What's new around the internet


Src | Date (GMT) | Title | Description | Tags | Stories | Notes
Veracode | 2020-07-31 16:28:12 | Why is Dynamic Analysis an Important Part of Your AppSec Mix?

By now, most are familiar with the concept of DevSecOps. With DevSecOps, application security (AppSec) is moved to the beginning of the software development lifecycle (SDLC). By scanning earlier in the SDLC, you are able to find and fix flaws earlier, which can result in significant time and cost savings. Most organizations understand the importance of static analysis, which scans for flaws during development, but dynamic application security testing (DAST) is just as important. Unlike static analysis, DAST tests the running application. It is able to detect configuration errors and validate vulnerabilities found through other AppSec testing techniques. Scanning at runtime matters because the vulnerabilities found are not just theoretical: the scanner has exercised them from the outside, so the likelihood of a false positive with DAST is very low. The trade-off is coverage: DAST can only test what its crawl reaches, so pages behind authentication or rendered by client-side JavaScript have to be made reachable to the scanner.

How does DAST work? DAST interacts with the application like an attacker. It starts by performing a crawl to understand the application's structure, including links, text, form fields, and other page elements that a user could interact with. It also picks up attack points that are less visible to the user, such as header values, cookies, and URL parameters. The scanner then audits the objects and attributes discovered by the crawl and sends attack payloads, such as cross-site scripting and SQL injection, to each of them to see if they have any exploitable vulnerabilities.

What are the benefits of Veracode's DAST solution? Veracode's DAST solution, Dynamic Analysis, can be easily automated, provides accurate and actionable results, and returns results in a timely manner. This is very beneficial for both security professionals and developers because it does not add extra work for developers, and it is not a time-consuming scan that will significantly slow down time to deployment. In fact, 65 percent of our dynamic analysis scans finish in five hours, and 70 percent finish in eight hours. Best of all? Our false positive rate is less than one percent, so developers can start on remediation right away.

What is an AppSec mix and why is it important? No two scan types are created equal. Each is designed with a different area of focus, along with different speeds and costs. For example, if you only use static analysis and dynamic analysis, you will not get an inventory of known-vulnerable third-party components, which is what software composition analysis provides. If you only use penetration testing, you cannot automate the process, which will slow down your time to deployment and cost a substantial amount of money. A major benefit of Veracode is that all of our solutions are on one platform. So whichever scan types you decide to add to your AppSec program, it will be cost-efficient and low maintenance, and you will have a cohesive reporting toolset that shows your security posture in one place.

For more information on Veracode's Dynamic Analysis, including common challenges associated with production scanning and how to find the right mix of assessment types, download our technical whitepaper.
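The crawl-then-audit loop described above, as an added example that is not part of the original post and is not Veracode's scanner: it crawls a page for links and forms, turns URL parameters and form fields into attack points, injects one probe per parameter, and reports only what the response itself confirms. The target application (`target_app`), the probe strings and the error-message signatures are constructed for this example; a real DAST engine also injects into headers and cookies and carries a far larger payload set.

```python
# Added example (not Veracode code): a minimal DAST loop of crawl -> collect
# attack points -> probe -> confirm. target_app is a constructed, deliberately
# vulnerable in-process stand-in for an HTTP server so this runs offline.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

INDEX_HTML = """<html><body><a href="/search?q=test&amp;page=1">Search</a>
<form action="/login" method="post">
<input name="username"><input name="password" type="password"></form>
</body></html>"""

def target_app(method, path, params):
    """Constructed target. /search reflects q unescaped (XSS) but parses page as
    an int; /login concatenates credentials into SQL (SQLi). Returns (status, body)."""
    if path == "/":
        return 200, INDEX_HTML
    if path == "/search":
        page = params.get("page", "1")
        page = int(page) if page.isdigit() else 1
        return 200, f"<p>Results for {params.get('q', '')} (page {page})</p>"
    if path == "/login" and method == "POST":
        sql = (f"SELECT id FROM users WHERE name='{params.get('username', '')}'"
               f" AND pw='{params.get('password', '')}'")
        if sql.count("'") % 2:  # unbalanced quote: the "database" rejects it
            return 500, "Error: You have an error in your SQL syntax near ..."
        return 200, "<p>Login failed</p>"
    return 404, "not found"

class LinkFormParser(HTMLParser):
    """Crawl helper: collect hrefs and forms (action, method, input names)."""

    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""),
                          "method": a.get("method", "get").upper(), "fields": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(app, start="/"):
    """Breadth-first crawl; returns attack points as (method, path, params)."""
    seen, queue, points = set(), [start], []
    while queue:
        parts = urlsplit(queue.pop(0))
        path = parts.path or "/"
        query = {k: v[0] for k, v in parse_qs(parts.query).items()}
        key = (path, tuple(sorted(query)))
        if key in seen:
            continue
        seen.add(key)
        if query:  # URL parameters are attack points in their own right
            points.append(("GET", path, query))
        status, body = app("GET", path, query)
        if status != 200:
            continue
        parser = LinkFormParser()
        parser.feed(body)
        queue.extend(parser.links)
        for form in parser.forms:
            points.append((form["method"], form["action"],
                           {f: "test" for f in form["fields"]}))
    return points

XSS_CANARY = "<dast'\"probe>"  # must come back verbatim, i.e. not HTML-encoded
SQLI_PROBE = "'"               # a lone quote leaves a SQL string literal open
SQL_ERROR = re.compile(r"sql syntax|unclosed quotation|ORA-\d{5}", re.I)

def audit(app, points):
    """Inject into one parameter at a time; report only what the response proves:
    verbatim reflection, or a DB error the unmodified baseline did not produce."""
    findings = []
    for method, path, params in points:
        baseline_status, _ = app(method, path, params)
        for name in params:
            _, body = app(method, path, {**params, name: XSS_CANARY})
            if XSS_CANARY in body:
                findings.append(("XSS", method, path, name))
            status, body = app(method, path, {**params, name: SQLI_PROBE})
            if status != baseline_status and SQL_ERROR.search(body):
                findings.append(("SQLi", method, path, name))
    return findings

def scan(app, start="/"):
    """Full DAST loop: crawl, then audit everything the crawl found."""
    return audit(app, crawl(app, start))

if __name__ == "__main__":
    print(scan(target_app))
```

Running it reports XSS on the `q` parameter of `/search` and SQL injection on both `/login` fields, and nothing for `page`, which is probed like everything else but parsed as an integer by the target. That is the property the post is describing: a DAST finding is backed by a response that demonstrated the flaw, which is why false positives are rare. The flip side is visible in `crawl`: anything not linked from the start page, or not reachable without a session, is never probed.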
Veracode | 2020-07-30 10:25:39 | Announcing Veracode Security Labs Community Edition

We recently partnered with Enterprise Strategy Group (ESG) to survey software development and security professionals about modern application development and how applications are tested for security. The soon-to-be-announced survey found that 53% of organizations provide security training for developers less than once a year, which is woefully inadequate for the rapid pace of change in software development. At the same time, 41% say that it is up to security analysts to educate developers to try to prevent them from introducing significant security issues. So, where is the disconnect? Communication breakdowns and misaligned training priorities between security and development teams are part of the problem. As developers are asked to "shift left" and take on more responsibility for secure code earlier in the software development lifecycle, it is increasingly important for them to get the training they need to create not just world-class applications but applications that have security designed in from the beginning.

Enterprise-grade tools for all developers. Veracode Security Labs Enterprise Edition is built for engineering teams, but we wanted every individual developer to have access to the same quality of training, from casual hobbyists to professionals interested in improving their secure coding skills. I'm excited to announce Veracode Security Labs Community Edition, where developers worldwide can hack and patch real applications to learn the latest tactics and security best practices with guidance, exploring actual code on their own time, and it's free! With Veracode Security Labs Community Edition, you now have the tools you need to close any gaps in security knowledge that are holding you back.

It is a module that fits within the Veracode Developer Training product family, featuring tools and programs built with interactivity in mind so that developers can get their hands on a practical training tool at a moment's notice. Here are the differences between the Community Edition and the Enterprise Edition. While the Enterprise Edition has features that support the efforts of development teams with full compliance-based curricula, rollout strategies, and progress reporting, the Community Edition offers selected topics and one-off labs for individuals who are looking to strengthen their security knowledge. Though there are differences that enable scalability for organizations and teams, the benefits for individual developers remain the same:
- The ability to exploit and remediate real-world vulnerabilities to learn what to look for in insecure code.
- Fast and relevant remediation guidance in the context of the most popular programming languages.
- Easy and fun hands-on training that provides professional growth.
- Improved security knowledge while building confidence through interactive trial and error.
When you practice breaking and fixing real applications using real vulnerabilities, you become a sharper, more efficient developer, especially with a variety of challenges to choose from as you go. We plan to expand the number of labs and challenges over time, but initially the Community Edition will cover topics ranging from beginner to advanced, including:

Tags: Hack, Tool, Vulnerability
Veracode | 2020-07-15 12:48:58 | The Texas Cybersecurity Act: What You Need to Know

Texas passed House Bill 8, relating to cybersecurity for state agency information resources. The bill sets mandatory practices for state agencies, institutes continuous monitoring and auditing of network systems, adds protections for student data privacy, and updates the penalties for cybercrimes. As Texas House Speaker Joe Straus commented, state agencies are now expected to be "good stewards of private data." A cybersecurity council oversees the state agencies to ensure that they follow all new requirements and research and report back on cybersecurity threats on a regular basis. Cybersecurity practices are now considered by the Sunset Advisory Commission, an agency of the Texas Legislature, when determining whether to reform, continue, or abolish a Texas state agency. The bill also requires the Department of Information Resources (DIR) to implement a five-year plan to address cybersecurity risks. The DIR will establish an information sharing and analysis center (ISAC) to share news regarding cybersecurity threats, best practices, and remediation advice. It will also provide mandatory training for state agencies. According to Texas Government Code § 2054.515(a-b), state agencies are now required to "conduct an information security assessment of the agency's network systems, data storage systems, data security measures, and information resources vulnerabilities at least once every two years and to report the results to the DIR." State agencies are also required to submit a data security plan and show proof of penetration tests of their website and mobile applications every other year. Colleges and universities in Texas are also required to protect the confidentiality of information on their websites or mobile applications. If an agency or institution experiences a data breach, it must inform all affected parties of the incident. Lastly, the Texas secretary of state is required to test the election infrastructure for vulnerabilities and report back on findings, which must be made publicly available. For more information on the Texas Cybersecurity Act, please download House Bill 8 or read the synopsis provided by the Texas Comptroller.

Veracode can help. If you are a state agency or educational institution operating in Texas, Veracode can provide you with the application security testing tools necessary to remain compliant with state regulations. As Nikki Veit, Director of Application Development for the State of Missouri, put it: "When we first started scanning, there were a lot of non-compliant applications. But Veracode was really easy to use, and developers were able to go in and scan early and often. In the first eight months, we had 18,000 flaws fixed. It was just phenomenal." Check out our success story for the State of Missouri to see how we helped them scale an AppSec program across 365 applications and 14 state agencies.
Veracode | 2020-07-14 11:22:25 | What Does it Take to be a Rockstar Developer?

If there is one thing you need to value as you move through your career as a modern software developer, it is the importance of security. With application layers increasing and the shift-left movement bringing security into the picture earlier in the development process, security should be top of mind for every developer working to write and ship successful code. But many developers leave school without the security knowledge they need to write secure code, something nearly 80 percent of developers from our DevSecOps Global Skills Survey can attest to. As with any profession, there is always room to learn and grow on the job, especially in software development, where projects move at the speed of "I need that fixed yesterday." To be a rockstar developer in today's world, you have to be fast to fix flaws, smart about your prioritization, and quick to release secure software your customers can count on. For most organizations, hitting tight deployment deadlines without compromising security means shifting scans left in the software development lifecycle (SDLC) by integrating security into the IDE, with fast feedback that helps developers learn as they write their code. It also involves supporting development team members who are passionate about the health of their code and educating the entire organization about the importance of security. Treating security as an afterthought is no longer an option, and as a developer, it is something you can help change. Shifting security left lessens the risk of having to fix flaws found late in the process, which can cost your business a pretty penny. But there is a lot that can be done, both by developers and by security leadership, to spread knowledge and bridge the gap that so often leaves team members siloed.

Whether you are just starting out as a junior developer or wondering how to take your established career to the next level, there are eight key things you can do to enhance your security skills, from hands-on learning courses to thinking like an attacker and becoming a security champion on your team. Read on:

By arming yourself with the knowledge you need to write more secure code and becoming a security champion, you will be a more dynamic developer who can help facilitate coding and scanning needs during production, and you will stand out as a leader on your team who takes the health of your applications seriously. Ready to help your organization shift left by unifying security and development? Browse the developer resources section of the Veracode Community to gain more insight into secure coding and help improve your organization's application security by becoming a rockstar developer.

Tags: Guideline
Last update at: 2024-06-28 23:07:21