Category Archives: Security

Security related issues.

Static Analysis Webinars: AppSec and Prevention

Wednesday October 30th I’m doing the third part in the appsec static analysis webinar series for Parasoft. The topic for this session is “Strategies for Optimizing Application Security and Defect Prevention“. You can join for free online on Wednesday, October 30, 2013 10:00 AM – 10:30 AM PDT. Don’t forget to register here.

Your application security (appsec) and defect prevention strategy is either a liability or a competitive advantage. Even if you are seeing a good ROI from your static analysis implementation, exploring strategies for optimizing application security and defect prevention is still essential for ensuring lowered risk, increased productivity, and brand protection.

In this webinar, I will discuss how organizations can take a proactive approach to securing their applications with a comprehensive tool set that will help development managers and stakeholders sleep better.

I look forward to seeing you there.

Webinar: Getting ROI from Static Analysis

Next week I’m doing a static analysis webinar for Parasoft about “Getting More ROI from Static Analysis” on Tuesday October 15th at 10:00 AM Pacific. What I’ve been seeing is that a lot of people either don’t know how to determine the value they’re getting from static code analysis, or aren’t actually getting the value they need.
I’ll talk about some ways to make sure that you can maximize the value as well as measure it. It’s 30 minutes and free as always. Join us.

A lack of time, resources, or training often makes getting beyond basic static analysis implementations difficult. Development managers and stakeholders may not even realize that their current static analysis configurations are leaving a wealth of untapped risk-reducing options on the table, which may lead to abandoning the critical software quality practice.

In this webinar, Parasoft Static Analysis Expert Arthur Hicken will discuss tips and tricks for getting more value from your static analysis. Drawing from his 20+ years of field experience, Arthur aka CodeCurmudgeon will offer advice on using policy to connect static analysis to your business needs at the process level, which ensures that you get a better return on your static code analysis investment, while avoiding common pitfalls.

[Update – even if you missed this webinar you can still watch the recording by going to the registration link.]

Cloud Security Article in CrossTalk


CrossTalk has just published an article I wrote on cloud security in the September/October 2013 issue. The article is titled “Cloud Shifts the Burden of Security to Development“.

The abstract reads: The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Engineers are extremely well poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome.

The paper explores three ways to help development bear the burden of security that the cloud places on them:

  • Use penetration testing results to help engineers determine how to effectively “harden” the most vulnerable parts of the application.
  • Apply the emerging practice of “service virtualization” to provide engineers the test environment access needed to exercise realistic security scenarios from the development environment.
  • Implement policy-driven development to help engineers understand and satisfy management’s security expectations.

It’s an in-depth article with some practical suggestions for improving your code security in the cloud. If you’re not familiar with CrossTalk, it’s “The Journal of Defense Software Engineering” and is full of interesting articles but carries no advertising. Give it a try.

Hybrid Security Talk at Better Software Conference West

I’m speaking tomorrow at the Better Software Conference West at Caesars Palace in Las Vegas. If you’re going to be at the conference, come join in.

The topic is security and I’ll be talking about Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In. The basic idea is how to coordinate and get value from outside-in testing, such as penetration testing, and then relate those results back to development efforts such as unit testing and static analysis.

If you can’t make the session, feel free to stop by our booth; I’m also doing one of the Q&A sessions on Thursday at 10:15 am. Hope to see you there.