Software Integrity Blog

Archive for the 'Security Training' Category


Get the latest resource helping development teams overcome widespread challenges

Only when security is treated with the same importance as quality can your software’s integrity drive a proactive strategy rather than a reactive response. In addition to ensuring software quality, development teams are under increasing pressure to address software security concerns. The high-profile data breaches that continuously arise are raising awareness of security issues. Because of this, customers, stakeholders, and boards of directors are asking questions of development teams that they never have before. Questions like:


Posted in Fuzz Testing, Interactive Application Security Testing (IAST), Security Training, Static Analysis (SAST), Web Application Security


Learning from KRACK and ROCA: Here’s how to equip your firm

Last week’s news introduced us to another pair of vulnerabilities hitting right at the foundation of everything we place our trust in. Named KRACK and ROCA, these flaws target specific facets of Wi-Fi networks and cryptographic keys, meaning that attackers can potentially sneak into networks we consider private, and decipher things we consider secret. Who’s affected? If you’re in enterprise IT, you’re likely familiar with the cycle of waiting for a patch, then planning and coordinating the rollout of the patch across your estate. What’s interesting in this case is that a lot of the space to be covered includes non-PC devices, so you have to figure out how those will get patched too. (Your plan covers that, right?)


Posted in Data Breach, Security Training, Software Architecture and Design


4 simple steps to encourage online safety at your company

October is Cyber Security Awareness Month.


Posted in Security Training, Web Application Security


How can you tell if your software security strategy is working?

Let’s say you tested 46 web applications, 19 mobile apps, and 20 client-server apps this year alone. You also purchased a new application security testing tool in the process. You found 112 vulnerabilities and all-in-all you’re feeling pretty good.


Posted in General, Security Standards and Compliance, Security Training


Insecure example code leads to insecure production code

There is a sad reality in the software world that developer education and training not only neglect software security, but often teach developers the wrong activities to secure it. This ranges from the ‘get it to work and move on’ habit to insecure code samples in the tutorials and forums we all use when learning new approaches. A study published earlier this year shows that insecure code samples in tutorials that are vulnerable to things like SQL injection and cross-site scripting (XSS) manage to find their way into real-world production code.

Flawed tutorials leading to large-scale vulnerabilities

In April 2017, Tommi Unruh, Bhargava Shastry, Malte Skoruppa, Federico Maggi, Konrad Rieck, Jean-Pierre Seifert, and Fabian Yamaguchi published “Leveraging Flawed Tutorials for Seeding Large-Scale Web Vulnerability Discovery.” They used known insecure code samples from popular tutorials on the web to find similar weaknesses in actual software projects on GitHub.


Posted in Security Standards and Compliance, Security Training, Web Application Security


Security topics every software developer should know

Software developers and information security professionals have almost always been two mutually exclusive groups. However, with the increase in security awareness, developers have started integrating security into the development process. To further bridge the gap between development and security, it is essential for developers to have a good understanding of security principles. In this post, we’ll talk about the basic security concepts that every developer should be aware of while building applications.

Topic #1: Input validation

An application obtains data from various trusted and untrusted sources during its workflow. It is important to perform input validation of data obtained from all sources to ensure that only properly formed data gains entry into the application workflow. If not properly validated, malformed input can lead to attacks such as SQL injection and cross-site scripting (XSS). Always conduct input validation on the server—even if client-side validation is also present.

Syntactic and semantic validation

It’s important to validate data both syntactically and semantically. Syntactic validation ensures that the input data has the correct elements such as structure, data type, and length. On the other hand, semantic validation ensures the correctness of data per business logic (e.g., checking for a negative price).

Blacklisting and whitelisting

The two primary approaches for performing input validation are blacklisting and whitelisting. Blacklisting involves detecting dangerous characters and patterns in the input (e.g., an apostrophe character or the <script> tag) and filtering them out. Since blacklisting does not account for all attack vectors, it is relatively easy to bypass these checks and controls. Also, the blacklist needs to be updated every time a new attack vector is discovered. This isn’t very manageable. As such, blacklists should not be used for validating data.


Posted in Security Training, Software Architecture and Design


How secure is AngularJS?

Synopsys Principal Security Consultant, Ksenia Dmitrieva-Peguero, recently posed the question at the information security conference, Securi-Tay: How secure is AngularJS? With seven years of experience in the AppSec space, and five years of software development experience, Ksenia’s current concentration centers on the analysis of JavaScript frameworks–researching their security implications, vulnerability discovery, and remediation.


Posted in Security Training, Software Architecture and Design, Web Application Security


Hands-on strategies to counter common web application attacks

We’re excited to announce a new addition to our eLearning library: Attack & Defense. What’s this course all about? Web applications are becoming an increasingly high-value target for hackers looking to make a quick buck, damage reputations, or just boost their “street cred.” There is no shortage of publicly known attack tools and techniques, and software developers are outnumbered at the front line of defense.


Posted in Security Training, Web Application Security


Moving beyond ‘moving left’: The case for developer enablement

Originally posted on SecurityWeek.


Posted in General, Security Training, Static Analysis (SAST)


Learn defensive programming for HTML5 in a day

HTML5 is the fifth revision of the HTML standard. HTML5 and its integration with JavaScript introduce new security risks that require careful consideration when writing web front-end code.


Posted in Security Standards and Compliance, Security Training