insecure code samples in tutorials, that are vulnerable to things like SQL injection and cross-site scripting (XSS), manage to find their way into real-world production code. Flawed tutorials leading to large-scale vulnerabilities In April 2017, Tommi Unruh, Bhargava Shastry, Malte Skoruppa, Federico Maggi, Konrad Rieck, Jean-Pierre Seifert, and Fabian Yamaguchi published “Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery.” They used known insecure code samples from popular tutorials on the web to find similar weaknesses in actual software projects on GitHub.

Continue Reading...

Posted in Security Standards and Compliance, Security Training, Web Application Security | Comments Off on Insecure example code leads to insecure production code

 

Security topics every software developer should know

Software developers and information security professionals have almost always been two mutually exclusive groups. However, with the increase in security awareness, developers have started integrating security into the development process. To further bridge the gap between development and security, it is essential for developers to have a good understanding of security principles. In this post, we’ll talk about the basic security concepts that every developer should be aware of while building applications. Topic #1: Input validation An application obtains data from various trusted and untrusted sources during its workflow. It is important to perform input validation of data obtained from all sources to ensure that only properly formed data gains entry into the application workflow. If not properly validated, malformed input can lead to attacks such as SQL injection and cross-site scripting (XSS). Always conduct input validation on the server—even if client-side validation is also present. Syntactic and semantic validation It’s important to validate data both syntactically and semantically. Syntactic validation ensures that the input data has the correct elements such as structure, data type, and length. On the other hand, semantic validation ensures the correctness of data per business logic (e.g., checking for negative price). Blacklisting and whitelisting The two primary approaches for performing input validation are blacklisting and whitelisting. Blacklisting involves detecting dangerous characters and patterns in the input (e.g., an apostrophe character or the <script> tag) and filtering them out. Since blacklisting does not account for all attack vectors, it is relatively easy to bypass these checks and controls. Also, the blacklist needs to be updated every time a new attack vector is discovered. This isn’t very manageable. As such, they should not be used for validating data.

Continue Reading...

Posted in Security Training, Software Architecture and Design | Comments Off on Security topics every software developer should know

 

How secure is AngularJS?

Synopsys Principal Security Consultant, Ksenia Dmitrieva-Peguero, recently posed the question at the information security conference, Securi-Tay: How secure is AngularJS? With seven years of experience in the AppSec space, and five years of software development experience, Ksenia’s current concentration centers on the analysis of JavaScript frameworks–researching their security implications, vulnerability discovery, and remediation.

Continue Reading...

Posted in Security Training, Software Architecture and Design, Web Application Security | Comments Off on How secure is AngularJS?

 

Hands-on strategies to counter common web application attacks

We’re excited to announce a new addition to our eLearning library: Attack & Defense. What’s this course all about? Web applications are becoming an increasingly high-value target for hackers looking to make a quick buck, damage reputations, or just boost their “street cred.” There is no shortage of publicly known attack tools and techniques, and software developers are outnumbered at the front line of defense.

Continue Reading...

Posted in Security Training, Web Application Security | Comments Off on Hands-on strategies to counter common web application attacks

 

Moving beyond ‘moving left’: The case for developer enablement

Originally posted on SecurityWeek. 

Continue Reading...

Posted in General, Security Training, Static Analysis (SAST) | Comments Off on Moving beyond ‘moving left’: The case for developer enablement

 

Learn defensive programming for HTML5 in a day

HTML5 is the fifth revision of the HTML standard. HTML5 and its integration with JavaScript introduce new security risks that require careful consideration when writing web front-end code.

Continue Reading...

Posted in Security Standards and Compliance, Security Training | Comments Off on Learn defensive programming for HTML5 in a day

 

Gary McGraw’s Shmoocon keynote recaps security career with advice

Gary McGraw provided this year’s keynote address at Shmoocon, held January 13-15 at the Washington Hilton in Washington, D.C. His talk, Seven Things: Frank Zappa, T. Coraghessan Boyle, and 21 Years in Security” touches upon valuable insights gleaned over his more than 21 years in software security. It also reflects his many interests.

Continue Reading...

Posted in General, Security Training, Software Architecture and Design | Comments Off on Gary McGraw’s Shmoocon keynote recaps security career with advice

 

Are you following the top 10 software security best practices?

While it is a common misnomer that many firms rely on, it’s never a good security strategy to simply buy the latest security tool and call it a day. Your organization may need to invest in focused employee education and tool deployment before seeing a return on investment. Software security isn’t simply plug and play.

Continue Reading...

Posted in Security Training | Comments Off on Are you following the top 10 software security best practices?

 

Think like an attacker during 2-day red team workshop

Most developers focus their day-to-day thought processes on building software rather than breaking it. Meanwhile, organizations face growing and evolving threats against their digital assets and infrastructure. That’s why it’s critically important for security operations and development teams to think defensively. Thinking of any and every possible attack is what red teaming is all about.

Continue Reading...

Posted in General, Security Training | Comments Off on Think like an attacker during 2-day red team workshop