With the beginning of the New Year comes lots of reflection on the past 365 days. Here at Checkmarx, we had a fantastic and busy year – and it definitely shows on the blog. If you’re looking for some good security info to sink into or want to catch up on the stories you missed, look no further. To wrap up the year and start out 2015 on a strong note, we’re sharing our top 12 most popular stories on our blog from the past year.
Happy New Year and we look forward to sharing the next year with you, our loyal readers!
Anyone on Twitter has felt the pain of trying to find new and relevant people to follow and with this being our most read post of the year, it appears the InfoSec crowd is no different. We heard lots of great suggestions of gurus we didn’t quite get to in that post, so be on the lookout for a follow-up in early 2015!
Twitter users can simply follow the list we created for the easiest way to keep tabs on your favorite AppSec & Security tweeters.
With so many security tools available, it’s hard to know which ones are the best at doing what you need them to do. To help those interested in using an open source tool for static code analysis testing, we wrote a very well-read post on the top 7 such tools – check it out for yourself on the blog.
With SO much info out there about InfoSec, it can be hard to know what the most helpful resources are. We shared the seven sites we most often use and which others have found to be helpful, so that you can spend less time looking for info and more time actually reading and utilizing it. Enjoy happier hunting with these sites!
We had the opportunity to interview or speak with lots of white hat hackers this year, and one of the best outcomes of these conversations is getting to hear their important insights into InfoSec and their advice on how organizations can get and stay secure. Speaking with five ethical hackers, we shared their insightful tips. With all the security nightmares we dealt with last year, these are important takeaways to make 2015 a total turnaround.
Osanda Malith Jayathissa is a Computer Science student in Sri Lanka with a huge love for participating in bug bounties and responsible disclosure. We had the chance to interview Osanda about what keeps him interested and motivated to find new security bugs – even when he knows he won’t earn money from many of his discoveries.
Read about Osanda’s rare insights into the world of bug bounties here.
With a constant top-spot in the OWASP Top 10, SQL Injection is a pesky, avoidable vulnerability that continues to creep up in a huge percentage of critical applications. In April 2014, for example, Ponemon released a survey which stated that 65% of organizations surveyed last year had experienced an “SQL injection attack that successfully evaded their perimeter defenses.”
In this post, we discussed why SQL injection continues its prevalence today and broke down the top 5 ways to avoid SQL injections in your own applications. If you’re still struggling to rid your apps from this potentially costly security issue or want to learn more about how to keep them out of future apps, this post is for you.
In our friend Dave Ferguson’s first guest post, the AppSec professional offered solid advice for those novices looking for a bit more experience. It’s not exactly easy finding safe, up-to-date sites where you can practice your hacking skills without getting arrested, so Dave created a helpful list of his recommendations for improving your hacking skills, no matter how much experience you have.
Rafay Baloch, AKA “Pakistan’s Top Ethical Hacking Prodigy,” shared his insights into the application security issues he found in the default browser used on Android phones. With the proliferation of bug bounties and responsible disclosure, Baloch is a symbol of what InfoSec’s future looks like – not to mention an interesting person to interview.
We were thrilled when Simon Bell, a computer science student conducting a very cool experiment, agreed to an interview with us. His project, a Secure Shell honeypot – a decoy server or system designed to track malicious intrusions – let attackers believe they were breaking into Simon’s server through whichever method they preferred. Little did the attackers know they were being watched – by anyone who visited Simon’s website, SecureHoney.net, where Simon logged and analyzed the malicious uploads and attack attempts.
Simon’s research and contributions to the InfoSec community earned him an award from the British Computer Society this past fall for the project, as well as a full scholarship for a PhD in cyber security. Check out our interview with Simon from April.
One of the biggest Capture the Flag competitions in the world, the annual iCTF, or International Capture the Flag event, brought 123 teams together from all around the globe. Participants, mostly undergraduate students, learn critical security lessons by taking the lessons they’re learning in classes and applying them to real-life scenarios.
We spoke with Giovanni Vigna, the chief iCTF organizer, previous DefCon CTF winner (Team Shellphish) and a professor at UCSB (where Shellphish was founded), about how he prepares for such a massive event and the importance of putting theory into practice by participating in CTFs – and how they can help shape the future of InfoSec.
We were thrilled when another favorite guest-poster, Malik Messelem, shared a post with us about his security education tool, bWAPP. Short for “buggy web application,” bWAPP is an open-source tool Malik built to help anyone working with code – auditors, developers, security teams – better equip themselves to secure their applications. From OWASP Top 10 vulnerabilities like SQL injection and XSS to backdoor flaws à la NSA, bWAPP covers the most important security issues to be on the lookout for when writing or reviewing code.
Read about Malik’s vision for bWAPP and best-use practices here.
This past summer, Apple introduced their new language, Swift, designed specifically for development on their iOS and OS X platforms. Inevitably, as with the introduction of any new language, security issues crept in. This post details the research Checkmarx did on specific vulnerability classes that apply to Swift – integer overflow, buffer overflow, and format string attacks – and the best ways to mitigate them. The research was originally published on Dr. Dobb’s.
What kind of stories would you like to see on the blog in 2015? Comment below – we’d love to hear what you think!
Images designed at Canva.com.