Security News


Q&A: A look at static binary analysis and better app security

ADT's Programmers Report occasionally looks at security issues from the point of view of source code analysis and better coding practices. We recently met with Chris Wysopal, vice president of R&D for @stake Inc., and thought he had a different take on this issue. What follows are excerpts from an e-mail interview.

The Security Cycle

A recent security vulnerability suggests that maybe the once-a-month Microsoft patch cycle wasn't such a good idea after all.

Briefing: Fortify Software

Fortify Software offers a high-end static analysis tool set dedicated to checking security issues.

All That JAAS

JAAS is based on the Pluggable Authentication Modules model and provides authentication and authorization services. Check out its many security benefits for Java applications.

At TechEd: Longhorn can wait: Security patch for XP is priority

Microsoft is urging developers working on or maintaining applications running on Windows XP to get up to speed on Service Pack 2 (SP2), currently at Release Candidate 1 (RC1).

WS-I Security Spec set for public comment

The Web Services Interoperability (WS-I) Organization has released the working-group draft of its Basic Security Profile for public comment.

The danger of the magpie developer

There are lots of ways to think about good software. Is the balance seriously off in recent years?

Security steps for developers

Don't leave application security for tomorrow.

Gartner says budget for Sasser, other worms raising costs

Malicious exploitations of Windows vulnerabilities have become such a common occurrence that Gartner is advising its Windows-using customers to plan for them in their budgets.

Authors provide black-hat insights into security

Since 1996, security guru Dr. Gary McGraw has been admonishing software developers to consider threats and vulnerabilities early in the development cycle. For attackers, it's all about getting to exploitable code, McGraw believes, which ultimately puts the security onus on programmers.

Review: CAS/Tester

CAS/Tester is an innovative product for the .NET developer that shows how your code will react under a variety of security limitations.

HP extends 'Adaptive Enterprise' with TruLogica buy

Hewlett-Packard (HP) Co. last week signed a definitive agreement to buy TruLogica, a Dallas-based provider of identity management software. HP plans to integrate the privately owned company's ID management technology into its OpenView Select Access software to form "a complete federated identity management offering."

The shifting sands of Windows

Windows XP Service Pack 2 is coming. Are you ready to rewrite your applications...again?

Sanctum and Mercury integrate security, QA tools

Web application security software vendor Sanctum Inc., Santa Clara, Calif., has announced a partnership with Sunnyvale, Calif.-based Mercury Interactive Corp. to integrate security testing tools into the QA environment.

Of Money, Information, and Bugs

Microsoft is offering a bounty for writers of malicious code. Maybe they should take some of that money and spend it internally.

IBM reaches security 'checkpoint'; champions SOA

Announcement of new support for Web services security across IBM's WebSphere infrastructure and Tivoli identity management middleware.

Pervasive tightens data security

New versions of three products address data availability, accountability and integrity without having to write additional code.

BEA launches third phase of security plan

Launch of BEA WebLogic Enterprise Security (WLES), the first new product resulting from the February acquisition of CrossLogix.

CEO complacency blamed for bug incursion

Analysis of the recent wave of virus attacks.

Managing for Security

For many reasons, enterprise application security is an inefficient and expensive model. Obviously there's no such thing as a completely secure application, but enterprises must target an acceptable level of risk.