Company Blog

Third-Party Software, Vendor Control, and the BSIMM Community

Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon. The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes. Firms participating in the BSIMM include: Adobe, Aon, Bank of America, Capital One, The Depository Trust & Clearing Corporation (DTCC), EMC, Fannie Mae, Fidelity, Google, Intel, Intuit [...]

Building Versus Breaking: A White Hat goes to Blackhat

Is Blackhat worth attending? Kinda. My philosophy of software security and security in general has plenty of room for the art of the exploit. The icon that I have adopted to “brand” my work, the yin/yang with cowboy hats, includes a black hat for a reason! Here’s what I said about the icon in the [...]

Cloud Security Panel at NIST and informIT Reaction

On April 7th, NIST convened a conference on cloud computing in Gaithersburg, MD. One of the featured sessions was a panel on cloud security. I participated in the panel with Steve Lipner of Microsoft, JC Moses of Amazon, Jonathan Smith of Penn, and Jeremy Epstein of SRI. The panel was moderated by Donna Dodson and [...]

US Policy, Cyber Security and the Future of Cyberspace

Because Cigital’s corporate headquarters are near Washington, DC, you might think that we’re deeply involved with the federal government. Surprise! Though we do have a federal subsidiary called (creatively enough) Cigital Federal, a vast majority of our business is with the private sector. Whenever we get the opportunity to interact with the federal sector we [...]

Automate security tests and build security in from day one

Or: The ugly baby phenomenon and why you should not focus on false positives. Dr. Markus Schumacher has served as CEO and Co-Founder of Virtual Forge GmbH since 2006. The company specializes in the security of SAP applications. Dr. Schumacher was previously a representative of the Fraunhofer Institute for Secure Information Technology (SIT) and worked [...]

More on Malware (Including Bad Ads)

Just two months ago, I invoked the malicious code problem in a Justice League blog entry. The growth in malicious code is caused by the Trinity of Trouble (connectivity, complexity and extensibility) which incidentally is also what makes the software security problem more interesting to work on every day. My most recent informIT article, titled [...]

The Stuxnet Payload

I met Silver Bullet #59 victim Ralph Langner at Joe Weiss’s Applied Control Solutions Conference in Rockville last Fall. That was when (much to the surprise of the Siemens guys there) Ralph first revealed that the Stuxnet payload was aimed directly at physical control systems. In some sense, Stuxnet has changed the world by showing [...]

Invincea Named Most Innovative Startup at RSA

Cigital is proud to have helped Invincea create a secure security product. (See this post for more.) “What,” you say, “isn’t that redundant?” No, unfortunately many “security products” are not at all secure themselves. Surprising as it may be, software security is neither guaranteed nor common in security software. Invincea is bucking this trend by [...]

Malicious Code and Software Security

Malicious code is a bigger problem than ever before. Way back in 1996 when Ed Felten and I wrote Java Security, we thought that malicious code was an up and coming issue and we positioned it that way. These days with the likes of Stuxnet and Zeus, things are worse than we ever would have [...]

Howard Schmidt Keeps His Eye on the Ball

I was recently invited by our Corporate Counsel to attend a local Virginia networking event hosted by the Northern Virginia Technology Council. Howard Schmidt was the speaker. I’ve run into Howard a few more times than I expected to this year, and each time it is interesting to see what he has to say. Howard [...]
