In the News

OWASP Top 10 & Open Source Code: Why Watching Your Back Means Watching Everyone Else’s

6 Jun 2016 | By Admin

At times, being a developer can feel a little bit like being back in school and getting partnered up on projects. You would work your butt off, fastidiously checking and rechecking your part of the assignment until you’re sure it’s perfect only to show up at school on Monday and find that your partner hasn’t fulfilled his end of the deal. And there goes the project.

The open source components you can tap into as a developer are, for the most part, wonderful things. But while you’ve doubtlessly spent endless hours checking the security of your own code, you’re often put in a position where you have to trust that all of that third party code was checked as closely as yours was. Sometimes, those open source components that saved you all kinds of time and trouble may have glaring security issues. The good news is, there is a solution.

Continue reading this article on IT Briefcase


Don’t wait for the police: plugging holes in your website forms to avoid SQL injection

6 Jun 2016 | By Naomi Webb

It’s been a while since the last major Florida election controversy, but at long last the Sunshine State has delivered. A cybersecurity researcher exposed serious vulnerabilities in the Lee County Supervisor of Elections Office website… and was promptly arrested after detailing those vulnerabilities in a YouTube video that bizarrely featured a man running for the supervisor of elections position.

SQL injection is the number one threat in the OWASP Top 10 and has been a favored tool of hackers for over 15 years: tried, true, effective, and easy to automate with third-party tools. What more could a hacker want? When your application is attacked using SQLi, the attacker sends malformed SQL statements through forms or even query string values in the hope that you don’t validate and check them before executing them on the server. SQLi differs from attacks such as XSS in that the statements run on the database server, not in the user’s browser.

Continue reading this article on Tech Guru Daily.


5 Ways to Create a Secure Software Development Life Cycle (sSDLC)

5 Jun 2016 | By Kamn

Enterprise level software needs a tightly bound software development life cycle (SDLC) to ensure deployed applications follow business requirements and stay bug-free. In the Hollywood blockbuster version of this high-stakes process, that secure SDLC would require exactly five things: lasers, a group of witty nerds, a security program that features fast moving green type on a black screen, a large digital clock and Jason Statham.

Unfortunately, securing an SDLC isn’t so simple in real life. Standard SDLC guidelines often don’t include all-important security, and this oversight can leave the resulting software vulnerable to a variety of common attacks. As in the Hollywood version, however, these costly data breaches and devastating cyber-attacks can be combatted with five things. Keep reading to find out the details on SDLCs and the ways to ensure your organization’s software is secure.

Building software requires structure

Smaller individual apps can be built without much structure, and it all tends to go fine. But once an application graduates from a simple app to enterprise level and the words “project management” enter the picture, it’s going to require structure in its development. This need for organization through the various stages of development is what gave rise to the standard SDLC template.

The basic steps are:

  1. Requirements: gather the requirements that define the way an application will function
  2. Design: design the application and a functional user experience and layout
  3. Coding: use the requirements to then code the application’s functionality
  4. Testing: test the application for any bugs
  5. Deployment: push the application from development or staging to the production server

Continue reading this article on DesignCanyon.com.


Easy and Cost-Effective Secure App Development

4 Jun 2016 | By Diogo Costa

Every year, we see a considerable increase in the number and severity of cybersecurity incidents from which companies suffer major financial losses, harm to their reputation, and irreparable damage to their customers. In 2015 alone, cybercriminals raked in billions of dollars from data breaches, as well as account information for hundreds of millions of users meant to be sold on the black market and used for further fraudulent activities.

There are several methods and tools that can help you adopt a secure application development process and better understand and fix security issues in your applications before release. One of the most effective is the use of Static Application Security Testing (SAST) tools, such as Checkmarx CxSAST.

In essence, SAST solutions are suites of tools that integrate into the Software Development Lifecycle (SDLC) and enable developers to vet and scan their code as they program. The most important benefit of SAST solutions is that bug detection and removal is streamlined and seamlessly integrated into the overall development process.

Continue reading this article on Tech.co


Hacking: The Case for Prevention Rather Than Cure

2 Jun 2016 | By Amit Ashbel

When the movie Sneakers came out in 1992, hacking wasn't considered a real threat; it was almost something cool that really clever kids did just to prove they could. More than two decades later, hacking has taken on a far more sinister tone and become a much more profitable profession. With breaches continuing to happen at an alarming rate, the proliferation of cyber-crime is a huge threat to corporate organisations and individual consumers alike. In a bid to counter this current trend, and threat, we go back five centuries to the Dutch philosopher Desiderius Erasmus to borrow his idea that 'prevention is better than cure'.

The pace of technology

One of the reasons there are so many breaches is the increasing volume of connected devices, a result of technological advances. We live in a world where new devices, platforms, applications or systems are launched every day, each of which presents a new attack surface, and unfortunately, without any regulation or industry standards, security has been less of a priority than getting these new products to market. Developers are still measured by how quickly they can write application code, and therein lies the problem: security, unfortunately, is often an afterthought, and developers are usually involved in the process far too late.

Continue reading this article on SCMagazine.com.


The OSI model, your security, and giving special consideration to the application layer

2 Jun 2016 | By Patrick Vernon

There’s a certain poignant disappointment that occurs when your expectations do not align with reality. Especially when your expectations are both reasonable and logical. Take the topic of securing an application based on the Open Systems Interconnection (OSI) model, for instance. The OSI model is a way of thinking about computer networking that efficiently and effectively lays out the seven layers of computer networking, showing how they are neatly connected, each layer making use of the functions of the layer both above and below it. “Perfect,” you think. “If these seven layers are so tidily intertwined, surely there must be one security solution that takes care of them all.”

As security organization Checkmarx points out, for effective application layer security, static code analysis is a security solution that can be seamlessly integrated into the developer environment. It makes application layer security a component of the daily development schedule, allowing developers to receive nearly real-time scan results and fix vulnerabilities (as well as coding problems and other issues) as the application is being developed. Not only does this help create a secure software development life cycle, but it also saves untold time and effort by identifying problems as they appear instead of after a build is complete.

Continue reading this article on Digitalisation World.


How to Integrate Application Security Testing Into the Agile Development Process

2 Jun 2016 | By Daan Pepijn

Testing and rooting out bugs are integral parts of any successful application development process. Most prominent software development standards, including the popular Agile method, include provisions for making sure the end-product operates according to the use cases that define the required functionality.

But by focusing solely on functional requirements, the organizations that use these methods fail to address non-functional issues, including application security testing.

Static Application Security Testing (SAST) tools are a software development team’s best friend. As opposed to Dynamic Application Security Testing (DAST) tools, which only work on compiled, executable binaries, SAST scans at the source code level, which makes it easier for individual members of a development team to apply.

Continue reading this article on Business.com.


The Internet of Things will only ever be as secure as its application

1 Jun 2016 | By Amit Ashbel

The pace at which the Internet of Things (IoT) is entering our homes and workplaces is phenomenal. This proliferation brings lots of potential benefits to users, but it also presents numerous security risks. There is currently no common IoT platform; instead, various tech giants are competing to own the IoT platform of choice, with securing that platform seeming to be a lesser consideration.

The Open Web Application Security Project (OWASP)'s top ten IoT list of vulnerabilities gives recommendations on how to develop IoT applications that will help fight off hacking attempts. In the IoT space, releases are generally quick and frequent, so OWASP's top ten is certainly helpful, but it can only have a positive effect if the underlying application code itself is secure.

Continue reading this article on Digitalization World.


Why websites are so vulnerable to hackers

31 May 2016 | By Ben Dickson

Hackers just can’t get enough of hacking websites. Malicious actors break into them to upload infected copies of operating systems or distribute malware. Fraudsters use website vulnerabilities to steal sensitive credentials and financial info. The feds take them over to track down child porn consumers. Hacktivists take them down to fight controversial bathroom bills. And a lot more.

“Industries that have adopted and increased web applications usage for their business in the past year are seeing the impact on the attack patterns,” says Amit Ashbel, director of product marketing at Checkmarx, a cybersecurity startup that offers application security solutions. “Financial and transportation verticals are the top targets when it comes to web application attack vectors. Both these industries have ramped up their web and mobile application services in the past years, creating a very fertile attack surface.”

“The sheer fact that web applications are available for everyone to use drives attackers to design their attacks based on the weak points of the web application,” Ashbel explains.

Continue reading this article on The Daily Dot


Update: 117 million LinkedIn email credentials found for sale on the dark web

26 May 2016 | By Doug Olenick

The 2012 LinkedIn data breach may be the breach that just keeps on giving, with the news that 117 million customer email credentials originating from that hack were found for sale on the dark web, prompting the professional social network to invalidate the account passwords.

The initial story came from Motherboard, which reported it was contacted by someone going by the name “Peace” who said he was selling the data set on an illegal marketplace called The Real Deal for 5 Bitcoins, or about $2,200. The 117 million credentials come from a larger 167 million data dump of accounts that were supposedly grabbed when LinkedIn was breached in 2012.

Amit Ashbel, Checkmarx director of product marketing and cyber security evangelist, said LinkedIn's poor handling of its customers' data four years ago led directly to today's situation.

“LinkedIn could have definitely prevented the impact of this breach four years ago if they were using strong encryption techniques. That might not have prevented the breach itself but the data would be of much less use,” he told SCMagazine.com in an email.

Continue reading this article on SCMagazine.com.
