Posts by Sarah Vonnegut:


The Ultimate List of Open Source Static Code Analysis Security Tools

Nov 13, 2014 By Sarah Vonnegut | Doing security the right way demands an army – of developers, security teams, and the tools that each uses to help create and maintain secure code.

With the increasingly important mindset of creating quality, secure code from the start, we’ve seen a greater shift towards the adoption of tools designed to detect flaws as quickly as possible in the software development lifecycle (SDLC). One of those tools is static code analysis.

The true strength of static source code analysis (SCA) is in quickly and automatically checking everything “under the hood” without actually executing the code. Because it discovers issues that can be hard to find manually, it’s a perfect companion to the human eye. Even the most senior security people still miss security flaws. After all, we are still human, so the combination of machine and man makes for better coverage.


7 Lessons We Should Take Away from the Drupal SQL Injection Flaw

Nov 04, 2014 By Sarah Vonnegut | What’s the Deal with Drupal?
Another month, another apocalypse-summoning security catastrophe – and October was no different. Just over two weeks ago, the security team behind Drupal’s free and open-source CMS released an ominous security advisory that shocked many in the security industry. The advisory, SA-CORE-2014-005, informed users that an SQL injection flaw in all Drupal 7 sites allowed attackers access to databases and more.


21 AppSec & Security Gurus You Should Be Following On Twitter

Oct 14, 2014 By Sarah Vonnegut | Are you an AppSec Tweeter?
Whether you’re a newbie or an old-timer in the world of application security, Twitter is a great place to listen in and connect with some of the best and brightest in the industry. To help, we’ve compiled a list of some of our favorite tweeters to add to your own Twitter feed. The list is a cross-section of people in Information Security and Application Security in particular – people whose Tweets we read daily. It’s in no way exhaustive, so please feel free to comment below with people we should add! Many of these tweeters also maintain personal blogs revolving around application security, and we’ve included them in this post as well. Build your blogroll along with who you follow on Twitter for double the industry insight!
Bonus: Follow the whole list on our Twitter list!


All You Need to Know About Shellshock & What You Can Do About It

Oct 02, 2014 By Sarah Vonnegut | So, what happens when a core component of Mac, Linux and other Unix-based operating systems is found to be highly vulnerable and easily exploitable? 
Last week, we found out: On September 24th, the world was first introduced to a family of bugs in the Bash shell, being referred to both as ‘Shellshock’ and ‘Bashdoor’.
Here’s a breakdown of what the Bash bug is, how it can be exploited, and how you can protect yourself.
Background on Bash & the Bash Bug Being Called Shellshock
Bash (short for Bourne Again Shell) is a command-line shell used to type and execute commands. It is prevalent in Mac OS X, Linux, and other versions of UNIX operating systems. It’s also a mainstay on servers running Apache, which accounts for about 51% of the world’s servers.


Risks and Rewards in Security: An Interview with Josh Sokol, InfoSec Program Owner and Creator of SimpleRisk

Sep 23, 2014 By Sarah Vonnegut | When you’re in the midst of a security issue, getting to the point of feeling on top of security again can seem a million miles away. In the end, security is about being aware of what’s going on in your environment and having a proactive approach to dealing with threats. Being able to prioritize the severity of the threats and vulnerabilities that could impact the business is key to any security practitioner’s job. It’s in that vein that we recently spoke with Josh Sokol, an OWASP leader and the creator of SimpleRisk, an open source risk management tool he released to the community to help take some of the ‘obscurity’ out of security. With a background in computer science, a deep understanding of OWASP principles, and ownership of a security program at a large company, Sokol has a lot of great advice on how to do application security, and security in general.


Ensuring your developers love – or at least don’t hate – security

Aug 14, 2014 By Sarah Vonnegut | This post originally appeared on SCMagazine.com. By Maty Siman, Checkmarx Founder & CTO
When it comes to an organization’s software security, there’s been a chronic disconnect between the developers who write and build the code and the security teams who audit and enforce the code’s security. This divide historically arose from common misunderstandings: programmers believe that security hinders their productivity, while security folks are frustrated that security is not top of mind for them.


Building Secure Applications: How Mature Are You?

Jul 29, 2014 By Sarah Vonnegut | Dave Ferguson is back with another guest blog! Make sure you check out his blog here, and read his original post, ‘Keeping Up With The Hackers: Where to Practice Your Web Hacking Skills,’ here.
Testing your software for vulnerabilities is important. There’s no doubt about it, but if there’s something I’ve learned over the years when it comes to application security, it’s that you can’t test yourself secure. The reason is that development teams are writing new code all the time, and if your main approach to securing the code is testing, it quickly becomes a never-ending cycle of testing –> fixing –> repeating. This is a lot like treating the symptoms of a malady. What you really want is a cure for the malady.


Hacking It Forward

May 30, 2014 By Sarah Vonnegut | How do security researchers stay motivated and interested? For some of us, it seems like one XSS flaw or SQL injection would look exactly like the next, but the thrill of discovering these security vulnerabilities is more than enough to keep the fire going for some researchers. Osanda Malith Jayathissa, a security researcher and graduate student from Sri Lanka, is among that group, helping to make the web apps we use on a daily basis more secure. We spoke with Osanda recently to talk about why he does what he does and what keeps him in the field.
“I find it interesting to find solutions and learn by making mistakes. Each scenario is different from the next, so I learn something new each time,” Osanda says.


IoT-Hacking Horror Stories: Screaming at Babies & Jamming the Roads

May 05, 2014 By Sarah Vonnegut | In the ‘wonderful world’ of the Internet of Things, two interesting stories – one about hacking traffic systems and another about attackers screaming at babies in their cribs – have recently popped up that should make us stop and think about its current state of security.
Taking It To The Streets
In the first story, a researcher at IoActive spoke to Wired about a recent vulnerability he found in traffic control systems throughout the U.S.’s biggest cities that could be manipulated “to snarl traffic or force cars onto different streets,” the article says. Instead of hitting the traffic lights directly, an attack using the flaw would target the street sensors that wirelessly send unencrypted data to the systems which control the traffic lights. Hackers would be able to send haphazard commands and data to mess with the system, says Cesar Cerrudo, the IoActive researcher. There are 50,000+ vulnerable wireless detection systems installed in metropolitan areas across the U.S., UK, France and more. A coordinated attack could truly wreak havoc.

