Category Archives: Security

Security-related issues.

Webinar: Getting ROI from Static Analysis

Next week I’m doing a static analysis webinar for Parasoft about “Getting More ROI from Static Analysis” on Tuesday October 15th at 10:00 AM Pacific. What I’ve been seeing is that a lot of people either don’t know how to determine the value they’re getting from static code analysis, or aren’t actually getting the value they need.
I’ll talk about some ways to make sure that you can maximize the value as well as measure it. It’s 30 minutes and free as always. Join us.

Invitation:

A lack of time, resources, or training often makes getting beyond basic static analysis implementations difficult. Development managers and stakeholders may not even realize that their current static analysis configurations are leaving a wealth of untapped risk-reducing options on the table, which may lead to abandoning the critical software quality practice.

In this webinar, Parasoft Static Analysis Expert Arthur Hicken will discuss tips and tricks for getting more value from your static analysis. Drawing from his 20+ years of field experience, Arthur aka CodeCurmudgeon will offer advice on using policy to connect static analysis to your business needs at the process level, which ensures that you get a better return on your static code analysis investment, while avoiding common pitfalls.

[Update – even if you missed this webinar you can still watch the recording by going to the registration link.]

Cloud Security Article in CrossTalk

Pack Horse and Cowboy

CrossTalk has just published an article I wrote on cloud security in the September/October 2013 issue. The article is titled “Cloud Shifts the Burden of Security to Development”.

The abstract reads: The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Engineers are extremely well poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome.

The paper explores three ways to help development bear the burden of security that the cloud places on them:

  • Use penetration testing results to help engineers determine how to effectively “harden” the most vulnerable parts of the application.
  • Apply the emerging practice of “service virtualization” to provide engineers the test environment access needed to exercise realistic security scenarios from the development environment.
  • Implement policy-driven development to help engineers understand and satisfy management’s security expectations.

It’s an in-depth article with some practical suggestions for improving your code security in the cloud. If you’re not familiar with CrossTalk, it’s “The Journal of Defense Software Engineering” and is full of interesting articles but carries no advertising. Give it a try.

Hybrid Security Talk at Better Software Conference West

I’m speaking tomorrow at the Better Software Conference West at Caesars Palace in Las Vegas. If you’re going to be at the conference, come join in.

The topic is security and I’ll be talking about Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In. The basic idea is how you coordinate and get value from outside-in testing like penetration testing, and then relate those findings to development efforts like unit testing and static analysis.

If you can’t make the session, feel free to stop by our booth; I’m also doing one of the Q&A sessions on Thursday at 10:15 AM. Hope to see you there.

SQL Injection Hall of Shame updated

Just a reminder for those who aren’t aware – I maintain a list here I like to call the “SQL Injection Hall of Shame”. There was a quiet period at the first of the year, but now we seem to be back at it. I’ve added a couple of updates – one a large breach that was probably SQL injection and one a small one in healthcare that was for sure.

CodeCurmudgeon’s SQL Injection Hall of Shame

Check it out and let me know if I’ve missed any security breaches that you’re aware of.
