Cigital Security Blog

Analysis, news and insights from Cigital’s team of security experts

August 31, 2015

I was a software developer for over 20 years before I switched to the application/software security field. Being a part of several software engineering teams in my early career, and later becoming a security analyst, has put me in a unique position to understand these two worlds. Although I

September 3, 2015
Author: Paco Hope
Categories: Risk Management

There are a lot of terms and techniques for dealing with risk and we use them regularly in software security. Risk is a vector with two components: impact and likelihood. Impact is the bad stuff that is going to happen to us if the risk is realized. Likelihood is

August 24, 2015
Categories: Software Security

Dynamic language and associated development and operations (DevOps) methodologies change and evolve constantly. Due to these intentionally ever-changing dynamic aspects of software, security measures must also be in a constant state of progression. The old-school software security approach relied on searching for defects at the very end of the

August 14, 2015
Author: Paco Hope

Underlying Mary Ann Davidson’s incendiary blog post about reverse engineering, and much of the debate about security vulnerabilities and bug bounties, is the classic duality between the Cathedral and the Bazaar. In 1997, Eric Raymond published a now-famous essay entitled “The Cathedral and the Bazaar,” which explored two

August 6, 2015

You know how AppScan Standard and other dynamic testing tools report a finding when an HTTPS page accesses some HTTP resources? How do you fix this issue effectively? Perhaps the owners of those resources already did all the server-side legwork: obtaining a certificate, configuring the server and setting up

August 4, 2015

What is Touch ID? Touch ID is Apple’s fingerprint technology for iOS mobile devices. It allows consumers to unlock their phones and make purchases conveniently using their fingerprint(s). As of iOS version 8.0, Apple opened up Touch ID to developers by making APIs available for use in the SDK.

July 29, 2015

If you’re attempting to create and maintain secure software and you’re operating without a clear governance structure, here are five reasons you should reconsider.

July 28, 2015
Author: Carter Jones

Red teaming is an iterative process that includes three main components: recon, enumeration and attack. First, we emulate a defined adversary (anything from a script kiddie to an APT threat actor). Then we iterate through the recon/enumeration/attack components repeatedly until we have obtained our defined goal, such as obtaining

July 23, 2015

Putting together a game-changing Red Team requires finding the right personnel with the malicious mindset, technical talent and vision to drive the program to success. This team must have a leader who can drive the program and technical staff who will perform the day-to-day activities. Putting together an

July 20, 2015
Author: Jim Hartnett

The technical people who drive our innovation are, for most purposes, well-meaning. They create technology which has shaped our way of life, and done what many would have previously considered unthinkable. These developers and engineers are wonderful at conceiving and building systems. However, they are horrible at understanding

July 16, 2015
Categories: Software Security

Content Security Policy (CSP) is the newest technology for preventing cross-site scripting. Cross-site scripting has been a leading web application vulnerability for years, consistently found in many corporate applications, regardless of traditional defense techniques such as input validation and output encoding. CSP presents a new approach to securing the

Cigital is one of the world’s largest application security firms. We go beyond traditional testing services to help our clients find, fix and prevent vulnerabilities in the applications that power their business.

Our experts also provide remediation guidance, program design services, and training that empower you to build and maintain secure applications.
