Entries Tagged as 'Application Security'
Are Web Application Security Testing Tools a Waste of Time and Money?
August 25th, 2009 · 12 Comments
My previous post on the value of linking web application vulnerability scanning tools with web application firewalls generated a lot of discussion. Take a look through the post and the lengthy comment string.
Let me state up front that I firmly believe we should change our development processes (and developer culture) to produce more secure code. [...]
Tags: Application Security
For Static Application Security Testing, Frameworks Matter
August 21st, 2009 · No Comments
All static application security testing (SAST) tools work in basically the same way – they generate an intermediate representation (model) of the application that they then analyze for conditions indicative of a security vulnerability. For clients, our in-depth research on the SAST tool vendors is in this research note.
However, just because a SAST vendor supports [...]
Tags: Application Security
Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls
August 19th, 2009 · 25 Comments
If a web application security testing tool tells me I have a vulnerability in an application, what do I do? “Fix it” is the right answer, but not always so easy if my development organization is backlogged or, worse, I don’t have access to the source code. Another answer is to shield the application from [...]
Tags: Application Security · Next-generation Security Infrastructure
Security Thought for Tuesday: Cloud Computing Should be a More Secure Model
August 11th, 2009 · 8 Comments
A computing paradigm based on the exchange and execution of arbitrary code is inherently risky. Yet, that’s pretty much the foundation of what we do today with personal computers. Consider that this model is the primary reason we pay billions of dollars to AV vendors to scan our machines for known malicious executable code. Consider that [...]
Tags: Application Security · Beyond Anti-Virus · Cloud · Information Security
Another Excellent Application Security Maturity Model
August 4th, 2009 · 2 Comments
As I talked about in this post, I am a proponent of maturity models in general as they help organizations understand that there is a progression of capabilities as organizations become more proficient in a discipline (in this case application security/assurance). Maturity models help people understand that changing people and processes takes time; it’s never [...]
Tags: Application Security
IBM Acquires Ounce Labs
July 28th, 2009 · No Comments
Our full analysis of the acquisition will be published for clients shortly along with advice for customers of Ounce Labs and IBM’s Rational software offerings. IBM acquired a leading dynamic application security testing tool with Watchfire in 2007. With the acquisition of Ounce announced today, IBM adds a lesser known (smaller, but still positioned as [...]
Tags: Application Security
Byte Code Analysis is not the Same as Binary Analysis
July 24th, 2009 · 5 Comments
I’ve posted many times on the importance of application security. Recently, my colleague Joseph Feiman and I published a magic quadrant for static application security testing tools – rating the vendors and tools that analyze an application from the “inside out” looking for coding conditions indicative of a security vulnerability. In the research we describe [...]
Tags: Application Security
Security No-Brainer #7: If You Have Intellectual Property Embedded in Software, Protect it.
July 7th, 2009 · 5 Comments
I saw this in an article today on Bloomberg:
July 7 (Bloomberg) — Goldman Sachs Group Inc. may lose its investment in a proprietary trading code and millions of dollars from increased competition if software allegedly stolen by a former employee gets into the wrong hands, a prosecutor said.
Full details of the theft were not disclosed, [...]
Tags: Application Security
We Are Toast (II)
May 19th, 2009 · No Comments
In a previous post, I discussed IBM’s latest X-Force malware report that showed a significant increase in disclosed web application vulnerabilities (one of those curves that is heading geometrically upwards).
Here’s a similarly sobering chart from the latest Symantec Internet Threat Report:
In 2008, 63 percent of identified vulnerabilities affected Web applications. This is an increase over [...]
Tags: Application Security
Security No-Brainer #4: EV-Certificates for ISVs
May 1st, 2009 · 2 Comments
Let me summarize my security no-brainers to date:
The first was in reference to a global, industry-wide effort to create a shareable, standards-based application whitelist database built directly from feeds from ISVs.
The second was in reference to the use of whitelisting in the hypervisor/VMM (especially the “parent” or Dom0 partition) layer to prevent the execution of [...]