Breaking News
Source: Veracode.com

Sep 16, 2016
Last week, US-CERT (the U.S. Computer Emergency Readiness Team) issued an alert about an old SAP security hole after a vendor flagged that attackers were still using it. The initial problem was that SAP had apparently fixed the hole some six years ago, but gave users the choice whether to protect themselves or not. Candidly, that's an odd choice to offer IT execs, but it's easier to understand...

If you’re going to spend time, money and effort implementing an application security program, don’t lose your progress by neglecting to collect and share metrics. With strong metrics, you not only prove that your program is making a positive impact, but also identify where and how it’s working – or not working. What happens if you don’t measure? Bad things like these: 1 - You don’t get money A...

Perceived security threats motivate IT people the same way they do everyone else. People react to how much a threat scares them, which sometimes has little relation to how truly threatening that threat is. Consider rank-and-file U.S. citizens and fears of terrorism. The potential damage by a terrorist is horrendous, but there are consumers who consider terrorists a far bigger threat than burgla...

Source: Veracode.com

Sep 16, 2016
If you type ‘Benchmarking’ into Google, the top definition is “evaluating something by comparison with a standard”. Seems simple enough, but the bigger question here is – who sets that standard? In the past, we may have looked to the big enterprise-size companies; however, breaches such as TalkTalk and Target show us that even the biggest companies might not have concen...

Source: Veracode.com

Sep 16, 2016
Every few months, another prominent person in software security suggests that the password needs to be done away with—and they invariably say it as though it's a new idea. In reality, the security community has effectively agreed for more than a decade that passwords are no longer sufficiently secure to protect the sensitive data they are tasked with protecting. And yet, just like the proverbial ...

Source: Veracode.com

Sep 16, 2016
You have a great idea for a new product – what could possibly go wrong? One of my favorite games in business[1] is to have a pre-mortem wherein you imagine that you are a year older and wiser and whatever it is you are working on right now fails miserably. I mean, spectacularly – we are talking pets.com-style. This game plays into my hyperbolic nature, but also is useful in identifying your bi...

More enterprises than ever before are recognizing that software is inherently insecure. Yet they cannot slow down their development cycles to accommodate this reality. Doing so would compromise their innovation and competitiveness. As a tradeoff, many companies end up sacrificing security. RASP technology holds the promise of protecting applications without touching code. As a category, runtim...

Source: Veracode.com

Sep 16, 2016
Way back in April, Securosis published a whitepaper, “Building a Vendor (IT) Risk Management Program.” While the paper is informative and practical – do you know what is noticeably missing? Information on how to manage the risk that comes with using vendor applications. This is surprising because Securosis frequently writes about the importance of application security. Companies are relying on s...