
What’s HOT in Application Security Vol #8

Would you Trade your Freedom for Application Security?

Application Security News

OWASP’s Dan Greer recently gave the keynote speech at the “Application Security Matters” conference, where he delved into the problems and issues arising from inconsistencies in application security.

There are many things which contribute to lousy application security: not taking the necessary steps to protect your code and your data, and poorly written, bloated code. What can one do about it?

For more information please go to:

http://www.networkworld.com/community/node/80291

Are firms correct in outsourcing their code for flaws?

There are several benefits to on-demand (outsourced) code scanning over scanning managed in the company’s own office: the costs can be shared amongst several customers, and there is high availability of experts who are dedicated entirely to running the scanning application.

However, scanning applications should be required as a general part of an organization’s approach to software security. Outsourced code scanning is accepted by several regulatory bodies (the PCI SSC, for one), but scanning in house ensures that developers learn from their mistakes and become attuned to frequently occurring vulnerabilities, scanning as they go and detecting these vulnerabilities early in the development lifecycle.

For more please go to:

http://www.it-director.com/business/compliance/content.php?cid=13267

Ohio Police fall victim to SQL Injection Attack

The Ohio police fell victim to one of the infamous SQL injection attacks by the hacking group ‘Anonymous’. This method is a favourite amongst cyber criminals the world over and has cost organisations millions to date. The suspect, John Anthony Borell, is being tried on two counts of felony cyber terrorism after breaking into the local law enforcement’s websites a few months ago.

Borell, who was first arrested by the FBI, was located through social media sites. The investigation continued, and it later transpired that Borell was actually a member of the infamous hacking group ‘Anonymous’, which has been covered extensively on this blog and throughout the world for its brand of politically inspired cyber terrorism.

This latest attack is one in a string of known attacks committed by the group; the group is infamous for SQL injection attacks on web applications, with victims ranging from China to the United States.

For more information please go to:

http://venturebeat.com/2012/04/16/anonymous-utah-hacker/

Web application vulnerabilities fall, but hackers are too sophisticated

Whilst the number of coding mistakes found on websites has continued to fall, companies are slow to mend issues that cyber criminals could use to their advantage.

The majority of vulnerabilities are found within customised website code, which cannot be fixed by applying vendor patches. On average, it takes an organization around 100 days to actually fix a web application vulnerability.

Companies need on-site code scanning available early in the development life cycle in order to maintain a good standard of security in their code.

For more information please go to:

http://www.pcworld.com/businesscenter/article/253927/website_vulnerabilities_fall_but_hackers_become_more_skilled.html

Managing Security

Security managers are busy preventing hackers from breaking into the corporate network and preventing employees from leaking sensitive data onto the Internet with their smartphones. Information security threats are rising and are set to rise significantly over the next couple of years. The three most essential risks that businesses must watch out for as they attempt to deal with these increasingly complex threats are external threats, regulatory threats and internal threats.

http://www.forbes.com/sites/ciocentral/2012/04/11/risky-business-managing-security-when-threats-collide/

Discover and hide software vulnerabilities

VUPEN is a research company that discovers “zero day” vulnerabilities and then sells them to organizations and governments for use in installing spyware. Several issues arise from this practice: these buyers may pass the confidential information on to other organizations, and many of the purchasing governments have poor or no human-rights records.

http://www.spamfighter.com/News-17610-Security-Agencies-and-Governments-Plot-to-Keep-Software-Vulnerabilities-Secret.htm

Written Information Security Program

Every company must have a Written Information Security Program, or WISP. This is a new law that was passed in Massachusetts about two years ago. In other words, if your company undergoes any kind of security breach and does not have a WISP, you’re in trouble.

Last year, the Briar Group was fined $110K because it “failed to take reasonable steps to protect its patrons’ personal information, thereby putting the payment card information of tens of thousands of consumers at risk.”

http://blog.eset.com/2012/04/11/wisp-your-companys-written-information-security-program
