Problem solve

Secure software development

• How to prevent buffer overflow attacks

  Read up on types of buffer overflow attacks, and learn secure coding best practices that prevent such vulnerabilities, as well as post-deployment steps to keep apps and websites safe. Continue Reading

• How to encrypt and secure a website using HTTPS

  The web is moving to HTTPS. Find out how to encrypt websites using HTTPS to stop eavesdroppers from snooping around sensitive and restricted web data. Continue Reading

• How concerned should I be about a padding oracle attack?

  Padding oracle attacks have long been well-known and well-understood. Find out how they work and why using modern encryption protocols can reduce the risks. Continue Reading

• What issues can arise from hardware debug exception flaws?

  Misinterpretation of Intel's System Programming Guide resulted in a hardware debug exception vulnerability. Expert Michael Cobb explains how attackers can gain unauthorized access. Continue Reading

• Secure code review tips: How many review rounds are needed?

  Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading

• Foxit Reader vulnerabilities: What can be done to mitigate them?

  Two critical, zero-day Foxit Reader vulnerabilities haven't been patched and pose a threat to enterprises. Judith Myerson explains the vulnerabilities and how to mitigate them.Continue Reading

• How can DevOps application lifecycle management protect digital keys?

  Better DevOps application lifecycle management can help protect cryptographic and digital keys. Expert Judith Myerson explains the right approaches to secure DevOps.Continue Reading

• Why the citizen developer trend is bugging infosec teams

  Automated tools are making it easier for citizen developers to build and deploy applications quickly. But is that a good thing for enterprise security teams?Continue Reading

• Building an application security program: Why education is key

  Education and training are crucial parts of a strong application security program. Sean Martin explains how enterprises should build these elements into their programs.Continue Reading

• How can common mobile application security risks be reduced?

  A new Veracode report offers details on common mobile application security risks. Expert Michael Cobb explains these flaws, and what developers can do to reduce them.Continue Reading

• How can software transplants fix bad code?

  Copying and pasting bad code into an application is a big problem for developers, but software transplants can help. Expert Michael Cobb explains the technology.Continue Reading

• Code security: Can a continuous delivery model be secured?

  Continuous code delivery is critical in certain scenarios, but it's not always the most secure approach. Michael Cobb explains how to secure code in a continuous delivery model.Continue Reading

• McGraw: Seven myths of software security best practices

  According to expert Gary McGraw, you're not helping yourself by believing the things -- all seven of them -- you've heard about secure software development.Continue Reading

• Formal verification is the oldest new game in town

  Security gamification puts formal verification back in play.Continue Reading

• Are HTML5 mobile apps an enterprise security concern?

  Gartner predicts more than half of all mobile apps will use HTML5 by 2016, but what threats will this cause the enterprise? Expert Michael Cobb discusses.Continue Reading

• Is RASP the answer to secure software delivery?

  Traditionally, ensuring secure software delivery has meant relying on static scanning and dynamic fuzzing. There’s now an alternative: the runtime application self-protection, or RASP, method. This ISM Insider Edition looks at all that's gone...Continue Reading

• Algorithm substitution attacks: Ensuring encryption algorithm security

  Algorithm substitution attacks can decrypt secure communications and potentially expose enterprise data in plaintext. Learn how to mitigate the threat.Continue Reading

• Preventing SQL injection attacks when using outsourced developers

  SQL injection attacks continue to plague enterprises. However, performing audit code validation when using outsourced developers can be a challenge. Expert Nick Lewis explains how to prevent these attacks.Continue Reading

• The value of compliance-ready Web application security assessments

  Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.Continue Reading

• Sandboxing security: A cure-all strategy for virtual environments?

  Sandboxing is a limited technology. Expert Brad Casey explores the margins and supplemental products organizations can use in virtual environments.Continue Reading

• App security: Decompiling Android APK files

  Find hidden malware or security weaknesses by decompiling Android applications into Java source code.Continue Reading

• How to develop software the secure, Gary McGraw way

  Building security into the software development process lowers both risks and costs in the long term. This collection explains how it can be done.Continue Reading

• How to advocate the benefits of information security threat modeling

  Expert Nick Lewis discusses how best to advocate the benefits of a new security initiative like threat modeling to the key enterprise players.Continue Reading

• Open source code reuse: What are the security implications?

  Reusing open source code can present a security risk. Application security expert Michael Cobb explains why and how to protect applications.Continue Reading

• The 2013 OWASP Top 10 list: What's changed and how to respond

  Expert Michael Cobb highlights the changes made in the 2013 OWASP Top 10 list, including new vulnerabilities and what they mean for enterprises.Continue Reading

• Open source code management: How to safely use open source libraries

  Expert Michael Cobb explains why enterprises need better open source code management to negate the security risks posed by open source libraries.Continue Reading

• Why securing internal applications is as important as Web-facing apps

  Securing internal applications requires the same due diligence as their Web-facing counterparts. Expert Michael Cobb explains why.Continue Reading

• Application security risks posed by open source Java frameworks

  Expert Michael Cobb says security issues with open source Java applications have more to do with misconfigurations than the frameworks themselves.Continue Reading

• The effects of secure application development practices

  Selling the CIO and others on secure application development requires understanding how it will impact the development process.Continue Reading

• Use the Android static analysis tool Dexter to safely deploy apps

  Video: Keith Barker of CBT Nuggets demos Dexter, the Android static analysis tool that examines and securely deploys Android applications.Continue Reading

• Remediation planning for Ruby on Rails security vulnerabilities

  The recent Ruby on Rails security vulnerabilities can be patched. Expert Michael Cobb discusses the fallout and offers help with remediation planning.Continue Reading

• Is sandboxing the answer to Adobe Acrobat, Adobe Reader security woes?

  Expert Michael Cobb assesses the impact of sandboxing on Adobe Acrobat and Adobe Reader security. Can enterprises trust Adobe's new security methods?Continue Reading

• How to negate business logic attack risk: Improve security in the SDLC

  Expert Nick Lewis details the threat posed by business logic attacks and how stressing the importance of security in the SDLC can reduce that threat.Continue Reading

• Implement software development security best practices to support WAFs

  WAFs aren't a panacea for all Web security woes. Software development security best practices are still vital. Expert Michael Cobb discusses why.Continue Reading

• Replace technical debt-laden Adobe Reader with alternative PDF readers

  Adobe Reader's technical debt may pose too great a security risk for some enterprises. Security expert Nick Lewis advises turning to alternative PDF readers.Continue Reading

• H.264 vs Flash: Using the H.264 codec as a secure Flash alternative

  Can the H.264 video codec serve as a more secure Flash alternative? Expert Nick Lewis provides a security breakdown of H.264 vs Flash.Continue Reading

• HTML5 security: Will HTML5 replace Flash and increase Web security?

  Will HTML5 replace Flash? Expert Michael Cobb discusses whether HTML5 security is better than Flash, and why HTML5 traffic can be harder to secure.Continue Reading

• An intro to free Microsoft security tools for secure software development

  Free Microsoft security tools Threat Modeling, MiniFuzz and RegExFuzz are designed to help developers build secure software.Continue Reading

• How to secure websites using the HSTS protocol

  Learn how to use HTTP Strict Transport Security (HSTS) to secure websites and how HSTS prevents man-in-the-middle attacks.Continue Reading

• Windows ASLR: Investing in your secure software development lifecycle

  Implementing Windows ASLR can be a worthwhile investment in your enterprise’s secure software development lifecycle.Continue Reading

• What is a virtual directory? The essential application deployment tool

  What is a virtual directory? As expert Michael Cobb explains, it can be an extremely helpful secure application deployment tool.Continue Reading

• Java Virtual Machine architecture: Applet to applet communication

  In a Java Virtual Machine architecture, is it possible for two machines to communicate with one another? Expert Michael Cobb describes how the applet-to-applet communication process works.Continue Reading

• Managing application permissions through isolated storage

  Application permissions are essential in securing application data. Learn how isolated storage allows secure, controlled access to application files.Continue Reading

• Secure coding best practices: PHP and programming language security

  Michael Cobb explains how proper secure coding training is much more important than PHP programming language security.Continue Reading

• How to mitigate the risk of a TOCTTOU attack

  Are TOCTTOU attacks, exploiting time-of-check-to-time-of-use race conditions, a threat to your enterprise file systems? Expert Michael Cobb discusses the dangers and how to mitigate them.Continue Reading

• UTM features: Is a UTM device right for your layered defense?

  Expert Mike Chapple explores what features a contemporary UTM device provides, and explains the factors that help determine UTM total cost of ownership.Continue Reading

• Can threat modeling tools help with securing mobile applications?

  When developing enterprise applications, do you know the quickest way to bridge the gap between an information security team and a development group?Continue Reading

• Creating a third-party security policy to prevent a software exploit

  Third-party software vulnerabilities are one of the most likely attack vectors in the information security landscape today. In this expert response, Nick Lewis discusses how to prevent these vulnerabilities from becoming exploits.Continue Reading

• Static source code analysis tools: Pros and cons

  Static source code analysis tools can greatly improve application security, but it takes knowledge and expertise to use them correctly. Expert Michael Cobb explains why.Continue Reading

• Is it safe to use third-party code when developing database applications?

  Michael Cobb explains how you can safely use third-party code, such as DLLs, when developing database applications.Continue Reading

• Securing naming and directory services for application defense-in-depth

  There are several aspects of naming and directory services when it comes to security. In this tip, part of the SearchSecurity.com Application Security School lesson, learn how to secure LDAP, as well as how application security teams can work with ...Continue Reading

• Improving software with the Building Security in Maturity Model (BSIMM)

  Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)?Continue Reading

• Tips for writing secure SQL database code

  Writing secure code is always a challenge, but it is particularly necessary for SQL databases that would otherwise be vulnerable to SQL injection attacks. Get tips on how to write secure SQL database code in this expert response.Continue Reading

• How to detect software tampering

  In their book Surreptitious Software, authors Christian Collberg and Jasvir Nasvir reveals how to tamperproof your software and make sure it executes as intended.Continue Reading

• Should security tests be part of a software quality assurance program?

  Application security expert Michael Cobb reviews the essentials of any software quality assurance process.Continue Reading

• Does an EULA make it truly illegal to decompile software?

  Michael Cobb explores a legal minefield: the legality of software decompilation.Continue Reading

• Verifying the security of software with static and dynamic verification

  Secure software is critical to all businesses, and security verification is an important part of that process. In this expert response, learn the difference between static and dynamic verification of security in software engineering.Continue Reading

• Common PCI questions: Web application firewalls or source code review?

  Is it better to use Web application firewalls, automated source code security reviews or vulnerability scans? Michael Cobb reviews your options.Continue Reading

• Fuzzing tool helps Oracle DBAs defend against SQL injection

  A new open source fuzzing tool is available to test PL/SQL applications for security vulnerabilities. The free tool was developed by database security vendor Sentrigo.Continue Reading

• Should static analysis be a part of the software development process?

  When the cost of addressing security issues increases as the software design lifecycle proceeds, see why expert Michael Cobb says that using static analysis early on can benefit your bottom line.Continue Reading

• How can quality assurance tools aid software development?

  There are an increasing number of tools aimed at improving software quality control and assurance, and they can certainly play a role in producing higher quality software. In this expert Q&A, Michael Cobb explains why the QA products may not be ...Continue Reading

• How can gap analysis be applied to the security SDLC?

  When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis into software development, and how it can help stop data leaks at your enterprise.Continue Reading

• Which automated quality assurance tools can be used to test software?

  If your application development process is not yet addressing security at all six phases of the lifecycle, now is the time to start. Application security expert Michael Cobb explains which quality assurance tools can help.Continue Reading

• Best practices for using restriction policy whitelists

  Ed Skoudis discusses which systems should be considered for software restriction policy whitelists, and unveils how whitelisting can improve security.Continue Reading

• What software development practices prevent input validation attacks?

  Improper input validation leads to numerous kinds of attacks, including cross-site scripting, SQL injection and command injection. In this expert Q&A, Michael Cobb reviews the most important application development practices.Continue Reading

• Cross-build injection attacks: Keeping an eye on Web applications' open source components

  Web application developers' growing dependence on open source components has opened the door for attackers to insert malicious code into applications even as they are being built. Michael Cobb explores the emerging attack method called cross-build ...Continue Reading

• Can fuzzing identify cross-site scripting (XSS) vulnerabilities?

  Fuzzing may find weaknesses in software, but the testing process can't find every flaw. Ed Skoudis explains what other tools are necessary when looking for cross-site scripting vulnerabilities.Continue Reading

• How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities

  For years, many have said that there is no practical way to exploit a dangling pointer, a common application programming error. But these software bugs should no longer be thought of as simple quality-assurance problems. Michael Cobb explains how ...Continue Reading

• Should third-party software tools be used to customize applications?

  Many features and functions required for today's network-ready applications can be purchased at a fraction of the cost that it would take to build them independently. But are they safe enough? Application security expert Michael Cobb explains.Continue Reading

• Should fuzzing be part of the secure software development process?

  Fuzzing, a common software-testing method, should not be your only vulnerability assessment technique. In this SearchSecurity.com Q&A, Michael Cobb reviews how passing a fuzz test does not always mean that a program is bug-free.Continue Reading

• Dynamic code obfuscation: New threat requires innovative defenses

  Dynamic code obfuscation used to be a taxing effort, but now even the most junior-level malicious hackers have learned how to effectively hide their code. In this tip, Michael Cobb examines how dynamic code obfuscation works, why it's on the rise ...Continue Reading

• Ten dos and don'ts for secure coding

  Security practitioners should understand how developers introduce security vulnerabilities into applications and work to support the developers in improving code quality and security. Encouragement and support for improvement must be a fundamental ...Continue Reading

• Java programming resources

  Find Java-specific resources here.Continue Reading

• Checklist for building better software

  Learn how to reduce the number of security vulnerabilities introduced to software during the development process.Continue Reading

• Security issues of using shared code

  Security pros need to be aware of code that is being "borrowed" for custom applications.Continue Reading

• Software Forensics: Chapter 2 -- The Players: Hackers, Crackers, Phreaks, and Other Doodz

  This chapter examines the players involved in software forensics.Continue Reading

• How do we protect development code from being stolen over the Internet?

  Continue Reading

• Oracle's Mary Ann Davidson: Secure coding? Absolutely!

  Mary Ann Davidson, CSO of Oracle, responds to Andy Briney's commentary on secure coding.Continue Reading

• Exploiting Software: How to Break Code, Chapter 7 -- Buffer Overflow

  This excerpt is from Chapter 7, Buffer Overflow of Exploiting Software: How to Break Code written by Greg Hoglund and Gary McGraw.Continue Reading

• Secure software: The source of the problem is the solution

  The solution to almost all insecure coding is right before our very eyes. Programmers just need to take the proper precautions and carefully write out the code.Continue Reading

• Secure coding essential to risk mitigation planning

  Information Security magazine's editorial director Andrew Briney talks about the lack of incentive for making code more secure.Continue Reading

• The security costs of outsourcing software development

  Before outsourcing software development, enterprises should make sure they perform due diligence and understand the associated security costs.Continue Reading

• Security in the software development life cycle

  Small changes in the software development life cycle can substantially improve security without breaking the bank or the project schedule.Continue Reading

• Educational growth in security industry for developer

  Continue Reading

• Most secure method for allowing remote access to source code

  Continue Reading

• Secure reads: Building Secure Software

  Building Secure Software covers new vulnerabilities and explains how software vendors can stop attacks with secure coding practices.Continue Reading

• Access control issues: The unsolvable problem

  Access control issues can be remedied when properly implemented tools are used and today's developers avoid the mistakes made by their predecessors.Continue Reading

• Software security standards

  Continue Reading

• Developing security applications with Java

  Continue Reading