Posts Tagged ‘Security’

  • Upcoming webinar: Top tactics to reduce your open source security risk

    on Jul 21, 14 • by Roy Sarkar • with No Comments

    Open source is embedded in over 50% of enterprise applications and development environments today, yet very few developers are aware of the inherent security risks. What steps should you take to maximize the benefits of open source software while substantially reducing risk? Join us on Wednesday, July 30th for our “Top tactics to reduce your open source security risk” webinar, which will explore policies and tools to help identify where issues can happen and discuss strategies to deliver safer, more secure software. We’ll look at a combination of open source governance and management tools along

  • Secure Coding Learning Center

    on Sep 13, 12 • by Brendan Harrison • with No Comments

    One of the common challenges we hear from customers regarding their software security assurance programs is developer education. Sure, there are many great tools out there that can help with security, but when it comes down to it, if you’re going to truly build a culture of secure software (and not just audit your system now and then), your development team needs to be well versed on key security concepts, defensive coding principles, common attack vectors, not to mention the ins and outs of specific coding vulnerabilities like buffer overflows. Well, we agree. That’s why

  • CWE Compatibility Program

    on Sep 5, 12 • by Alen Zukich • with No Comments

    If you’re an organization that cares about security and the repercussions that come with it, then you probably already know all about Common Weakness Enumeration (CWE). CWE is a community project sponsored by the MITRE Corporation. As a software vendor providing security vulnerability detection, it’s important to be part of the CWE Compatibility Program. This program identifies vendors that are officially CWE-compatible, which means you can count on the vendor to provide guidance in their product with respect to CWE identifiers, including direct links to the wealth of information that is kept up to date

  • Hacking an automobile: When software security is life-critical

    on Aug 21, 12 • by Brendan Harrison • with 1 Comment

    Software security assurance for embedded software is a big challenge. This article on embedded systems and automobile security summarizes it nicely: White hats are increasingly looking beyond PCs and data centres for security vulnerabilities that have plagued the computer industry for decades and focusing on products like cars, medical devices and electricity meters that run on tiny computers embedded in those products. For embedded software teams to become the target of hackers is a big change. While website owners and developers of cloud applications or PC software are used to all this attention from hackers,

  • Klocwork Insight 9.5 Continues to Roll…

    on Mar 6, 12 • by Brendan Harrison • with No Comments

    Wow, what a week last week. We’ve been busy spreading the word about Klocwork Insight 9.5 and all its on-the-fly-analysis goodness since late January and the reaction has been amazing, but last week took the cake. First, Klocwork Insight 9.5 won its first award: the Military Embedded Systems Editor’s Choice. Here’s an excerpt from their write-up: Software developers have enough on their plates without having to spend undue time analyzing their code. Sure, there is traditional source code analysis, whether done manually or by using techniques such as static or dynamic analysis, but Klocwork’s Insight

  • Security Issues with Apple iOS?

    on Nov 8, 11 • by Todd Landry • with No Comments

    As a pretty avid Apple user (2 iPhones, 1 iPad2, iMac, iPod Touch, MacBook Pro, etc.), and given that I work in the business of software quality and security, I must admit that this article caught my attention. The article outlines how a well-known security researcher, who focuses on Apple, has found a software flaw in the iPhone and iPad which could allow hackers to build malicious apps. What makes this even more scary is that the Apple Store may not catch these malicious apps. To add another twist to this story, the researcher in

  • Electronic imports contain security threats

    on Jul 19, 11 • by Alen Zukich • with No Comments

    I read an interesting post on electronic imports that could contain security threats. I can only speak from the software perspective, but I can say that most customers I’ve dealt with usually integrate some sort of software security audit process with any third-party integrator, and from my experience that means adopting static analysis. How many organizations are there that haven’t jumped on board with static analysis? Probably more than I can count. It would be very interesting to hear of some of the Armed Services and Intelligence cyber threats that the government has not publicly

  • New programs for software security

    on Jul 5, 11 • by Alen Zukich • with No Comments

    The U.S. Department of Homeland Security, in conjunction with the SANS Institute and MITRE, has been hard at work again. See the article. There are two new programs called the Common Weakness Risk Analysis Framework (CWRAF) and the Common Weakness Scoring System (CWSS). Using these two in conjunction will help users identify the most important weaknesses for their business. It will be interesting to see adoption in the upcoming weeks. In addition to CWRAF and CWSS, the 2011 CWE/SANS Top 25 list has been updated. There have been a number of position changes and a

  • The Evolution of Static Code Analysis – Part 3: The Present Day

    on Jun 8, 11 • by Todd Landry • with 1 Comment

    My first 2 posts looked at 2 different eras of Static Code Analysis, the Early Years and the Early 21st Century. The SCA solutions of these times were revolutionary, and helped software development teams a great deal. But they had their warts. In the final post in this series, I’m going to introduce you to present-day Static Code Analysis technology and how it is impacting developers. The Present Day I’m a huge fan of Reese’s Peanut Butter Cups. I love them. I keep active so I don’t feel guilty eating them. In a

  • To report, or not to report…

    on Jun 6, 11 • by Gwyn Fisher • with No Comments

    Creating a source code analysis (SCA) engine is a balancing act, a decision process of where you believe the most value can be found along the spectrum that is the signal-to-noise ratio of the detection process. At one end lies the realm of massive noise and hopefully complete coverage, whilst at the other is the quiet calm of the theoretically useful but ultimately useless realm of no noise, but ultimately no signal either. That may sound counter-intuitive. Shouldn’t a zero noise point on the spectrum be accompanied by an infinitely strong signal? Perhaps in the
