Company Blog

CISO Insights: How the CISO of San Diego Secures His City

This article is the first in a series of interviews with CISOs in various industries. Our goal is to share our conversations with Chief Information Security Officers about how they handle their daily work as well as the bigger picture: innovating security practices around business operations.

Gary Hayslip is currently the Deputy Director and Chief Information Security Officer for the City of San Diego, a role he has held for the past two years. Before that, Gary spent over 25 years as an Information Security professional in the US Navy, working his way up to CISO.

We had the opportunity to interview Gary about the risks and rewards of securing a major city, as well as what he has learned over his many years in the industry, and have shared the highlights below. You can also grab the full interview here, and be sure to follow Gary on Twitter!


The AliExpress XSS Hacking Explained

As you may have heard, it was recently reported that AliExpress, one of the world's largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the Cross-Site Scripting (XSS) vulnerability, I would like to discuss and elaborate on it in the following post.

A few months ago, I purchased some items from AliExpress. After the purchase, I sent a message to the seller to ask him a question about the items. From my experience as an application security expert at AppSec Labs, I suspected that it might be vulnerable, and so I started to investigate the issue locally without harming the system or its users.

After a short investigation, I concluded that any buyer on the website can browse to any item and send a message to the seller using the vulnerable "Contact Now" feature. Any registered buyer could abuse this feature to send the seller a message containing a malicious payload.
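The pattern described above is a stored XSS: text typed by one user (the buyer) is saved and later rendered into another user's page (the seller's inbox). The following is an added illustration of that pattern and of its standard fix, context-aware output encoding. It is generic demo code, not AliExpress code and not code from the author's post; the renderers and the sample messages are constructed, and the payloads are textbook examples rather than anything taken from the real site.

```javascript
// Added illustration of the stored XSS pattern described above. Generic demo
// code, not AliExpress's code: a buyer's message is stored and later rendered
// in the seller's inbox. The sample messages below are constructed.

// Escape the five characters that matter in element text and in
// double-quoted attribute values. '&' must be replaced first so that the
// entities produced by the later replacements are not escaped again.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable renderer: untrusted fields are concatenated straight into markup,
// so tags in the body become live HTML and a quote in the subject breaks out
// of the title attribute and can add an event handler to the <li>.
function renderMessageUnsafe(msg) {
  return '<li class="msg" title="' + msg.subject + '">' +
    '<b>' + msg.from + '</b>: ' + msg.body + '</li>';
}

// Hardened renderer: each untrusted field is escaped for the context it lands
// in (element text or a double-quoted attribute value).
function renderMessageSafe(msg) {
  return '<li class="msg" title="' + escapeHtml(msg.subject) + '">' +
    '<b>' + escapeHtml(msg.from) + '</b>: ' + escapeHtml(msg.body) + '</li>';
}

function renderInbox(messages, renderOne) {
  return '<ul>' + messages.map(renderOne).join('') + '</ul>';
}

// Constructed sample inbox: a benign message, a tag injected into the body,
// and an attribute breakout in the subject.
const SAMPLE_MESSAGES = [
  { from: 'buyer1', subject: 'Shipping', body: 'When will my order ship?' },
  { from: 'buyer2', subject: 'Question', body: '<img src=x onerror="alert(document.cookie)">' },
  { from: 'buyer3', subject: '" onmouseover="alert(1)', body: 'Hi' },
];

// Render the same inbox both ways so the difference can be inspected.
function demo(messages = SAMPLE_MESSAGES) {
  return {
    unsafe: renderInbox(messages, renderMessageUnsafe),
    safe: renderInbox(messages, renderMessageSafe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const out = demo();
  console.log('vulnerable:\n' + out.unsafe + '\n\nhardened:\n' + out.safe);
}
```

In a real browser page the equivalent of `renderMessageSafe` is to build elements with the DOM and assign untrusted strings through `textContent` and `setAttribute`, never through `innerHTML` or string concatenation; the escaping shown here is what a server-side template engine does automatically when auto-escaping is left on. Note that the subject payload contains no `<` at all, which is why filtering "dangerous tags" on input is not a substitute for encoding on output.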


AppSec 101: The Secure Software Development Life Cycle

Due to the growing demand for robust applications, the secure Software Development Life Cycle methodology is gaining momentum all over the world. Its effectiveness in combating vulnerabilities has made it mandatory in many organizations. The objective of this article is to introduce the reader to the basics of the secure Software Development Life Cycle (also known as the sSDLC).

Before we cover the various phases of the Secure Software Development Life Cycle, it is important to understand why an SDLC is needed in the first place. I will then present an overview of the secure Software Development Life Cycle and why it is proving so helpful in developing safe web and mobile applications.

This article is written with CISOs, project managers, program managers, architects and developers in mind: anyone interested in improving the security standards of the applications their organization develops. It is intended as a starting point for people who want to integrate security into their existing software development processes. First we will walk through the phases of the SDLC; then we will look at why a secure SDLC matters.


Open Source vs. Commercial Tools: Static Code Analysis Showdown

It's the never-ending dilemma, the 'Coke or Pepsi' debate of the software and security world, and there is still no definitive answer.

As the application security market grows, so does the variety of tools available to organizations seeking to secure their applications. With solid open source and commercial options on either side, the decision is not getting any easier, and the same question keeps emerging in organizations around the world: when it comes to selecting tools for source code analysis, should we choose open source or commercial?

A few months ago, we released The Ultimate List of Open Source Static Code Analysis (SCA) Tools, and heard from many readers that it helped them decide between the open source SCA options.

Now we are taking a look at the pros and cons of open source static code analysis tools versus commercial ones. Each has its own benefits and downsides, and there are worthy tools under both commercial and open source licenses. What it comes down to is the needs of the organization looking to secure the apps it builds and releases.


3 Things to Know About Managing Open Source Components in Your App

Manage your software where it is created: the continuous integration environment, where the various pieces of code become software. While some of that code is proprietary, much of it (probably over 50%) is open source components, because your development teams use open source components to boost their productivity and build better products.

You most likely have your proprietary software thoroughly tested, QA'd and reviewed via static code analysis on a regular basis. But what about the open source components?

Open source components have a direct impact on the quality and security of your software or service. Security vulnerabilities in open source components are discovered from time to time, and while they are often fixed very quickly, you need to make sure that you learn of them when they are discovered and can apply the right measures when necessary.
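Knowing about a newly published vulnerability is only useful if you can tell whether the version you ship is in the affected range. The following is an added example of that check, not Checkmarx code and not drawn from the post: an inventory of open source components, in the shape a CI job might export from a lockfile, is matched against advisories that give affected version ranges. The inventory, the advisories and the advisory IDs are all constructed placeholders; a real job would load the inventory from the build and the advisories from a vulnerability feed.

```javascript
// Added example, not Checkmarx code: match an inventory of open source
// components against known-vulnerable version ranges. Inventory, advisories
// and advisory IDs below are constructed placeholders.

// Parse "1.2.3" (optionally "v1.2.3") into [major, minor, patch]; missing
// parts count as 0. Returns null for anything this simple parser does not
// understand (git hashes, pre-release tags) so such components are reported
// rather than silently treated as safe.
function parseVersion(v) {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?$/.exec(String(v).trim());
  if (!m) return null;
  return [Number(m[1]), Number(m[2] || 0), Number(m[3] || 0)];
}

// Numeric, component-wise comparison: 1.10.0 is newer than 1.9.9, which a
// string comparison would get wrong.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A range is a space-separated list of conditions such as ">=1.0.0 <1.4.2";
// every condition must hold for the version to be in range.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((cond) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(cond);
    const bound = parseVersion(m[2]);
    if (!bound) throw new Error('unparseable bound in range: ' + cond);
    const c = compareVersions(version, bound);
    switch (m[1] || '=') {
      case '>=': return c >= 0;
      case '<=': return c <= 0;
      case '>': return c > 0;
      case '<': return c < 0;
      default: return c === 0;
    }
  });
}

// Constructed inventory; two copies of libfoo model a dependency tree that
// pulls in the same library twice at different versions.
const INVENTORY = [
  { name: 'libfoo', version: '1.3.9' },
  { name: 'libfoo', version: '2.0.1' },
  { name: 'libbar', version: '0.9.0' },
  { name: 'libbaz', version: 'git+abc123' },
];

// Constructed advisories; the IDs are placeholders, not real identifiers.
const ADVISORIES = [
  { id: 'EXAMPLE-0001', name: 'libfoo', affected: '>=1.0.0 <1.4.2', fixed: '1.4.2' },
  { id: 'EXAMPLE-0002', name: 'libbar', affected: '<0.8.0', fixed: '0.8.0' },
];

// One finding per (component, advisory) match, plus one 'unparsed' finding per
// component whose version could not be read, so nothing is mistaken for clean.
function audit(inventory, advisories) {
  const findings = [];
  for (const comp of inventory) {
    const v = parseVersion(comp.version);
    if (!v) {
      findings.push({ name: comp.name, version: comp.version, status: 'unparsed' });
      continue;
    }
    for (const adv of advisories) {
      if (adv.name === comp.name && satisfies(v, adv.affected)) {
        findings.push({
          name: comp.name, version: comp.version, status: 'vulnerable',
          advisory: adv.id, fixed: adv.fixed,
        });
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(audit(INVENTORY, ADVISORIES));
}
```

Run in CI, a non-empty result from `audit` is what should fail the build; the 'unparsed' status matters as much as 'vulnerable', because a component pinned to a commit hash or a vendored copy is exactly the one that advisory feeds cannot match for you.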


16 CISOs and Security Leaders You Should be Following on Twitter

A few months ago we published an article, '21 AppSec & Security Gurus You Should Be Following on Twitter,' and even we were surprised by the buzz it created. It seems we struck a chord with our readers, who are apparently pining for new security people to follow on Twitter. So, to feed your hunger for 'security twits', we decided to double down and put together a list of the best tweeters of security-related news and information among the people heading security organizations: the CISOs and CSOs.

These security leaders have years of experience both securing and leading, and have great insights, advice and news to share with their followers. We have even created a handy Twitter list so you can follow and easily keep up with the CISOs recognized here.

What other CISOs and CSOs are great to follow? Leave your suggestions below and we’ll add them to our list on Twitter!


What’s Holding You­­­­ Back from Securing Your Code?

Organizations today are aware of the security risks they are exposed to as a result of bad coding practices. However, while awareness is the first step, being able to act is a whole other ballgame.

After witnessing more and more companies being hit by attacks that exploit well-known vulnerabilities, we sought to understand what holds organizations back when it comes to implementing secure coding practices.

Checkmarx gathered a slew of professionals from organizations around the globe in the same room and asked them one simple question:

“What is holding you back from ensuring your Application code is secure?”


Safer Swift Development With Checkmarx’s New API

After using Objective-C for decades, Apple is steering toward its newer and safer Swift programming language. Swift is compatible with Apple's Cocoa and Cocoa Touch frameworks and works with almost all of the Objective-C code written for Apple computers and mobile devices. The shift has not been smooth, and Swift development still has some security issues.

Checkmarx researcher Denis Krivitski, a seasoned Objective-C and Swift expert, has created KeychainSwiftAPI to address a glaring issue developers face today: the security vulnerabilities introduced by the Swift-to-C interoperability classes. Ironically, accessing the Keychain secure database requires using those very classes.

“Swift, when used exclusively, is a great programming language that solves many of the security issues found in C and Objective-C,” Krivitski commented while speaking about the latest developments in the Apple software ecosystem. “But once we bridge it to code written in C or Objective-C, we create exploitable buffer overflow vulnerabilities. Using the wrapper I created can help eliminate these issues and ensure secure Swift development.”


Checkmarx RASP Security serves a deadly blow to application vulnerabilities

Hackers are relentless in their quest to infiltrate organizations, especially through applications. No matter the size of your organization, having security built into the applications you build and use is no longer optional.

After a year like 2014, now considered 'The Year of the Data Breach', security professionals can no longer afford to be stubborn about application security. But for organizations that lack resources, security-minded personnel or developers with sufficient security knowledge, building and maintaining secure applications and remediating insecure ones can seem daunting.

There is a solution, however: empowering your applications to protect themselves. As Gartner's 2014 Hype Cycle for Application Security report put it, it is time for applications to stop relying on external tools to identify attacks and flaws, and to start protecting themselves.


5 Habits of Highly Effective Application Security Leaders

In our global, digital world, data is king, and malicious attackers are constantly on the lookout for ways to seize the throne. With a rapidly changing business landscape, the old, reactive approaches to security are no longer enough, if they ever were. Effective application security leaders are changing their tactics to keep up.

It should not take a security incident to make an organization pay attention to securing the applications and other assets that matter so much to the business. With our ever-increasing reliance on data and the applications that carry it, and hackers' ever-growing ability to cause deeper damage, this will only become more true.

Breaches, most notably the big-name hacks of the past year, are costly. They cost lost time, wasted effort, reputation, customers and, of course, untold financial setbacks.

It's time to settle this: security IS a business enabler. Mapping security initiatives to business objectives is still a somewhat novel idea, but it's catching on.
