In this week’s episode of the podcast (#168), sponsored by Signal Sciences, Chris Eng of Veracode joins us to talk about the 10th annual State of Software Security Report and the problem of application security debt. Also, Brendan Macaraeg of Signal Sciences talks about the expanding landscape of web application attacks and defenses.
Tag: application security
Here at The Security Ledger, we’ve written often about the barriers to improving the security practices of software development organizations. It is simple enough to say things like “we have to teach people to write code that is secure. But to actually accomplish that across the myriad of companies that do software development is akin to boiling the ocean. Still, it is a far more manageable problem at the level of a single organization. In fact: it is quite do-able. How? That’s the subject of a Google Hangout Security Ledger is doing this afternoon in conjunction with Veracode. The topic: creating a culture of security within your organization. In the hangout, I will be speaking with Veracode’s Chris Eng and Greg Nicastro about how Veracode, itself, built its secure development culture from the ground up. This is going to be a great discussion. Greg is the Executive Vice President of […]
A non-profit group that represents prominent computer security researchers has issued an open letter to the automotive industry calling for more collaboration on cyber security issues. The group, I Am The Cavalry said the automotive industry needs to elevate cyber security to put it on par with other vehicle safety issues. The announcement, on Friday at DEF CON 22 in Las Vegas – an annual hacker conference – included a letter to CEOs in the automotive industry, calling for the adoption of “five key capabilities that create a baseline for safety relating to the computer systems in cars.” The letter asks for safety to be built into the design of computer systems in vehicles. “Increasing reliance on computer systems and internet connectivity in cars is opening up a whole new area of consumer risk, much of which is still being investigated and understood,” the group said. “Modern cars are computers […]
A four year-old vulnerability in an open source component that is a critical part of Google’s Android mobile operating system could leave mobile devices that use it susceptible to attack, according to researchers at the firm Bluebox Security. The vulnerability was disclosed on Tuesday. It affects devices running Android versions 2.1 to 4.4 (“KitKat”), according to a statement released by Bluebox. According to Bluebox, the vulnerability was introduced to Android by way of the open source Apache Harmony module. It affects Android’s verification of digital signatures that are used to vouch for the identity of mobile applications, according to Jeff Forristal, Bluebox’s CTO. He will be presenting details about the FakeID vulnerability at the Black Hat Briefings security conference in Las Vegas next week.
One of the most powerful (and substantive) realizations to come out of the news about the ‘Heartbleed’ OpenSSL vulnerability was that open source projects need help and attention from the tech community that relies on their fruits. I’ve written about this before – noting Apple’s reluctance to put some of its considerable cash hoard towards supporting open source projects it relies on (like the Apache Software Foundation), as have others. [Read Security Ledger’s coverage of the Heartbleed vulnerability here.] Now that idea appears to have taken root. On Thursday, the Linux Foundation announced the creation of the Core Infrastructure Initiative, a multi-million dollar project to fund open source projects that are in the critical path for core computing functions. The CII group has some substantial backing. Google, Cisco, Microsoft, Facebook, Amazon, IBM, Intel, Samsung, Fujitsu and VMWare all signed on to the CII Steering Committee. (Surprising (or not): Apple was not one of the firms supporting […]