swsec Archives - Page 2 of 3

Software Cybersecurity Podcast

Posted on February 9, 2016 by Code Curmudgeon

My friend Kevin Greene is devoted to improving the state of software security in the United States and he’s passionate about it. Kevin now...

AutoSec Automotive CyberSecurity

Posted on February 2, 2016 by Code Curmudgeon

Last week with Alan Zeichick and I did a webinar for Parasoft on automotive cybersecurity. Now Alan thinks that cybersecurity is an odd term,...

Halloween Security Slashers Webinar

Posted on October 28, 2015 by Code Curmudgeon

I’m doing a Halloween themed Parasoft webinar this Friday on Stopping Software Security Slashers with Static Analysis. As always it’s a free webinar and...

Why We View AppSec Vulnerabilities As False

Posted on July 29, 2015 by Code Curmudgeon

I’d like to say a few things as a follow-up to my article on theoretical appsec vulnerabilities last week. The article generated some interesting...

‹ Prev 1 2 3 Next ›

Definitioner

CAN (Controller Area Network)

Controller Area Network aka CAN aka CAN Bus is a wiring standard for vehicles that enables communication between various components and devices without having a host computer. For example doors, brakes, transmission.

SAST

SAST is security testing that is done on source, byte-code, or binaries but without actually executing them - thus the "static" testing. Typically this includes things like software metrics, static code analysis and even peer review. SAST provides a white-box or inside view to the application. It can both find possible vulnerabilities and weaknesses by looking for anti-patterns as well as enforcing secure software engineering standards by looking for proper patterns.

false positive

A result that is incorrect. Strictly speaking, it means that the tool providing the answer got it wrong. Generally it has a broader usage, meaning an error message that the developer doesn't think is important or real, either because of context or misunderstanding by the developer.

static analysis

Any form of software analysis that can be done on the code without actually executing the code. Encompasses techniques like pattern-based analysis, metrics, code review, etc.