- Hybrid Analysis - The Answer to Static Code Analysis Shortcomings: Given my previous article and the buzz it generated (both for and against the ideas I set forth)... I needed to hurry up and write the follow-on article for "Static Code Analysis Failures". I've had so many conversations with people about Hybrid Analysis, and "why static
- ComputerWorld is running an article from Paul Ferguson of TrendMicro claiming that there is a massive hack going on as you read this - via the phpBB bulletin-board software. Truth be told, phpBB has been known to be bug-ridden over the years (simply Google "phpBB vulnerability" and you'll get more than you wanted), but I believe that these
- Static code analysis failures are costing enterprises money and reputation. White-box security testing is inherently a flawed proposition for many reasons, but it all comes down to a very simple concept: Machines do not execute source code, they execute machine code (compiled code). --Paul Anderson (GrammaTech) If you think this through for a minute
- It's a classic problem of which came first... the chicken or the egg? politics or corruption? security or compliance? While I admit it's not such a strange thing to see the two groups working together these days... I would like to point out some of the issues that I've come across between these two very important groups in today's enterprises
- For those of you who keep up with the PCI DSS standard, the council today has issued an update titled: Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified. The standard item 6.6 has been further clarified in one of two options, as before, being either Application Code Reviews or an Application Firewall. I'll
- It's 2:34am, local time. You're snoring up a storm after a hard day at the office. You've patched all your servers, your lockdown scripts have been verified, and your IDS is humming along perfectly. Oh, and by the way, someone named "R0kk1t" just stole your customer database. A quick check of the "Security Dashboard"
- It's the words that keep IT Security Managers up at night - "We have a problem, I think we've been hacked". Of course, there are a few possible responses... Acknowledge Responsibly - You can acknowledge what has happened, open an investigation, and communicate with the public and your customers. While this may be initially bad PR, in
- Over the last 8 years in IT Security, I've had at least a professional interest in the idea of penetration testing, and the opinion of this service has evolved as the IT Security market niche matures and grows. I wanted to take a minute to discuss it with the readers out there, and maybe solicit some opinions on the topic if you're willing to
- It's one of those obvious things. A defect is a defect, right? Whether the airbag is faulty, or the gas cap doesn't hold pressure... a defect is a defect. The strange thing is - it hasn't been that way, and still isn't that way, in most of the IT shops I've been in. Why? The reason is simple. Historically, security vulnerabilities
- First, let me say thanks for clicking and taking a minute to read my column. I hope to keep your attention while teaching you something you hopefully don't already know, so come back often, bookmark me, or feed it into your RSS reader. Let me use this first article to explain the types of content you'll find in this column, and some of my thought