Application Security Glossary

Ethical Hacking For Company Security

Ethical hacking explained

Ethical hacking is typically an authorized attack on a system in order to determine flaws and vulnerabilities which could lead to unauthorized access to company data and assets if the flaws are not properly patched. An ethical hack typically comes from white hat hackers, skilled professionals who attack company networks and infrastructure but do not do so maliciously.


Facebook Security

Facebook is the largest social network in the world, currently boasting over 1.3 billion users. There are also over 9 million applications integrated into the Facebook platform. This has resulted in a huge increase in spyware, malware and other security threats being spread via Facebook applications. While Facebook security has improved in recent years, there are still a high number of malware applications that are able to slip through the security barriers and reach end-users. This can lead to serious data breaches, including data theft, account compromise and more.


Flash Security

Flash is a popular Adobe platform frequently used for creating games, multimedia interaction, animated visualizations, videos and much more. Every time you visit a web page that loads a video, animation or interactive content, it is typically Flash that is the driving force behind the visual interaction. While Flash has been used on a large scale since 1996, the security community has expressed concerns over the abundance of malware and vulnerabilities that have plagued the Flash platform in recent years.


Gartner Magic Quadrant

Magic Quadrant

The Gartner Magic Quadrant includes the Magic Quadrant for AST (Application Security Testing) report published by the advisory firm Gartner Group. The goal of this Gartner Magic Quadrant is to deliver qualitative analysis of Application Security Testing vendors and indicate where the Application Security Testing market is headed. The market is analyzed either once per year or once every two years. Gartner analysis for application security is part of Gartner Cyber Security coverage.


Git Static Code Analysis

Git enables simultaneous revision of projects. It allows multiple developers to work on the same fork or on different forks of the code and then return them all to the same branch when a change needs to be delivered. There’s no version control in Git environments, but each member has access to commit changes and then merge code as cleanly as possible. Each developer owns the right to first-class revisions, and the process is as democratic as can be permitted within a development environment. Git Static Code Analysis is not something that is supported out of the box with Git-type repositories.


How to Avoid Wireless Sniffers

Wireless sniffers are customized packet analyzers specifically designed to capture data over wireless networks. Packet analyzers are software programs, occasionally hardware tools, which will detect, intercept and decode data over a wireless connection. Wireless sniffers are used for many legitimate actions, including detecting, investigating and diagnosing network problems; filtering network traffic; monitoring network security, usage and activity; detecting and identifying network bottlenecks and configuration issues; detecting network vulnerabilities, malware and attempted security breaches and much more. However, they can also be used by malicious attackers to harvest confidential data and sensitive company information.


How to Prevent Malicious Code

What is malicious code?

Malicious code is created to intentionally harm computers, systems or other devices. Malicious code often takes the form of a legitimate action, frequently hidden in the application code of a program that performs a legitimate task. This makes malicious code more difficult to eliminate than typical viruses, because common antivirus applications are unable to pick up the malicious code until it has been identified and stored in the antivirus database. There are many different types of malicious code, but the three most common types are viruses, worms and trojan horses.


Hudson Static Code Analysis

Hudson is a Java based tool for continuous integration of software projects. It runs inside a servlet-based container such as GlassFish or Tomcat. It’s designed to deliver a development environment in which builds are quickly and easily compiled, and either released or put into testing. However, when it comes to Hudson Static Code Analysis it’s necessary to add an integration kit, as Hudson does not support static code analysis in its native format.

Checkmarx provides an integration kit for this very purpose, and ensures that when you use Hudson for your continuous integration, you can continue to report on static code at all levels of granularity. In particular, it’s simple to run a build summary which delivers a report on the numbers of warnings (both new and fixed) within the build. There’s also good support for overall trend reporting, so builds can be compared against each other to see if there are specific areas that are adding more than their fair share of coding issues.

When the integration kit is in use, you can use a remote API to export the reports on build quality and the warnings identified to other applications. Hudson Static Code Analysis also allows you access to a colored HTML console that identifies which areas of the source code a particular warning applies to. Your development team can also set “failure thresholds” that enable a build to be automatically tagged as either a failure or one that is inherently unstable. This means that you can choose Hudson to compile your code on a regular basis without compromising your test cycle. Regular tests are the key to delivering bug-free, usable code time and time again.
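The build-summary and "failure threshold" logic described above, as an added illustration written for this glossary entry (it is not Hudson's own code or the Checkmarx integration kit; the warning records, rule names and threshold values are constructed):

```python
from dataclasses import dataclass

# Constructed example: compare the warnings of two consecutive builds, report
# new and fixed counts, and classify the build against assumed thresholds.


@dataclass(frozen=True)
class CodeWarning:
    path: str
    line: int
    rule: str


def summarize(previous, current, unstable_new=1, fail_total=10):
    """Classify the current build from the warning sets of two builds.

    Reaching fail_total warnings overall makes the build a FAILURE; any new
    warning (at or above unstable_new) makes it UNSTABLE; otherwise SUCCESS.
    Caveat: matching on exact path/line means an edit that shifts lines can
    make an old warning look new, so real tooling usually fingerprints context.
    """
    prev, cur = set(previous), set(current)
    new = sorted(cur - prev, key=lambda w: (w.path, w.line))
    fixed = sorted(prev - cur, key=lambda w: (w.path, w.line))
    if len(cur) >= fail_total:
        status = "FAILURE"
    elif len(new) >= unstable_new:
        status = "UNSTABLE"
    else:
        status = "SUCCESS"
    return {"new": new, "fixed": fixed, "total": len(cur), "status": status}


# Constructed sample: warnings reported by two consecutive builds.
BUILD_41 = [
    CodeWarning("src/Login.java", 88, "SQL_INJECTION"),
    CodeWarning("src/Util.java", 12, "HARDCODED_PASSWORD"),
]
BUILD_42 = [
    CodeWarning("src/Util.java", 12, "HARDCODED_PASSWORD"),
    CodeWarning("src/Upload.java", 45, "PATH_TRAVERSAL"),
]

if __name__ == "__main__":
    for key, value in summarize(BUILD_41, BUILD_42).items():
        print(f"{key}: {value}")
```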

Insecure Cryptographic Storage

Storing encrypted files is critical for companies that offer sensitive information online. But improperly encrypted files can be an equally risky scenario, as they lead to a false sense of security. The practice of keeping improperly encrypted files in storage is known as Insecure Cryptographic Storage (ICS). There are a variety of factors that can lead to ICS, including these:

  • Bad algorithms
  • Improper key management and storage
  • Encryption of the wrong data
  • Insecure cryptography (such as encryption developed in-house, etc.)
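The first two factors in the list above (a bad algorithm, and parameters that cannot be managed or upgraded) shown on the most common ICS case, stored credentials. This is an added example using only the Python standard library, not code from the page or Checkmarx; the iteration count is an assumed policy value.

```python
import hashlib
import hmac
import secrets

# Constructed example: a "bad algorithm" storage scheme next to a corrected one.

ALGO = "pbkdf2_sha256"
CURRENT_ITERATIONS = 600_000  # assumed policy value; raise it as hardware gets faster


def store_weak(password: str) -> str:
    """Insecure: unsalted, fast MD5. Equal passwords give equal hashes, and
    precomputed tables recover them cheaply once the store leaks."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Safer: random per-record salt plus a slow, iterated hash. Algorithm and
    parameters are stored with the value so they can be upgraded later."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return False  # unknown or legacy format: never treat as a match
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored: str, iterations: int = CURRENT_ITERATIONS) -> bool:
    """True for a legacy format or a weaker work factor than current policy,
    so the value should be re-stored at the next successful verification."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations
```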


Internet Security

Why companies need internet security

Online applications offer companies many benefits, but they also increase the risk of web attacks and vulnerability exploits. The internet by itself is a very insecure platform, but network security has improved drastically in recent years. This has resulted in many attackers turning to application-layer attacks, as many applications are permeated with insecure code, vulnerabilities and/or malicious code. Network security and application security are the two major areas of internet security, but other critical areas include firewalls, antivirus, email, social networking, chat/instant messaging and more.