2014 CTO Year in Review

by gem on Wednesday, December 3, 2014

Somehow I find myself on an airplane today even though it is supposedly “no fly Noel.” I’m on my way to a healthcare and software security summit in San Francisco. Healthcare is an up and coming domain for software security. What’s cool about this airplane is wifi! 2014 was another banner year at Cigital. We…

Understanding Python Pickling and How to Use it Securely

by Cigital on Tuesday, November 18, 2014

Written by Ashutosh Agrawal, Senior Consultant, and Arvind Balaji, Associate Consultant.

Pickle in Python is primarily used for serializing and de-serializing a Python object structure. In other words, it’s the process of converting a Python object into a byte stream in order to store it in a file/database, maintain program state across sessions, or to…

Are You Red Team Secure?

by Cigital on Monday, November 10, 2014

Written by Robert Wood, Technical Manager.

Data breaches can result in severe damages to an organization’s brand, financial standing, or customer trust. Many of these, including recent breaches in the news, are not the result of a single, easy to find weakness that just happened to be overlooked or the common “low hanging fruit” that…

Alphabet Soup: SAST, DAST, IAST, and RASP Explained

by gem on Friday, November 7, 2014

Turns out that the most important part of a software security initiative is FIXing the bugs that you FIND no matter how you find the bugs. So just what do all of the alphabet soup tools do? How do they help you fix what you find? And how do they scale? FWIW, tools of all…

POODLE – yet another attack on SSLv3 (SSL 3.0)

by Chandu Ketkar on Monday, October 20, 2014

Post written by Chandu Ketkar, Technical Manager, and David Johansson, Senior Consultant.

POODLE Introduction

The POODLE (Padding Attack On Downgraded Legacy Encryption) attack was published by Bodo Möller, Thai Duong, and Krzysztof Kotowicz of Google in a security advisory last month (September 2014). The attack is on SSL 3.0 (SSLv3), an obsolete and insecure protocol,…

Software Security and the User Interface

by Jim DelGrosso on Wednesday, October 8, 2014

We had an internal discussion the other day about the pros and cons of connecting professionally with random folks. During that discussion a separate thread was started about how to hide who you are connected to from your other connections. The idea was that it is OK to connect with someone but not allow that…

Red Teaming a Holistic View of Security

by Cigital on Wednesday, October 1, 2014

Post written by Aladdin Elston, Consultant.

Software pervades our everyday lives: cellphones, tablets, fitness monitors, websites, networked home appliances, medical equipment, drones and automated vehicles. We expect software to work, often overlooking the need for the software running these systems to be secure. While Cigital stresses the importance of building security in throughout the SDLC…

A Guide to Gary McGraw’s AppSecUSA Keynote

by gem on Monday, September 22, 2014

I had a blast delivering the Friday morning keynote at AppSecUSA this year. The only uncomfortable part was the 8am start. Whose idea was that?! You can watch the keynote here on YouTube or download the audio only version from SoundCloud. I watched the keynote myself this morning (which for what it’s worth is a…

Minimizing Exposure from the iCloud

by Cigital on Wednesday, September 3, 2014

Post written by Jamie Boote, Associate Consultant.

This Labor Day weekend, a number of photographs of a personal nature were released to the public. The data leak can be traced back to personal devices and the Apple iCloud, but even though businesses aren’t usually the target of this kind of leak, there are still lessons…
