Software Security

2011 CTO Year in Review

Part of my job as software security pundit and “hood ornament” of Cigital is spreading the word about software security far and wide. 2011 was a year like many others in that respect. Here is a “tripometer” graph showing talks I give and trips I take each year going back a decade. The good news [...]

UK Spooks’ Recruiting Tactic: Very Low Pound to Genius Ratio

(This is a guest post by Adam Zabrocki, a consultant at Cigital.) The UK intelligence agency, GCHQ (roughly analogous to the US’s NSA), recently posted an online challenge at http://canyoucrackit.co.uk/. Given essentially no information other than what are pretty obviously hex digits, candidates are invited to attempt to “crack” an opaque puzzle. It [...]

Third-Party Software, Vendor Control, and the BSIMM Community

Cigital recently hosted a second BSIMM Community Conference near Portland, Oregon. The Conference was outstanding, and was a great opportunity for like-minded software security professionals to compare notes. Firms participating in the BSIMM include:
Adobe
Aon
Bank of America
Capital One
The Depository Trust & Clearing Corporation (DTCC)
EMC
Fannie Mae
Fidelity
Google
Intel
Intuit [...]

Training by the Numbers

1992: Cigital (then Reliable Software Technologies) gets started and also delivers some training on software quality
“a few hundred”: ILT days delivered from 1992 through 2006
5,000: ILT students trained from 1992 through 2006
575: ILT and tutorial days delivered from 2007 through today
9,000: ILT students trained from 2007 through today
100,000: current students [...]

Cigital helps to create cyber security plans

(This is a guest post by Evgeny Lebanidze, a managing consultant at Cigital.) Cigital has been working one-on-one with Rural Electric Co-ops across the US to help them raise their cyber security bar, starting with the creation of their own custom cyber security plan. To facilitate this process, Cigital provided the Co-ops with several artifacts, [...]

Announcing BSIMM3

We announced BSIMM in March 2009 and BSIMM2 in May 2010. It’s now time for BSIMM3. Long live the BSIMM. Since the first BSIMM interview in October 2008, we’ve progressed from nine to 30 to 42 firms (and more, at this point). We’ve also measured 11 firms twice—about 19 months between measurements on average—and that [...]

BEAST and SSL/TLS

This is a guest post by Amit Sethi, Technical Manager at Cigital. There has been a lot of talk about BEAST (Browser Exploit Against SSL/TLS) lately. The attack against SSL 3.0 / TLS 1.0 was recently publicized by Thai Duong and Juliano Rizzo. Do you know what the risks are, and how to protect yourself? [...]

An OWASP Interaction Model

Out at AppSecUSA, the OWASP board met and decided that it was valuable to support a partnership model with private industry. The aim: figure out a way to allow private (or federal) organizations to shape existing OWASP assets to better meet their needs. Better meeting an organization’s needs will likely involve: Integration with standard-fare open [...]

Building Versus Breaking: A White Hat goes to Blackhat

Is Blackhat worth attending? Kinda. My philosophy of software security and security in general has plenty of room for the art of the exploit. The icon that I have adopted to “brand” my work, the yin/yang with cowboy hats includes a black hat for a reason! Here’s what I said about the icon in the [...]

Art of InfoJacking – What Lies Beneath

This is a guest post by Aditya K. Sood, a Security Practitioner at Cigital. Information gathering is considered one of the most critical steps in performing aggressive penetration testing in all types of environments. With the proliferation of web vulnerabilities, the online world has introduced new protection mechanisms such as web application firewalls. It [...]
