Software Security
Invincea Named Most Innovative Startup at RSA
Cigital is proud to have helped Invincea create a secure security product. (See this post for more.) “What,” you say, “isn’t that redundant?” No, unfortunately many “security products” are not at all secure themselves. Surprising as it may be, software security is neither guaranteed nor common in security software. Invincea is bucking this trend by [...]
Increasing Static Visibility
Sometimes, people talk loosely about an important difference between static and dynamic analyzers. Static analyzers, they say, achieve 100% coverage. They may complain that dynamic tools struggle to get even double-digit statement coverage of an application under test. Dan Cornell wrote a blog post on static analysis coverage. He observed that while the static tool [...]
If it’s so hard why bother?
Recently, internal and external discussion hit on the topic of static tool comparison. The difficulty of this topic caused me to write up my thoughts in what became an InformIT article. This prompted some to respond, "If selecting and adopting a tool is so hard, even for experts, why should I bother?" Good question. The [...]
Malicious Code and Software Security
Malicious code is a bigger problem than ever before. Way back in 1996 when Ed Felten and I wrote Java Security, we thought that malicious code was an up and coming issue and we positioned it that way. These days with the likes of Stuxnet and Zeus, things are worse than we ever would have [...]
A Cloud Security Discussion without FUD
I was happy to read a very measured viewpoint about Cloud Security in the first couple of articles of Nov/Dec issue of IEEE Security and Privacy. The introduction sets a very constructive tone. I really appreciate the measured tone because I’ve been dealing with a lot of “knee jerk reactions” within our client-base around Cloud [...]
Howard Schmidt Keeps His Eye on the Ball
I was recently invited by our Corporate Counsel to attend a local Virginia networking event hosted by the Northern Virginia Technology Council. Howard Schmidt was the speaker. I’ve run into Howard a few more times than I expected to this year, and each time it is interesting to see what he has to say. Howard [...]
Cyber War and US Policy
I spent more time this year in Washington talking to policy makers than I have in past years. I’ve been to the White House, to the Pentagon, and to a think tank or two. One thing became clear: cyber security is a confusing field full of FUD and nonsense! Oh yeah, and the government is [...]
BSIMM Community Conference
We just hosted the first ever BSIMM Community Conference in Annapolis, MD this week. I’m proud to say it was a smash hit. The schedule was packed full of interesting talks from leaders among the BSIMM Community including Microsoft, Intel, Sallie Mae, JP Morgan Chase, QUALCOMM, Fidelity, Adobe and Cigital, but by far the most [...]
Securing URL Redirects
(This is a guest post by Cigital consultant Mike Ware. The original post appeared on his blog, good code, secure software.) Can attackers control URL redirection functionality exposed by your application? Unvalidated Redirects and Forwards is #10 on the 2010 OWASP Top Ten List. Sites that are vulnerable often expose a servlet or server-side [...]
Technology Transfer: Static Analysis Enters the Mainstream
At Cigital we have always been concerned with moving software security into the mainstream. One obvious way to do this is through technology transfer. I am particularly proud of the role that Cigital has played in getting security-focused static analysis out into the “mainstream.” Now that IBM owns Ounce and HP owns Fortify we [...]