Collaborate Disseminate
I work at a small software company, and we are working with another company that wants to use our software. However, their InfoSec team want us to have a 3rd party source code review completed, with static and dynamic scanning pipelines cr… Continue reading Safe sharing source code with 3rd party for security review?
After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones. “So much of the world’s development happens on GitHub that s… Continue reading GitHub envisions a world with fewer software vulnerabilities
I recently came across the SECCURE tools for simple encryption of data, but I’m uncertain about how up-to-date their security is. On the page, the author points out that the tools have been audited by Ulf Harnhammar and Brian M. Carlson of… Continue reading Is SECCURE (still) safe enough for public backups
I’m new in the area of security. I’ve never really been taught the subject, but as I gain experience, I understand that this is something that we have to keep in mind more and more but we don’t know exactly how to do it. I think a lot of d… Continue reading How devs can code with confidence about security [closed]
I would kindly ask you to review the following code and tell me if it’s enough to prevent most of SQL injection and XSS attacks.
SQL injection: treated via PDO prepared statements;
XSS: All user’s inputs are parsed in every documents thr… Continue reading SQL injection and XSS prevention
GitHub has made available two new security features for open and private repositories: code scanning (as a GitHub-native experience) and secret scanning. With the former, it aims to prevent vulnerabilities from ever being introduced into software and, … Continue reading GitHub Code Scanning aims to prevent vulnerabilities in open source software
What are the subtle differences in both – as one could say that both are almost the same…
Static Code Analysis (also known as Source Code Analysis) is usually
performed as part of a Code Review (also known as white-box testing)
… Continue reading What is the difference between "secure code review" and "secure static code analysis"?
I was reviewing code of an application that uses the following piece of Java code and wanted to know if the the use of exec() was susceptible to command injection.
public class FindFileInDir {
public static void main(String[] args){
… Continue reading Safe usage of Runtime.getRuntime.exec(String[])
The future of business relies on being digital – but all software deployed needs to be secure and protect privacy. Yet, responsible cybersecurity gets in the way of what any company really wants to do: innovate fast, stay ahead of the competition, and … Continue reading Automate manual security, risk, and compliance processes in software development
The SEI CERT Coding Guidelines assign a priority to each rule, formed from the product of three factors: severity, likelihood, and remediation cost. Each of these three factors is assigned a value from 1-3, and the highest priority formed … Continue reading Counterintuitive remediation cost scale within SEI CERT Coding Guidelines for priority