appsec – Page 4 – Code Curmudgeon

Why We View AppSec Vulnerabilities As False

Posted on July 29, 2015 by Code Curmudgeon

I’d like to say a few things as a follow-up to my article on theoretical appsec vulnerabilities last week. The article generated some interesting...

Unscientific AppSec Pain Poll

Posted on July 28, 2015 by Code Curmudgeon

Here’s another one of my completely unscientific polls – this time about AppSec. I find it interesting to know what others think about these...

Theoretical AppSec Vulnerabilities

Posted on July 23, 2015 by Code Curmudgeon

As you’re well aware cybersecurity and appsec incidents are a regular feature in the news. I try to avoid jumping immediately on the analysis...

Closing the Barn Door – Software Security

Posted on October 23, 2014 by Code Curmudgeon

In the second part of my series on what we can do to contain and combat the recent rash of security breaches I’d like...

‹ Prev 1 2 3 4 5 Next ›

Definitioner

CWE: CWE stands for "Common weakness enumeration" and is a way to define a particular security issue in programming code. CWE is a security effort lead by the US government and industry to define a taxonomy for coding problems that lead to security vulnerabilities. Each vulnerability reported has an CVE ID and should be linked to the underlying CWEs that lead to the issue. There are currently approximately 800 items defined in CWE and efforts are underway to map their technical impacts to what kinds of problems the weakness may cause, as well as ISO 27010. CWE is often known for it's CWE Top 25 and On the Cusp lists of the most common software security problems. See https://cwe.mitre.org
CAN (Controller Area Network): Controller Area Network aka CAN aka CAN Bus is a wiring standard for vehicles that enables communication between various components and devices without having a host computer. For example doors, brakes, transmission.
denial-of-service: Attackers try to make a computer, network, or application unavailable to end-users. For example by overloading it with too much traffic as in a distributed denial of service.
code review: Code review is a process where programmers look at each others code and evaluate it's fitness for the intended purpose. It can find mistakes in design and implementation beyond simple syntax problems and improve quality.
peer code review (code review): Code review is a process where programmers look at each others code and evaluate it's fitness for the intended purpose. It can find mistakes in design and implementation beyond simple syntax problems and improve quality.
BASIC: Beginners All Purpose Symbolic Instruction Code. A programming language designed specifically for beginners.
static analysis: Any form of software analysis that can be done on the code without actually executing the code. Encompasses techniques like pattern-based analysis, metrics, code review, etc.