Category Archives: Security

Security related issues.

Cloud Security Article in CrossTalk

Pack Horse and Cowboy
Pack Horse

Crosstalk has just published an article I wrote on cloud security in the September/October 2013 issue. The article is titled “Cloud Shifts the Burden of Security to Development“.

The abstract reads: The move to the cloud brings a number of new security challenges, but the application remains your last line of defense. Engineers are extremely well poised to perform tasks critical for securing the application—provided that certain key obstacles are overcome.

The paper explores three ways to help development bear the burden of security that the cloud places on them:

  • Use penetration testing results to help engineers determine how to effectively “harden” the most vulnerable parts of the application.
  • Apply the emerging practice of “service virtualization” to provide engineers the test environment access needed to exercise realistic security scenarios from the development environment.
  • Implement policy-driven development to help engineers understand and satisfy management’s security expectations.

It’s an in-depth article with some practical suggestions for improving your code security in the cloud. If you’re not familiar with Crosstalk, it’s “The Journal of Defense Software Engineering” and is full of interesting articles but carries no advertising. Give it a try.

Hybrid Security Talk at Better Software Conference West

Better Software Conference West I’m speaking tomorrow at the Better Software Conference West at Caesars Palace in Las Vegas. If you’re going to be at the conference come join in.

The topic is security and I’ll be talking about Hybrid Security Analysis: Bridging the Gap between Inside-Out and Outside-In. The basic idea is how you coordinate and get value from the outside testing like penetration testing and then relate it to development efforts like unit test and static analysis.

If you can’t make the session, feel free to stop by our booth, plus I’m doing one of the Q&A sessions on Thursday at 10:15am as well. Hope to see you there.

SQL Injection Hall of Shame updated

Shameful Eyes Just a reminder for those who aren’t aware – I maintain a list here I like to call the “SQL Injection Hall of Shame“. There was a quiet period at the first of the year, but now we seem to be back at it. I’ve added a couple of updates – one a large breach that was probably SQL injection and one a small one in healthcare that was for sure.

CodeCurmudgeon’s SQL Injection Hall of Shame

Check it out and let me know if I’ve missed any security breaches that you’re aware of.

Resources

Development Testing for Compliance Seminar in DC

412748_EventImage
I’m doing a free seminar next week in the DC area “Development Testing can help you comply with government regulations and security guidelines”. Entry is free and you can register here

This will be an informative lunch seminar on Thursday, May 16th from 10am to 12pm at FCN, Inc in Reston, VA. During this event we will be discussing trends, strategies and best practices for NIST compliance.

Discover how to best utilize your company investments to deliver compliance throughout your organization. Participate in a presentation by industry expert Arthur Hicken as he facilitates a discussion on how to continuously integrate software quality into the development process with Parasoft’s comprehensive Development Testing platform.

What you will learn:

  • Consistently apply static analysis, unit testing, peer code review, coverage analysis, runtime error detection, etc.
  • Accurately and objectively measure productivity and application quality
  • Drive the development process in the context of business expectations – for what needs to be developed as well as how it should be developed
  • Gain realtime visibility into how the software is being developed and where it is satisfying expectations
  • Reduce costs and risks across the entire SDLC

Following the presentation Parasoft will demonstrate Parasoft’s development testing solutions for C/C++, Java and .Net applications.

Hope to see you there. If you’ve always wanted to meet the CodeCurmudgeon in person, sign up here.