What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Veracode.webp 2024-02-26 15:17:44 Practical Steps to Prevent SQL Injection Vulnerabilities In today's digital landscape, web applications and APIs are constantly under threat from malicious actors looking to exploit vulnerabilities. A common and dangerous attack is a SQL injection. In this blog, we will explore SQL injection vulnerabilities and attacks, understand their severity levels, and provide practical steps to prevent them. By implementing these best practices, you can enhance the security of your web applications and APIs. Understanding SQL Injection Vulnerabilities and Attacks SQL injection attacks occur when hackers manipulate an application's SQL queries to gain unauthorized access, tamper with the database, or disrupt the application's functionality. These attacks can lead to identity spoofing, unauthorized data access, and chained attacks. SQL injection is a technique where hackers inject malicious SQL queries into a web application's backend database. This vulnerability arises when the application accepts user input as a SQL statement that the database… Vulnerability Threat Guideline Technical ★★★
Veracode.webp 2023-11-07 17:37:50 Securing APIs: Practical Steps to Protecting Your Software In the dynamic world of software development, Application Programming Interfaces (APIs) serve as essential conduits, facilitating seamless interaction between software components. This intermediary interface not only streamlines development but also empowers software teams to reuse code. However, the increasing prevalence of APIs in modern business comes with security challenges. That's why we've created this blog post - to provide you with actionable steps to enhance the security of your APIs today. Understanding API Security API Security extends beyond protecting an application's backend services, including elements such as databases, user management systems, and components interacting with data stores. It involves adopting diverse tools and practices to strengthen the integrity of your tech stack. A strong API security strategy reduces the risk of unauthorized access and malicious actions, ensuring the protection of sensitive information. Exploring API Vulnerabilities Despite the… Tool Guideline ★★
Veracode.webp 2023-06-20 14:45:25 The Art of Reducing Security Debt In 3 Key Steps Introduction In the ever-evolving landscape of digital threats and cybersecurity challenges, organizations face a significant burden known as security debt. Just like financial debt, security debt accrues when organizations compromise security measures in favor of convenience, speed, or cost-cutting measures. Over time, this accumulated debt can pose serious risks to the organization's data, reputation, and overall stability. However, with a strategic approach and a commitment to proactive security practices, organizations can effectively reduce their security debt. In this blog post, we will explore the art of reducing security debt in three key steps, enabling organizations to strengthen their security posture and safeguard their valuable assets. Step 1: Assess and Prioritize Security Risks The first step in reducing security debt is to conduct a thorough assessment of your organization's security risks. This involves identifying vulnerabilities, evaluating existing security… Patching Guideline ★★
Veracode.webp 2022-11-18 15:03:25 Anatomy of a Stored Cross-site Scripting Vulnerability in Apache Spark One of the services that Veracode offers is a consultation with an Application Security Consultant – a seasoned software developer and application security expert. In the context of a consultation, my team works with the software engineers of Veracode's customers to understand and, ideally, remediate security flaws found by the Veracode tool suite. There is a well-defined difference between a security flaw (a defect that can lead to a vulnerability) and a vulnerability (an exploitable condition within code that allows an attacker to attack it). While working with potentially dozens of different customer applications every week, we usually have a strong gut feeling for when a security flaw might constitute an exploitable vulnerability and should receive extra attention. During one of our consultations, a set of similar Cross-site Scripting (XSS) flaws was discovered by Veracode Static Analysis in what turned out to be 3rd party JavaScript files belonging to Apache Spark. After some… Tool Vulnerability Guideline
Veracode.webp 2022-11-02 12:48:33 How Government Agencies Can Secure Mission Critical Software in the Cloud Government agencies are instructed by Executive Order to improve the delivery of digital services to citizens while also safeguarding critical data and systems. Often, this leads to a difficult decision between speed of application production and software security. However, as recent events have shown, sacrificing security in the name of speed compromises the safety of citizens and government infrastructure. Here's why the government is prioritizing software security and how agencies can reliably secure software development in the cloud and on-premises. Why is the Government More Focused than Ever on Improving Software Supply Chain Security? The following executive orders and memoranda make it clear that cybersecurity, and software security in particular, is a national priority. Let's explore why they were created and what they require from you. Executive Order on Improving the Nation's Cybersecurity In 2021, the Biden administration issued an executive order on cybersecurity that… Guideline
Veracode.webp 2022-10-04 11:20:28 How to See Yourself in Cyber: Top Tips from Industry Leaders It's 2022 and as we all know, the world is a very different place. However, one thing that has not changed is the importance of cybersecurity. In fact, it's more important now than ever before, as the SolarWinds hack and Executive Order prove. That's why for Cybersecurity Awareness Month this year, we asked cybersecurity pioneers and leaders to get their insights on staying cyber safe. Here are their thoughts on CISA's 4 Things You Can Do to See Yourself in Cyber. Enable Multi-Factor Authentication “With the continued rise in cybercrime, there are a few simple steps every person should take to protect themselves, if they aren't already. CISA's first recommended step to stay 'cyber-safe' is to implement multi-factor authentication. It significantly lessens the likelihood of being hacked via unauthorized access and compromised credentials, which, according to Verizon's 2021 Data Breach Investigations Report, were the gateway for 61% of data breaches. Enabling multi-factor… Data Breach Hack Guideline ★★
Veracode.webp 2022-09-26 12:43:57 8 Ways Secure Coding Lets You Work on the Best Projects, Advance Your Career, and Do More of What You Love As a developer, DevOps engineer, Infrastructure & Operations lead, or similar, you are on the frontlines of application security. You are also on the frontlines of performance, functionality, stability, user experience…the list goes on. Often it seems like security is just one more requirement, one more box to check, one more obstacle between you, your deadline, and what you really care about. But I see it differently. Security probably is not the reason you love coding, but I bet the reason you love coding is made all the richer by embracing security. Or at least it can be. Hear me out. I have been fortunate enough to work in development and to work with developers for decades. Through that experience, I have come to recognize different developer archetypes and their motivations. There are the creators who thrive on creating something that never existed before the day they wrote it into existence. The often falsely labeled “lazy developers” who are efficiency experts and automate… Guideline
Veracode.webp 2022-08-15 12:25:27 Announcing the New Veracode® Velocity™ Partner Program Veracode is pleased to announce the launch of the new Veracode Velocity Partner Program. We've crafted a 3-step approach to align, enable, and engage with our partners so together we can make the world's software secure. What is the Veracode Velocity Partner Program? The Veracode Velocity Partner Program enables our valued Solution Providers to accelerate their application security revenues leveraging the Veracode Platform. Through a role-based strategy and approach, partners can engage and collaborate with Veracode to achieve our mutual goals and objectives. The knowledge, skills, insights, competencies, and best practices gained enhance our partners' ability to deliver industry-leading security solutions and services. This comprehensive program offers our partners tools, resources, and programs to help ensure success at every stage of the customer journey. The goal is to empower our partner teams so they can effectively sell, market, and support the Veracode Platform in our joint… Guideline
Veracode.webp 2022-07-20 05:00:05 Veracode Achieves Public Sector Milestone with FedRAMP Authorization The software security landscape has drastically evolved over the past few years. Think back to the start of COVID-19. The sudden shift to virtual operations expedited digital transformations. Government agencies now have to release new digital products and services in tighter timeframes, causing public sector leadership to choose between speed of deployments or verifiably secure code. The data says it all... According to research conducted by the Enterprise Strategy Group (ESG), 85 percent of organizations push vulnerable code to production and 54 percent do so in order to meet critical deadlines. This need for speed isn't only driving government agencies and contractors to push vulnerable code to production – it's changing the way applications are developed. Increased reliance on microservices and open-source libraries means that applications are assembled as much as they are written. This is made evident in version 12, our most recent State of Software Security (SOSS) report, by… Guideline
Veracode.webp 2022-06-16 14:15:06 Musings of a Former State CTO Part 2: Public Service Meets Cybersecurity Claire Bailey has made a career of improving cybersecurity and the delivery of citizen services in the public sector. As Director of the Arkansas Department of Information Systems and the State Chief Technology Officer (CTO) starting in the early 2000s, Claire leveraged government systems to work for citizens. What's more, she made it possible for government organizations to share data across multiple platforms – easily and securely. “The minute you have that appointment [to a position of leadership] is the minute you're responsible for all citizen cybersecurity risks,” says Claire, Regional Vice President (RVP) of Governmental Affairs at Veracode. “You don't get to say, 'I'm sorry, I don't know the answer to that,' and move on. You're there to get things done for the public you serve.” Getting things done requires diligence. To improve upon service and security, for example, begin by forging strong partnerships in the private sector. “Working with industry partners helps to maximize… Guideline
Veracode.webp 2022-05-02 16:55:28 Official Close of TA Investment Sparks Next Step of Veracode Journey Recently I shared with you our excitement about our agreement with TA Associates (TA) to make a significant growth investment in Veracode. I am pleased to share that the deal is now closed, opening up a tremendous new chapter in Veracode's journey. In the weeks since the announcement, people I speak with every day – customers, prospective customers, analysts, journalists who cover the critical software security space, and other Veracoders – ask me, “What do you envision together with TA for this next chapter?” Veracode's history is rooted in bringing awareness to the topic of software security and leading the market to action in this area. Going back to 1998, our founder and CTO Chris Wysopal, also known as Weld Pond, along with his colleagues from the hacker group The L0pht, testified to the US Congress about the importance of securing the software and networks that run the internet. Their forward-thinking led to the formation of Veracode, with a vision to provide a scalable,… Guideline
Veracode.webp 2022-03-15 09:58:36 Veracode Announces Significant Growth Investment From TA Associates I am pleased to share the exciting news that TA Associates (“TA”), a leading global growth equity firm, has signed an agreement to make a strategic growth investment in Veracode, taking a majority equity position in the business. Thoma Bravo will also continue to be an investor alongside TA. This new partnership is forming at a critical moment in the evolution of the software security market. Enterprises across all industry verticals need a platform and a partner that can help them secure the software that runs our world. We are excited to partner with TA and Thoma Bravo to do exactly that for our customers and deliver the best outcomes for both their development and security teams. Today's news represents another step on the journey that began even before Veracode was incorporated, when Weld Pond, our founder and CTO Chris Wysopal, and his colleagues at L0pht testified to the US Congress about the need to secure software. Since our founding, Veracode has consistently led the way to… Guideline
Veracode.webp 2022-02-28 17:04:51 New in Security Labs: Kotlin & Swift Mobile Courses Secure coding with Kotlin & Swift This week we've added new Kotlin & Swift Courses to the Security Labs catalog! The update includes 4-5 Kotlin (Android) labs and 4 Swift (iOS) labs that cover common mobile security topics such as secret storage, authorization, and custom URL handling. Developers (and anyone curious about how to write secure code) can now try out hands-on exercises in real applications that help highlight coding mistakes that can lead to security vulnerabilities as well as steps to take to avoid and/or fix them. What is Kotlin? Kotlin is an open-source, statically typed programming language developed by JetBrains designed for JVM, Android, JavaScript, and Native. Kotlin combines object-oriented and functional constructs, focusing on interoperability, safety, clarity, and tooling support, and can be used for any kind of development, be it server-side, client-side web, or Android. It tends to be more concise, so if you're looking to cut down on the number… Guideline
Veracode.webp 2022-02-17 12:24:35 SQL Injection in Today's Landscape What is SQL injection? A SQL injection flaw allows an attacker to modify or inject SQL syntax into the request to make the application behave in a manner that was not initially intended. In other words, an attacker can change a database query to: Read sensitive data Modify the database Execute other database functions Break authentication Lead to remote code execution Now with almost all web applications having integrations with databases in some way, this flaw has the potential to arise often. However, many frameworks and libraries are available to make database connections and queries safe. That said, SQL injection still exists and is very common. Injection flaws were the number one flaw category under the OWASP 2017, and, currently, injection flaws hold the number three spot in the OWASP 2021. SQL injection flaws have impacted every industry as well as enterprises that already have a mature information security program in place. It can happen, and it can be catastrophic! How… Guideline
Veracode.webp 2021-11-18 21:38:14 EWF Conference: Plotting the Course for Your Personal Brand “Why focus on building your personal brand?” This was the first question that Elana Anderson, Chief Marketing Officer at Veracode, asked during her presentation Plotting the Course for Your Personal Brand at the recent Executive Women's Forum (EWF). Anderson, a lifelong student of marketing and a former analyst at Forrester Research, has a deep understanding of the importance of both corporate and personal brands and the steps necessary to both build and maintain a brand. To help the viewers grasp the impact that a brand can have on your image, Anderson used a series of words or phrases and asked the audience to guess the well-known women she described. Starting with “humble, holy, self-less, and devoted,” do you think you know who that is? The audience guessed Mother Teresa almost instantaneously. The next one was a bit more challenging: “Powerful, ultra-competitive, willing to take a stand, bold style.” Most guessed the correct answer, Serena Williams. Anderson described the last woman using two very different sets of adjectives: “Disney, tween idol, sunshine and rainbows, wholesome” and “rebellious, provocative, radical transformation, happy hippie.” The answer – of course – is Miley Cyrus. It's quite amazing that two seemingly opposite brand descriptions describe one person. Anderson pointed out that, while there were certainly some excesses of youth along the way, Miley's brand transformation also illustrates a bit of purposeful genius. And, it is also a great illustration of how important it is to take control of your own narrative. Whatever you might think about Miley, there is no question that she has transformed her brand from Disney tween idol to independent woman and musician who cannot be taken for granted. Ready to build out your personal brand?
There are steps you can take, starting with defining your purpose:  Purpose: Before you can start defining the actions of your personal brand, you need to figure out the end goal for your brand. As Elana stated, “What is it that you're trying to achieve? Are you trying to seek growth and upward mobility at your job? Are you seeking to drive momentum for your own business? Maybe you're trying to develop your personal persona and network and become a market influencer.”  Core values: Think about what really matters to you. What do you stand for as an individual?   Strengths: What are the core strengths that set you apart from your peers? Try to think outside the box about what makes you unique.   Skills: Your skills should be broader than your strengths. Consider both the hard (writing, public speaking) and soft skills (good listener, timely) that you have to support your brand purpose. Looking at past performance reviews can be very helpful in determining your skills. You'll be able to see what others define as your top hard and soft skills.  Proof points: Your value, strengths, and skills shouldn't just be “perceived,” you should have evidence to support these attributes.   Core brand artifacts: Not everyone has artifacts when they're in the early stage of establishing a brand, but think about any articles or academic papers you have written, any videos or webinars that you have participated in, or a blog or website, that can support your brand.   Brand personality and tone: This all ties back to your purpose. How do you want your brand to be perceived? If you're trying to become an influencer, you might want a more playful and fun tone. If you're looking for career advancement, you might opt for a more formal, thought-leader tone.   Anderson then explained that work doesn't end after you build out your brand. You have to establish a plan to introduce your new brand. 
Google yourself to see what your current brand looks like, then start working on establishing your brand via social media, speaking engagements, articles, etc.    Once you start integrating your new brand, continuously measure your outcomes and sol Guideline
Veracode.webp 2021-11-15 15:38:12 Veracode Named Top 100 Women-Led Business in Massachusetts by the Commonwealth Institute and The Boston Globe Veracode was recently recognized by the Commonwealth Institute and Boston Globe Magazine as a Top 100 Women-Led Business in Massachusetts. The honor, which was awarded to Veracode's CEO, Sam King, is given to female leaders across multiple industries who are at the helm of Massachusetts' most noteworthy companies. Sam, who was also recently named a Tech Top 50 recipient by the Mass Technology Leadership Council (MassTLC) for her exemplary leadership over the past twelve months, is helping to make Veracode one of the most noteworthy cybersecurity companies. “It's a great honor for Veracode to be recognized as a Top 100 Women-Led Business in Massachusetts, and I am especially proud that we are the only software company to make the list. This award is a true testament to our teams, who are dedicated to helping our customers secure the software applications that are integral to their business. The passionate people driving Veracode's mission every day are who make this achievement possible.” Veracode was the only software company to receive a spot on the prestigious list. Leaders are chosen based on their revenue and operating budget, number of full-time employees in the state, workplace and management diversity, and innovative projects, among other variables. For more information on Veracode's recent awards, including EY Entrepreneur Of The Year® New England, please visit the Veracode blog. And to see the full list of Top 100 Women-Led Businesses in Massachusetts, check out the Boston Globe. Want to stay up to date on the latest Veracode news? Sign up for our monthly newsletter. Guideline
Veracode.webp 2021-10-12 15:31:43 MassTLC Names Sam King a Tech Top 50 Recipient Sam King, CEO of Veracode, was recently named a Tech Top 50 recipient by the Mass Technology Leadership Council (MassTLC) for her exemplary leadership over the past twelve months. The Mass Technology Leadership Council (MassTLC), the region's leading technology association and premier network for tech executives, entrepreneurs, investors and policy leaders, recognizes tech companies and leaders for their achievements across multiple categories. “The resiliency and determination of the tech ecosystem in this region enables the innovation and leadership that makes Massachusetts so special,” remarked MassTLC CEO Tom Hopcroft. “It is an honor to recognize the people and companies and their amazing stories.” The candidates were awarded based on their contributions in one of the following eight categories: Best Pivot to Meet the New World, Business Accomplishment, Company Culture, Inclusivity Impact, Leadership, New Company of the Year, Tech for Good: Social Responsibility, and Tech to Watch. Sam was recognized in the “leadership” category. “The category recognizes CEOs for their leadership throughout this past year,” said MassTLC. “[These] six outstanding CEOs were able to not only shepherd their employees through difficult times but emerge stronger than before.” This recognition comes just months after Sam was named a winner of the EY Entrepreneur Of The Year® New England award. “I'm thrilled to be included in the Tech Top 50 by the Mass Technology Leadership Council. Massachusetts is well known for its inclusive and innovative technology landscape, and to see Veracode awarded for leading the charge as a software security company is fantastic.
This award recognizes our entire team, whose continued dedication and resilience over the past year has helped our customers stay focused on their mission and drive digital transformation securely.” To keep up with Veracode's recent achievements, please visit the Veracode blog. And to hear stories from MassTLC Tech Top 50 winners, including their accomplishments and impact on customers, partners, employees, and the broader community, check out the MassTLC homepage. Guideline
Veracode.webp 2021-09-27 18:27:30 Recap: Virtual Boston Globe Summit Veracode CEO Sam King had the opportunity to speak at this year's inaugural virtual Boston Globe Summit, “The Great Recovery.” Sam was invited to join the panel, How Boston is Tackling the Biggest Cyber Threats Facing Society, moderated by Gregory T. Huang, Business Editor at the Boston Globe, with guests Greg Dracon of .406 Ventures and Christopher Ahlberg of Recorded Future. The group began by discussing the evolving landscape of software today. Sam noted that the COVID-19 pandemic, a forcing function to remote work environments, kicked digital transformation into action for many organizations, whether or not they were prepared. In fact, a survey from Verizon detailing sentiment among business leaders about the impacts of COVID-19 found that 38 percent of respondents had implemented virtual collaboration technology and a third chose to temporarily close to allow for transitions to new systems that would enable new ways of working. There was also increased adoption of cloud and software as a service. Sam also touched on issues raised by Veracode's co-founder and CTO Chris Wysopal in his testimony to Congress in 2003 which are still as relevant as ever: large amounts of software are still not designed in a defensive way, nor are they built with security testing directly embedded in the software development process. This is especially problematic for businesses and government, so it's vital that organizations pay attention to initiatives like the current administration's Executive Order on Improving the Nation's Cybersecurity. “President Biden came out with the Executive Order a couple of months ago and that is a step in the right direction for two reasons: he is asking federal agencies to do a better job, and he is also using the purchasing power of the federal government to try and secure the extended software supply chain,” Sam noted.
As we move forward, what should the role of the government be in security, and which policies did the panel think are most useful? Worth mentioning are the recent Massachusetts state senate hearings in which we learned that residents had lost nearly $100 million from cyberattacks in 2020 according to the FBI Internet Crime Complaint Center annual report.   In these cases, the role of government in driving policy may be best achieved by providing resources and educational training so that state and local institutions can improve their systems and build thoughtful security plans that protect their data – and the data of the people who use their services. As Sam commented during the summit, establishing guidelines and then creating some incentives to drive policy is a step in the right direction.  Ideally, government should work with the private sector to share information around requirements, ratings, and labels so that software is held to the same standards across the board. Sam once again applauded the executive order, explaining how critical it is for the government to take proactive steps to ensure the security and safety of software by establishing standards around accessing vulnerabilities and implementing security processes.   When asked about what we might see in the future of cyberattacks, Sam noted that she hopes the current moment in time is a call to action for everyone, especially those implementing policy and strategy within their organizations. “I think it's going to take a wholesale effort where people that are guiding the strategies of companies and looking at the risks are creating structural change in the organizations they're responsible for,” she continued.   Stay up to date on the latest tools, trends, and vulnerabilities in software security by reading our annual State of Software Security report, and watch a recording of the panel.  Guideline
Veracode.webp 2021-09-10 08:25:31 2003 Testimony to Congress Proves That We Still Have a Long Way to Go In Building Secure Software Back in May 1998, as a member of the hacker think tank, L0pht, I testified under my hacker name, Weld Pond, in front of a U.S. Senate committee investigating government cybersecurity. It was a novel event. Hackers, testifying under their hacker names, telling the U.S. government how the world of cybersecurity really was from those down in the computer underground trenches. Many in the security community know of the famous L0pht Senate testimony, but very few know that one of the L0pht members testified on Capitol Hill 5 years later. That member was me. This time I testified as a cybersecurity professional using my real name. I was the director of research and development at @stake, an information security consulting company. Back in the summer of 2003, the internet was plagued with worms such as Blaster and Sobig. The U.S. House of Representatives Committee on Government Reform wanted to hold hearings to understand the problem. Why had 400,000 computers been infected with Blaster in less than five days when the patch that would have prevented the attack had been available for over a month? I was asked to testify to help the committee understand vulnerability research. How were the vulnerabilities discovered that led to worms like Blaster, and why were these latent vulnerabilities there in the first place? The problems I spoke of in 2003, sadly, are still here with us 18 years later. Large amounts of software are still not designed defensively… and not built with security testing embedded in the development process. The economics of software development still leads to the reuse of old insecure software. Computer users still loathe updating to new, more secure versions of software due to the costs and resources required.
I discussed how the root cause of viruses and worms was security flaws in the design or implementation of software. I still believe this today (even though most vulnerabilities are not “wormable” or attackers choose to attack with more precision). I discussed the problems with a ship-it-vulnerable, patch-it-later approach. Even now with some products using auto-updating, patching is often late or doesn't happen at all due to the resources required to patch in an enterprise IT environment. Most of what I spoke of was the world of vulnerability research. Who were the people – like the researchers from the Last Stage of Delirium – that discovered the Blaster vulnerability? Why would they do this? How did they do this? How is it possible that they found a security bug when the vendor didn't? Then I spoke about the safe vulnerability disclosure process: How researchers could work with vendors to keep the internet safer despite vulnerable software everywhere. This type of process is now widely followed by researchers and vendors and is codified into an ISO standard. We have made progress on the challenge of building software more securely, distributing patches better, and handling vulnerability disclosure better. But the gains are far less substantial than they should be after 18 years. In my 2003 testimony, I said, “The current flawed computing infrastructure is not going to change for the better overnight. It will take many years of hard work.” We are still in the “many years” phase and perhaps will be for another decade. Take a look at my 2003 testimony and see for yourself just how far we still need to go. Vulnerability Patching Guideline
Veracode.webp 2021-09-07 16:31:28 Digital Signatures Using Java (lien direct) This is the ninth entry in a blog series on using Java Cryptography securely. We started off by looking at the basics of the Java Cryptography Architecture, assembling one crypto primitive after another in posts on Cryptographically Secure Random Number Generators, symmetric and asymmetric encryption/decryption, and hashes. In the meantime, we had to catch up with the cryptographic updates in the latest versions of Java. Having looked at some of the most common symmetric-cryptography-based applications, namely Message Authentication Codes and Password Storage, let's take a slight diversion and look at asymmetric cryptography applications, starting with Digital Signatures in this post. Overview: What Is a Digital Signature Digital signatures are in many ways analogous to physical signatures: they provide assurance to the receiver that the received message was created and sent by the claimed sender (authentication), bind the sender to the data in the received message (non-repudiation), and show that the message was received unaltered (integrity). They do not provide any confidentiality for the messages being exchanged. A digital signature is an asymmetric-key operation, in which the private key is used to sign a message and the corresponding public key is used to verify the signature. Message Authentication Codes and digital signatures are both used for signing messages. MACs are generated and verified with a shared symmetric key; in contrast, a digital signature is generated with the private key of an asymmetric (public key cryptography) key pair and can be verified by anyone holding the corresponding public key. The private key is possessed only by the signing authority. Thus, digital signatures provide a non-repudiation service that a MAC cannot. HowTo: How Does It Work? 
Similar to Message Authentication Codes (MAC), the core concept of a digital signature is: the sender computes a signature over the hash of the message (M) using the private key and sends the original message together with the computed signature to the receiver. The receiver verifies the signature using the public key. If verification succeeds, the non-repudiation, authenticity and integrity of the message from the intended sender have been established. Digital Signature Steps: An asymmetric key pair, PrivateKey and PublicKey, is generated. The sender safely stores the PrivateKey; the PublicKey is made publicly available. The sender computes the signature of message M: Sign = SignatureAlgorithm(M, PrivateKey, Hash Algorithm). M || Sign is sent to the receiver. On the receiver side, the signature is verified by computing: Valid = VerifyAlgorithm(M, Sign, PublicKey, Hash Algorithm). Note that the receiver does not recompute Sign (that would require the private key); the verification algorithm returns a true/false verdict. If Valid is true, the non-repudiation, authenticity and integrity of the message from the intended sender have been verified. HowTo: Construction of a Digital Signature HowTo: Design Before we dive into full-fledged implementation discussions, we need to make a few design decisions: HowTo: Decide Which Signature Algorithm to Choose? RSA has been the de facto algorithm used for digital signatures. However, over time it has proved fragile in practice[9]. DSA is on its path to deprecation[4] in favor of ECDSA. By steering clear of these two signature algorithms, we would eliminate more than 50% of the signature algorithms supported by JCA. As we discussed in our Java Crypto Catch-up post, later Java versions provide very mature Elliptic Curve (ECC) support, and we should be embracing those schemes. If you want to learn more about how ECC works and compares against other public key mechanisms, I have listed some links in the references section below. Over time many curves have appeared, and not all are suitable for cryptographic purposes. You should pick between: Edwards curves: For any new development, I would suggest using Edwards-curve based schemes. 
Both the Ed25519 and Ed448 schemes provided by JCA are excellent options. They were not yet standardized by government authorities (NIST) at the time of writing, but standardization is under way. NIST-standardized curves: If you have to abide by government standards[11], go for ECDSA with an approved curve providing at least 128 bits of security strength (P-256 or larger). But how to choose a secure curve from 25 options pr Guideline
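As an added example (this is not code from the Veracode post or from its series), the sign-then-verify steps above written against the JCA API: Ed25519 as the recommended Edwards-curve scheme, and SHA256withECDSA on the NIST P-256 curve as the fallback when an approved curve is mandated. The message bytes and the class and helper names are constructed for this demo; Ed25519 in JCA requires Java 15 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;

// Demo class name is an assumption for this example, not part of the original series.
public final class SignatureDemo {

    // Sender side: Sign = SignatureAlgorithm(M, PrivateKey). The hash is chosen by the
    // algorithm string (built into Ed25519, explicit in "SHA256withECDSA").
    static byte[] sign(String algorithm, PrivateKey privateKey, byte[] message)
            throws GeneralSecurityException {
        Signature signer = Signature.getInstance(algorithm);
        signer.initSign(privateKey);
        signer.update(message);
        return signer.sign();
    }

    // Receiver side: verification returns a boolean verdict; it never recomputes Sign.
    // Malformed signature bytes raise SignatureException, which we map to "not verified".
    static boolean verify(String algorithm, PublicKey publicKey, byte[] message, byte[] signature) {
        try {
            Signature verifier = Signature.getInstance(algorithm);
            verifier.initVerify(publicKey);
            verifier.update(message);
            return verifier.verify(signature);
        } catch (GeneralSecurityException e) {
            return false; // fail closed: an unparsable signature is not a valid one
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample messages for the demo.
        byte[] message = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "transfer 900 to account 42".getBytes(StandardCharsets.UTF_8);

        // Preferred: Ed25519 (deterministic, fixed 64-byte signatures, hash built into the scheme).
        KeyPair ed = KeyPairGenerator.getInstance("Ed25519").generateKeyPair();
        byte[] edSig = sign("Ed25519", ed.getPrivate(), message);
        System.out.println("Ed25519 signature (" + edSig.length + " bytes): "
                + Base64.getEncoder().encodeToString(edSig));
        System.out.println("Ed25519 verify original: " + verify("Ed25519", ed.getPublic(), message, edSig));
        System.out.println("Ed25519 verify tampered: " + verify("Ed25519", ed.getPublic(), tampered, edSig));
        // A truncated signature must be rejected, not treated as valid.
        byte[] truncated = java.util.Arrays.copyOf(edSig, edSig.length - 1);
        System.out.println("Ed25519 verify truncated: " + verify("Ed25519", ed.getPublic(), message, truncated));

        // Fallback when a NIST curve is required: ECDSA on P-256 with SHA-256 (~128-bit security).
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair ec = ecGen.generateKeyPair();
        byte[] ecSig = sign("SHA256withECDSA", ec.getPrivate(), message);
        System.out.println("ECDSA verify original: " + verify("SHA256withECDSA", ec.getPublic(), message, ecSig));
        // A signature only verifies under the public key matching the signing private key.
        KeyPair otherEc = ecGen.generateKeyPair();
        System.out.println("ECDSA verify with wrong key: "
                + verify("SHA256withECDSA", otherEc.getPublic(), message, ecSig));
    }
}
```

Two things worth noticing when running it: the ECDSA signature is a DER-encoded (r, s) pair whose length and value change between runs because of the random per-signature nonce, while the Ed25519 signature is a deterministic 64-byte value; and both verify calls return false (rather than throwing to the caller) for the tampered message, the wrong key and the truncated signature, which is the behaviour a receiver should rely on.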
Veracode.webp 2021-08-19 08:10:39 Veracode Ranked as a Strong Performer in Forrester Wave™ Software Composition Analysis Report (lien direct) Veracode has been recognized in a report Forrester Research recently released, The Forrester Wave™: Software Composition Analysis, Q3 2021. The report helps security professionals select a software composition analysis (SCA) vendor that best fits their needs. The report, which evaluates 10 SCA vendors against 37 criteria, ranks Veracode as a strong performer.  The Forrester Wave™ states, “Veracode is a strong choice for customers that are most interested in remediating vulnerabilities in open source components.” Noted in the report is our roadmap, which “...focuses on unifying the SAST and SCA capabilities in the developer environment and enhancing container and IaC security capabilities.” The report also highlighted, “Veracode has concentrated its SCA solution on finding and remediating open source vulnerabilities, with dependency graphs and guidance on a fix's likelihood to break the code - one customer's reference called the dependency graph 'amazing'.”  Why is SCA such a critical element of software development? As Forrester explains, “Open source use has exploded, with the average percentage of open source in audited code bases increasing from 36% in 2015 to 75% in 2020.” But we know from Veracode's recent State of Software Security (SOSS): Open Source Edition report that about 79 percent of developers never update third-party libraries after including them in their codebase, which leads to unnecessary breaches.   With tools like Veracode Software Composition Analysis in hand, developers have the power to assess and manage the risk of their open source components by scanning open source dependencies for known flaws and leaning on data-driven recommendations for version updating. 
In fact, our SOSS research unveiled that 92 percent of third-party flaws can be remediated with an update and 69 percent of the updates are minor.   Learn more  Download The Forrester Wave™: Software Composition Analysis, Q3 2021 report to learn more about what to look for in a software composition analysis vendor and for additional information on Veracode's strong performer ranking in vulnerability detection and remediation.  Vulnerability Guideline
Veracode.webp 2021-08-02 10:56:59 Champion Spotlight: Hans Dam (lien direct) This interview was cross-posted from the Veracode Community. With his third consecutive championship in the Secure Coding Challenge – the monthly coding competition in the Veracode Community – Hans Dam is the first in the community to clinch the title of Secure Code Champion. We spoke with him about his experience in the coding competitions and his career growth from a software developer to a DevSecOps manager.   As DevSecOps manager currently working at Explorance, Hans manages the DevOps and AppSec teams and is responsible for managing internal application security scans, improving internal processes with automation, and developing tools for deployment and monitoring. His strong passion for DevOps and automation is at the core of his current role.  What makes Hans the first Secure Code Champion and how did he get application security under his belt? In this interview, Hans shares his takeaways from the Secure Coding Challenges and his advice for developers looking to break into the security world.  About your experience in the Secure Coding Challenge    What brought you to Veracode's Secure Coding Challenge?   The company I work for, Explorance, was offered a demo of Veracode Security Labs, and I found the gamification aspect of Security Labs exciting. Unfortunately, during the demo, we did not set it up as a competition. Because of this, when Veracode announced a competition involving security best practices and programming, I was hooked.  What did you find most valuable in participating in the Challenge?  I really like the diversity of programming languages and frameworks used in Veracode Security Labs. I had not touched Go, Flask, or Scala code before I participated in the Secure Coding Challenges. Additionally, it's always nice to brush up on the basics including OWASP TOP 10 vulnerabilities.  What's your suggestion for participants to stand out in the competition?   
Know that you don't have to complete every step described in each Lab. For example, if you make a code change you don't always have to run and test your solution. Many times, it is enough to simply save the file.  About your experience becoming a DevSecOps Engineer    How have you grown from a software developer into a DevSecOps engineer? What are the skillsets and knowledge required for this career change? How did you acquire those skills?    I started at Explorance as a software developer, developing new features for our main product. Based on my experience in previous companies, I saw some areas where we could improve the processes and increase automation. I started creating build scripts, developing internal tools, and playing around with the possibilities of continuous integration.  I was then offered to lead our maintenance team, whose main objective was to quickly diagnose and resolve customer issues, in unison with our customer support engineers and operations team. This gave me the perspective of different departments on the product features, reliability, debuggability, deployment, and documentation.  I got the opportunity to switch focus and started a role in application security within Explorance. We wanted to increase our focus on security by doing internal security scanning, increasing the application security awareness among developers, and reacting to emerging trends more rapidly.  Working with Veracode to identify and mitigate security issues in our products helped me open my eyes to best practices and the many ways things can go wrong when trying your best to rapidly meet customers' needs.  My latest role change at Explorance was to become a DevSecOps Manager, which means that I am managing our DevOps and AppSec teams.  Within Explorance, the transition from software developer to DevSecOps manager has been a product of me trying out a bunch of different things and the organization believing in me. 
The main skillsets would be tenacity and listening to your colleagues about how to improve every day.  Wha Threat Guideline
Veracode.webp 2021-07-29 10:06:37 Veracode CEO Sam King Crowned a Winner in the EY Entrepreneur of the Year® New England Award (lien direct) For the past 35 years, EY's Entrepreneur of the Year® program has honored leaders from around the world who continue to make positive impacts within their industries. We're thrilled to share that, this year, Veracode's CEO Sam King has been named a winner in the Entrepreneur of the Year® New England award! This prestigious program celebrates entrepreneurs like Sam who are leading successful companies, underscoring each nominee's innovation, financial aptitude, and commitment.    Sam is among 15 audacious winners from 10 companies in New England. Awarded to executives who work hard to build leading businesses that create jobs and contribute to their communities, the Entrepreneur of the Year® honor celebrates Sam's dedication to cementing Veracode as a leader of the pack in software security.  Sam was selected for her integral role in Veracode's growth, success, and innovation over the past 15 years, initially as a founding team member and then as CEO. Her inspiring leadership, ability to succeed in a complex economic environment and commitment to community, diversity, and mentorship were recognized for their lasting effects on both Veracode and the New England area. Under King's leadership, Veracode has become the fifth largest cybersecurity employer in MA, the #1 women-led software company in MA (The Boston Globe), an eight-time Leader in the Gartner Magic Quadrant for Application Security Testing, and a Leader in the Forrester Wave for Static Analysis Security Testing.  Entrepreneur of the Year® regional winners are inducted into the Hall of Fame, which is an “…elite roster of business leaders who have been recognized for their exceptional entrepreneurial achievements” according to EY. 
As a New England award winner, Sam joins an esteemed multi-industry, international community of unstoppable creators and disrupters from around the globe who are shaking up their industries by breaking boundaries. While the number of awards varies year to year, nominees go through both a regional panel and a national panel of judges to select the strongest candidates and then, if selected, move forward to become national finalists.    Sam is now eligible for consideration for the Entrepreneur Of The Year 2021 National Awards. Award winners, including the Entrepreneur Of The Year National Overall Award winner, will be announced in November at the Strategic Growth Forum®, one of the nation's most prestigious gatherings of high-growth, market-leading companies.  Watch the full video of the ceremony here. Guideline
Veracode.webp 2021-07-26 09:56:06 Announcing the Veracode Security Labs FREE Trial (lien direct) We're excited to announce a new free trial option of Veracode Security Labs that allows new users to try the full Enterprise Edition for 14 days. Why is this hands-on training solution so critical? Developers are the backbone of the software that powers our world today, but when they lack security skills, it's harder for them to keep up with the rapid pace of modern software development while still producing secure code. Veracode Security Labs helps close these skill gaps by giving developers that inimitable hands-on experience, and now with this two-week trial, you'll have plenty of time to try out these hands-on-keyboard labs with your developers and see just how effective it is in real-time.   “Veracode Security Labs engages and actively teaches developers by giving them a containerized space to work with real code and demonstrates how to avoid flaws that have led to some of the headline-making vulnerabilities of the last few years,” says Ian McLeod, Chief Product Officer at Veracode. “With this approach, in as little as five to 10 minutes, developers can learn new skills and deliver secure code on time.”  Developer training with tools like Security Labs is critical as vulnerabilities in code are easily weaponized-and they're not going away anytime soon. Verizon's 2021 Data Breach Investigations Report (DBIR) showed that web applications make up 39 percent of all breaches today. And with the recent cybersecurity executive order from the United States government, it's more important than ever that organizations pay attention to the security of their code.   Data from a survey by the Enterprise Strategy Group (ESG) shows that a sizeable 53 percent of organizations provide security training to their developers less than once a year. 
With the responsibility falling on the shoulders of software engineers to keep up with the latest threats and secure coding skills on their own time, Veracode Security Labs can help check those critical training boxes.  Training for teams large and small  Veracode Security Labs Enterprise Edition is great for engineering teams that need hundreds of short labs on a wider range of topics, with included features like a leaderboard and reporting. The Veracode Security Labs Community Edition is a complimentary version with select topics for individual developers who want to start learning on their own.      The most inexpensive bug to fix is the one that never gets created.  Veracode Security Labs helps developers shift critical security knowledge “left,” or sooner in the software development lifecycle (SDLC) so that their code is checked early and often. In doing so, they're able to leverage those critical nuggets of security knowledge into each step of the development process. Over time, the code developers produce is more secure with fewer flaws and potential exploits, with DevSecOps principles sticking with developers from project to project. That means your team can:  Grow essential skills that will help them patch real-world vulnerabilities while coding  Maintain an understanding of what cyber attackers like to exploit, and how they go about doing so  Quickly apply remediation guidance to the popular programming languages they use most  Improve their security knowledge overall while gaining more confidence in their coding skills  With features like assignments, progress reports, LinkedIn certification badges, and a leaderboard, the platform fosters healthy competition that encourages developers to level-up alongside their peers. Veracode Security Labs helps satisfy compliance requirements, too, enabling development and security teams to meet ongoing security training requirements and adjust course as industry needs change.  
If you're ready to get started, sign up for your free two-week trial of Veracode Security Labs here.   Data Breach Guideline
Veracode.webp 2021-06-29 11:30:29 Speed or Security? Don\'t Compromise (lien direct) “Speed is the new currency of business.” Chairman and CEO of Salesforce Marc R. Benioff's words are especially potent today as many organizations small and large look for ways to speed up production during their shifts to digital.     In software development, speed is a critical factor. Everything from shifting priorities to manual processes and siloed teams can seriously impede deployment schedules. One of the biggest obstacles, however, is a lack of security throughout every step of the production process to ensure that coding mistakes and flaws are found and fixed before they turn into project-derailing problems.  A lack of an efficient and flexible AppSec program becomes an issue when you look at the data: Cyberattacks occur every 39 seconds. 60 percent of developers are releasing code 2x faster than before. 76 percent of applications have at least one security flaw on first scan. 85 percent of orgs admit to releasing vulnerable code to production because of time constraints. A mere 15 percent of orgs say that all of their development teams participate in formal security training. But there's good news, too. We know from our annual State of Software Security report that frequent scanning with the right tools in the right parts of your software development lifecycle can help your team close security findings much faster. For example, scanning via API alone cuts remediation time for 50 percent of flaws by six days, slamming that window of opportunity shut for cyberattackers. The Veracode Static Analysis family helps you do just that. It plugs into critical parts of your software development lifecycle (SDLC), providing automated feedback right in your IDE and pipeline so that your developers can improve the quality of their code while they work. You can also run a full policy scan before deployment to understand what your developers need to focus on and to prove compliance. 
Together, these scans throughout My Code, Our Code, and Production Code boost quality and security to reduce the risk of an expensive and time-consuming breach down the road. Automation and developer education In addition to having the right scans in the right places, there are supporting steps you can take to ensure the quality of your code without sacrificing speed. Automation through integrations is an important piece of the puzzle because it speeds everything up and boosts efficiency. The automated feedback from Veracode Static Analysis means your team of developers has clear insight into existing flaws so they can begin prioritization to eliminate the biggest risks first. Automation also sets the standard for consistency which, as you go, improves speed. Developer education also helps close gaps in information and communication with security counterparts so that they can work towards a common goal. It goes both ways – if the security leaders at your organization can walk the walk and talk the talk of the developer, everyone will have an easier time communicating goals and solving security problems. One way to close those gaps is through hands-on developer education with a tool like Veracode Security Labs. The platform utilizes real applications in contained environments that developers can hack or patch in real-time so that they learn to think like an attacker and stay one step ahead. Like Static Analysis, Security Labs helps meet compliance needs too, with customized education in the languages your developers use most. The prioritization conundrum Security debt can feel like a horror movie villain as it lingers in the background. But it isn't always teeming with high-risk flaws that should be tackled first, and so it's important to carefully consider how to approach prioritization. 
A recent analyst report, Building an Enterprise DevSecOps Program, found that everything can feel like a priority: “During our research many security pros told us that all vulnerabilities started looking like high priorities, and it was incredibly difficult to differentiate a vulnerability with impact on the organization from one which Hack Tool Vulnerability Guideline
Veracode.webp 2021-06-25 08:57:23 Key Takeaways From State of Software Security v11: Open Source Edition (lien direct) We recently published a special open source edition of our annual State of Software Security (SOSS) report. The State of Software Security v11: Open Source Edition analyzed the data collected from 13 million scans of more than 86,000 repositories, containing more than 301,000 unique libraries. We also added some color and context to the data this year by surveying our customer base and adding the data from 1,744 responses to the report. In last year's open source report, we looked at a snapshot of library usage in applications. This year, we looked beyond the point-in-time snapshot to examine the dynamics of library development and how developers react to library changes, including the discovery of flaws. Here are some of the key takeaways for security professionals: The most popular libraries from last year are not the most popular libraries this year. And the most secure libraries from last year are not the most secure libraries this year. Some languages saw little to no change in library popularity from 2019 to 2020, like Java. But other languages underwent significant changes in their library landscapes. For example, Swift's top two libraries from 2019, Crashlytics and Fabric, did not even break the top 20 in 2020. This is due to the fact that Google (the parent company behind Firebase) acquired both companies and integrated the functionality into Firebase, leading to the meteoric rise in two Firebase libraries. The most secure libraries have also changed. The Twisted library in Python was very secure last year, but this year it's far from secure. 
This is likely attributable to the expanding capabilities of the built-in functionality in Python, with the built-in library asyncio receiving significant updates in 2016 and late 2018, and perhaps more importantly has only seen one CVE associated with it (CVE-2021-21330), in contrast to Twisted's seven. Security takeaway: What's popular and what's secure in your library landscape can change dramatically within the span of a year. Keeping an inventory of what's in your application is important. 79 percent of developers never update third-party libraries after including them in a codebase. Once developers pick a library or version, they tend to stick with it. 65 percent of libraries appear in the first scan of the repository and are never updated. An additional 14 percent of libraries are added at some point during development and are never updated to a new version. The languages that are most likely to be “set and forgotten about” include Ruby, JavaScript, and Java. Security takeaway: Most third-party libraries aren't updated once added to a codebase. This is especially alarming considering that, in last year's open source report, we found that almost one-third of applications have more security findings in third-party libraries than in the native codebase. And even if a library is secure when you add it to your codebase, we saw above that the security of libraries changes frequently. Open source libraries are not a set-it-and-forget-it activity, but rather one that requires maintenance. When alerted to vulnerabilities, developers act quickly. But that maintenance is not necessarily overly taxing. We found that once alerted to a vulnerability in a library, developers fix nearly 17 percent of vulnerable libraries within an hour and 25 percent within seven days. Security takeaway: With the right information and prioritization, security vulnerabilities in open source libraries can be addressed quickly. 
Without knowledge of how vulnerabilities relate to their applications, developers struggle to address them. Vulnerabilities can be addressed quickly, but if developers don't have the right contextual information, such as how a vulnerability impacts their application, it can take more than seven months to fix 50 percent of flaws. Those that have the information they need fix 50 percent of flaws in just three weeks. Security takeaway: 92 percent of library flaws can be fixed with an update, and 69 percent of updates are a minor version change or less. But lac Vulnerability Guideline
Veracode.webp 2021-06-01 16:45:52 Veracode Named a Leader in 2021 Gartner Magic Quadrant for Application Security Testing (lien direct) Veracode has been named a Leader in the 2021 Gartner Magic Quadrant for Application Security Testing (AST) for the eighth consecutive year. Gartner evaluates vendors based on their completeness of vision and ability to execute in the application security testing (AST) market. This recognition comes just months after we were named Gartner Peer Insights Customers' Choice for AST, proving, in our opinion, the strength of our AST offerings according to both experts and users. In addition, we received the highest score for the Enterprise and Public-Facing Web Applications Use Cases in the 2021 Gartner Critical Capabilities for Application Security Testing report. We're thrilled to be recognized as a Leader in the Magic Quadrant once again. Committed to helping organizations in every industry code with confidence in our increasingly digital world, we spent the last year striving to enable developers to code securely, and security teams to easily measure and report on the security posture of their organizations. Veracode has increased its focus and investment in DevSecOps and developer enablement and education, with expanded integrations into developer ecosystems, including AWS CodeStar, secure coding best practices, and expert consultations. The platform offers support for GitHub Actions and GitHub Security Console and issues and pipelines, as well as a pipeline approach that optimizes scan times throughout the software development process. Through the introduction of Veracode Security Labs in early 2020, the company also offers hands-on, interactive security training to developers that aims to enable developers to code securely. 
As the director of engineering at OneLogin recently remarked, “Veracode [Security Labs] has significantly reduced the number of defects introduced during the development process and has ingrained security best practices as a primary pillar of creating production-quality code.” A true enterprise offering includes a comprehensive approach to application security. Veracode credits its high scores for Enterprise and Public-Facing Web Applications in the Critical Capabilities report to a single platform that scans for vulnerabilities in both first-party and open source code with multiple testing types, quick time to deployment without absorbing infrastructure costs, constant updates, and machine learning that facilitates remediation. Unique in the market, Veracode SCA doesn't rely solely on the National Vulnerability Database (NVD) but also uses machine learning, data mining, and natural language processing to identify potential vulnerabilities in open source libraries from commit messages and bug reports. Software security will be increasingly critical as the world becomes even more connected and digital, and as high-profile cyberattacks prompt more stringent regulations. In fact, nearly a quarter of the Biden administration's newly launched executive order on cybersecurity is focused on securing the software supply chain, and the 2021 Gartner Magic Quadrant authors highlight that “Gartner estimates end-user spending in the AST market reached $2.2 billion worldwide in 2020. We have also increased our growth rate proj Vulnerability Guideline
Veracode.webp 2021-05-24 10:02:18 Veracode and Finite State Partner to Address Connected Device Security (lien direct) This article was co-authored by Matt Wyckhouse, CEO of Finite State. Over the past decade, we have seen the rapid adoption and expansion of connected devices and embedded systems among businesses. This includes anything from the Internet of Things (IoT) to connected medical devices, building systems, Industrial Control Systems (ICS), and other devices that power our lives and our infrastructure. In recent years, improved connectivity and the rollout of expanded 5G service is providing an even bigger opportunity for organizations to untether these devices and deliver a rich experience across the enterprise. The result is a swell of highly sophisticated and complex devices; by 2025, the number of connected devices is expected to hit 55.7 billion globally. Veracode has long been a leader in application security, offering static analysis, software composition analysis, and dynamic analysis, and has now entered into a partnership with Finite State, an expert in connected device security, to help our customers fully address their product security needs. While advances in connected device technology have opened the door to new capabilities with greater operational scale and increased efficiencies, devices come with a unique set of security challenges. Key challenges in securing connected devices Complex and opaque supply chains make it difficult to assess risk. With a globalized economy and expanding use of open source software in the creation of these devices, it's becoming more difficult for device manufacturers and their customers to know what exactly is running inside their products and the scope of the security and license risk lurking within. Only about 20% of code in these devices is first party, on average. Sometimes it's as little as 5%. Open source makes up a huge amount of the components in connected devices: 
anything from libraries to operating systems can be open source or created by a third party. Traditionally, device manufacturers analyze their first-party code (a difficult process in and of itself) as part of their security program requirements. However, as first-party code has become a smaller component of the underlying code in these devices, manufacturers are often left in the dark when it comes to the majority of their device components. Greater use of open source presents heightened license risk and compliance adherence. Development teams want to make use of open source componentry to increase speed and scalability of development. However, prolific use of open source expands the tracking and reporting requirements on organizations to maintain compliance with license obligations. Legal and Compliance Teams need near continual update and ongoing assessment of open source license use for audit and other compliance purposes. Manual efforts to do so no longer meet the scaled use of modern product development organizations. An increase in publicly reported vulnerabilities and security breaches around connected devices is Guideline ★★★★
Veracode.webp 2021-05-21 14:27:34 Live From RSAC: Disinformation: As Dangerous as Cyber and Physical Threats (direct link) In today's digital world, we practically live on our phones or computers. Chances are, you don't go more than 15 minutes without checking your email or social media. And you probably get most of your news from the Internet. But how do you know what information is real? Two different news sites might be giving a different opinion of the same story. Take the presidential election, for example. There was a frenzy of fake news trying to sway voters in one direction or the other. Covid-19 also brought about a fair share of conspiracy theories and misinformation - like the Covid-19 vaccine microchip theory. These theories and propaganda were planted by threat actors to stir chaos and instill fear or doubt. In an RSA Conference fireside chat this week, Chris Krebs, former director of the U.S. Cybersecurity and Infrastructure Security Agency and co-founder of Krebs Stamos Group, and Alan Shimel, CEO of MediaOps, explained how to weed through disinformation, what threats fake news poses to cybersecurity teams, and what we can do to help. As Krebs says, "I'm leading a commission at the Aspen Institute on the information disorder and there are no silver bullets right now for stopping, for halting, for changing the ecosystem. Whatever the solutions are - now or in the future - it's going to take the whole of society, like government, industry, civil society ... it's going to take a full effort." How do you build your information ecosystem? It's challenging to figure out what information to believe when there are so many news outlets. And people tend to be more attracted to drama or stories that align with their views, even if the information is not accurate. Real news is "boring," as Krebs says, and fake news is more appealing.
Unfortunately, there is no central source of truth at the moment, so there is no way to say what information is accurate or not. We need to fix this. How do we counter disinformation? Krebs and Shimel discussed the idea of creating one source of truth. Whether it's at a company or in government, you need one central repository with the facts. Take Germany, for example. Germany has a monoculture of news that gives them the advantage of one source of "truth." There is one source where you can get your news, and there is no commentary. That doesn't mean that they don't still deal with some disinformation, but it's a lot less than in the United States. How do you deal with disinformation in cybersecurity? Disinformation attacks are when threat actors manipulate information to cause unrest. Software companies that work with the government deal with disinformation attacks all the time. For example, threat actors changing the outcome of an election. The new executive order should help with some of these attacks, but it still doesn't solve the problem. The government needs more information, especially regarding ransomware. But what companies want to disclose their security problems? And it's not as if the government can help them with security. Krebs and Shimel noted that we need to incentivize organizations, and we need to make it easy and convenient to report security defects and breaches. Organizations should also be conducting an analysis of their systems to keep an eye out for potential attacks, and should consider hiring a senior executive to concentrate solely on countering disinformation. Since the world is becoming increasingly digital, this role is more important than ever. For more on the cybersecurity executive order, and other RSA Conference 2021 sessions, check the Veracode Blog. Threat Guideline
Veracode.webp 2021-05-20 17:34:42 Live From RSAC: AppSec's Future and the Rise of the Chief Product Security Officer (direct link) Chris Wysopal, Co-Founder and CTO at Veracode, and Joshua Corman, Chief Strategist of Healthcare and COVID at CISA, presented at the 2021 RSA Conference on AppSec's future and the need for a new Chief Product Security Officer (CPSO) role. Wysopal started by quoting entrepreneur Marc Andreessen saying, "Software is eating the world," to express just how much we rely on technology. From our iPhones and laptops to our cars and even our refrigerators ... software is everywhere. If we look back at the rise of software, it was largely used originally to automate manual processes in the back office of businesses, like banking software for a teller. But now, we are using software to deliver products to a customer, like a mobile banking application. So as Wysopal stated, "There's not just more software. There are different kinds of software." And this software that's being released as products to customers has added risk. Using the mobile banking application as an example, Wysopal noted that it's riskier to use a customer-facing application to conduct your banking than it is to go to the bank and have a teller use the back-end software. More people have access to the mobile banking application, and anyone in the world could connect to the APIs. And the risk associated with software products is only going to continue to grow. Consider the way we are creating apps now: APIs are the bloodstream. Each microservice, serverless function, container, or public API is more attack surface. Applications that connect with social networking create more attack surface. Migrating to new software and forgetting to retire legacy software leads to more attack surface. And there is risk with new software trends as well. For example, ubiquitous connectivity is the standard mode for any product now. Abstraction and componentization are also big trends.
Instead of writing code, we now frequently use a library or write a script to instruct something else to be built. It's great to build applications quickly, but it changes the way you have to think about security and the supply chain. That's why we need a CPSO role, not just a Chief Information Security Officer (CISO). A CISO is concerned about compliance and protecting the company's brand, but a CPSO would be responsible for managing product risk. Product risk spans so many departments - like engineering, compliance, supplier management, and information risk - and will likely span even more departments over the next few years. CISOs have too much on their plate to be able to take on product risk. Corman mentions that many healthcare organizations have started adding a CPSO-type role to their organizations and others should follow suit, especially given the increase in software breaches. As mentioned in our blog outlining Anne Neuberger's RSAC address, cyberattacks have increased by 67 percent in the past five years. And many of these breaches - like SolarWinds and Microsoft Exchange - are having national security implications. In fact, the Biden administration recently released an executive order to safeguard U.S. cybersecurity. So having a role that is dedicated to managing product risk is not only beneficial but arguably essential. For more summaries of RSA Conference 2021 sessions, check the Veracode Blog. Guideline Uber ★★
Veracode.webp 2021-04-23 12:58:34 Are You Targeting These Risky Red Zone Vulnerabilities? (direct link) Modern software development is full of security risk. Factors like lingering security debt, insecure open source libraries, and irregular scanning cadences can all impact how many flaws dawdle in your code, leading to higher rates of dangerous bugs in susceptible and popular languages. For example, we know from State of Software Security v11 that PHP has a high rate (nearly 75 percent) of cross-site scripting flaws on initial scan, which is also the most common type of open source code vulnerability across nearly every language. It's a dangerous one. CRLF injection - which is commonly seen in Java and JavaScript - can lead to maliciously manipulated web applications if a threat actor is able to inject a CRLF sequence into an HTTP stream. CRLF injection is dangerous and appears in a sizeable 65 percent of applications with a flaw on initial scan, posing a decent risk to apps written in Java and JavaScript if left unchecked. But not all flaws are so high-risk for common languages; Information Leakage, for example, is most often seen in .NET, PHP, and Java, typically stemming from a lack of secure code training. To stay one step ahead of even the low-risk (and high-risk) flaws, developers need to be armed with the right knowledge and tools so that they can produce more secure code to reduce the chance of a breach - whether low risk or in the danger zone. Understanding how flaws impact programming languages across the board is crucial to preventing them. Take note of which languages tend to carry the most high-risk flaws first; whether or not yours is in the mix, it's a good idea to brush up on secure coding best practices and try your hand at hacking and patching real applications with Veracode Security Labs.
You can't fake it when it comes to security: hands-on-keyboard education is critical to jumping these (and other) hurdles as you create innovative applications. If you want to keep data safe and squash these risky bugs, you have to think like an attacker and avoid flaw-filled curveballs in the future. To learn more about which vulnerabilities are in the danger zone (and how to go about preventing them), check out our infosheet here. Vulnerability Threat Patching Guideline
Veracode.webp 2021-04-06 12:22:43 Introducing the Veracode Technology Alliance Program (direct link) At Veracode, we have long promoted and nurtured strong partnerships. Through our network of strategic partners, technical alliances, and integration partners, we believe that by working together, we can bring even more value to our customers. That's why we're excited to introduce our Technology Alliance Program (TAP). Through TAP, we make it easier for organizations to implement, manage, and scale their software security programs. The new program emphasizes our commitment to developing partnerships with adjacent technology providers that produce best-in-class technology integrations. With TAP, partners will be able to empower their customers with a structured framework to develop secure software at scale, modernize their environments with SaaS-based software security, and cost-effectively demonstrate the clear business value of secure coding. "Modern business applications are more complex than ever before, and even in the most rigorous Software Development Life Cycle (SDLC), the complexity of development means vulnerabilities will be introduced. As part of the Veracode Technology Alliance Program, we can deliver solutions for customers that protect the software supply chain and secure data from the most sophisticated cyberattacks facing organizations today."
- Michael McCollough, Global Vice President, Strategic Growth at Imperva Our Technology Alliance Program represents a new path forward in how we collaborate with our technology partners, driving the best possible integrations to delight customers and providing program benefits such as: association with the leader in software security; in-depth access to products; a developer toolkit with APIs; technical validation; and co-marketing opportunities. Simply put, by having best-of-breed scanning tools integrated into their software, Veracode TAP partners will have an easier time helping their customers deliver secure software faster. And this is just the start. Over time, we'll add more integrations and evolve our Technology Alliance Program to provide even greater resources, tools, and business opportunities for our partners. For more information on our TAP, including becoming a partner, contact us today. Guideline
Veracode.webp 2021-04-01 09:00:21 AppSec with LolCats: Click2Cat - the Security Extension to Veracode You Didn't Realize You Needed (direct link) Fixing security findings in your code can be hard. Sometimes you need help from other developers who have solved these problems before. Veracode provides one-on-one time with ex-developers who can coach you through different approaches to address security findings. But sometimes, you don't really want advice. Instead, you need a boost to help you get through the day of reducing risk in your software. Enter Veracode's Click2Cat feature - a quick pick-me-up while you are preparing that report about the security of your software. In 2017, Willa Riggins recognized a gap in Veracode's product offering: a lack of lolcats. As a leader of the manual penetration testing team, she took it upon herself to close this gap during a Veracode Hackathon. So the Click2Cat Chrome extension was born, and it makes getting a lolcat from the Veracode UI quick and easy. Download now to improve your flaw fixing experience today: https://github.com/willasaywhat/click2cat Real quotes from real Click2Cat users: I was struggling with how to fix a particularly nasty SQLi issue. Digging through the code in Veracode's Triage Flaw viewer I could see the taint source and the actual sink. Before I dug into the fix, I got myself a coffee and a quick lolcat, then I was ready to go! - Jennifurr B. There is nothing better to start my day of CRUSHING SECURITY DEBT than a lolcat - Katy Purry I ship customer value all day, so a little Click2Cat gives me the edge in solving tricky security problems that slow me down - Paul McCatney *note: lolcats can be fickle and sometimes wander away from the Veracode UI. LolCat Guideline
Veracode.webp 2021-03-29 13:04:14 Veracode Hacker Games: The Results Are In! (direct link) The first ever Veracode Hacker Games competition has come to a close, but were the flaws in favor of our brave competitors? Read on to find out. Over the course of the two-week challenge, students from several universities in the U.S. and the U.K. came together to explore vulnerabilities and threats that they'll one day face on the job. Competitors raced to exploit and patch real applications in Veracode Security Labs, a hands-on training platform that helps developers prepare for the threats they face daily. The top teams earned some epic prizes too: a $10,000 charitable donation to the first-place school and a $5,000 donation to the second-place school, along with individual prizes and complimentary Veracode software for participating universities for a whole year, so students can continue sharpening skills while in school. In short, the stakes were high, but the students did not disappoint! When all was said and done, competitors participating in the inaugural Veracode Hacker Games spent 51,859 minutes on labs in Veracode Security Labs - that's about 864 hours or 36 days of secure coding awesomeness! Guideline ★★★
Veracode.webp 2021-03-09 16:37:31 Veracode Wins IT Central Station's 2021 Peer Award for AST (direct link) Veracode was recently named the winner of IT Central Station's 2021 Peer Award for application security testing (AST). Winners were chosen based on reviews from verified customers to help prospective buyers make well-informed, smart business decisions. "Receiving positive feedback from our customers on the leading technology review site for cybersecurity, DevOps, and IT is a true testament to our products and services," said Mark Bissell, Chief Customer Officer at Veracode. The fact that our products are SaaS-based carries a lot of weight with our customers. As the manager of information technology at a Broadcom corporation stated, "[Veracode] is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning takes a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage." "We were skeptical about running scans with a cloud-based solution, but then we saw the benefits," said a cybersecurity expert from an IT consultancy company. "Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance." Our customers also appreciate that we help fix, not just find, flaws. A senior security analyst at a wellness & fitness company remarked, "If a scan fails to meet our standard, the build breaks and the flaws are remediated before releasing to stage and, ultimately, production where the potential impact is much more costly. We have discovered opportunities to make our code even better thanks to Veracode!"
Besides being the first native cloud-based AppSec vendor with a best-in-class secure coding tool and expert remediation, we were recently recognized by IT Central Station as a leading AST vendor for being DevSecOps friendly, offering multiple testing types, and keeping false positives to a minimum. To learn more about our recent awards, or to read customer reviews, please visit our page on IT Central Station. And for additional customer testimonials, check out our recent success stories. Guideline
Veracode.webp 2021-03-04 15:37:03 AppSec Bites Part 4: What Do Teams Implementing DevOps Practices Need to Know? (direct link) The key to successfully implementing DevOps practices is relationships. It's about breaking down the existing silos between different functions that deliver software, like development and operations. These functions need to work toward a common goal: efficient software delivery. The other relationship that is key to implementing DevOps is the relationship between security professionals and developers. Developers have had a historically strained working relationship with security professionals. Developers' performance is often linked to speed of deployments, but security professionals are more concerned with the security of the software. So, when security slows down production to conduct scans or remediate flaws, it can be stressful for developers. The first thing you should do to help strengthen the relationship is to establish a common goal. Both security professionals and developers should be working toward fast, secure deployments. Next, since part of DevOps is shifting security left, it needs to be done in a way that won't add too much extra work for developers. For example, automate and integrate the security scans into developers' existing processes. Finally, consider promoting people from within to lead the DevOps initiative. If you hire someone from outside that doesn't know the structure of your organization, it could cause increased tension and unnecessary delays. Count on your team to work together and find ways to successfully implement the new process. For additional information on implementing DevOps, listen to part 4 of our AppSec Bites podcast series with Threadfix. Guideline
Veracode.webp 2021-03-02 10:55:24 Top Security Anti-Patterns in ASP.NET Core Applications (direct link) Microsoft's ASP.NET Core enables users to more easily configure and secure their applications, building on the lessons learned from the original ASP.NET. The framework encourages best practices to prevent SQL injection flaws and cross-site scripting (XSS) in Razor views by default, provides a robust authentication and authorization solution, a Data Protection API that offers simplicity of configuration, and sensible defaults for session management. What could possibly go wrong? Let's break down a few scenarios where misusing security features and improperly overriding defaults may lead to serious vulnerabilities in your applications. We'll focus on MVC-based ASP.NET Core applications; however, most of the scenarios are equally applicable to Razor Pages. Not validating anti-forgery tokens properly Cross-Site Request Forgery (CSRF) attacks allow an attacker to trick a user into performing an action on a trusted web application, typically by getting the user to click on a link created by the attacker that will call the vulnerable application. A vulnerable application would have no idea that the malicious request triggered by the user was not intentional, and it would perform it. If the user was logged in during this time, the web browser would likely send the cookies with the request. To protect against this, tokens should be created by the web application that are then passed back on each request to the server. These tokens change regularly, so a link provided by an attacker would be detected due to the outdated or missing token, and subsequently discarded by the application. Because CSRF relies on a stateful, pre-existing session and on the session information being passed automatically via cookies, anti-forgery protection is less likely to be required for API endpoints, which are typically stateless.
ASP.NET Core provides a powerful toolset to prevent attacks using anti-forgery tokens. POST, PUT, PATCH and DELETE HTTP methods are the most likely to have significant side effects if REST guidelines have been followed, because these verbs are reserved for actions that alter state or data, and therefore they will require and validate anti-forgery tokens. For the sake of brevity we'll use POST as an example from here on. There are multiple ways to apply attribute-based filters to configure anti-forgery token validation, and the approaches may seem overwhelming: (1) ValidateAntiForgeryToken applied to each POST action in the controllers that would be exposed to requests; (2) ValidateAntiForgeryToken applied at the Controller level, exempting specific methods (most prominently those with GET actions) from validation using IgnoreAntiforgeryToken; (3) AutoValidateAntiforgeryToken applied globally to validate tokens on all relevant requests by default, and using IgnoreAntiforgeryToken to opt out of validation for specific actions if necessary. ASP.NET Core project templates and the code generation command-line interface create controller actions that use approach (1), with the ValidateAntiForgeryToken attribute attached to every action associated with updating data - that is, the ValidateAntiForgeryToken and HttpPost attributes are always used together: [HttpPost] [ValidateAntiForgeryToken] public async Task CreateSomething(Something something) While the result of the approach is valid, if the developer is writing the methods manually, they may easily forget to include the ValidateAntiForgeryToken attribute alongside the attribute designating the action, such as [HttpPost]. By default, neither ASP.NET Core nor the code editor wi Tool Guideline ★★★
Veracode.webp 2021-02-25 13:05:37 Announcing the First-Ever Veracode Hacker Games (direct link) "Destroying things is much easier than making them." This quote from The Hunger Games rings true in software; developers spend months perfecting their innovative applications only to see it all crumble at the nimble fingers of a speedy cyberattacker. So how do you beat them? Improve your secure coding know-how early on and keep it sharp. More than half of organizations in North America provide developers with some level of security training annually, or less often. A lack of consistent, accessible, and meaningful developer training can easily cause roadblocks as you're asked to shift security left and write more secure code earlier in your workflow. And as most coders graduate from college without foundational secure coding knowledge, it's increasingly important that developers (and developers-in-training) can access effective educational platforms throughout their careers to keep up with changes in vulnerabilities and coding best practices. That's why, to inspire the next generation of coders, we're excited to announce the Veracode Hacker Games! The newly-launched competition from Veracode brings together students from top universities in the U.S. and the U.K. over the course of two weeks to test their secure coding skills. Packed with real-world challenges, the games will be hosted using Veracode Security Labs, and will challenge the teams to quickly solve as many labs as possible to rack up points for their teams. Over the course of two weeks, contestants will explore vulnerabilities and threats that they'll face on the job, learning how a cyberattacker might exploit an application and then discovering how to fix and prevent those flaws in the future. It's practical training and valuable experience that they can take with them through their studies and beyond.
Because it's no easy feat to beat a serious flaw, we didn't skimp on the prizes. We're giving away over $15,000 overall, including a $10,000 donation to the first-place school and a $5,000 donation to the second-place school. We're also offering generous monetary prizes for individual contestants, and complimentary Veracode scanning software for participating universities so that students can continue refining their skills even after the games are over. Which schools are in? Here's a list of the universities participating in the inaugural Veracode Hacker Games: University of Virginia, Stonehill College, Queen's University Belfast, Northeastern University, University of Warwick, Tufts University, Indiana University, and University of Birmingham. While winning students might not get to take a lap around Victor's Village like in The Hunger Games, they'll walk away with bragging rights and some fresh secure coding skills to take with them into their careers. If you missed the signup for this competition, don't worry! You can reach out to us here and let us know that you're interested in getting your school involved. Start practicing early in the complimentary version of Veracode Security Labs. You can also track progress during the challenge by Studies Guideline
Veracode.webp 2021-02-01 12:07:49 Customer Q and A: Advantasure Developers Talk AppSec (direct link) Before selecting Veracode, Advantasure, a leader in the healthcare technology industry, was on the hunt for an AppSec program that would not only protect them against cyberattacks, but also prove compliance with laws and regulations in several states. After integrating Veracode's solutions and methodologies into their software development process, Advantasure reduced its time to remediation for high-severity flaws, sped up deployment, alleviated training burdens with Veracode eLearning, and enabled compliance with state and federal regulations. To dig into some of these successes, we recently sat down with members of the Advantasure development team to discuss how our AppSec solutions and methodologies have helped them improve their development processes, reduce risk, and foster a more collaborative environment. Those team members included Sue McTaggart, Senior Application Security Architect; Bindiya Pradhan, DevOps/Release Engineer II; Vladimir Shuklin, Senior Software Engineer; Yuri Shcherbakov, Senior Software Developer/Software Engineer III; and Clay Corrello, Lead Software Engineer. Read on to learn about the current state of AppSec from developers who face it every day. What does your role look like at Advantasure? Sue: I'm a Senior Application Security Architect at Advantasure and the product owner of Veracode. We use Static Analysis (including IDE Scan), Dynamic Analysis, Software Composition Analysis, and eLearning as well in our day-to-day work. When it comes to the several hundred developers I work with, it's important for me to empower them through training while coaching them to be successful. I'm passionate every day about making sure my program is successful while empowering the "doer." Bindiya: I'm a DevOps/Release Engineer II working as a Lead Configuration Engineer and Admin for the Veracode platform at Advantasure.
I've been with this company for 12 years now, and I have been in software development and engineering for 20 years. I've had all sorts of experience in this company from design to development, and I worked on the initial development of all the software. I was first involved with Client Implementation before I moved to Client Operations, then I shifted to a DevOps team for all of our automations and CI/CD pipeline implementation. I'm currently leading the Veracode configuration where I'm integrating Veracode with our CI/CD pipeline from development to integration of the scans. I can see how important security is. It used to be that developers thought security wasn't their problem and the security team would say the developers are coding so it should fall on them, but now with this shift to DevSecOps I can see both sides, so it's a great opportunity for me. Clay: I've been with Advantasure for a year, and the current role I have is Lead Software Engineer. I've been in the field for about 27 years. As a developer and as an architect, I spent a lot of time designing cloud-based microservices the past several years. Security is a big part of that, especially in the healthcare field given the sensitive nature. As a developer, we feel a lot of pressure to get things done, especially with the SAFe Agile model, and I've had experiences where security runs the risk of being overlooked - which it shouldn't be. So, I try to bring the focus on security to the work I do for Enrollment, and previously Billing, here at Adva Vulnerability Guideline
Veracode.webp 2021-01-19 13:02:38 Retail and Hospitality Sector Has Impressive Fix Rate, but Room to Improve (direct link) Over the past year, the retail and hospitality industries have been forced to adapt to the "new normal." Since lockdowns and health concerns have prevented or dissuaded in-person shopping or dining, the new normal has been e-commerce. Smaller businesses not equipped for the increase in e-commerce have had to undergo rapid digital transformation in order to stay afloat. But, unfortunately, e-commerce was not the only thing to increase in 2020. Cyberattackers have been taking advantage of the influx of digital activity. This is especially concerning because, according to our recent State of Software Security (SOSS) report, 76 percent of applications in the retail and hospitality sector have a security vulnerability and 26 percent have high-severity security vulnerabilities. But, on a positive note, our SOSS findings also revealed that when compared to other industries, retail and hospitality have the second-best fix rate and the best median time to remediate security flaws. This means that even though the industries might have a higher than usual number of flaws, they are quick to act and remediate those flaws. As Chris Eng, Chief Research Officer at Veracode, explains, "If retailers are constantly having to push out code containing business logic to support new promotions, that might account for the fix times." The SOSS report also examined how the "nature" of applications and how we "nurture" them contribute to the time it takes to close out a security flaw. We found that the "nature" of applications - like organization or application size, application age, or flaw density - can affect how long it takes to remediate a security flaw. But, taking steps to "nurture" the security of applications -
like using multiple application security (AppSec) testing types, scanning frequently and steadily, and utilizing APIs - can also influence how long it takes to remediate security flaws. For the retail and hospitality industries, we found that they have a low flaw density relative to other sectors, but the applications tend to be old and larger. We also found that the sector is not consistently using DevSecOps best practices like scanning frequently in an automated way. If developers start following the best practices regularly, the retail and hospitality industries can remediate flaws and chip away at security debt faster. Retail and hospitality nature vs nurture chart Flaws that the retail and hospitality sector should keep a close eye on include encapsulation, SQL injection, and credential management issues. These flaw types seem to be more prevalent in the retail and hospitality sector compared to other industries, and they can lead to a serious breach. In fact, injection flaws are considered by OWASP Top 10 to be the number one, most critical security risk to web applications. For more information on software security trends in the retail and hospitality industries, check out The State of Software Security Industry Snapshot. Vulnerability Guideline
Veracode.webp 2021-01-12 15:14:33 Veracode Named a Leader in The Forrester Wave: Static Application Security Testing, Q1 2021 (direct link) If you're looking to start or optimize an AppSec program in 2021, the Forrester Wave™ report is a good place to begin your research. The report not only details essential elements of AppSec solutions, but also ranks 12 static application security testing (SAST) vendors based on their current offering, strategy, and market presence. Development speeds and methods are changing and the requirements for a SAST solution are evolving as well. Forrester notes that SAST providers need to build their security solutions into the software development lifecycle (SDLC); integrate them into the CI/CD pipeline; protect new architectures like containers; and provide accurate, actionable results. To help development teams and security and risk professionals identify the industry's foremost SAST providers, Forrester conducted a 28-criterion evaluation. The research and analysis identified Veracode as a leader among SAST providers. The Forrester report noted, "For firms looking for an enterprise-grade SAST tool, Veracode remains a top choice." The Forrester report specifically mentions, "Veracode has invested in the developer experience." Veracode's SAST offering is fully cloud-based and offers three different levels of scans that aid developers: IDE Scan provides focused, real-time security feedback while the developer codes. It also helps developers remediate faster and learn on the job through positive reinforcement, remediation guidance, code examples, and links to Veracode application security (AppSec) tutorials. Pipeline Scan happens in the build phase. It directly embeds into teams' CI tooling and provides fast feedback on flaws being introduced on new commits. It helps answer the question, "is the code my team is writing secure?" 
Policy Scan reviews code before production to ensure that applications are meeting policy compliance and industry standards. It helps answer the question, "are my organization's applications secure?" Veracode also offers Security Labs, which trains developers to tackle evolving security threats by exploiting and patching real code. Through hands-on labs that use modern web apps, developers learn the skills and strategies that are directly applicable to their organization's code. Detailed progress reporting, email assignments, and a leaderboard encourage developers to continuously level up their secure coding skills. We believe prioritization is another important strength for Veracode. As the Forrester report states, "…Veracode's graphical representation of code flaws according to risk and ease of fix [are] unmatched in the market." In addition, the report states, "References complimented Veracode's premium support," and Veracode is highly rated by customers for remediation guidance. As one customer stated, "the relationship [with Veracode] really stands out." Learn more Download The Forrester Wave™: Static Application Security Testing, Q1 2021 report to learn more on what to look for in a SAST vendor and for more information on Veracode's position as a Leader. Patching Guideline ★★★★★
Veracode.webp 2021-01-07 09:18:28 How to Communicate Application Security Success to Your Executive Leadership (direct link) Over the past several years, there have been many changes to software development and software security, including new and enhanced application security (AppSec) scans and architectural shifts like serverless functions and microservices. But despite these advancements, our recent State of Software Security (SOSS) report found that 76 percent of applications have security flaws. Yet CISOs and application security program owners still find themselves having to justify and defend application security initiatives. Members of the Veracode Customer Advisory Board (CAB), a group of AppSec professionals in several industries, faced this challenge as well. In response, a working group subset of the CAB collaborated to establish a set of metrics that security professionals can use to establish, drive adoption, and operationalize their application security program. These data points should help inform decisions at different stages of program maturity while answering the basic question: is the application security program effective or not? How to determine and justify the required resources for an application security program AppSec managers need a justifiable AppSec approach and dataset that set parameters around the program, give a starting point, and set up how the program will grow over time. That approach starts with providing evidence that an application security program is necessary and that it will reduce risk. To show that an AppSec program is necessary, call attention to data points around flaw prevalence in applications (76 percent) or the average cost of a data breach ($3.86 million). 
Software security landscape today To show that AppSec programs reduce risk, consider stats like the one from our SOSS report that found that organizations scanning for security the most (more than 300 times per year) fix flaws 11.5x faster than organizations scanning the least. How to determine and prove that development teams are adopting software security practices AppSec success hinges on development buy-in and engagement. Therefore, proving that your AppSec program is effective requires evidence of developer adoption. Consider highlighting the rate at which development teams are taking advantage of APIs to integrate security into their processes. Then prove that developers are taking the time to fix the identified flaws by showing your developers' fix rate (the # of findings closed / the # of findings open). By examining the fix rate, you can see if developers are actively adopting AppSec practices by fixing - not just finding - vulnerabilities. The fix rate also shows you where additional training or resourcing investment is needed. How to determine if the application security program is operating efficiently AppSec programs are meant to be ongoing - not a one-off project with an end date. An effective AppSec program is ultimately a component of the software development process, just like QA, and the measures of success need to reflect that. A key metric here is the correlation between security activities early in the development process and the number of security flaws found in a release candidate or in production. For example, the figure below shows the relationship between security test Data Breach Guideline
Veracode.webp 2021-01-05 11:05:58 Announcing Veracode in AWS Marketplace: Streamlining Secure Software Development for AWS Customers (direct link) Digital transformation continues to accelerate, and with it, businesses continue to modernize their technological environments, leveraging developer-first cloud-native solutions to build, host, and secure their software. At Veracode, we continue to see customers leveraging large cloud providers, such as AWS, as a central platform to conduct these activities. Customers can take advantage of the many native services available from AWS as well as procure and manage relationships with AWS-certified partner solutions, such as Veracode, through the AWS Marketplace. Which is why we are pleased to announce the launch of our public listing of Veracode Security Labs on the AWS Marketplace. This listing also enables us to sell our full portfolio of solutions through AWS Marketplace Private Offers. Buying through Marketplace creates more buying options for customers and enables AWS customers to quickly purchase and deploy Veracode's leading SaaS software security solutions while centralizing billing through AWS. For AWS customers participating in AWS' Enterprise Discount Program (EDP), purchasing Veracode through the marketplace can drive additional benefits and potential savings with AWS as a portion of the cost of Veracode can be applied towards the [your] overall annual spending obligations with AWS. Since launch, several large customers in North America and Europe were successful in purchasing Veracode's solutions via the AWS Marketplace, and are recognizing the variety of benefits offered to them by AWS. Why Veracode? When it comes to building effective and secure applications on a tight schedule, security tools need to be flexible enough to integrate and automate seamlessly into existing processes and workflows, but capable enough to get the job done. 
Through Veracode's cloud-native application security (AppSec) solutions we aim to enable the speed, automation, and top-level scanning tools needed to write more secure code and continue hitting deadlines. With Veracode's solutions integrated into established processes, AppSec quickly becomes a competitive edge. In addition to the right scanning and testing tools embedded into critical stages of the software development lifecycle, Veracode enables organizations like yours to improve customer confidence through enhanced security, reduced risk, and proven compliance. AppSec management and measurement is simplified through reliable metrics, progress demonstration, and clear goals. In addition, Veracode's 1% false-positive rate means less time spent chasing the wrong flaws and more time ensuring your DevSecOps efforts stay on track to keep projects on schedule. It also means a shortened sales cycle that keeps businesses one step ahead of the competition. There's no need for lengthy security questionnaires with an established and functioning AppSec program, and sales are not lost due to security concerns from prospects. When Veracode's cloud-native SaaS platform is in place, it's possible to start scanning on day one to begin proving compliance and ensuring the quality of your code without missing a beat. Secure software from the start Having critical flexibility in the cloud with robust testing at your fingertips means that the security of your software is easier to manage to deployment and beyond. Through our integrations with AWS CodeStar and other developer tools, we deliver the critical functionality that developers need to initiate security scans - including right from AWS CodePipeline and AWS CodeBuild, saving vital remediation time. We also offer support for AWS Software Development Kits in Python, Node.js, and JavaScript, as well as support for Lambda functions. Re Guideline
Veracode.webp 2020-12-21 13:32:11 Veracode CEO on the Relationship Between Security and Business Functions: Security Can't Be Effective in a Silo (direct link) Veracode CEO Sam King says that security can't be successful, and in fact will become a blocker, if it operates in a silo. She recently sat down for a fireside chat with Mahi Dontamsetti, State Street CTRO, and Jim Routh, MassMutual CISO, to share her thoughts and observations on communicating about security to the Board and the overall connection between the security function and business functions. She notes that even though there are often designated technical experts on the Board, there is now an increased awareness around cybersecurity, even among the traditionally business-oriented members. So, it's important to tailor messages to the business functions so that they too can understand the organizations' risk posture. This doesn't mean that you should try to make everyone on the Board a cybersecurity expert, but King remarks that there should be a "baseline knowledge that all Board members have around cybersecurity." Mahi Dontamsetti agrees with King that cybersecurity should be communicated to all members of the Board in an easy-to-understand manner. Dontamsetti goes on to say that sometimes it's the non-technical experts who ask the best questions or have important insights into cybersecurity. They're sometimes able to fill in the "known unknowns." Jim Routh adds that Board members are actively seeking out cybersecurity knowledge. "Board members today go to classes to improve their skill through NACD or other associations," he said. "They're re-skilling and retooling themselves at a pretty significant pace, so that will give us more Board members with cybersecurity expertise." Routh also mentions the importance of level setting cybersecurity expectations with the Board. It shouldn't be about eliminating all cybersecurity incidents because that's unrealistic. 
The goal should be to "recover quickly when you have security incidents and minimize the business impact." And the whole organization needs to work toward that goal. "Every enterprise at any level of maturity today has to recognize that incident response for cybersecurity has to be a fabric for the entire enterprise. It's not just a siloed function in IT or in cybersecurity." How can you ensure that cybersecurity isn't siloed? Routh recommends identifying your top 10 cybersecurity risks and making sure that they are well known throughout the company, especially with senior leaders. Resources should be allocated to the top 10 risks and projects and initiatives around those risks should be prioritized. Not only should you come up with your top 10 cybersecurity risks, but it's also worth identifying your top 10 business strategies. King makes the point that "when you're looking at the top 10 of your business strategies as a company, regardless of whether you're a cybersecurity company like Veracode or you're a financial services company, or whatever industry you're in, cybersecurity has to be in that top 10." By making cybersecurity a top 10 business strategy, you ensure that executives and senior leaders are prioritizing risk mitigation strategies and, hopefully, integrating the strategies company-wide. If cybersecurity is siloed, departments may try to ignore security best practices for the sake of speed. King remarks that without cybersecurity integration, you may hear a lot of, "We're super excited about this project, but once we go to the security person there's going to be all of these different things that we have to be concerned about. And, will we be able to get it done or not?" But cybersecurity integration doesn't have to slow down processes. If you start your project with security best practices in mind from the very beginning, there won't be time-consuming or expensive rework down the line. 
And how about obtaining cybersecurity resources a Guideline
Veracode.webp 2020-12-11 11:15:19 How Password Hashing Algorithms Work and Why You Never Ever Write Your Own (direct link) Are you fascinated with cryptography? You're not alone: a lot of engineers are. Occasionally, some of them decide to go as far as to write their own custom cryptographic hash functions and use them in real-world applications. While understandably enticing, doing so breaks the number 1 rule of the security community: don't write your own crypto. How do hashing algorithms work and what's special about password hashing? What does it take for an algorithm to get ready for widespread production use? Is security through obscurity a good idea? Let's see. How does password hashing work? Before storing a user's password in your application's database, you're supposed to apply a cryptographic hash function to it. (You're not storing passwords in plain text, right? Good. Just asking.) Any cryptographic hash function converts an arbitrary-length input (a.k.a. "message") into a fixed-length output (a.k.a. "hash", "message digest"). A secure cryptographic hash function must be: Deterministic: hashing the same input should always render the same output. One-way: generating an input message based on a given output should be infeasible. Collision-resistant: finding two input messages that hash to the same output should also be infeasible. Highly randomized: a small change in input should lead to a significant and uncorrelated change in output (a.k.a. "the avalanche effect"). Without this property, applying cryptanalysis methods will allow making predictions about the input based on the Vulnerability Guideline ★★★
Veracode.webp 2020-10-29 13:04:48 A Software Security Checklist Based on the Most Effective AppSec Programs (direct link) Veracode's Chris Wysopal and Chris Eng joined Enterprise Strategy Group (ESG) Senior Analyst Dave Gruber and award-winning security writer and host of the Smashing Security podcast, Graham Cluley, at Black Hat USA to unveil the findings from a new ESG research report, Modern Application Development Security. The research is based on a survey of nearly 400 developers and security professionals, which explored the dynamic between the roles, their trigger points, the extent to which security teams understand modern development, and the buying intentions of application security (AppSec) teams. As the presenters went through the data, it led to a larger discussion about AppSec best practices and what steps organizations can take to mature their programs. Here are the best practices laid out during the presentation as an easy-to-follow checklist as well as supporting data from the ESG report. Application security controls are highly integrated into the CI/CD toolchain. In the ESG survey, 43 percent of organizations agreed that DevOps integration is most important to improving AppSec programs, but only 56 percent of respondents answered that they use a highly integrated set of security controls throughout their DevOps process. Integrating security measures into the CI/CD toolchain not only makes it easier for developers to run AppSec tests, but it also helps organizations discover security issues sooner, which speeds up time to deployment. Application security best practices are formally documented. In order to have a successful AppSec program, everyone needs to be on the same page regarding best practices. The CISO should help facilitate the formal documentation of AppSec best practices. Developers and security professionals can reference the list and use it to guide their decisions. 
Application security training is included as part of the ongoing development security training program. Developers have been increasingly tasked with implementing security measures, including writing secure code and remediating vulnerabilities. Most developers don't receive secure code training courses in college, so it is up to organizations to offer security training. But according to the survey, more than 20 percent of organizations only provide training when developers join the team. Developers should have multiple, at-leisure training opportunities throughout the year, like virtual or hands-on programs - such as Veracode Security Labs. Chris Wysopal pointed out the importance of human touchpoints as part of ongoing developer training. If someone is checking in on developers to make sure they're completing their training, they'll likely take it more seriously. Consider a security champions program. The security champions are developers who have an interest in learning about security. If you have at least one security champion on every scrum team, that person can help ensure that their peers are up to speed on the latest security training and best practices. Ongoing developer security training includes formal training programs, and a high percentage of developers participate. At-leisure security training is a great way for developers to learn on their own time. But it is also important to implement formal security training with a set completion date and a skills assessment. Without formal security training, developers may not develop the skills they need to write secure code and remediate vulnerabilities. This could lead to slower and more expensive deployments because of rework or vulnerable code being pushed to production. Accordin Tool Vulnerability Guideline Uber
Veracode.webp 2020-10-27 11:33:42 Announcing the 11th Volume of Our State of Software Security Report (direct link) Today, we released the 11th volume of our annual State of Software Security (SOSS) report. This report, based on our scan results, always offers an abundance of insights and information about software vulnerabilities - what they are, what's causing them, and how to address them most effectively. This year is no different. With last year's SOSS Volume 10, we spent some time looking at how much things had changed in the decade spanning Volume 1 to Volume 10. With Volume 11, we are going to look forward and consider the direction software development is headed. We are not trying to decide if we are doing better or worse than before, but looking at what kind of impact the decisions developers make have on software security. Some key takeaways: Most applications are vulnerable. Our analysis this year found that among 130,000 apps, 76 percent had at least one security flaw. But in the good news department, most apps do not have severe vulnerabilities. Only 24 percent had high-severity security flaws. Back to the bad news: fix rate is still an issue - half of security findings are still open 6 months after discovery. Open source code is expanding the attack surface. Applications increasingly include open source libraries; in fact, many now include more open source than first-party code. This year, we found that 97 percent of a typical Java application is made up of third-party code. And when we looked at our analysis of open source code through Software Composition Analysis vs. first-party code through Static Analysis, we found that almost one-third of all applications have more findings in third-party libraries than in the native code base. There are ways to "nurture" software security, even if the "nature" of your software is less than ideal. This year, we thought about what leads to the state of software security - is it "nature" 
or "nurture"? Is it the attributes of the app that the developer inherits - its security debt, its size - or is it the actions of the developers - how frequently they are scanning for security, or how security is integrated into their processes? And if it's "nature," is there anything developers or security pros can do to improve security outcomes? This year's research unearthed some surprising - and promising - data surrounding ways to "nurture" the security of your applications, even if the "nature" is less than ideal. For example, those who scan via API (and therefore are integrating and automating security testing) shorten the time to address half their flaws by 17.5 days. See below for the data highlights, and check out the full report for all the data details, plus our advice on how to use the story told by the numbers to improve your own application security program. Guideline
Veracode.webp 2020-10-14 10:35:14 Hot off the Press: Veracode Named a 2020 Gartner Peer Insights Customers' Choice for AST (direct link) Veracode has been officially recognized by Gartner Peer Insights as a 2020 Customers' Choice for Application Security Testing. The report includes Veracode's aggregate score of 4.6 out of 5 stars out of 95 independent customer reviews (as of July 31, 2020), and of the reviewers, 92 percent said that they would recommend Veracode's AST solutions. That Veracode, the largest global provider of application security testing (AST) solutions, received the Customers' Choice distinction just months after being named a Leader for the seventh consecutive time in the Gartner Inc. 2020 Magic Quadrant for Application Security Testing is a true testament to our solutions. "There is no greater endorsement than the voice and passion of our customers," said Sam King, CEO of Veracode. "This Customers' Choice distinction by Gartner Peer Insights reflects the impact of our best-in-class solutions and customer service. Veracode is committed to helping our customers navigate the ever-evolving application security landscape, with an impassioned focus on empowering developers to both find and fix code defects early in the development process. Thank you to all the Veracode customers worldwide that have made us their trusted partner in secure software delivery." What are our customers saying in their reviews on Gartner Peer Insights? Many tout Veracode's SaaS-based solution as a key benefit. "They operate a 'service-based solution' removing many of the obstacles typical of on-premises scan solutions," stated a May 22, 2020 review by the director of security and risk at a manufacturing company. Our customers also talk about how Veracode empowers developers to find and fix code defects early in the development process. 
A director of application development for the government sector remarked in a review on July 24, 2020: "[Veracode] was incredibly easy to implement and we had a high rate of developer adoption. We saw phenomenal results in reducing our security risk within the first six months. We are now several years into product implementation and have grown our adoption with both product and automation." To learn more about Gartner Peer Insights 2020 Customers' Choice for AST and what our customers have to say about our leading application security testing solutions, download the Peer Insights Voice of the Customer report. Disclaimer: Gartner Peer Insights Customers' Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates. Gartner Peer Insights "Voice of the Customer": Application Security Testing, Peer Contributors, 9 October 2020 Guideline
Veracode.webp 2020-10-14 10:00:02 Introducing Veracode's New Partner Training and Certification Paths (direct link) We are excited to announce the launch of our new partner training and certification paths, open to all authorized Veracode partners. Based on partner feedback, we have designed these paths to provide a deeper understanding of the Veracode story and technical details around application security (AppSec). By enlisting in our training and certification paths, we enable partners to expand their business and support customers in developing a comprehensive AppSec program. Some of the benefits of this new program: Free-of-charge, best-in-class trainings and certifications focused on AppSec. On-demand, self-paced paths that enable partners to learn what they want, when they want. Added visibility for individuals earning their certification with designated badges, showcasing the partner's AppSec expertise. Greater access to leads and joint opportunities for partners with certified individuals. These new training and certification paths give partners a choice of three levels of learning. Through on-demand, self-paced courses they can advance to the level of training that best suits their role - ultimately growing their business through application security offerings. Training levels With this deeper level of knowledge, partners can expand their customer base, and sales and technical teams can support their prospects and customers more effectively in building and managing their AppSec program. As always, we remain committed to our partners who do the important work of caring for customers - whether across the globe or in local and regional markets. We hope these new training and certification paths inspire further collaboration, increased business growth, and an even better experience for customers and prospects. 
For more information on our partner training and certification, please contact your Veracode regional channel manager or send an email to partners@veracode.com. Guideline
Veracode.webp 2020-10-05 11:42:27 Veracode Makes DevSecOps a Seamless Experience With GitHub Code Scanning (direct link) Developers face a bevy of roadblocks in their race to meet tight deadlines, which means they often pull from risky open source libraries and prioritize security flaws on the fly. In a recent ESG survey report, Modern Application Development Security, we saw that 54% of organizations push vulnerable code just to meet critical deadlines, and while they plan for remediation on a later release, lingering flaws only add to risky security debt. With speed a critical factor in what makes or breaks the success of your application deployments, that means the health of your code - and your security - is on the line. GitHub Actions are an intuitive way to solve the need for speed without sacrificing quality, helping your developers stay on schedule by enabling them to build, test, and deploy code directly from GitHub. And with over 50 million developers on GitHub, plus more than 200,000 automated fixes merged into GitHub repositories since May of 2019, it's clear that GitHub is a hotspot for developers. When paired with the right application security (AppSec) scan types and SaaS-based approaches, this integration makes GitHub Actions an invaluable part of your development team's workflow. That's why we're excited to announce our new GitHub Action to help streamline your AppSec workflow for the developers on your team. The action is directly embedded within the native GitHub code scanning user interface, ensuring your DevSecOps practices are seamless, efficient, and effective. By making Veracode's AppSec tools accessible in a familiar interface like GitHub, developers on your team can jump right into secure coding with critical testing and analysis that won't halt projects or slow production down. 
The Veracode solution to enhanced workflows Developers can perform Veracode's Static Policy Scan or Pipeline Scan and see the results of that scan within the GitHub Security tab. The ability to invoke Veracode's Static Analysis (SAST) scans from within their own GitHub projects significantly expands the testing capability for developers leveraging GitHub workflows, and allows them to build security into their DevOps processes to scale development across their team. That's less downtime and fewer bottlenecks for faster innovation. With such a high frequency of commits flowing through GitHub (more than 2,000 direct contributors made commit contributions to TensorFlow alone in 2019), Veracode's multi-scan and SaaS-based solutions mean that our customers have a leg-up when it comes to harnessing GitHub Actions for speed and efficiency. This functionality comes as part of GitHub code scanning launch, with our GitHub Action available in the GitHub Marketplace. "Veracode is a leader in application security and truly understands the importance of shifting left in the development lifecycle to enable teams to find and fix flaws at scale," says John Leon, VP of Business Development at GitHub. "With software development moving at breakneck speed, this new GitHub Action further enables our joint customers to develop secure software, without compromising speed or quality - all within a familiar interface." Guideline
Last update at: 2024-05-16 04:07:56