What’s HOT in Application Security Vol #40

Shape Security: Getting Down to the Root of Hacking

When treating an illness, it is generally more effective to treat the source of the problem rather than the symptoms. Shape Security is trying to do the same in the field of website security. While other products are geared towards a faster, cheaper, and better way of preventing and stopping attackers, Sumit Agarwal, co-founder and vice president of Shape, claims that they are “striking at the core mechanics of how those things work and making them harder to do in the future” by focusing on cutting-edge attackers and the crimeware ecosystem. Basically, it won’t be “offensive security” but defensive security, making it harder and more costly for attackers to do any damage.

With computer science at the core of their research and development, Shape, though relatively new in the field, has caught the eyes of many big names such as Google, Facebook, and Twitter. They have recently announced that their investments total at least $26 million. If they do succeed in their goals, this will greatly change the face of internet security.

Established in 2011 by executives from Google, major defense contractors, and the Defense Department, Shape Security now also employs Google’s former click-fraud czar, Cisco Systems’ former vice president of application security, and Walmart’s former CISO.

For more information, visit:

Staying Secure on the Cloud

This just in for all Dell Public Cloud customers and customers running VMware vCenter 5.0 environments… Dell SecureWorks is proud to announce a new Vulnerability Management Service (VMS) and a new Web Application Scanning (WAS) Service for the Cloud. But that’s not all: they are also offering customers a Global Threat Intelligence Service, which analyzes data in order to find new threats and vulnerabilities. In the coming months, they will be launching even more security solutions, so be sure to stay updated.

The Web Application Scanning (WAS) service includes both regularly scheduled and “on demand” scans to determine whether any threats or vulnerabilities are present in the customer’s web applications, which is where the Cloud has been shown to be most vulnerable. In addition, the VMS service includes scans performed by Dell SecureWorks security personnel. Customers will be alerted immediately if anything is found during a scan, and they will be told how to resolve the problem. Similarly, all Threat Intelligence reports and analysis from the Global Threat Intelligence Service can be accessed through the Dell SecureWorks Portal. These new developments are crucial as many companies are migrating from traditional IT to the Cloud and need to be sure that their data stays secure.

For more information, visit:

Government Agencies and Web Security in 2013

Though many predict 2013 to be a year of cloud and mobile device hacking, researchers for the Verizon Data Breach Investigations Report (DBIR) foresee threats involving authentication attacks, continued “hacktivism”, Web application exploits, and social engineering to be what we can expect in the coming year. These conclusions are not simply guesses; they are based on empirical evidence, which can be used to help organizations focus on the right methods to stay secure.

Verizon’s RISK (Research, Intelligence, Solutions, Knowledge) team has deemed the following to be the most likely data threats:

  1. Authentication Failure: 90% probability – these are attacks due to vulnerable or stolen usernames and passwords. Hackers will use these weaknesses for initial breaches. It’s therefore important for government agencies and other organizations to secure all user accounts and credentials across all systems, devices, and networks in order to avoid such breaches.
  2. Web Application Exploits: These primarily threaten larger organizations, such as government agencies. It’s very important for larger organizations to secure their web applications this year, or they are at high risk of serious attacks.
  3. Social Engineering: This is a tricky one, since it uses social tactics like phishing to get into larger government organizations and enterprises. In order to protect against and prevent these breaches, every employee must be aware of such schemes and how to stop them.

For more information, visit:

Developers with Security in Mind

Everyone knows that data breaches are on the rise and that their damage is increasingly costly. The question is: what is the source of such vulnerability, and how can it be prevented? The answer: human error due to poor application design and faulty programming.

With attackers growing ever more sophisticated, it’s essential to build security into web applications as early as possible in the development phase, according to Pieter Danhieux of the SANS Institute. However, most programming students are ill-equipped when it comes to security: even the most brilliant developers have often attended only a lecture or two on the subject during their coursework. Consequently, they are unable to develop with security in mind. In all stages of web development, developers, architects, and designers must be educated in depth in the methods for keeping their sites secure. That way, by the time the program is complete, it will be less likely to contain vulnerabilities. Though there are other contributing factors, this is the root of the problem. Danhieux proposes that all web development courses address security in order to better prepare students and future developers for the real world.

For more information, visit: