Posts by Sarah Vonnegut:

What was the worst InfoSec Fail of 2014?

Dec 08, 2014 By Sarah Vonnegut |
It’s December, and thus the perfect time to reflect on the events of the past twelve months. In InfoSec, there’s a lot to contemplate, having been one of the worst years in terms of data breaches and security breakdowns. According to the 2015 PwC State of InfoSec Survey, there were an estimated 28.9 million breaches in 2013, and an estimated 42.8 million in 2014: An increase of 48% in just one year. From major retail incidents to open-source vulnerabilities like Heartbleed and Shellshock, hardly a week went by without another InfoSec disaster.

</Read More>

The Ultimate List of Open Source Static Code Analysis Security Tools

Nov 13, 2014 By Sarah Vonnegut | Doing security the right way demands an army – of developers, security teams, and the tools that each uses to help create and maintain secure code.   With the increasingly important mindset of creating quality, secure code from the start, we’ve seen a greater shift towards the adoption of tools designed to detect flaws as quickly as possible in the software development lifecycle (SDLC).   One of those tools is static code analysis. The true strength of static source code analysis (SCA) is in quickly and automatically checking everything “under the hood” without actually executing the code. Because it works to discover issues that can be hard to discover manually, it’s a perfect companion to the human eye. Even the most senior security people still miss security flaws. After all – we are still human, so the combination of machine and man make for better coverage.

</Read More>

7 Lessons We Should Take Away from the Drupal SQL Injection Flaw

Nov 04, 2014 By Sarah Vonnegut | What’s the Deal with Drupal?
Another month, another apocalypse-summoning security catastrophe – and October was no different. Just over two weeks ago, the security team behind Drupal’s free and open-source CMS released an ominous security advisory that shocked many in the security industry. The advisory, SA-CORE-2014-005, informed users that an SQL injection flaw in all Drupal 7 sites allowed attackers access to databases and more.

</Read More>

21 AppSec & Security Gurus You Should Be Following On Twitter

Oct 14, 2014 By Sarah Vonnegut |  Are you an AppSec Tweeter? 
  Whether you’re a newbie or an old-timer in the world of application security, Twitter is a great place to listen in and connect with some of the best and brightest in the industry. To help, we’ve compiled a list of some of our favorite tweeters to add to your own Twitter feed.    The list is a cross-section of people in Information Security and Application Security in specific – people whose Tweets we read daily. It’s in no way exhaustive, so please feel free to comment below with people we should add!   Many of these tweeters also maintain personal blogs revolving around application security, and we’ve included them in this post, as well. Build your blogroll along with who you follow on Twitter for double the industry insight!  
Bonus: Follow the whole list on our Twitter list!

</Read More>

All You Need to Know About Shellshock & What You Can Do About It

Oct 02, 2014 By Sarah Vonnegut | So, what happens when a core component of Mac, Linux and other Unix-based operating systems is found to be highly vulnerable and easily exploitable? 
Last week, we found out: On September 24th, the world was first introduced to a family of bugs in the Bash shell, being referred to both as ‘Shellshock’ and ‘Bashdoor’.
Here’s a breakdown of what the Bash bug is, how it can be exploited, and how you can protect yourself.
Background on Bash & the Bash Bug Being Called Shellshock
Bash (short for Bourne Again Shell) is a command-line shell used to type and execute commands. It is prevalent in Mac OS X, Linux, and other versions of UNIX operating systems. It’s also a mainstay on servers running Apache, accounting for about 51% of the world’s servers.

</Read More>

Risks and Rewards in Security: An Interview with Josh Sokol, InfoSec Program Owner and Creator of SimpleRisk

Sep 23, 2014 By Sarah Vonnegut | When you’re in the midst of a security issue, getting to the point of feeling on top of security again can seem a million miles away. Because in the end, security is about being aware of what’s going on in your environment and having a proactive approach to dealing with the threats. Being able to prioritize the severity of those threats and vulnerabilities that could impact the business is key to any security practitioner’s job. It’s in that vein that we recently spoke with Josh Sokol, an OWASP leader and the creator of SimpleRisk, an open source risk management tool he released to the community to help take some of the ‘obscurity’ out of security. With a background in computer science, a deep understanding of OWASP principles and as the owner of a security program at a large company, Sokol has a lot of great advice on how to do application security as well as security in general.

</Read More>

Ensuring your developers love – or at least don’t hate – security

Aug 14, 2014 By Sarah Vonnegut | This post originally appeared on  By Maty Siman, Checkmarx Founder & CTO
When it comes to an organization’s software security, there’s been a chronic disconnect between the developers who write and build the code and the security teams who audit and enforce the code’s security. This divide historically arose from common misunderstandings: programmers believe that security hinders their productivity, while security folks are frustrated that security is not at their top-of-mind.

</Read More>

Building Secure Applications: How Mature Are You?

Jul 29, 2014 By Sarah Vonnegut | Dave Ferguson is back with another guest blog! Make sure you check out his blog here, and read his original post, ‘Keeping Up With The Hackers: Where to Practice Your Web Hacking Skills,’ here. Testing your software for vulnerabilities is important.  There’s no doubt about it, but if there’s something I’ve learned over the years when it comes to application security, is that you can’t test yourself secure.  The reason is that development teams are writing new code all the time and if your main approach to securing the code is testing, it quickly becomes a never-ending cycle of testing –> fixing –> repeating. This is a lot like treating the symptoms of malady. What you really want is a cure for the malady.

</Read More>

Hacking It Forward

May 30, 2014 By Sarah Vonnegut | How do security researchers stay motivated and interested? For some of us, it seems like one XSS flaw or SQL injection would look exactly like the next, but the thrill of discovering these security vulnerabilities is more than enough to keep the fire going for some researchers. Osanda Malith Jayathissa, a security researcher and graduate student from Sri Lanka, is among that group, helping to make the web apps we use on a daily basis more secure. We spoke with Osanda recently to talk about why he does what he does and what keeps him in the field.
  “I find it interesting to find solutions and learn by making mistakes. Each scenario is different from the next, so I learn something new each time,” Osanda says.

</Read More>

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Follow us on Feedly

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.