Defense in Depth: Why You Need DAST, SAST, SCA, and Pen Testing
When it comes toツ?applicationツ?security (AppSec),ツ?most experts recommend usingツ?Dynamic Application Security Testingツ?(DAST)ツ?andツ?Static Application Security Testingツ?(SAST)ツ?as ???complementary??? approaches for robust AppSec. However, these experts rarely specifyツ?howツ?to run them in a complementary fashion.ツ? At Veracode, we use SAST, DAST,ツ?SCA,ツ?andツ?penツ?testing as theツ?fourツ?pillars of ourツ?defenseツ?in-depthツ?strategy to deliver a ???secure-by-design??? AppSec methodology across the entireツ?softwareツ?developmentツ?lifeツ?cycle.ツ?ツ? Manualツ?penetrationツ?testingツ? ... Read More
How to Secure Single-Page Applications
Let???s face it; consumers??? attention spans are getting shorter by the day. Gone are the days of people willing to wait several minutes for a clunky website with a poor user experience to load. In fact, 47 percent of users expect the average page to load in less than 2 ... Read More
Security and Development Agree, Coordinated Disclosures Are a Public Service
Shifting security left so that security testing becomes an integrated part of the development process helps companies improve software security. With software running our world, it is important to empower developers with the tools and processes they need to make security a part of their overall development process. Yet, even ... Read More
Veracode Customers Improve Mean Time to Remediation by 90%
Bill Gates is well known for treating time as a scarce resource, and in 1994, John Seabrook published a piece in The New Yorker detailing an email exchange he carried on with the famous technologist. Seabrook notes that Gates’ reverence for time was evident in his correspondence – skipping salutations ... Read More
Veracode Now Available on the Digital Marketplace G-Cloud UK
There is a deepening awareness that cyberthreats can never be eliminated completely, and digital resilience is an absolute necessity – and this is true for both private and public sector organizations and agencies. With this understanding, the UK Government created its G-Cloud Framework, which has transformed the way that public ... Read More
New Research: Apache Solr Parameter Injection
Apache Solr is an open source enterprise search platform, written in Java, from the Apache Lucene project. Its major features include full-text search, hit highlighting, faceted search, dynamic clustering, and document parsing. You treat it like a database: you run the server, create a collection, and send different types of ... Read More
Live From Black Hat USA: Making Big Things Better the Dead Cow Way
When Reuters’ investigative reporter Joseph Menn confirmed that presidential candidate Beto O’Rourke was an early member of The Cult of the Dead Cow (cDc), it seemed as though folks had two viewpoints on it. They either had more respect for him because they understood what cDc was trying to accomplish, ... Read More
Live From Black Hat USA: The Inevitable Marriage of DevOps & Security
During her briefing with Kelly Shortridge, vice president of product strategy at Capsule8, Dr. Nicole Forsgren, research and strategy at Google, did a beautiful job of adding imagery to the story she told of the attendee reactions during the now-famous talk Paul Hammond and John Allspaw gave at Velocity in ... Read More
Live From Black Hat USA: Four Key Takeaways from Dino Dai Zovi’s Keynote
"Did you know that your 20th Black Hat is when you get to give the keynote at Black Hat?" Dino Dai Zovi, head of security for Cash App at Square, joked to the packed ballroom. While it may have been Dai Zovi's 20th conference, the topic of his keynote has ... Read More
Live From Black Hat USA: Communication’s Key Role in Security
The kick-off keynote for the 23rd Black Hat USA Conference in Las Vegas set the stage for the conversations that will undoubtedly be discussed in great detail over the next two days - and likely the next two years - if Black Hat founder Jeff Moss’ opening remarks are indicative ... Read More
