www.secnews.physaphae.fr This is the RSS 2.0 feed from www.secnews.physaphae.fr. It is a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr. 2024-05-16T16:01:05+00:00 www.secnews.physaphae.fr

Veracode - Application Security Research, News, and Education Blog Scaling DevSecOps with Dynamic Application Security Testing (DAST) The Role of DAST in Modern DevSecOps Practices In the swiftly evolving landscape of AI-driven software development, DevSecOps helps strengthen application security and quality. Dynamic Application Security Testing (DAST) is a key tool that helps scale your DevSecOps program by facilitating continuous and accurate security tests on running applications. DAST simulates real-world attacks, enabling you to identify security weaknesses and evaluate your application's defenses in response to actual attacks. Let's explore some actionable best practices to leverage DAST effectively and strengthen your DevSecOps initiatives. Seamless Integration into CI/CD Pipelines Incorporating DAST scans right into your continuous integration and delivery (CI/CD) pipelines helps detect runtime vulnerabilities earlier in your development process. This integration allows for automatic security testing with every code update, giving developers immediate feedback.
Catching vulnerabilities early means less… 2024-05-14T13:58:40+00:00 https://www.veracode.com/blog/secure-development/scaling-devsecops-dynamic-application-security-testing-dast www.secnews.physaphae.fr/article.php?IdArticle=8499782 False Tool,Vulnerability None None

Veracode - Application Security Research, News, and Education Blog Your Must-Know AI and Cloud-Native AppSec Insights at RSAC 2024 Are you looking to catch up on the latest in AI and cloud-native Application Security at RSAC 2024? Veracode is hosting a series of talks at our booth along with a series of programs at The W San Francisco. Here are all the details. Veracode at RSAC 2024: A Preview RSAC 2024 is around the corner and Veracode, a visionary provider of cloud-native Application Security testing solutions, will be at the forefront, showcasing groundbreaking innovations that are shaping the future of AppSec. This year, we are particularly excited to showcase the recent acquisition of Longbow Security, a strategic move that strengthens our commitment to providing comprehensive code-to-cloud security. According to App Developer Magazine, “The integration of Longbow into Veracode enables security teams to discover cloud and application assets quickly and easily assess their threat exposure using automated issue investigation and root cause analysis.
Longbow provides a centralized… 2024-04-29T10:49:21+00:00 https://www.veracode.com/blog/intro-appsec/your-must-know-ai-and-cloud-native-appsec-insights-rsac-2024 www.secnews.physaphae.fr/article.php?IdArticle=8490697 False Threat,Cloud None 1.00000000000000000000

Veracode - Application Security Research, News, and Education Blog New in Veracode Fix: Additional Language Support and Batch Fix We're excited to bring you two significant updates to Veracode Fix, our AI-powered security flaw remediation tool. Since we launched Fix nearly a year ago, two requests have dominated our customer feedback: Can we have it for ? Can you make it work for ? We recently launched a new version of Veracode Scan for VS Code that included Fix (with more IDEs to follow), which answered some of those requests, and now we're updating Fix to cover more languages and a new mode that will automatically apply the top-ranked fix. Veracode Batch Fix Using Fix in the Veracode CLI tool with the new --apply flag, you will be able to apply the top fix suggestion to the source code in one of two modes: Apply Single Finding to a Single File By supplying Veracode Fix with the results JSON file, the source code file to update, and the relevant issue ID (contained in the results file), you can apply the top-recommended fix to the source code file.
./… 2024-04-25T14:54:20+00:00 https://www.veracode.com/blog/secure-development/new-veracode-fix-additional-language-support-and-batch-fix www.secnews.physaphae.fr/article.php?IdArticle=8499783 False Tool None None

Veracode - Application Security Research, News, and Education Blog Enhancing Developer Efficiency With AI-Powered Remediation Traditional methods of flaw remediation are not equipped with the technology to keep pace with the rapid evolution of code generation practices, leaving developers incapable of managing burdensome and overwhelming security debt. Code security is still a critical concern in software development. For instance, when GitHub Copilot generated 435 code snippets, almost 36% of them had security weaknesses, regardless of the programming language. As it is, many developers are still unequipped with an automated method that can securely remediate issues in code. This blog delves into the paradigm shift brought about by Veracode Fix, an innovative AI solution designed to revolutionize automated flaw remediation. The Main Security Risks in Automated Code The emergence of automated code-generation tools has brought in a new era of efficiency and innovation. However, this progress comes with a variety of security risks that threaten the integrity and safety of applications.… 2024-04-23T10:54:54+00:00 https://www.veracode.com/blog/secure-development/enhancing-developer-efficiency-ai-powered-remediation www.secnews.physaphae.fr/article.php?IdArticle=8487447 False Tool None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog Speed vs Security: Striking the Right Balance in Software Development with AI Software development teams face a constant dilemma: striking the right balance between speed and security.
How is artificial intelligence (AI) impacting this dilemma? With the increasing use of AI in the development process, it's essential to understand the risks involved and how we can maintain a secure environment without compromising on speed. Let's dive in. The Need for Speed Speed is of the essence. Organizations are constantly striving to deliver code faster and innovate quickly to stay ahead of the competition. This need for speed has led to the adoption of AI and large language models (LLMs), which can generate code at an unprecedented rate. However, as with any rapid development process, there are risks involved. The Risks of AI in Software Development During my keynote address at Developer Week 2024, I highlighted the potential risks of using AI and LLMs without implementing appropriate security measures. Leveraging AI for fast development… 2024-04-17T09:25:20+00:00 https://www.veracode.com/blog/secure-development/speed-vs-security-striking-right-balance-software-development-ai www.secnews.physaphae.fr/article.php?IdArticle=8484169 False None None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog Veracode Advances Cloud-Native Application Security with Longbow Acquisition As I travel around the world meeting with customers and prospects, we often discuss the tectonic shifts happening in the industry. At the heart of their strategic initiatives, organizations are striving to innovate rapidly and deliver customer value with uncompromising quality and security, while gaining a competitive edge in the market. They are embracing DevOps methodologies and leveraging open-source technologies, accelerating deployments across multi-cloud environments to enhance agility and responsiveness.
The biggest challenge they face is acquiring a comprehensive view of all the assets in their portfolio as they are deployed across multi-cloud endpoints. Security teams are overwhelmed by alert fatigue coming from sometimes 20+ tools that each provide a different view of risk. The biggest challenge is aggregating this risk from disparate sources, prioritizing it, and identifying the next best action to take to secure their software assets. Compounding these… 2024-04-01T11:00:00+00:00 https://www.veracode.com/blog/security-news/veracode-advances-cloud-native-application-security-longbow-acquisition www.secnews.physaphae.fr/article.php?IdArticle=8474119 False Tool,Cloud None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog Veracode Customers Shielded from NVD Disruptions The US National Institute of Standards and Technology (NIST) has almost completely stopped analyzing new vulnerabilities (CVEs) listed in its National Vulnerability Database (NVD). Through the first six weeks of 2024, NIST analyzed over 3,500 CVEs with only 34 CVEs awaiting analysis.[1] Since February 13th, however, nearly half (48%) of the 7,200 CVEs received this year by the NVD are still awaiting analysis.[2] The number of CVEs analyzed has dropped nearly 80% to less than 750 CVEs analyzed. Other than a vague reference to establishing a consortium, the reasons behind this disruption remain a mystery. Thankfully, Veracode customers need not worry about this disruption because they have access to Veracode's proprietary database. Since the notice on February 13th, Veracode has released over 300 CVEs. Of these 300+, NVD has analyzed less than 15 of these CVEs. Read on to learn how Veracode SCA operates without NVD providing CVE analysis.
NVD Analysis … 2024-03-28T10:05:47+00:00 https://www.veracode.com/blog/research/veracode-customers-shielded-nvd-disruptions www.secnews.physaphae.fr/article.php?IdArticle=8472023 False Vulnerability None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog Resolving Simple Cross-Site Scripting Flaws with Veracode Fix In the last blog on fixing vulnerabilities with Veracode Fix, we looked at SQL Injection remediation in a Java application. Since then, we have released Fix support for Python (and PHP) and launched a new VS Code plugin that includes support for Fix. It seems appropriate, therefore, to look at resolving a problem in a Python app using Veracode Fix in the VS Code IDE. This time let's examine a simple cross-site scripting (XSS) weakness. What is an XSS Vulnerability? An XSS vulnerability occurs when an attacker injects malicious code into a trusted website, which is then executed in the browsers of unsuspecting users. This can lead to unauthorized access, data theft, or manipulation of user sessions. XSS vulnerabilities are commonly found in input fields, comments sections, or poorly validated user-generated content.
A simple demonstration example is often to enter the following text in a user input field: If an application does not sanitize… 2024-03-26T14:45:35+00:00 https://www.veracode.com/blog/intro-appsec/resolving-simple-cross-site-scripting-flaws-veracode-fix www.secnews.physaphae.fr/article.php?IdArticle=8471406 False Vulnerability None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog Security Debt: A Growing Threat to Application Security Understanding Security Debt Security debt is a major and growing problem in software development with significant implications for application security, according to Veracode's State of Software Security 2024 Report. Let's delve a bit deeper into the scope and risk of security debt, and gain some insights for application security managers to effectively address this challenge. Security debt refers to software flaws that remain unfixed for a year or more. These flaws accumulate over time due to various factors, including resource constraints, technical complexity, or lack of prioritization. Security debt can be categorized as critical or non-critical and can exist in both first-party and, maybe more worrying, third-party code. Prevalence and Impact of Security Debt According to recent research, 42% of active applications have security debt, with 11% carrying critical security debt that poses a severe risk to organizations.
Large applications are particularly susceptible, with 40% of… 2024-03-18T12:25:43+00:00 https://www.veracode.com/blog/managing-appsec/security-debt-growing-threat-application-security www.secnews.physaphae.fr/article.php?IdArticle=8466191 False Threat,Technical None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog A Timely Shift: Prioritizing Software Security in the 2024 Digital Landscape The release of the February 2024 White House Technical Report, Back to the Building Blocks: A Path Towards Secure Measurable Software, brings about a timely shift in prioritizing software security. Software is ubiquitous, so it's becoming increasingly crucial to address the expanding attack surface, navigate complex regulatory environments, and mitigate the risks posed by sophisticated software supply chain attacks. Let's explore the key insights from the White House Technical Report and delve into recommendations for integrating security across the software development lifecycle (SDLC). Securing Cyberspace Building Blocks: The Role of Programming Languages The White House's report emphasizes the programming language as a primary building block in securing the digital ecosystem. It highlights the prevalence of memory safety vulnerabilities and the need to proactively eliminate entire classes of software vulnerabilities.
The report advocates for the adoption of… 2024-03-13T11:17:26+00:00 https://www.veracode.com/blog/security-news/timely-shift-prioritizing-software-security-2024-digital-landscape www.secnews.physaphae.fr/article.php?IdArticle=8463264 False Vulnerability,Technical None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog Integrating Veracode DAST Essentials into Your Development Toolchain In today's fast-paced digital landscape, developers face increasing pressure to deliver secure applications within tight deadlines. With the emphasis on faster releases, it becomes challenging to prioritize security and prevent vulnerabilities from being introduced into production environments. Integrating dynamic application security testing (DAST) into your CI/CD pipeline helps you detect and remediate vulnerabilities earlier, when they are easier to fix. In this blog, we will explore the importance of DAST, provide a step-by-step guide on how to integrate Veracode DAST Essentials into your CI/CD pipeline, and show you how to get started with a free, 14-day trial of DAST Essentials today. The Significance of DAST DAST plays a vital role in securing modern applications. Shockingly, according to Veracode's State of Software Security Report, 80% of web applications have critical vulnerabilities that can only be identified through dynamic testing.
By simulating real-world attacks, DAST… 2024-03-04T13:29:00+00:00 https://www.veracode.com/blog/secure-development/integrating-veracode-dast-essentials-your-development-toolchain www.secnews.physaphae.fr/article.php?IdArticle=8459325 False Vulnerability None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog The Risks of Automated Code Generation and the Necessity of AI-Powered Remediation Modern software development techniques are creating flaws faster than they can be fixed. While using third-party libraries, microservices, code generators, large language models (LLMs), etc., has remarkably increased productivity and flexibility in development, it has also increased the rate of generating insecure code. An automated and intelligent solution is needed to bridge the widening gap between the introduction and remediation of flaws. Let's explore the potential dangers of modern methods of automated code generation and the need for a secure and automated mode of flaw remediation. Automated Methods That Produce Insecure Code Code Generators These tools can generate code based on specific inputs or templates that developers provide, such as feature specifications, design patterns, or other parameters. This accelerates development cycles, reduces errors, and maintains consistency across an application.
Examples include Swagger… 2024-03-04T12:48:36+00:00 https://www.veracode.com/blog/secure-development/risks-automated-code-generation-and-necessity-ai-powered-remediation www.secnews.physaphae.fr/article.php?IdArticle=8458927 False Tool None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog Data-driven Strategies for Effective Application Risk Management in 2024 Insecure software is significantly impacting our world. In a recent statement, CISA Director Jen Easterly declared: “Features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion. That has to stop... We are at a critical juncture for our national security.” Our State of Software Security 2024 report explores a key area this trade-off of speed to market prioritized against security has resulted in: security debt. Our data shows that nearly half of organizations have persistent, high-severity flaws that constitute critical security debt. We also reveal what organizations without it are doing right. Here's how to leverage this new data to enhance application risk management practices in 2024. Understanding the State of Software Security 2024 Though the world of technology is rapidly evolving, one thing hasn't changed: all software security comes back to code and vulnerabilities. New solutions, like Cloud-… 2024-02-28T07:00:00+00:00 https://www.veracode.com/blog/research/data-driven-strategies-effective-application-risk-management-2024 www.secnews.physaphae.fr/article.php?IdArticle=8456489 False Vulnerability None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog Veracode Scan for VS Code: Now with Veracode Fix Veracode is pleased to announce the availability of Veracode Fix capability in Veracode Scan for VS Code.
Now developers can discover and remediate security flaws using Veracode's Generative AI-powered tools directly from their Integrated Development Environment (IDE). According to the Veracode State of Software Security, 45.9% of organizations have critical security debt. The fact that this data comes from organizations who are actively testing their software with a high-quality solution implies that it's not finding flaws that is the problem: it's fixing them. Last year we introduced Veracode Fix, an AI assistant that can take the results of a Veracode Static scan and allow developers to apply suggested fixes directly to their code. Veracode Fix cuts the time to research and implement a fix for a given finding to minutes, while still keeping the developer in control. Fix was implemented as part of the Veracode CLI utility, which is available for Linux, Windows, and macOS. A… 2024-02-27T14:58:43+00:00 https://www.veracode.com/blog/customer-news/veracode-scan-vs-code-now-veracode-fix www.secnews.physaphae.fr/article.php?IdArticle=8456059 False Tool None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog Practical Steps to Prevent SQL Injection Vulnerabilities In today's digital landscape, web applications and APIs are constantly under threat from malicious actors looking to exploit vulnerabilities. A common and dangerous attack is a SQL injection. In this blog, we will explore SQL injection vulnerabilities and attacks, understand their severity levels, and provide practical steps to prevent them. By implementing these best practices, you can enhance the security of your web applications and APIs. Understanding SQL Injection Vulnerabilities and Attacks SQL injection attacks occur when hackers manipulate an application's SQL queries to gain unauthorized access, tamper with the database, or disrupt the application's functionality.
These attacks can lead to identity spoofing, unauthorized data access, and chained attacks. SQL injection is a technique where hackers inject malicious SQL queries into a web application's backend database. This vulnerability arises when the application accepts user input as a SQL statement that the database… 2024-02-26T15:17:44+00:00 https://www.veracode.com/blog/secure-development/practical-steps-prevent-sql-injection-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8456060 False Vulnerability,Threat,Guideline,Technical None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog Addressing the Threat of Security Debt: Unveiling the State of Software Security 2024 Today, I'm proud to share our 14th annual State of Software Security report. Our 2024 report shines a spotlight on the pressing issue of security debt in applications, and it provides a wake-up call to organizations worldwide. The demand for speed and innovation has resulted in the accumulation of risk known as security debt. As Chief Research Officer at Veracode, I'm deeply committed to empowering businesses to confront the challenges posed by security debt. Let's dive in. The Changing Landscape of Software and Cybersecurity Our 2024 report research began based on findings from our 2023 report. We explored factors that affect flaw introduction, remediation times, and security debt. We found that applications grow by about 40% year on year irrespective of their original size. As these apps grow and age, flaws accumulate, further driving up security debt. This year we sought to figure out, “How risky is security debt really? Is it worth tackling?
And if it'… 2024-02-14T00:30:00+00:00 https://www.veracode.com/blog/research/addressing-threat-security-debt-unveiling-state-software-security-2024 www.secnews.physaphae.fr/article.php?IdArticle=8449989 False Threat None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog A Getting Started Guide to Veracode DAST Essentials The Critical Role of Dynamic Application Security Testing (DAST) Web applications are one of the most common vectors for attacks, accounting for over 40% of breaches, according to Verizon's Data Breach Report. Dynamic application security testing (DAST) is a crucial technique used by development teams and security professionals to secure web applications in the software development lifecycle. In fact, Veracode's State of Software Security Report reveals that 80% of web applications have critical vulnerabilities that can only be found with a dynamic application security testing solution. But modern software development practices prioritize tight deadlines. The demand is for faster releases without introducing vulnerabilities, making it difficult for teams to prioritize security. Security testing needs to work and scale within your DevOps speed and release frequency. Getting Started with Veracode DAST Essentials Veracode DAST Essentials is a dynamic application… 2024-02-05T10:45:38+00:00 https://www.veracode.com/blog/intro-appsec/getting-started-guide-veracode-dast-essentials www.secnews.physaphae.fr/article.php?IdArticle=8449990 False Data Breach,Vulnerability None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog Digital Operational Resilience Act (DORA): Compliance from a Software Security POV Regulatory frameworks play a crucial role in ensuring the resilience and security of organizations.
One such regulation that has garnered significant attention is the Digital Operational Resilience Act (DORA). Here are the key aspects of DORA, as well as guidance for how to ensure compliance with it while measurably reducing risk to your business. DORA Timeline and Overview DORA, governed by three European authorities - the banking authority, the insurance and pension authority, and the securities and markets authority - is set to come into force on 17 January 2025. This act aims to establish security requirements for companies within the financial sector and their third-party service providers. One driving force behind why you need to pay attention to DORA is that it's a regulation and not a directive. A regulation means that come January 2025, it's in effect without anything else needing to happen as far as being translated into laws; a directive would mean it… 2024-02-02T13:13:08+00:00 https://www.veracode.com/blog/security-news/digital-operational-resilience-act-dora-compliance-software-security-pov www.secnews.physaphae.fr/article.php?IdArticle=8446086 False None None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog Essential Cloud Security Tools for Effective DevSecOps Implementation of a DevSecOps approach is the most impactful key factor in the total cost of a data breach. Successful DevSecOps in a cloud-native world is aided by the right tools. Here are a handful of the most essential cloud security tools and what to look for in them to aid DevSecOps. Top Essential Cloud Security Tool for DevSecOps: Software Composition Analysis Software Composition Analysis (SCA) is the bread and butter of cloud security tools for effective DevSecOps and securing the software supply chain. Why it matters: open-source software (OSS) is handy, but it comes with a few catches. There are vulnerabilities, missed updates, and license risk to be worried about.
That's where SCA comes in. SCA takes a proactive approach to finding these risks early. A few things you want to look out for when picking the right SCA tool for you:
Continuous Monitoring
Reporting & Analytics with Peer Benchmarking
Remediation Guidance & Fix Suggestions
Dependency… 2024-01-22T05:10:56+00:00 https://www.veracode.com/blog/managing-appsec/essential-cloud-security-tools-effective-devsecops www.secnews.physaphae.fr/article.php?IdArticle=8441712 False Data Breach,Tool,Vulnerability,Cloud None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog Announcing Veracode Scan: A Unified SAST and SCA IDE Plugin Veracode is pleased to announce the availability of a new Integrated Development Environment (IDE) plugin: Veracode Scan. Veracode Scan combines both Veracode Static Analysis (SAST) and Software Composition Analysis (SCA) into a single plugin. This allows developers to quickly scan projects for security weaknesses and risks in both first-party code and third-party libraries. The Benefits of a Combined SAST and SCA Plugin Scanning projects with SCA and SAST is important to make sure that both the code and libraries are as safe as possible. Making these tools available natively in the IDE in a single plugin makes performing security checks both faster and easier. Scanning code early in the software development process reduces both the cost of remediating flaws and the chances of flaws making it into production.
How Veracode Scan Works Veracode Scan takes care of packaging and sending artifacts to the Veracode static scanner, and then returns the results of scans… 2024-01-18T17:51:52+00:00 https://www.veracode.com/blog/customer-news/announcing-veracode-scan-unified-sast-and-sca-ide-plugin www.secnews.physaphae.fr/article.php?IdArticle=8440715 False Tool None 3.0000000000000000

Veracode - Application Security Research, News, and Education Blog Implementing AI: Balancing Business Objectives and Security Requirements Artificial Intelligence (AI) and machine learning have become integral tools for organizations across various industries. However, the successful adoption of these technologies requires a careful balance between business objectives and security requirements. I sat down with Glenn Schmitz, the Chief Information Security Officer of the Department of Behavioral Health and Developmental Services in Virginia, as he shared valuable insights on implementing AI while ensuring safety, security, and ethical considerations. Here are some of the key takeaways. Understanding Business Objectives and Security Requirements Starts with Fundamentals When Schmitz joined the organization, he recognized the need to understand the overall security maturity level. By aligning business objectives with security requirements, he aimed to enable the business to achieve its goals in a safe and secure manner. Schmitz shared: "I started at a very fundamental level.
Security is here to protect the business and… 2024-01-16T12:16:39+00:00 https://www.veracode.com/blog/managing-appsec/implementing-ai-balancing-business-objectives-and-security-requirements www.secnews.physaphae.fr/article.php?IdArticle=8439626 False Tool None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog Introducing Dynamic Analysis MFA: Automated Support for MFA Setups Veracode has recently introduced a new feature called Dynamic Analysis MFA, which provides automated support for multi-factor authentication (MFA) setups during dynamic analysis scans. This eliminates the need for you to disable or manually support your MFA configurations when conducting security testing. Understanding Dynamic Analysis MFA When we log into applications, we usually use a username and password, which is considered one-factor authentication. However, to enhance security and reduce the risk of passwords being lost or stolen, multi-factor authentication (MFA) was introduced. MFA adds an extra layer of security by requiring an additional step, such as using a hardware key, receiving a text message, or entering a code from an authenticator app. MFA has become more common for web applications as web security becomes a higher priority, but some security testing tools require users to disable or manually support their MFA setups during application security testing.
This can be… 2024-01-08T10:54:45+00:00 https://www.veracode.com/blog/managing-appsec/introducing-dynamic-analysis-mfa-automated-support-mfa-setups www.secnews.physaphae.fr/article.php?IdArticle=8437171 False Tool None 2.0000000000000000

Veracode - Application Security Research, News, and Education Blog Securing JavaScript: Best Practices and Common Vulnerabilities JavaScript is the most commonly used programming language, according to the most recent StackOverflow developer survey. While JavaScript offers great flexibility and ease of use, it also introduces security risks that can be exploited by attackers. In this blog, we will explore vulnerabilities in JavaScript, best practices to secure your code, and tools to prevent attacks. Understanding JavaScript Vulnerabilities This article explores the common vulnerabilities related to JavaScript security and provides best practices to secure your code. If you're short on time, you can begin by using Veracode DAST Essentials, a JavaScript security scanner, to identify potential vulnerabilities. Running this tool will quickly generate reports, highlight your specific vulnerabilities, and provide clear instructions on how to remediate them.
JavaScript Source Code Vulnerabilities JavaScript developers typically rely on integrating numerous public or open-source packages and libraries containing…]]> 2024-01-08T09:39:09+00:00 https://www.veracode.com/blog/intro-appsec/securing-javascript-best-practices-and-common-vulnerabilities www.secnews.physaphae.fr/article.php?IdArticle=8436672 False Tool,Vulnerability None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Que rechercher dans un scanner de vulnérabilité open source<br>What To Look For in an Open Source Vulnerability Scanner One of the top security concerns we hear from technology leaders is about the security of open source software (OSS) and cloud software development. An open source vulnerability scanner (for scanning OSS) helps you discover risk in the third-party code you use. However, just because a solution scans open source does not mean you are ultimately reducing security risk with it. Here is what to look for in an open source vulnerability scanner and security testing solution to find and fix vulnerabilities in OSS.   Background on Vulnerabilities in Open Source and What the Risk Looks Like  Before we can talk about what to look for in a scanning solution, we need to talk about the vulnerabilities the tools are looking for. Born in 1999, the National Vulnerability Database (NVD) was a product of the National Institute of Standards and Technology (NIST) made to be “the U.S. 
government repository of standards based vulnerability management data.” It represents an index of known vulnerabilities…]]> 2024-01-04T13:35:17+00:00 https://www.veracode.com/blog/intro-appsec/what-look-open-source-vulnerability-scanner www.secnews.physaphae.fr/article.php?IdArticle=8434588 False Tool,Vulnerability,Cloud None 3.0000000000000000 Veracode - Application Security Research, News, and Education Blog Utilisation de la correction de Veracode pour résoudre un défaut d'injection SQL<br>Using Veracode Fix to Remediate an SQL Injection Flaw Introduction  In this first in a series of articles looking at how to remediate common flaws using Veracode Fix – Veracode\'s AI security remediation assistant, we will look at finding and fixing one of the most common and persistent flaw types – an SQL injection attack. An SQL injection attack is a malicious exploit where an attacker injects unauthorized SQL code into input fields of a web application, aiming to manipulate the application\'s database. By manipulating input parameters, attackers can trick the application into executing unintended SQL commands. This can lead to unauthorized access, data retrieval, modification, or even deletion. Successful SQL injection attacks compromise data integrity and confidentiality, posing serious security risks. 
Example Code and Analysis Let\'s look at a weakness in the source code of the deliberately vulnerable (and freely available) Verademo application, specifically the UserController.java source file found in the application repository in…]]> 2024-01-02T18:16:59+00:00 https://www.veracode.com/blog/secure-development/using-veracode-fix-remediate-sql-injection-flaw www.secnews.physaphae.fr/article.php?IdArticle=8433067 False Threat None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Derrière la reconnaissance: pourquoi nous croyons que nous sommes un Gartner & Reg;Clients de Peer Insights ™ ™ \\ 'Choice 2023<br>Behind the Recognition: Why We Believe We\\'re a Gartner® Peer Insights™ Customers\\' Choice 2023 As 2023 comes to a close, we aim to inspire excellence by highlighting our customers\' dedication to a more secure world. Thanks to you, we are honored to be (for the fourth consecutive year) recognized as a 2023 Gartner® Peer Insights™ Customers\' Choice. Let\'s explore some of the stories that make this recognition possible.  Veracode Named a 2023 Gartner® Peer Insights™ Customers\' Choice for the Fourth Consecutive Year  Veracode is recognized by Gartner® Peer Insights™ in 2023 as a Customers\' Choice for Application Security Testing – for the fourth consecutive year. This distinction, in more detail below, is based on meeting or exceeding user interest, adoption, and overall experience. We believe what makes Veracode a Gartner® Peer Insights™ Customers\' Choice for the fourth consecutive year is what we call: customer obsession. We constantly strive to understand both the problems and North Star our customers face so we can be the partner you truly need.  
Our Partnership: Stories…]]> 2023-12-21T11:35:53+00:00 https://www.veracode.com/blog/customer-news/behind-recognition-why-we-believe-were-gartnerr-peer-insightstm-customers-choice www.secnews.physaphae.fr/article.php?IdArticle=8426873 False Commercial None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog 4 façons dont le correctif Veracode change la donne pour DevSecops<br>4 Ways Veracode Fix Is a Game Changer for DevSecOps In the fast-paced world of software development, too often security takes a backseat to meeting strict deadlines and delivering new features. Discovering software has accrued substantial security debt that will take months to fix can rip up the schedules of even the best development teams.   An AI-powered tool that assists developers in remediating flaws becomes an invaluable asset in this context. In Veracode Fix, we\'ve harnessed the capabilities of generative AI to build a specialized tool that allows developers to remediate flaws within minutes without manually writing a single line of code.   Watch this 3-minute demo of how you can easily take flawed code and use Veracode Fix to generate easily-implemented remediation suggestions.  4 Major Benefits of Veracode Fix in DevSecOps  Here are four ways that Veracode Fix supercharges DevSecOps and your SDLC with the swift remediation of security flaws.  1. 
Tackle Security Debt with Rapid Flaw Remediation  One of the most significant…]]> 2023-12-20T14:21:01+00:00 https://www.veracode.com/blog/managing-appsec/4-ways-veracode-fix-game-changer-devsecops www.secnews.physaphae.fr/article.php?IdArticle=8426298 False Tool None 3.0000000000000000 Veracode - Application Security Research, News, and Education Blog Ce que nos experts en sécurité ont discuté chez AWS RE: Invent 2023<br>What Our Security Experts Discussed at AWS re:Invent 2023 The landscape of coding is changing as developers embrace AI, automation, microservices, and third-party libraries to boost productivity. While each new approach enhances efficiency, like a double-edged sword, flaws and vulnerabilities are also introduced faster than teams can fix them. Learn about one of the latest innovations solving this in a recap of what our security experts discussed at AWS re:Invent 2023.  Veracode Fix: A Game Changer in Flaw Remediation for Developers During their AWS on Air segment, our experts, Vice President of Strategic Product Management, Tim Jarrett, and Senior Solutions Architect, Eric Kim, shared how Veracode Fix is a new game-changing tool that helps developers cut down the flaw remediation process from months to minutes.  Leveraging the power of AI, the tool allows developers to easily reduce security issues by generating suggested fixes for existing code that is flawed and vulnerable.   While many AI-powered coding tools are designed to help write…]]> 2023-12-14T12:07:06+00:00 https://www.veracode.com/blog/managing-appsec/what-our-security-experts-discussed-aws-reinvent-2023 www.secnews.physaphae.fr/article.php?IdArticle=8422759 False Tool,Vulnerability None 3.0000000000000000 Veracode - Application Security Research, News, and Education Blog État des vulnérabilités log4j: combien Log4Shell a-t-il changé?<br>State of Log4j Vulnerabilities: How Much Did Log4Shell Change? 
December 9 marks two years since the world went on high alert because of what was deemed one of the most critical zero-day vulnerabilities ever: Log4Shell. The vulnerability that carried the highest possible severity rating (10.0) was in Apache Log4j, an ubiquitous Java logging framework that Veracode estimated at the time was used in 88 percent of organizations.  If exploited, the zero-day vulnerability (CVE-2021-44228) in Log4j versions Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) would allow attackers to perform a remote code execution (RCE) attack and compromise the affected server.  It triggered a massive effort to patch affected systems, estimated to be in the hundreds of millions. The apocalypse that many feared didn\'t happen, but given its pervasiveness, the U.S. Department of Homeland Security\'s Cyber Safety Review Board determined that fully remediating Log4Shell would take a decade.  The two-year anniversary of Log4Shell is a good…]]> 2023-12-07T13:23:31+00:00 https://www.veracode.com/blog/research/state-log4j-vulnerabilities-how-much-did-log4shell-change www.secnews.physaphae.fr/article.php?IdArticle=8420198 False Vulnerability,Threat None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Recommandations de gestion de la vulnérabilité open source pour 2024<br>Open Source Vulnerability Management Recommendations for 2024 Stepping in 2024, the dynamics of open source vulnerability management are shifting. Rapid changes to software development demand a more nuanced approach to open source security from practitioners. From redefining risk to the cautious integration of auto-remediation, here are the pivotal recommendations for successful open source vulnerability management in 2024 and beyond.  1. Embrace the Permanence of Open Source (& It\'s Vulnerabilities)  We\'ve known it for years; open source is here to stay. 
Github\'s Octoverse report tells us: “A whopping 97% of applications leverage open-source code, and 90% of companies are applying or using it in some way.”  The permanence (and risk) of open source is proven by the White House\'s Executive Order on Improving the Nation\'s Cybersecurity. It places huge importance on open source vulnerability management, calling it out specifically: “Developers often use available open source and third-party software components to create a product...…]]> 2023-12-04T12:06:25+00:00 https://www.veracode.com/blog/managing-appsec/open-source-vulnerability-management-recommendations-2024 www.secnews.physaphae.fr/article.php?IdArticle=8419121 False Vulnerability None 3.0000000000000000 Veracode - Application Security Research, News, and Education Blog Comment l'analyse dynamique vous aide à améliorer l'automatisation des DevSecops<br>How Dynamic Analysis Helps You Enhance Automation for DevSecOps DevSecOps, also known as secure DevOps, represents a mindset in software development that holds everyone accountable for application security. By fostering collaboration between developers and IT operations and directing collective efforts towards better security decision-making, development teams can deliver safer software with greater speed and efficiency.  Despite its merits, implementing DevSecOps can introduce friction into the development process. Traditional tools for testing code and assessing application security risk simply weren\'t built for the speed that DevOps testing requires. To navigate these challenges, development teams need to start with automated testing tools, as relying on manual processes can\'t possibly keep pace with accelerated development timelines. Automation is considered key to continuous integration of security analysis and threat mitigation of dynamic workflows. 
As an extension of DevOps principles, DevSecOps automation helps integrate security testing…]]> 2023-12-04T10:39:37+00:00 https://www.veracode.com/blog/secure-development/how-dynamic-analysis-helps-you-enhance-automation-devsecops www.secnews.physaphae.fr/article.php?IdArticle=8420199 False Tool,Threat None 3.0000000000000000 Veracode - Application Security Research, News, and Education Blog Empêcher les vulnérabilités de contrôle d'accès brisé dans les applications Web<br>Preventing Broken Access Control Vulnerabilities in Web Applications Understanding Broken Access Control Access control is crucial for modern web development as it enables the management of how users, processes, and devices should be granted permissions to application functions and resources. Access control mechanisms also determine the level of access permitted and manifest activities carried out by specific entities. Broken access control vulnerabilities arise when a malicious user abuses the constraints on the actions they are allowed to perform or the objects they can access. Attackers typically leverage access control failures to gain unauthorized access to resources within the web application, run malicious commands, or gain a privileged user\'s permission.  This blog discusses broken access control vulnerabilities and common prevention techniques to better secure your web applications. Access control issues enable unauthorized users to access, modify, and delete resources or perform actions that exceed their intended permissions. 
Broken access…]]> 2023-12-01T13:50:00+00:00 https://www.veracode.com/blog/managing-appsec/preventing-broken-access-control-vulnerabilities-web-applications www.secnews.physaphae.fr/article.php?IdArticle=8418397 False Vulnerability None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Top 5 des risques de sécurité open source Les dirigeants informatiques doivent connaître<br>Top 5 Open Source Security Risks IT Leaders Must Know Lurking in the open source software (OSS) that pervades applications around the world are open source security risks technology leaders must be aware of. Software is one of technology\'s most vulnerable subsets with over 70% of applications containing security flaws. Here are the open source security risks IT leaders must be aware of to protect technology and help it scale safely.  Why Address Open Source Software Security Risks  On December 9, 2021, a Tweet exposed a vulnerability in the widely-used OSS library Log4j. It didn\'t take long before attackers around the world were working to exploit the Log4j vulnerability. This incident was a wake-up call to how the security of a library can quickly change and proactive measures must be in place to protect from this danger.   Log4j is just one example of how vulnerabilities in open source pose significant risks that can impact operations, data security, and overall IT health. 
Strategic technology choices can make a big impact on how much…]]> 2023-11-27T16:01:16+00:00 https://www.veracode.com/blog/intro-appsec/top-5-open-source-security-risks-it-leaders-must-know www.secnews.physaphae.fr/article.php?IdArticle=8417632 False Vulnerability,Threat None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog DevseCops Best Practices: Tireing Veracode Dast Essentials<br>DevSecOps Best Practices: Leveraging Veracode DAST Essentials DevSecOps is a modern approach to software development that implements security as a shared responsibility throughout application development, deployment, and operations. As an extension of DevOps principles, DevSecOps helps your organization integrate security testing throughout the software development life cycle. In this blog, we discuss DevSecOps best practices and practical steps to producing secure software. Understanding DevOps  DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the development life cycle and help you deliver software faster. DevOps is complementary to agile software development; several DevOps aspects came from the agile methodology. The concept of DevOps practices and agility is nothing new for most companies and developers - most well-known frameworks (e.g., Scrum, XP, etc.) are applied in many teams throughout organizations.  
The Power of DevSecOps  DevOps primarily aims to expedite the…]]> 2023-11-20T19:09:05+00:00 https://www.veracode.com/blog/secure-development/devsecops-best-practices-leveraging-veracode-dast-essentials www.secnews.physaphae.fr/article.php?IdArticle=8415582 False None None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Les nouvelles données révèlent les meilleurs moteurs de logiciels sécurisés dans le secteur des services financiers<br>New Data Reveals Top Drivers of Secure Software in Financial Services Sector Across the globe, the financial services sector is affected by increased security regulations. To name a few, there is the United States\' Executive Order on Improving the Nation\'s Cybersecurity, the European Union\'s NIS2 Directive, the SEC\'s new rules on disclosures, and ISO 20022. With so much pressure on the sector, Veracode is proud to present new data, looking specifically at organizations in this industry, that reveals the top drivers security teams can employ to measurably reduce their software security risk.   "The security performance of financial applications generally outperforms other industries, with automation, targeted security training, and scanning via Application Programming Interface (API) contributing to a year-over-year reduction in the percentage of applications containing flaws,” shared our press release coverage of the research on 25 October, 2023.   Let\'s dissect this research from the State of Software Security 2023 in Financial Services in more detail.  
Data…]]> 2023-11-15T12:31:18+00:00 https://www.veracode.com/blog/research/new-data-reveals-top-drivers-secure-software-financial-services-sector www.secnews.physaphae.fr/article.php?IdArticle=8412463 False None None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Sécuriser vos applications Web et vos API avec Veracode Dast Essentials<br>Securing Your Web Applications and APIs with Veracode DAST Essentials Web applications are one of the most common vector for breaches, accounting for over 40% of breaches according to Verizon\'s 2022 Data Breach Report. Ensuring that your web applications are sufficiently protected and continue to be monitored once they are in production is vital to the security of your customers and your organization.  Staying Ahead of the Threat Attackers are constantly looking for new ways to exploit vulnerabilities and to breach web applications, which means that as their methods mature and they become more aggressive, even the most securely developed applications can become vulnerable. Organizations that only perform annual penetration tests on their web applications may be leaving themselves open to a breach that could be easily prevented with regular production scanning.  
Application security outlines a collection of processes and tools focused on identifying, remediating, and preventing application-level vulnerabilities throughout the entire software development…]]> 2023-11-12T22:55:15+00:00 https://www.veracode.com/blog/managing-appsec/securing-your-web-applications-and-apis-veracode-dast-essentials www.secnews.physaphae.fr/article.php?IdArticle=8415095 False Data Breach,Tool,Vulnerability,Threat None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Sécuriser les API: étapes pratiques pour protéger votre logiciel<br>Securing APIs: Practical Steps to Protecting Your Software In the dynamic world of software development, Application Programming Interfaces (APIs) serve as essential conduits, facilitating seamless interaction between software components. This intermediary interface not only streamlines development but also empowers software teams to reuse code. However, the increasing prevalence of APIs in modern business comes with security challenges. That\'s why we\'ve created this blog post - to provide you with actionable steps to enhance the security of your APIs today.  Understanding API Security API Security extends beyond protecting an application\'s backend services, including elements such as databases, user management systems, and components interacting with data stores. It involves adopting diverse tools and practices to strengthen the integrity of your tech stack. A strong API security strategy reduces the risk of unauthorized access and malicious actions, ensuring the protection of sensitive information. Exploring API Vulnerabilities Despite the…]]> 2023-11-07T17:37:50+00:00 https://www.veracode.com/blog/managing-appsec/securing-apis-practical-steps-protecting-your-software www.secnews.physaphae.fr/article.php?IdArticle=8407931 False Tool,Guideline None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog SAST vs. 
DAST for Security Testing: Unveiling the Differences Application Security Testing (AST) encompasses various tools, processes, and approaches to scanning applications to uncover potential security issues. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are popularly used security testing approaches that follow different methodologies of scanning application codes across different stages of a software development lifecycle.   SAST follows a white-box testing approach to analyze the source code, byte code, and binaries to identify exploitable vulnerabilities and coding errors. On the other hand, DAST implements a black-box testing method, where security engineers parse simulated attack payloads through the application\'s front end without exposing internal information on the application\'s internal construct.   In this blog, we will discuss SAST and DAST testing approaches, how they help detect vulnerabilities and application failures, their differences, and best use cases.  Static Application…]]> 2023-11-02T13:45:06+00:00 https://www.veracode.com/blog/intro-appsec/sast-vs-dast-security-testing-unveiling-differences www.secnews.physaphae.fr/article.php?IdArticle=8404887 False Tool,Vulnerability None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Comment le décret exécutif sur l'intelligence artificielle aborde le risque de cybersécurité<br>How Executive Order on Artificial Intelligence Addresses Cybersecurity Risk Unlike in the 1800s when a safety brake increased the public\'s acceptance of elevators, artificial intelligence (AI) was accepted by the public much before guardrails came to be. “ChatGPT had 1 million users within the first five days of being available,” shares Forbes. 
Almost a year later, on October 30, 2023, President Biden issued an Executive Order “to ensure that America leads the way in seizing the promise and managing the risks of artificial intelligence (AI).” Here\'s what the Executive Order gets right about addressing cybersecurity risk and promise posed by AI.  Overview of Key Points in the Executive Order on Artificial Intelligence  Before diving more deeply into a few cyber-specific aspects of the Executive Order on Artificial Intelligence, let\'s look at some of the key points and goals included in this far-reaching order.   From requiring “developers of the most powerful AI systems share their safety test results and other critical information with the U.S. government” to…]]> 2023-11-01T14:51:15+00:00 https://www.veracode.com/blog/security-news/how-executive-order-artificial-intelligence-addresses-cybersecurity-risk www.secnews.physaphae.fr/article.php?IdArticle=8404298 False Legislation ChatGPT 3.0000000000000000 Veracode - Application Security Research, News, and Education Blog Les 6 meilleures pratiques de sécurité de l'application Web DevOps Meilleures<br>Top 6 DevOps Web Application Security Best Practices In today\'s world, the importance of incorporating web application security best practices cannot be overstated. Recent studies show that web applications are the top attack vector in nearly 80% of incidents. The good news is DevOps processes lend themselves to integrated security practices. Here are the top six best practices for seamlessly weaving web application security into DevOps.  The Role of Web Application Security Best Practices in DevOps  The cornerstone of a successful DevOps practice is automation; this is why automating security within workflows (DevSecOps) makes so much sense. DevSecOps is lacing each step of the DevOps process and practice with security.   
By adding security into each step of the software development lifecycle (SDLC) – from planning to coding and building to testing to staging to operating and monitoring – the most important outputs of the SDLC are assured to be secure when deployed and attestable for compliance. Integrating security into each DevOps…]]> 2023-10-30T13:54:34+00:00 https://www.veracode.com/blog/secure-development/top-6-devops-web-application-security-best-practices www.secnews.physaphae.fr/article.php?IdArticle=8402965 False Studies None 4.0000000000000000 Veracode - Application Security Research, News, and Education Blog Sécuriser les applications Web: la liste de contrôle d'une CISO \\ pour les leaders technologiques<br>Securing Web Applications: A CISO\\'s Checklist for Tech Leaders As a CISO, securing web applications and ensuring their resilience against evolving cyber threats is a non-negotiable priority. Verizon\'s Data Breach Investigations Report 2023 cites web applications as the top attack vector by a long shot (in both breaches and incidents). Here\'s a simplified checklist for securing web applications that will help you improve your organization\'s security posture and the integrity of your technology.  Assessing Web Application Risk and Threats  A powerful first step in securing web applications is discovery. You can\'t secure what you don\'t know about! Start with an inventory of your software or application portfolio to understand sources of risk and what you want to prioritize.   For some this may be simple. For others it will be an essential inventory of what makes up your software and development process. Here are some questions to consider in your assessment of your portfolio:  How many applications do you have?   Where do they reside?   
Who…]]> 2023-10-18T11:21:23+00:00 https://www.veracode.com/blog/intro-appsec/securing-web-applications-cisos-checklist-tech-leaders www.secnews.physaphae.fr/article.php?IdArticle=8397321 False Data Breach None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Sécurité des applications Web: 5 conseils de sécurité pour les ingénieurs logiciels<br>Web Application Security: 5 Security Tips for Software Engineers As a software engineer in a cloud-native world, you\'re the first line of defense in web application security. Armed with a few best practices that have a huge impact, securing both the code you create and the code you compile can be simple. Here are five tips that make your role easier in protecting data with secure development.  Overview of Preventing Breaches with Web Application Security Practices  Growing threats in the digital landscape, like entering the era of AI-driven attacks, make proactive code security essential. A nonprofit organization focused on open-source software security, the Open Web Application Security Project (OWASP), maintains the OWASP Top 10, a list of the top 10 security risks faced by web applications. This is a foundational resource for ensuring secure code. Many of these risks can be handled using the tips that follow.  Tip 1: Start Building Apps with Security in Mind  Consider security from the beginning. Here\'s how CISA defines Secure by Design: “Secure…]]> 2023-10-11T10:19:23+00:00 https://www.veracode.com/blog/secure-development/web-application-security-5-security-tips-software-engineers www.secnews.physaphae.fr/article.php?IdArticle=8394369 False None None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Un CISO explique 4 étapes qui facilitent la séjour en sécurité en ligne<br>A CISO Explains 4 Steps that Make it Easy to Stay Safe Online To secure our world, Cybersecurity Awareness Month encourages four steps that make it easy to stay safe online. 
As a CISO, my team and I advocate for these practices constantly within our organization. If you are a security practitioner looking to bolster cybersecurity awareness, here\'s a brief look at how we explain these steps to help make staying safe online easier.  Before we dive in, making cybersecurity practices relatable and clear is key to the adoption at any organization. Consider the recent disclosure of a new vulnerability affecting web applications. This is the type of real-life scenario that can be used to make the following information more relatable. New vulnerabilities like this one are what makes the first step so important.  Software Updates – The Why & How  Software updates are essential for keeping your computer secure and up-to-date. They can fix bugs, improve performance, add new features, and make your software compatible with new hardware and software. …]]> 2023-10-02T11:06:07+00:00 https://www.veracode.com/blog/security-news/ciso-explains-4-steps-make-it-easy-stay-safe-online www.secnews.physaphae.fr/article.php?IdArticle=8390590 False Vulnerability None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Résolution de la vulnérabilité webp-jour CVE-2023-4863<br>Resolving WebP Zero-day Vulnerability CVE-2023-4863 What It Is  Webp is the backbone of the webp extension. Any image that is saved to the webp image format most likely was created using the webp library. The library was released in 2010 by Google.  The History of the Webp Vulnerability CVE-2023-4863 The first CVE for this webp vulnerability was disclosed in CVE-2023-41061, but note how the description does not mention the root of the issue anywhere. Then Google released CVE-2023-4863, which was the first actual mention of webp. Finally CVE-2023-5129 was released, but has since been rejected. The original description of CVE-2023-5129 was:   “With a specially crafted WebP lossless file, libwebp may write data out of bounds to the heap. 
The ReadHuffmanCodes() function allocates the HuffmanCode buffer with a size that comes from an array of precomputed sizes: kTableSize. The color_cache_bits value defines which size to use. The kTableSize array only takes into account sizes for 8-bit first-level table lookups but not second-level table…]]> 2023-09-29T10:12:09+00:00 https://www.veracode.com/blog/security-news/resolving-webp-zero-day-vulnerability-cve-2023-4863 www.secnews.physaphae.fr/article.php?IdArticle=8389509 False Vulnerability None 2.0000000000000000 Veracode - Application Security Research, News, and Education Blog Les nouvelles données de sécurité des logiciels EMEA démontrent la nécessité de SCA<br>New EMEA Software Security Data Demonstrates Necessity of SCA New software security data demonstrates that Software Composition Analysis (SCA) will help bolster the safety and integrity of open-source software usage for organizations in the Europe, Middle East, and Africa (EMEA) region in particular. The EU Cyber Resilience Act makes this research especially crucial and timely. Let\'s dive in and look at recommendations for EMEA teams wanting to secure cloud-native development.  Understanding EMEA Software Security Landscape  The software security landscape in EMEA is shaken up by the Commission\'s proposal for a new Cyber Resilience Act (CRA) from 15 September 2022. It "aims to safeguard consumers and businesses buying or using products or software with a digital component. 
The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.”   When it comes to making…]]> 2023-09-26T09:52:36+00:00 https://www.veracode.com/blog/research/new-emea-software-security-data-demonstrates-necessity-sca www.secnews.physaphae.fr/article.php?IdArticle=8388023 False None None 3.0000000000000000 Veracode - Application Security Research, News, and Education Blog Secrets Management Best Practices: Secure Cloud-Native Development Series Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the fifth and final part of the series, and it will teach you to handle credentials and secrets management best practices for securing cloud-native applications. Every organization has their way of managing credentials. In the past, with legacy application architectures, this was a bit more manual and arduous. With cloud-native applications, we have options open to us that are seamless for handling credentials and secrets management. The level of sensitivity of the data will designate the means we use to protect credentials.   Obviously, never check-in credentials to code repositories. But again, utilizing the cloud providers secret manager/vault can help us strengthen our security posture and minimize risk for leaked credentials within the architecture and application.   
Best Practices for Secrets Management & Secure Cloud…
Published 2023-09-25 15:23:06 UTC | https://www.veracode.com/blog/research/secrets-management-best-practices-secure-cloud-native-development-series | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8387746

What Security Practitioners Can Learn from New SAST Vendor Analysis
Developing and maintaining secure code at scale is hard. Having the right Static Application Security Testing (SAST) solution makes it easier, but how are practitioners to choose? In the following interview, you'll learn about three emerging trends from a detailed analysis of the SAST landscape in The Forrester Wave™: Static Application Security Testing, Q3 2023. Veracode earns the top scores across the Current Offering, Strategy, and Market Presence (tied) categories. To quote the report, "Veracode differentiates with reporting, remediation, and a programmatic approach" with a forward-looking vision that "translates to an exciting roadmap with AI-powered features for flaw prevention, automated remediation, intelligent prioritization, and cross-correlation of application security testing (AST) scans."

Why a Report on SAST Matters Today
I sat down with Christy Smith, Veracode's Head of Analyst Relations, to talk about this timely report and what trends can be found in this quickly…
Published 2023-09-19 13:46:57 UTC | https://www.veracode.com/blog/intro-appsec/what-security-practitioners-can-learn-new-sast-vendor-analysis | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8386388

Why New SEC Cyber Rules Promote Accountability and Maturity
Deploying software and hoping it's
“safe enough” isn't a measurable security strategy. It's certainly not something that will bode well when the time comes to disclose processes and practices for managing cybersecurity risks. The latest Securities and Exchange Commission (SEC) cyber rules will “require registrants to describe the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing material risks from cybersecurity threats.” Here's why I'm optimistic that this disclosure requirement brings the transparency and accountability needed to secure our digital future and promote maturity. I also share a critical action that executives can take now to align with the new cyber risk governance rules.

A Brief Introduction to the 2023 SEC Rules on Cybersecurity Risk
The much-anticipated announcement of newly adopted cyber rules arrived from the SEC on July 26, 2023. These rules require public companies to disclose…
Published 2023-09-18 13:39:59 UTC | https://www.veracode.com/blog/intro-appsec/why-new-sec-cyber-rules-promote-accountability-and-maturity | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8384964

Easily Enable Encryption: Secure Cloud-native Development Series
Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the fourth part of the series, and it explains why and how to enable encryption easily and save yourself headaches down the road. Here's a new motto: encrypt everything! When moving securely to cloud-native technologies, building encryption in from the start saves a lot of headaches later, and it is anything but a headache to enable encryption while setting up your cloud-native development workflows.
Here I'll explain why enabling encryption will come in so handy, and which tools help you do it with the least effort.

A Scenario on Why You Need to Enable Encryption
Imagine the following scenario: you have been tasked with a quick and dirty POC for an upcoming service release. You design it and build something that works, but for reasons we don't need to go into, the release has been pushed up, and now we…
Published 2023-09-14 17:46:27 UTC | https://www.veracode.com/blog/research/easily-enable-encryption-secure-cloud-native-development-series | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8383733

Why Reduce Software Supply Chain Risks with Intelligent Software Security
There's a growing array of risks lurking within the supply chain of the digital solutions we increasingly depend upon. Leaving gaps in your software supply chain security (SSCS) could spell disaster for your organization. Let's explore how new analysis defines an end-to-end solution and why Veracode was ranked as an Overall Leader, Product Leader, Innovation Leader, and Market Leader in the Software Supply Chain Security Leadership Compass 2023 by KuppingerCole Analysts AG.

Leading the Charge: Software Supply Chain Security
Picture a world where your security is only as strong as your weakest link, and that link could be a single line of code buried deep within open-source software from an unknown contributor. This is the reality of today's software supply chain. Each component, whether it's custom code, third-party libraries, or the configuration of CI/CD tools and infrastructure, presents a potential entry point for an attacker.
Many players are working to provide solutions for…
Published 2023-09-12 14:07:47 UTC | https://www.veracode.com/blog/security-news/why-reduce-software-supply-chain-risks-intelligent-software-security | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8382683

Managing Storage Access: Secure Cloud-native Development Series
Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the third part of the series, and it shows how to secure cloud storage and handle access controls on S3 buckets. Each cloud provider has managed storage services that your organization is probably already using. Cloud storage such as Amazon Simple Storage Service (Amazon S3) or Azure Storage is tightly integrated with the other managed services, which makes it simple to manage. We will discuss Amazon's S3 storage service specifically and how it relates to secure cloud-native development.

An Introduction to Secure Cloud Storage and Access Control Configuration
Amazon recently turned on default server-side encryption (SSE) with AES-256 for all users. Most of us most likely already had encryption turned on (or at least should have), but it's now one less thing to worry about.
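Encryption at rest does nothing against a bucket policy that lets anyone read, so the access-control side of the post is worth checking mechanically. Here is an added example for this page, not Veracode's or AWS's code: two bucket policies are constructed inline (a public-read one and a hardened one that grants a single role and denies non-TLS requests), and the checker flags Allow statements that an anonymous principal can use without any Condition. The account ID, role name and bucket name are invented, and no AWS API is called.

```python
"""Flag S3 bucket-policy statements that grant anonymous access.

Added example for this page, not Veracode's or AWS's code. Both policies are
constructed inline so the check runs offline against the policy document only.
"""
import json

WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # anonymous read of every object, no Condition: the classic exposure
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # only one application role (invented ARN) may read objects
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # refuse any request that does not arrive over TLS
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for the documented 'everyone' forms: "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json):
    """Return [(Sid, actions)] for Allow statements any anonymous caller can use.

    A statement is reported only when it has no Condition at all; a Condition
    may still be too loose, but that needs a per-key review rather than a flag.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        findings.append((stmt.get("Sid", "<no Sid>"), actions))
    return findings


def has_tls_only_deny(policy_json):
    """True when the policy denies requests with aws:SecureTransport == false."""
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport", "")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, find_public_statements(policy), "tls-only:", has_tls_only_deny(policy))
```

The stronger control is S3 Block Public Access at the account level; a policy check like this one is the backstop for buckets created before it was turned on or for an account where someone switched it off.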
Additionally, tools such as Terraform can…
Published 2023-09-05 15:20:59 UTC | https://www.veracode.com/blog/research/managing-storage-access-secure-cloud-native-development-series | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8379290

How to Enable Logging: Secure Cloud-native Development Series
Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the second part of the series, and it explains how and why to enable logging from the start. We're going to talk about enabling logging (cloud logging, to be specific). What's the difference? Not much, other than the fact that it's another managed service integrated with the tools we should already be using.

Why Enable Logging?
All developers and engineers know we need logging. But conflicting priorities and time constraints get in the way sometimes, and it becomes a "we'll do that in the next sprint". I have worked on the engineering side of things as well as the security side, where I needed to track down network or application issues, or security incidents, only to find that we didn't have logs, or didn't have logging enabled on specific services. Enabling logging can be compared to our own health.
Even when we are young, we…
Published 2023-08-28 14:07:53 UTC | https://www.veracode.com/blog/research/how-enable-logging-secure-cloud-native-development-series | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8375849

Security Researchers Share Insights on Black Hat 2023 Topics and Trends
Shocking to no one: Artificial Intelligence (AI) was a huge topic at Black Hat USA 2023, but what did we learn about it? With no shortage of talks on it, there are many insights to take into account. We asked highly skilled Software Security Researchers who attended both Black Hat and DEFCON to weigh in on the most insightful moments, particularly those related to AI. Here's what we found.

AI is a Double-edged Sword for Security
AI presents society with a double-edged sword, especially when it comes to cybersecurity. John Simpson, Senior Security Researcher, explains: "AI is clearly the hot topic; at both Black Hat and DEFCON there was a lot of emphasis on the dangers but also significant talk about its potential usefulness." The intricate interplay between AI's benefits and risks underscores the complexity of our rapidly evolving digital age. On the one hand, attackers are using AI to enhance their exploit capabilities.
Conversely, we are able to enhance defenses with AI through tools…
Published 2023-08-21 10:25:54 UTC | https://www.veracode.com/blog/research/security-researchers-share-insights-black-hat-2023-topics-and-trends | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8372800

Enhancing Code Security with Generative AI: Using Veracode Fix to Secure Code Generated by ChatGPT
Artificial Intelligence (AI) and companion coding can help developers write software faster than ever. However, as companies look to adopt AI-powered companion coding, they must be aware of the strengths and limitations of different approaches, especially regarding code security. Watch this 4-minute video to see a developer generate insecure code with ChatGPT, find the flaw with static analysis, and secure it with Veracode Fix to quickly develop a function without writing any code. The video exposes the nuances of generative AI code security. While generalist companion coding tools like ChatGPT excel at creating functional code, the quality and security of that code often fall short. Specialized solutions like Veracode Fix, built to excel at remediating insecure code, bring a vital security skill set to generative AI.
By using generalist and specialist AI tools in collaboration, organizations can empower their teams to accelerate software development that meets functional and…
Published 2023-08-17 13:01:00 UTC | https://www.veracode.com/blog/secure-development/enhancing-code-security-generative-ai-using-veracode-fix-secure-code | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8371867

Find Security Flaws in Your Dart & Flutter Applications: Veracode Expands Mobile Application Security Support
Veracode recently released Static Analysis support for Dart 3 and Flutter 3.10. This makes it possible for developers to leverage the power of Dart and Flutter and deliver more secure mobile applications by finding and resolving security flaws earlier in the development lifecycle, when they are fastest and least expensive to fix. The release also expanded Veracode's extensive support, which covers over 100 languages and frameworks, and we thought it presented a good opportunity to dive into the topic of language support: how we prioritize languages to support, the research process and what goes into actually developing support, what the team is currently working on, and how customers can influence that direction through our Community Ideas Portal.

How Does Veracode Prioritize Languages and Frameworks to Support?
There are more languages and frameworks than there are resources and time to support them. This means prioritization is key.
Veracode takes a highly considered approach to selecting…
Published 2023-08-07 17:05:41 UTC | https://www.veracode.com/blog/secure-development/find-security-flaws-your-dart-flutter-applications-veracode-expands-mobile | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8366956

Why SCA is Critical for Securing the Software Supply Chain
Weaknesses within software supply chains create a foothold for exploitation by cyberattacks. The problem is so significant that even the White House released an Executive Order that speaks directly to this topic. "The Federal Government must take action to rapidly improve the security and integrity of the software supply chain," the Executive Order states emphatically. Now, you may be wondering what your organization can do to mitigate this risk. Let's dive into understanding risk in the software supply chain and the solutions currently available for improving your supply chain security and overall cybersecurity posture.

Understanding Risk in the Software Supply Chain
To understand risk in the software supply chain, one must understand its components. These components include source code, version control, build systems, dependencies, testing, deployment, continuous integration/continuous deployment (CI/CD), release management, and monitoring.
Each of these components has different…
Published 2023-07-27 17:23:34 UTC | https://www.veracode.com/blog/intro-appsec/why-sca-critical-securing-software-supply-chain | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8362775

SBOM Explained: How SBOMs Improve Cloud-native Application Security
A staggering 96% of organizations use open-source libraries, yet fewer than 50% actively manage the security vulnerabilities within these libraries. Vulnerabilities are welcome mats for breaches by bad actors, and once they've entered your system, the impact can be colossal. A software bill of materials (SBOM) is an important tool for managing the security of open-source software. Here we will explore how SBOMs help organizations understand what's in their applications, ensure regulatory compliance, and manage overall risk.

Where Do SBOMs Fit in Your Application Security Program?
Think of an SBOM as a magnifying glass that lets you take a closer look at what goes into your cloud-native applications. SBOMs provide a detailed view of open-source components that developers and security professionals can use to understand the security of the third-party libraries and dependencies used in an application.
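The "detailed view of open-source components" becomes actionable when it is matched against advisories, and the package URL (purl) in each SBOM component is the key that makes that matching unambiguous across ecosystems. Here is an added example for this page, not Veracode's code and not a real advisory feed: a small CycloneDX JSON SBOM and an advisory list are constructed inline, and the matcher reports every component whose purl falls inside a vulnerable version range, plus the components it could not check. Package names, versions and advisory identifiers are invented.

```python
"""Match CycloneDX SBOM components against known-vulnerable version ranges.

Added example for this page, not Veracode's code. The SBOM and the advisory
list are constructed inline so it runs offline; package names, versions and
advisory identifiers are invented for illustration.
"""
import json
import re

# Constructed CycloneDX 1.5 JSON document, trimmed to the fields the matcher uses.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad-ish", "version": "1.2.3",
         "purl": "pkg:npm/left-pad-ish@1.2.3"},
        {"type": "library", "name": "example-http", "version": "2.0.9",
         "purl": "pkg:pypi/example-http@2.0.9"},
        {"type": "library", "name": "example-http", "version": "2.1.0",
         "purl": "pkg:pypi/example-http@2.1.0"},
        {"type": "library", "name": "vendored-blob", "version": "0.3"},  # no purl
    ],
})

# Constructed advisory feed: (ecosystem, package, introduced, fixed, id).
# A version is affected when introduced <= version < fixed.
ADVISORIES = [
    ("pypi", "example-http", "2.0.0", "2.1.0", "EXAMPLE-ADV-0001"),
    ("npm", "left-pad-ish", "0.0.0", "1.0.0", "EXAMPLE-ADV-0002"),
]

# pkg:<type>/<name>@<version>; qualifiers and subpath are ignored for brevity.
PURL_RE = re.compile(r"^pkg:(?P<type>[^/]+)/(?P<name>[^@?#]+)@(?P<version>[^?#]+)")


def parse_version(text):
    """'2.0.10' -> (2, 0, 10): tuples compare numerically, so 2.0.10 > 2.0.9.

    Good enough for dotted-integer versions; real matching must apply the
    ecosystem's own rules (PEP 440 for PyPI, semver for npm).
    """
    return tuple(int(part) for part in text.split("."))


def parse_purl(purl):
    m = PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    return m.group("type"), m.group("name"), m.group("version")


def affected_components(sbom_json, advisories):
    """Return [(purl, advisory_id)] for each component inside a vulnerable range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no ecosystem to match against; surfaced separately below
        eco, name, version = parse_purl(purl)
        v = parse_version(version)
        for adv_eco, adv_name, introduced, fixed, adv_id in advisories:
            if (eco, name) != (adv_eco, adv_name):
                continue
            if parse_version(introduced) <= v < parse_version(fixed):
                hits.append((purl, adv_id))
    return hits


def unmatched_components(sbom_json):
    """Names of components without a purl, which the matcher could not check."""
    sbom = json.loads(sbom_json)
    return [c.get("name") for c in sbom.get("components", []) if not c.get("purl")]


if __name__ == "__main__":
    print("affected:", affected_components(SBOM_JSON, ADVISORIES))
    print("unchecked:", unmatched_components(SBOM_JSON))
```

Only the 2.0.9 copy of the library is reported; the 2.1.0 copy is at the fixed version, and the 1.2.3 npm package is above its advisory's fixed bound. The component without a purl is the case to watch in real SBOMs: it is not "clean", it is unchecked, which is why the script lists it separately rather than silently skipping it.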
With that information, teams can create cyber hygiene campaigns against known…
Published 2023-07-20 11:35:59 UTC | https://www.veracode.com/blog/secure-development/sbom-explained-how-sboms-improve-cloud-native-application-security | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8359292

Improve Visibility, Reporting, and Automation With Veracode's Reporting API
A high-functioning security program leverages data to drive optimization: satisfying governance, risk, and compliance (GRC) requirements efficiently, creating visibility for risk-based prioritization, and leveraging automation throughout the software development lifecycle. Often, however, the data needed to drive these processes is spread across a complex ecosystem. Fortunately, solutions like Veracode's new Reporting API provide data extensibility, making it easy for you to use your rich application security testing data beyond the Veracode platform. Here are three examples of how you can use Veracode's new Reporting API to simplify reporting, improve decision support, and drive automation in your DevSecOps program.

Using Application Security Testing Data Extensibility for Centralized Visibility and Reporting
Rarely does a single platform or solution generate all the data relevant to an organization's DevSecOps program.
This means consumers of the data either…
Published 2023-07-12 11:17:50 UTC | https://www.veracode.com/blog/customer-news/improve-visibility-reporting-and-automation-veracodes-reporting-api | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8355557

How to Decide Whether Vulnerability Remediation Augmented by Generative AI Reduces or Incurs Risk
Software security vendors are applying Generative AI to systems that suggest or apply remediations for software vulnerabilities. This technology is giving security teams the first realistic options for managing security debt at scale while showing developers the future they were promised, where work is targeted at creating user value instead of looping back to old code that generates new work. However, there are concerns about the risks of using Generative AI to augment vulnerability remediation. Let's explore this rapidly evolving landscape and how you can reap the benefits without incurring the risks.

What Risks Generative AI Augmented Vulnerability Remediation Solutions Could Pose
Legal challenges to data sourcing expose the risk of training Generative AI models on all code. Unfortunately, that hasn't stopped many vendors from taking the position that a model trained on open-source code is sufficiently safe from IP and code provenance concerns.
Not all code is equally…
Published 2023-07-10 12:57:59 UTC | https://www.veracode.com/blog/managing-appsec/how-decide-whether-vulnerability-remediation-augmented-generative-ai-reduces | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8355558

How to Measurably Reduce Software Security Risk with Veracode Fix
Veracode Fix is now available as an add-on to Veracode Static Analysis for customers on the North American instance. Availability for customers on Veracode's EMEA and FedRAMP instances will be coming soon! From nearly two decades of securing software, we know that fixing flaws, not just finding them, is what makes a profound impact on security posture. However, fixing flaws is one of the greatest challenges teams face when it comes to application security...until now. Veracode Fix marks a major leap forward in software security; it shifts the paradigm from application security testing tools that find flaws to intelligent solutions that generate fixes. Here's how you can save time and secure more with AI-generated fixes that developers can easily review and implement without manually writing any code.

The Problem: Too much time. Too little security.
If we look at current remediation workflows, developers are often asked to spend time they don't have fixing flaws they don't…
Published 2023-06-28 15:47:09 UTC | https://www.veracode.com/blog/secure-development/how-measurably-reduce-software-security-risk-veracode-fix | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8350638

Public Sector Software Security Two Years After Cybersecurity Executive Order
When the Public Sector wins, we all win. Rooting for the security of Public Sector software comes naturally to Veracode. Federal agencies are tackling an incredibly difficult job, and the road to success is meaningful to us all, regardless of our sector or industry. The push for software security came strongly via specific requirements in the Executive Order on Improving the Nation's Cybersecurity in 2021. Here's a look at how Public Sector software security is doing two years later.

A Brief Background on the Executive Order on Cybersecurity
We believe the release of the Executive Order (EO) on Cybersecurity in May 2021 was a long time coming (watch our co-founder explain why). What really stands out to us about this EO is how action-oriented it is. The EO gets specific about the types of security controls government agencies must adhere to, and it also includes what to look for in software vendors selling to government agencies.
A key element of the EO is the Zero…
Published 2023-06-21 14:48:11 UTC | https://www.veracode.com/blog/research/public-sector-software-security-two-years-after-cybersecurity-executive-order | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8347830

The Art of Reducing Security Debt In 3 Key Steps
Introduction
In the ever-evolving landscape of digital threats and cybersecurity challenges, organizations face a significant burden known as security debt. Just like financial debt, security debt accrues when organizations compromise on security measures in favor of convenience, speed, or cost-cutting. Over time, this accumulated debt can pose serious risks to the organization's data, reputation, and overall stability. However, with a strategic approach and a commitment to proactive security practices, organizations can effectively reduce their security debt. In this blog post, we will explore the art of reducing security debt in three key steps, enabling organizations to strengthen their security posture and safeguard their valuable assets.

Step 1: Assess and Prioritize Security Risks
The first step in reducing security debt is to conduct a thorough assessment of your organization's security risks.
This involves identifying vulnerabilities, evaluating existing security…
Published 2023-06-20 14:45:25 UTC | https://www.veracode.com/blog/intro-appsec/art-reducing-security-debt-3-key-steps | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8347442

Application Security in the Era of AI-driven Attacks
Introduction
In today's digital landscape, the importance of application security cannot be overstated, as businesses worldwide face evolving cyber threats. Both defenders and attackers are now harnessing the power of Artificial Intelligence (AI) to their advantage. As AI-driven attacks become increasingly sophisticated, it is crucial for organizations to adopt a comprehensive approach to application security that effectively addresses this emerging threat landscape. In this blog post, we will explore the significance of adopting a robust application security strategy in the face of AI-driven attacks and provide concrete examples to support our claims.

The Evolving Threat Landscape: AI-powered Attacks
AI has transformed numerous industries, unfortunately including cybercrime. Hackers are leveraging AI to develop advanced and automated attacks that can bypass traditional security measures. Let's delve into some concrete examples of AI-powered attacks:
1.
AI-powered Malware: …
Published 2023-06-09 12:10:38 UTC | https://www.veracode.com/blog/intro-appsec/application-security-era-ai-driven-attacks | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8343707

Get It Right First Time with a Comprehensive Approach to Application Security
Introduction
In the rapidly evolving digital landscape, ensuring robust application security is paramount for organizations. With the emergence of AI-powered attacks and other sophisticated threats, it is crucial to integrate comprehensive Application Security Testing (AST) into the Software Development Lifecycle (SDLC). By leveraging an effective AST platform that provides comprehensive coverage, organizations can incorporate application security testing as a natural and essential part of the development process. In this blog post, we will explore the significance of an AST platform with comprehensive coverage in strengthening application security within the SDLC.

The Need for Comprehensive Application Security Testing
As applications become more complex and vulnerabilities continue to evolve, comprehensive application security testing is crucial. Traditional testing methods alone are often insufficient to identify all potential security weaknesses.
By adopting an…
Published 2023-06-09 01:53:07 UTC | https://www.veracode.com/blog/intro-appsec/get-it-right-first-time-comprehensive-approach-application-security | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8343498

Five Leadership Tips to Set Up Your Business for AppSec Success
Introduction
In today's digital landscape, ensuring the security of your applications is of paramount importance. AppSec, short for Application Security, involves safeguarding your software applications against potential threats and vulnerabilities. While implementing robust AppSec practices is crucial, effective leadership plays a vital role in setting up your business for AppSec success. In this blog, we will explore five key leadership tips to help you prioritize and establish a strong foundation for application security within your organization.

Promote a Culture of Security
Leaders should foster a culture where security is a top priority. Promote awareness of AppSec risks and provide regular training on secure coding practices. Encourage open communication about security concerns and involve all stakeholders in the process. By making security a core value, employees will understand its importance and actively contribute to AppSec efforts.
Leveraging Veracode's platform, such as…
Published 2023-06-08 03:48:20 UTC | https://www.veracode.com/blog/intro-appsec/five-leadership-tips-set-your-business-appsec-success | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8343255

3 Reasons to Leverage AI for Enhanced Threat and Vulnerability Management
As the cyber threat landscape continues to evolve, there's a growing need to ensure applications and software are protected from malicious actors. A holistic and intelligent approach to threat and vulnerability management is essential for security against modern cyber risk. By leveraging AI-powered tools, especially for tasks like remediating security flaws, you can manage and reduce risk quickly and effectively. Let's explore why using AI to bolster and modernize your threat and vulnerability management strategies will pay off in the long run.

Reason 1: To Stay Ahead of Rapidly Evolving Cybersecurity Threats
Threat and vulnerability management helps businesses understand and respond to risk, but what about when the threat landscape is evolving so rapidly? When new threats emerge constantly, it's challenging to take a preventative approach to potential attacks on applications, software, and networks.
For example, one particularly concerning new trend is…
Published 2023-06-07 16:19:57 UTC | https://www.veracode.com/blog/intro-appsec/3-reasons-leverage-ai-enhanced-threat-and-vulnerability-management | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8343131

Securing the Software Supply Chain: Protecting Against Insecure Code Downloads
Introduction
In today's interconnected world, securing the software supply chain is crucial for maintaining robust application security. Developers often rely on package managers to import third-party code and libraries, but this convenience comes with risks. Insecure code downloads can introduce vulnerabilities that compromise the integrity of your software. In this blog post, we will explore essential steps to secure the supply chain and prevent developers from downloading insecure code from package managers.

Package Manager Security
Start by using a reputable package manager and registry that prioritize security. Popular ecosystems such as npm, PyPI, and Maven offer security features or companion tooling, including package signing, vulnerability advisories and audit tools, and dependency tracking. These measures help ensure the packages you download come from trusted sources; pinning exact versions and verifying artifact hashes before installation closes the remaining gap between what was reviewed and what gets installed.

Code Auditing and Testing
Implement a rigorous code auditing and testing process to identify vulnerabilities within your codebase.
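Registry-side signing and tracking only help if the build verifies what it actually downloaded. Here is an added example for this page, not pip's, npm's or Maven's code: it parses pip-style `--hash=sha256:` pins from a constructed requirements file, checks constructed artifact bytes against them, and refuses to proceed when any artifact mismatches or carries no pin at all. The package names and artifact bytes are invented; nothing is fetched from a registry.

```python
"""Verify downloaded package artifacts against pinned hashes before installing.

Added example for this page, not pip's, npm's or Maven's code. The artifacts
and the pin file are constructed inline so the check runs offline.
"""
import hashlib
import hmac
import re


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed "reviewed" artifact bytes, from which the pins below are derived.
INTENDED = {
    "example-http": b"example-http-2.1.0 wheel bytes (constructed)",
    "left-pad-ish": b"left-pad-ish-1.2.3 tarball bytes (constructed)",
}

# Constructed pin file. 'unpinned-lib' deliberately carries no hash.
REQUIREMENTS = (
    f"example-http==2.1.0 --hash=sha256:{sha256_hex(INTENDED['example-http'])}\n"
    f"left-pad-ish==1.2.3 --hash=sha256:{sha256_hex(INTENDED['left-pad-ish'])}\n"
    "unpinned-lib==0.1.0\n"
)

# Constructed download results: the second artifact differs from what was pinned.
DOWNLOADED = {
    "example-http": INTENDED["example-http"],
    "left-pad-ish": b"left-pad-ish-1.2.3 tarball bytes (tampered)",
}

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=\w+:[0-9a-f]+)*)\s*$"
)


def parse_requirements(text):
    """Return {name: [(algorithm, hexdigest), ...]}; an empty list means unpinned."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable requirement: {line}")
        pins[m.group("name")] = re.findall(r"--hash=(\w+):([0-9a-f]+)", m.group("hashes"))
    return pins


def verify_downloads(requirements_text, downloaded):
    """Classify each requirement as ok, mismatch, missing or unpinned.

    A mismatch means the bytes differ from what was reviewed; unpinned means
    there was nothing to check against. Either one should stop the install.
    """
    results = {}
    for name, hashes in parse_requirements(requirements_text).items():
        if not hashes:
            results[name] = "unpinned"
            continue
        data = downloaded.get(name)
        if data is None:
            results[name] = "missing"
            continue
        matched = any(
            hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)
            for algo, expected in hashes
        )
        results[name] = "ok" if matched else "mismatch"
    return results


def safe_to_install(results):
    return bool(results) and all(status == "ok" for status in results.values())


if __name__ == "__main__":
    outcome = verify_downloads(REQUIREMENTS, DOWNLOADED)
    print(outcome, "install:", safe_to_install(outcome))
```

pip's own `--require-hashes` mode enforces exactly this for real installs, and the `integrity` fields in an npm `package-lock.json` play the same role; the point of writing it out is to see that an unpinned entry is a failure, not a pass.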
Regularly…
Published 2023-05-27 10:43:28 UTC | https://www.veracode.com/blog/intro-appsec/securing-software-supply-chain-protecting-against-insecure-code-downloads | Aggregator entry: www.secnews.physaphae.fr/article.php?IdArticle=8339878

Colliding with the Future: The Disruptive Force of Generative AI in B2B Software
Over the past few months, our collective fascination with AI has reached unprecedented heights, leading to an influx of information and discussions on its potential implications. It seems that wherever we turn, AI dominates the conversation. AI has captivated the imaginations of tech enthusiasts, researchers, and everyday individuals alike. At the tender age of 11, I received my very first computer, the legendary ZX Spectrum. Looking back, it's hard to believe how much has changed since then. A few years later, I eagerly built my own 286 computer, a proud accomplishment that fueled my passion for technology and software engineering. Those early experiences left an indelible mark on me, instilling a sense of excitement and curiosity that has endured to this day. It is this very same enthusiasm that now fills me as I delve into the captivating realms of Artificial Intelligence (AI) and Machine Learning (ML). Those first experiences felt like a tectonic shift in my life.
Now, as we…
(2023-05-25, https://www.veracode.com/blog/research/colliding-future-disruptive-force-generative-ai-b2b-software-0; the same post was also published at https://www.veracode.com/blog/research/colliding-future-disruptive-force-generative-ai-b2b-software)

A New Era of AppSec: 10 Times as a Leader in Gartner® Magic Quadrant™ for Application Security Testing

Ten represents the completion of a cycle and the beginning of a new one, as there are ten digits in our base-10 number system. We've scanned nearly 140 trillion lines of code, so we can't help but pick up on the one and the zero in our exciting announcement. It's the tenth publication of the Gartner® Magic Quadrant™ for Application Security Testing (AST), and we are pleased to announce we are a Leader for the tenth consecutive time. Here's a look at the new cycle we see beginning: the need for intelligent software security.

From Application Security Testing to Intelligent Software Security

This market isn't what it used to be, and we see a new cycle beginning: the need for intelligent software security.
What started as a recognized SaaS code scanning tool has evolved into an intelligent software security platform that prevents, detects, and responds to security flaws and vulnerabilities and manages risk and compliance for thousands of leading organizations around the…
(2023-05-22, https://www.veracode.com/blog/customer-news/new-era-appsec-10-times-leader-gartnerr-magic-quadranttm-application-security)

25 Years Later: Reflecting on L0pht's 1998 Congress Testimonial and the Evolution of Cybersecurity

I look back on L0pht's testimony before Congress in 1998 with a mix of pride and reflection. It's been twenty-five years since our group of hackers (or vulnerability researchers, if you will) stepped up to raise awareness about the importance of internet security in front of some of the world's most powerful lawmakers. This event marked the beginning of a long journey towards increased cybersecurity awareness and implementation of measures to protect our digital world. Let's take a look at how far we've come and what still needs to be done.

The Slow Burn: From L0pht's Testimony to Government Action

L0pht's 1998 testimony set the stage for the next 25 years of internet security awareness. However, it took years for change to start happening. Even my 2003 testimony to Congress still proved that we have a long way to go in building secure software. The wheels of progress began to turn when some recommendations from the 2020 Solarium Commission Report were implemented, calling for the…
(2023-05-18, https://www.veracode.com/blog/secure-development/25-years-later-reflecting-l0phts-1998-congress-testimonial-and-evolution)

An Introduction to Secure Coding with Template Engines

Back in 2022, while browsing through lists of recently disclosed vulnerabilities, I happened upon some Adobe Commerce/Magento Open Source vulnerabilities [1] that were reported to be exploited in the wild and can be exploited to achieve remote code execution, a combination that always motivates me to take a quick look at the vulnerability. Adobe provided a simple patch file that removes {{ and }} when they appear in input to two specific components, so it is reasonable to assume that the vulnerability involves Magento's built-in templating system. Although Magento uses its own custom templating system, these vulnerabilities got me thinking about the general challenges developers face when trying to ensure they are using a template engine in a way that does not introduce security flaws.
After looking through mountains of documentation and even diving into the code of some of the most popular template engines, it became very clear that the amount of work…
(2023-05-09, https://www.veracode.com/blog/research/introduction-secure-coding-template-engines)

Introducing Veracode Fix: Automate Fixes for Insecure Software with AI-Generated Secure Code Suggestions

Managing software security risk is a high-stakes race that's getting harder to win. Enter Veracode Fix: the intelligent remediation solution that helps you pay down security debt at scale and deliver more secure software, faster, for less effort and cost. Leveraging a GPT-based machine learning model trained on Veracode's proprietary dataset, Veracode Fix is a specialized AI that excels at fixing insecure code and dramatically reduces the work and time needed to remediate flaws.

The Problem: Creating Flaws Faster than We Can Fix Them

Software security flaws are created faster than they are fixed. Many factors contribute to this, from the number and complexity of applications to the growth of applications over their lifetimes. The net effect is that security debt is growing. And, like any debt, it can only be deferred so long and accrue so much before it manifests in significant financial, strategic, and security consequences. Remediation capacity…
(2023-04-18, https://www.veracode.com/blog/secure-development/introducing-veracode-fix-automate-fixes-insecure-software-ai-generated)

What Are the Security Implications of AI Coding?

AI coding is here, and it's transforming the way we create software. The use of AI in coding is actively revolutionizing the industry and increasing developer productivity by 55%. However, just because we can use AI in coding doesn't mean we should adopt it blindly without considering the potential risks and unintended consequences. It's worth taking a moment to consider: what are the security implications of AI-assisted coding, and what role should AI play in how we both create and secure our software?

Exploring Two Security Implications of AI Coding

Truth be told, the full implications of generative AI and AI-assisted coding, often called companion coding, are unknown and unfolding by the week. However, here are two key areas we can explore today around the security implications of AI coding.

1. How AI Coding Affects the Security and Integrity of the Software it is Used to Create

Let's start with the security of AI-generated code suggestions. Over 70% of software applications…
(2023-04-13, https://www.veracode.com/blog/secure-development/what-are-security-implications-ai-coding)

We're Good at Finding Security Flaws, But What About Fixing Them?

Technology is a double-edged sword. On one hand, it can make new experiences possible and elevate productivity.
On the other hand, it introduces new threats and attack vectors, and it can widen the gap even further between our ability to produce software and our ability to secure it. Getting faster at creating and finding security flaws does not make us faster at fixing them; data shows us that one in four vulnerabilities remain open well over a year after first discovery. Instead, as we increase productivity and get better at detecting flaws, we find ourselves in a situation where we create and find flaws faster than we can fix them.

The outcome: security debt accrues, and organizations must slow development, spend money to increase their capacity to fix flaws, or instead accept more risk and exposure to ever more frequent, sophisticated, and severe cybersecurity threats. Let's dive further into the problem and then look at potential solutions.

Three Factors Contributing to the…
(2023-03-30, https://www.veracode.com/blog/secure-development/were-good-finding-security-flaws-what-about-fixing-them)

It Takes a Village: The Power of Partnership in Creating Secure Software

Application security is about so much more than scanning. The Velocity Partner Program aligns Veracode and our Partners as together we deliver application security solutions and services that enable customers to build a secure DevOps program. The Velocity Partner Program empowers our partners in their trusted advisor role to address key security requirements and business challenges customers are facing throughout their application security journey.

Veracode provides key insights, market intelligence, skills development, and best practices for partners to help customers leverage security as a competitive edge. Customers have access to innovative application security solutions and services, managed by Veracode Partners, to enhance their security posture. By working with Veracode Partners, customers can effectively develop and deliver secure applications, reduce risks, and confidently comply with industry and government regulations and requirements. Veracode has developed advanced…
(2023-03-27, https://www.veracode.com/blog/intro-appsec/it-takes-village-power-partnership-creating-secure-software)

Breaking Barriers and Embracing Equity: Stories of Women in STEM
(2023-03-08, https://www.veracode.com/blog/research/breaking-barriers-and-embracing-equity-stories-women-stem)

Resolving CVE-2022-1471 with the SnakeYAML 2.0 Release
(2023-03-03, https://www.veracode.com/blog/research/resolving-cve-2022-1471-snakeyaml-20-release-0)

Answering the Call: 3 Software Security Pillars Addressed by the National Cybersecurity Strategy
(2023-03-02, https://www.veracode.com/blog/security-news/answering-call-3-software-security-pillars-addressed-national-cybersecurity)

SAST Tools: How to Integrate and Scale Security Workflows in the SDLC
(2023-02-28, https://www.veracode.com/blog/secure-development/sast-tools-how-integrate-and-scale-security-workflows-sdlc)
How to Leverage Veracode Container Security to Secure Cloud-native Application Development
(2023-02-06, https://www.veracode.com/blog/intro-appsec/how-leverage-veracode-container-security-secure-cloud-native-application)

4 Categories of Container Security Vulnerabilities (& Best Practices to Reduce Risk)
(2023-02-02, https://www.veracode.com/blog/secure-development/4-categories-container-security-vulnerabilities-best-practices-reduce-risk)

Quick Start Guide: Integrate Veracode in Your DevOps Pipeline
(2023-01-31, https://www.veracode.com/blog/intro-appsec/quick-start-guide-integrate-veracode-your-devops-pipeline)

6 Reasons You Need to Run SCA Scans on Projects in VS Code
(2023-01-16, https://www.veracode.com/blog/secure-development/6-reasons-you-need-run-sca-scans-projects-vs-code)

3 Key Takeaways from the State of Software Security 2023 Report
(2023-01-11, https://www.veracode.com/blog/research/3-key-takeaways-state-software-security-2023-report)

With Gratitude to Our Customers. We Couldn't Do Any of This Without You.
(2022-12-19, https://www.veracode.com/blog/customer-news/gratitude-our-customers-we-couldnt-do-any-without-you)

Holiday Customer Gratitude Blog
(2022-12-19, https://www.veracode.com/blog/customer-news/holiday-customer-gratitude-blog)

What We've Learned About Reducing Open-source Risk Since Log4j
(2022-12-07, https://www.veracode.com/blog/security-news/what-weve-learned-about-reducing-open-source-risk-log4j)

Despite Security Scrutiny on Tech Industry, Nearly One-fourth of Applications Have High-severity Flaws
(2022-12-05, https://www.veracode.com/blog/research/despite-security-scrutiny-tech-industry-nearly-one-fourth-applications-have-high)

As the Holiday Season Begins, 73% of Retail and Hospitality Apps Have a Flaw
(2022-11-21, https://www.veracode.com/blog/research/holiday-season-begins-73-retail-and-hospitality-apps-have-flaw)

Anatomy of a Stored Cross-site Scripting Vulnerability in Apache Spark
(2022-11-18, https://www.veracode.com/blog/secure-development/anatomy-stored-cross-site-scripting-vulnerability-apache-spark)

4 Reasons Scan Results May Differ Over Time: Advice from an Application Security Consultant
(2022-11-15, https://www.veracode.com/blog/secure-development/4-reasons-scan-results-may-differ-over-time-advice-application-security)

The Power of Manual Penetration Testing in Securing Your Attack Surface
(2022-11-07, https://www.veracode.com/blog/managing-appsec/power-manual-penetration-testing-securing-your-attack-surface)

How Government Agencies Can Secure Mission Critical Software in the Cloud
(2022-11-02, https://www.veracode.com/blog/intro-appsec/how-government-agencies-can-secure-mission-critical-software-cloud)

What You Need to Know About OpenSSL-3.0.7
(2022-11-01, https://www.veracode.com/blog/research/what-you-need-know-about-openssl-307)

Why Security is Central to Citizen Experience Part 3: A Helping Hand from the Private Sector
(2022-10-25, https://www.veracode.com/blog/intro-appsec/why-security-central-citizen-experience-part-3-helping-hand-private-sector)

Why Security is Central to Citizen Experience Part 2: The Changing Cyber Landscape of Government
(2022-10-24, https://www.veracode.com/blog/intro-appsec/why-security-central-citizen-experience-part-2-changing-cyber-landscape)

Why Mitigate Flaws to Manage Risk: Advice from an Application Security Consultant
(2022-10-21, https://www.veracode.com/blog/secure-development/why-mitigate-flaws-manage-risk-advice-application-security-consultant)

Why Security is Central to Citizen Experience Part 1: Lessons from a Federal Executive
(2022-10-20, https://www.veracode.com/blog/intro-appsec/why-security-central-citizen-experience-part-1-lessons-federal-executive)

Despite Lowest Software Flaw Frequency, Manufacturing's Fix Times Lag and Create Ransomware Risk
(2022-10-18, https://www.veracode.com/blog/research/despite-lowest-software-flaw-frequency-manufacturings-fix-times-lag-and-create)
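The supply-chain item above ("Securing the Software Supply Chain: Protecting Against Insecure Code Downloads") recommends package signing, vulnerability scanning and dependency tracking, but does not show what the consuming side has to check before an artifact is installed. The Python below is an added example, not code from the Veracode post: it verifies a downloaded artifact against a hash-pinned lockfile the way `pip install --require-hashes` does, rejecting anything that is unpinned, at a different version, or whose bytes do not match a pinned digest. The package name `examplelib`, the lockfile text and the artifact bytes are all constructed for the demo.

```python
"""Verify downloaded package artifacts against a hash-pinned lockfile.

Added example (not code from the Veracode post). It mirrors the checks
`pip install --require-hashes` performs: every requirement must be an
exact version pin with at least one --hash, and an artifact is accepted
only if its digest matches one of the pinned hashes. The lockfile and the
artifact bytes below are constructed for the demo.
"""
import hashlib
import re

# Constructed lockfile in pip's requirements format with --hash pins.
# The digest is computed from the constructed artifact bytes further down.
LOCKFILE = """
# generated by pip-compile --generate-hashes (constructed sample)
examplelib==1.4.2 \\
    --hash=sha256:{good_hash}
"""

REQ_LINE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")
HASH_OPT = re.compile(r"--hash=(\w+):([0-9a-fA-F]+)")


def parse_lockfile(text):
    """Return {name: (version, {algo: {hex digests}})}; unpinned lines are rejected."""
    pins = {}
    for logical in text.replace("\\\n", " ").splitlines():   # join line continuations
        line = logical.split("#", 1)[0].strip()               # drop comments
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"not an exact pin (name==version): {line!r}")
        name, version = m.group(1).lower().replace("_", "-"), m.group(2)
        hashes = {}
        for algo, digest in HASH_OPT.findall(line):
            hashes.setdefault(algo.lower(), set()).add(digest.lower())
        if not hashes:
            raise ValueError(f"no --hash pin for {name}")
        pins[name] = (version, hashes)
    return pins


def verify_artifact(pins, name, version, data):
    """True only if (name, version) is pinned and data matches a pinned digest."""
    key = name.lower().replace("_", "-")
    if key not in pins:
        return False        # not in the lockfile: typosquat or unreviewed dependency
    pinned_version, hashes = pins[key]
    if version != pinned_version:
        return False        # the resolver drifted to a release nobody reviewed
    for algo, digests in hashes.items():
        if hashlib.new(algo, data).hexdigest() in digests:
            return True
    return False            # bytes differ from what was locked (tampered or replaced)


# Constructed artifact bytes standing in for a downloaded wheel.
GOOD_ARTIFACT = b"PK\x03\x04 examplelib-1.4.2 (constructed wheel bytes)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# injected post-install hook"
PINS = parse_lockfile(LOCKFILE.format(good_hash=hashlib.sha256(GOOD_ARTIFACT).hexdigest()))


def demo():
    """Run the four cases a consumer-side check has to distinguish."""
    return {
        "good": verify_artifact(PINS, "examplelib", "1.4.2", GOOD_ARTIFACT),
        "tampered": verify_artifact(PINS, "examplelib", "1.4.2", TAMPERED_ARTIFACT),
        "wrong_version": verify_artifact(PINS, "examplelib", "1.4.3", GOOD_ARTIFACT),
        "typosquat": verify_artifact(PINS, "examplel1b", "1.4.2", GOOD_ARTIFACT),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:14s} {'accept' if ok else 'REJECT'}")
```

Only the "good" case is accepted; the lockfile itself is the review boundary, so the same check also refuses a requirement that is not an exact `name==version` pin or that carries no `--hash`, which is what keeps a transitive dependency from being upgraded silently.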
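The template-engine item above ("An Introduction to Secure Coding with Template Engines") describes Adobe's Magento hotfix, which strips `{{` and `}}` from input reaching two components, and asks how to use a template engine without introducing flaws. The Python below is an added example, not code from the post and not Magento's or any real engine's code; `render`, `AppConfig`, `secret_key` and the greeting functions are made up for the demo. The toy renderer only resolves `{{ name }}` and `{{ name.attr }}`, but it has the property that matters for every engine, Magento's templating system and Jinja2 or Twig alike: text that ends up in the template source is interpreted with the template's privileges, while text passed as context data is escaped and never parsed. That is why keeping user input out of the template source is a stronger fix than a delimiter denylist.

```python
"""Template injection: untrusted text in the template source vs. in the data.

Added example, not from the Veracode post and not Magento's code. The
renderer is a deliberately tiny stand-in for a real engine: it resolves
{{ name }} and {{ name.attr }} against a context dict. The vulnerable and
safe greeting functions differ only in WHERE the untrusted string goes.
"""
import html
import re

TAG = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


def render(template, context):
    """Replace each {{ dotted.name }} with the HTML-escaped looked-up value."""
    def lookup(match):
        obj = context
        for part in match.group(1).split("."):
            # dict keys first, then attribute access, like most engines
            obj = obj[part] if isinstance(obj, dict) else getattr(obj, part)
        return html.escape(str(obj))
    # re.sub scans the original template once; substituted values are not re-parsed
    return TAG.sub(lookup, template)


class AppConfig:
    # Constructed value; the kind of thing an injected expression exfiltrates.
    secret_key = "s3cr3t-signing-key"


CONTEXT = {"config": AppConfig(), "shop": "Example Store"}


def greet_vulnerable(customer_name):
    """Untrusted input is concatenated INTO the template source, so any
    {{ }} it contains is evaluated against the same context the app uses."""
    return render("Welcome to {{ shop }}, " + customer_name + "!", CONTEXT)


def greet_safe(customer_name):
    """Untrusted input is passed as DATA: it is escaped on output and never parsed."""
    return render("Welcome to {{ shop }}, {{ name }}!", {**CONTEXT, "name": customer_name})


def strip_braces(text):
    """Shape of the hotfix the post describes: remove the delimiters from input.
    A denylist like this only protects the components it is applied to and
    mangles legitimate input; it is a stopgap, not the fix."""
    return text.replace("{{", "").replace("}}", "")


if __name__ == "__main__":
    payload = "{{ config.secret_key }}"
    print("vulnerable:", greet_vulnerable(payload))
    print("safe:      ", greet_safe(payload))
    print("stopgap:   ", greet_vulnerable(strip_braces(payload)))
    print("xss as data:", greet_safe("<b>x</b>"))
```

Run as a script, the vulnerable path prints the secret, the safe path prints the attacker's braces literally, and the brace-stripping stopgap only works because this particular payload depends on the delimiters; the safe path also neutralises plain HTML injection because escaping happens at the output boundary.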