Sorry

This feed does not validate.

In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

Source: http://www.veracode.com/blog/feed/

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="https://www.veracode.com/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:og="http://ogp.me/ns#" xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#" xmlns:schema="http://schema.org/" xmlns:sioc="http://rdfs.org/sioc/ns#" xmlns:sioct="http://rdfs.org/sioc/types#" xmlns:skos="http://www.w3.org/2004/02/skos/core#" xmlns:xsd="http://www.w3.org/2001/XMLSchema#">
  <channel>
    <title>Application Security Research, News, and Education Blog</title>
    <link>https://www.veracode.com/</link>
    <description></description>
    <language>en</language>
    <pubDate>Tue, 23 Apr 2024 10:54:54 -0400</pubDate>

    <item>
      <title>Enhancing Developer Efficiency With AI-Powered Remediation</title>
      <link>https://www.veracode.com/blog/secure-development/enhancing-developer-efficiency-ai-powered-remediation</link>
      <description>Traditional methods of flaw remediation are not equipped with the technology to keep pace with the rapid evolution of code generation practices, leaving developers incapable of managing burdensome and overwhelming security debt. Code security is still a critical concern in software development. For instance, when GitHub Copilot generated 435 code snippets, almost 36% of them had security weaknesses, regardless of the programming language. As it is, many developers are still unequipped with an automated method that can securely remediate issues in code.&nbsp;
This blog delves into the paradigm shift brought about by Veracode Fix, an innovative AI solution designed to revolutionize automated flaw remediation.&nbsp;
The Main Security Risks in Automated Code&nbsp;
The emergence of automated code-generation tools has brought in a new era of efficiency and innovation. However, this progress comes with a variety of security risks that threaten the integrity and safety of applications.…</description>
      <pubDate>Tue, 23 Apr 2024 10:54:54 -0400</pubDate>
      <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver65476</guid>
    </item>
    <item>
      <title>Speed vs Security: Striking the Right Balance in Software Development with AI </title>
      <link>https://www.veracode.com/blog/secure-development/speed-vs-security-striking-right-balance-software-development-ai</link>
      <description>Software development teams face a constant dilemma: striking the right balance between speed and security. How is artificial intelligence (AI) impacting this dilemma? With the increasing use of AI in the development process, it's essential to understand the risks involved and how we can maintain a secure environment without compromising on speed. Let’s dive in.&nbsp;
The Need for Speed&nbsp;
Speed is of the essence. Organizations are constantly striving to deliver code faster and innovate quickly to stay ahead of the competition. This need for speed has led to the adoption of AI and large language models (LLMs), which can generate code at an unprecedented rate. However, as with any rapid development process, there are risks involved.&nbsp;
The Risks of AI in Software Development&nbsp;&nbsp;
During my&nbsp;keynote address at Developer Week 2024, I highlighted the potential risks of using AI and LLMs without implementing appropriate security measures. Leveraging AI for fast development…</description>
      <pubDate>Wed, 17 Apr 2024 09:25:20 -0400</pubDate>
      <dc:creator>broche@veracode.com (broche)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver65266</guid>
    </item>
    <item>
      <title>Veracode Advances Cloud-Native Application Security with Longbow Acquisition</title>
      <link>https://www.veracode.com/blog/security-news/veracode-advances-cloud-native-application-security-longbow-acquisition</link>
      <description>As I travel around the world meeting with customers and prospects, we often discuss the tectonic shifts happening in the industry. At the heart of their strategic initiatives, organizations are striving to innovate rapidly and deliver customer value with uncompromising quality and security, while gaining a competitive edge in the market. They are embracing DevOps methodologies and leveraging open-source technologies, accelerating deployments across multi-cloud environments to enhance agility and responsiveness. The biggest challenge they face is acquiring a comprehensive view of all the assets in their portfolio as they are deployed across multi cloud end points.&nbsp;&nbsp;
Security teams are overwhelmed by alert fatigue coming from sometimes 20+ tools that each provide a different view of risk. The biggest challenge is aggregating this risk from disparate sources, prioritizing it and identifying the next best action to take to secure their software assets. Compounding these…</description>
      <pubDate>Mon, 01 Apr 2024 11:00:00 -0400</pubDate>
      <dc:creator>broche@veracode.com (broche)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver65156</guid>
    </item>
    <item>
      <title>Veracode Customers Shielded from NVD Disruptions</title>
      <link>https://www.veracode.com/blog/research/veracode-customers-shielded-nvd-disruptions</link>
      <description>The US National Institute of Standards and Technology (NIST) has almost completely stopped analyzing new vulnerabilities (CVEs) listed in its National Vulnerability Database (NVD). Through the first six weeks of 2024, NIST analyzed over 3,500 CVEs with only 34 CVEs awaiting analysis.1 Since February 13th, however, nearly half (48%) of the 7,200 CVEs received this year by the NVD are still awaiting analysis.2 The number of CVEs analyzed has dropped nearly 80% to less than 750 CVEs analyzed. Other than a vague reference to establishing a consortium, the reasons behind this disruption remain a mystery.&nbsp;
Thankfully, Veracode customers need not worry about this disruption because they have access to Veracode’s proprietary database. Since the notice on February 13th, Veracode has released over 300 CVEs. Of these 300+, NVD has analyzed less than 15 of these CVEs. Read on to learn how Veracode SCA operates without NVD providing CVE analysis.&nbsp;&nbsp;&nbsp;&nbsp;
NVD Analysis&nbsp;…</description>
      <pubDate>Thu, 28 Mar 2024 10:05:47 -0400</pubDate>
      <dc:creator>Nova Trauben@veracode.com (Nova Trauben)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver65181</guid>
    </item>
    <item>
      <title>Security Debt: A Growing Threat to Application Security</title>
      <link>https://www.veracode.com/blog/managing-appsec/security-debt-growing-threat-application-security</link>
      <description>

Understanding Security Debt
Security debt is a major and growing problem in software development with significant implications for application security, according to Veracode's State of Software Security 2024 Report. Let’s delve a bit deeper into the scope and risk of security debt, and gain some insights for application security managers to effectively address this challenge.
Security debt refers to software flaws that remain unfixed for a year or more. These flaws accumulate over time due to various factors, including resource constraints, technical complexity, or lack of prioritization. Security debt can be categorized as critical or non-critical and can exist in both first-party and, maybe more worrying, third-party code.
Prevalence and Impact of Security Debt
According to recent research, 42% of active applications have security debt, with 11% carrying critical security debt that poses a severe risk. Large applications are particularly susceptible, with 40% of them having non-…</description>
      <pubDate>Mon, 18 Mar 2024 12:25:43 -0400</pubDate>
      <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver65066</guid>
    </item>
    <item>
      <title>A Timely Shift: Prioritizing Software Security in the 2024 Digital Landscape</title>
      <link>https://www.veracode.com/blog/security-news/timely-shift-prioritizing-software-security-2024-digital-landscape</link>
      <description>The release of the February 2024 White House Technical Report, Back to the Building Blocks: A Path Towards Secure Measurable Software, brings about a timely shift in prioritizing software security. Software is ubiquitous, so it’s becoming increasingly crucial to address the expanding attack surface, navigate complex regulatory environments, and mitigate the risks posed by sophisticated software supply chain attacks.&nbsp;&nbsp;
Let’s explore the key insights from the White House Technical Report and delve into recommendations for integrating security across the software development lifecycle (SDLC).&nbsp;
Securing Cyberspace Building Blocks: The Role of Programming Languages&nbsp;
The White House's report emphasizes the programming language as a primary building block in securing the digital ecosystem. It highlights the prevalence of memory safety vulnerabilities and the need to proactively eliminate entire classes of software vulnerabilities. The report advocates for the adoption of…</description>
      <pubDate>Wed, 13 Mar 2024 11:17:26 -0400</pubDate>
      <dc:creator>cwysopal@veracode.com (cwysopal)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver65046</guid>
    </item>
    <item>
      <title>Integrating Veracode DAST Essentials into Your Development Toolchain</title>
      <link>https://www.veracode.com/blog/secure-development/integrating-veracode-dast-essentials-your-development-toolchain</link>
      <description>In today's fast-paced digital landscape, developers face increasing pressure to deliver secure applications within tight deadlines. With the emphasis on faster releases, it becomes challenging to prioritize security and prevent vulnerabilities from being introduced into production environments.
Integrating dynamic application security testing (DAST) into your CI/CD pipeline helps you detect and remediate vulnerabilities earlier, when they are easier to fix. In this blog, we will explore the importance of DAST, provide a step-by-step guide on how to integrate Veracode DAST Essentials into your CI/CD pipeline, and show you how to get started with a free, 14-day trial of DAST Essentials today.
The Significance of DAST

DAST plays a vital role in securing modern applications. Shockingly, according to Veracode's State of Software Security Report, 80% of web applications have critical vulnerabilities that can only be identified through dynamic testing.
By simulating real-world attacks, DAST…</description>
      <pubDate>Mon, 04 Mar 2024 13:29:00 -0500</pubDate>
      <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver65016</guid>
    </item>
    <item>
      <title>The Risks of Automated Code Generation and the Necessity of AI-Powered Remediation</title>
      <link>https://www.veracode.com/blog/secure-development/risks-automated-code-generation-and-necessity-ai-powered-remediation</link>
      <description>Modern software development techniques are creating flaws faster than they can be fixed. While using third-party libraries, microservices, code generators, large language models (LLMs), etc., has remarkably increased productivity and flexibility in development, it has also increased the rate of generating insecure code. An automated and intelligent solution is needed to bridge the widening gap between the introduction and remediation of flaws.&nbsp;&nbsp;
Let’s explore the potential dangers of modern methods of automated code generation and the need for a secure and automated mode of flaw remediation.&nbsp;&nbsp;
Automated Methods That Produce Insecure Code&nbsp;&nbsp;
Code Generators&nbsp;&nbsp;
These tools can generate code based on specific inputs or templates that developers provide, such as feature specifications, design patterns, or other parameters. This accelerates development cycles, reduces errors, and maintains consistency across an application. Examples include Swagger…</description>
      <pubDate>Mon, 04 Mar 2024 12:48:36 -0500</pubDate>
      <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver65011</guid>
    </item>
    <item>
      <title>Data-driven Strategies for Effective Application Risk Management in 2024</title>
      <link>https://www.veracode.com/blog/research/data-driven-strategies-effective-application-risk-management-2024</link>
      <description>Insecure software is significantly impacting our world. In a recent statement, CISA Director Jen Easterly declared: “Features and speed to market have been prioritized against security, leaving our nation vulnerable to cyber invasion. That has to stop... We are at a critical juncture for our national security.”&nbsp;
Our State of Software Security 2024 report explores a key area this trade-off of speed to market prioritized against security has resulted in: security debt. Our data shows that nearly half of organizations have persistent, high-severity flaws that constitute critical security debt. We also reveal what organizations without it are doing right. Here's how to leverage this new data to enhance application risk management practices in 2024.&nbsp;
Understanding the State of Software Security 2024&nbsp;&nbsp;
Though the world of technology is rapidly evolving, one thing hasn’t changed: all software security comes back to code and vulnerabilities. New solutions, like Cloud-…</description>
      <pubDate>Wed, 28 Feb 2024 07:00:00 -0500</pubDate>
      <dc:creator>cwysopal@veracode.com (cwysopal)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64936</guid>
    </item>
    <item>
      <title>Veracode Scan for VS Code: Now with Veracode Fix</title>
      <link>https://www.veracode.com/blog/customer-news/veracode-scan-vs-code-now-veracode-fix</link>
      <description>Veracode is pleased to announce the availability of Veracode Fix capability in Veracode Scan for VS Code. Now developers can discover and remediate security flaws using Veracode’s Generative AI-powered tools directly from their Integrated Development Environment (IDE).
According to the Veracode State of Software Security, 45.9% of organizations have critical security debt. The fact that this data comes from organizations who are actively testing their software with a high-quality solution implies that it’s not finding flaws that is the problem: it’s fixing them.
Last year we introduced Veracode Fix – an AI assistant that can take the results of a Veracode Static scan and allow developers to apply suggested fixes directly to their code. Veracode Fix cuts the time to research and implement a fix for a given finding to minutes, while still keeping the developer in control. Fix was implemented as part of the Veracode CLI utility, which is available for Linux, Windows, and MacOS.&nbsp;
A…</description>
      <pubDate>Tue, 27 Feb 2024 14:58:43 -0500</pubDate>
      <dc:creator>rhaynes@veracode.com (rhaynes)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64931</guid>
    </item>
    <item>
      <title>Practical Steps to Prevent SQL Injection Vulnerabilities</title>
      <link>https://www.veracode.com/blog/secure-development/practical-steps-prevent-sql-injection-vulnerabilities</link>
      <description>In today's digital landscape, web applications and APIs are constantly under threat from malicious actors looking to exploit vulnerabilities. A common and dangerous attack is a&nbsp;SQL injection.
In this blog, we will explore SQL injection vulnerabilities and attacks, understand their severity levels, and provide practical steps to prevent them. By implementing these best practices, you can enhance the security of your web applications and APIs.
Understanding SQL Injection Vulnerabilities and Attacks
SQL injection attacks occur when hackers manipulate an application's SQL queries to gain unauthorized access, tamper with the database, or disrupt the application's functionality. These attacks can lead to identity spoofing, unauthorized data access, and chained attacks.
SQL injection is a technique where hackers inject malicious SQL queries into a web application's backend database. This vulnerability arises when the application accepts user input as a SQL statement that the database…</description>
      <pubDate>Mon, 26 Feb 2024 15:17:44 -0500</pubDate>
      <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64926</guid>
    </item>
    <item>
      <title>Addressing the Threat of Security Debt: Unveiling the State of Software Security 2024</title>
      <link>https://www.veracode.com/blog/research/addressing-threat-security-debt-unveiling-state-software-security-2024</link>
      <description>Today, I’m proud to share our 14th annual State of Software Security report. Our 2024 report shines a spotlight on the pressing issue of security debt in applications, and it provides a wake-up call to organizations worldwide. The demand for speed and innovation has resulted in the accumulation of risk known as security debt. As Chief Research Officer at Veracode, I’m deeply committed to empowering businesses to confront the challenges posed by security debt. Let’s dive in.&nbsp;
The Changing Landscape of Software and Cybersecurity&nbsp;&nbsp;
Our 2024 report research began based on findings from&nbsp;our 2023 report. We explored factors that affect flaw introduction, remediation times, and security debt. We found that applications grow by about 40% year on year irrespective of their original size. As these apps grow and age, flaws accumulate, further driving up security debt.&nbsp;
This year we sought to figure out, “How risky is security debt really? Is it worth tackling? And if it’…</description>
      <pubDate>Wed, 14 Feb 2024 00:30:00 -0500</pubDate>
      <dc:creator>CEng@veracode.com (CEng)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64761</guid>
    </item>
    <item>
      <title>A Getting Started Guide to Veracode DAST Essentials</title>
      <link>https://www.veracode.com/blog/intro-appsec/getting-started-guide-veracode-dast-essentials</link>
      <description>
The Critical of Role of Dynamic Application Security Testing (DAST)
Web applications are one of the most common vectors for attacks, accounting for over 40% of breaches, according to&nbsp;Verizon's Data Breach Report.&nbsp;Dynamic application security testing (DAST) is a crucial technique used by development teams and security professionals to secure web applications in the software development lifecycle.
In fact, Veracode's State of Software Security Report reveals that 80% of web applications have critical vulnerabilities that can only be found with a dynamic application security testing solution.&nbsp;But modern software development practices prioritize tight deadlines. The demand is for faster releases without introducing vulnerabilities, making it difficult for teams to prioritize security. Security testing needs to work and scale within your DevOps speed and release frequency.&nbsp;
Getting Started with Veracode DAST Essentials
Veracode DAST Essentials is a dynamic application…</description>
      <pubDate>Mon, 05 Feb 2024 10:45:38 -0500</pubDate>
      <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64736</guid>
    </item>
    <item>
      <title>Digital Operational Resilience Act (DORA): Compliance from a Software Security POV</title>
      <link>https://www.veracode.com/blog/security-news/digital-operational-resilience-act-dora-compliance-software-security-pov</link>
      <description>Regulatory frameworks play a crucial role in ensuring the resilience and security of organizations. One such regulation that has garnered significant attention is the Digital Operational Resilience Act (DORA). Here are the key aspects of DORA, as well as guidance for how to ensure compliance with it while measurably reducing risk to your business.&nbsp;
DORA Timeline and Overview&nbsp;
DORA, governed by three European authorities - the banking authority, the insurance and pension authority, and the securities and markets authority - is set to come into force on 17 January 2025. This act aims to establish security requirements for companies within the financial sector and their third-party service providers.&nbsp;
One driving force behind why you need to pay attention to DORA is that it’s a regulation and not a directive. A regulation means that come January 2025, it’s in effect without anything else needing to happen as far as being translated into laws; a directive would mean it…</description>
      <pubDate>Fri, 02 Feb 2024 13:13:08 -0500</pubDate>
      <dc:creator>Michael Man@veracode.com (Michael Man)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64731</guid>
    </item>
    <item>
      <title>Essential Cloud Security Tools for Effective DevSecOps</title>
      <link>https://www.veracode.com/blog/managing-appsec/essential-cloud-security-tools-effective-devsecops</link>
      <description>Implementation of a DevSecOps approach is the most impactful key factor in the total cost of a data breach. Successful DevSecOps in a cloud-native world is aided by the right tools. Here are a handful of the most essential cloud security tools and what to look for in them to aid DevSecOps.&nbsp;
Top Essential Cloud Security Tool for DevSecOps: Software Composition Analysis&nbsp;
Software Composition Analysis (SCA) is the bread and butter of cloud security tools for effective DevSecOps and securing the software supply chain.&nbsp;&nbsp;
Why it matters: open-source software (OSS) is handy, but it comes with a few catches. There are vulnerabilities, missed updates, and license risk to be worried about. That’s where SCA comes in.&nbsp;&nbsp;
SCA takes a proactive approach to finding these risks early. A few things you want to look out for when picking the right SCA tool for you:&nbsp;


Continuous Monitoring&nbsp;


Reporting &amp; Analytics with Peer Benchmarking&nbsp;


Remediation…</description>
      <pubDate>Mon, 22 Jan 2024 05:10:56 -0500</pubDate>
      <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64661</guid>
    </item>
    <item>
      <title>Announcing a Unified Veracode SAST and SCA IDE Plugin</title>
      <link>https://www.veracode.com/blog/customer-news/announcing-veracode-scan-unified-sast-and-sca-ide-plugin</link>
      <description>Veracode is pleased to announce the availability of a new Integrated Development Environment (IDE) Plugin for VS Code. Our new plugin combines both Veracode Static Analysis (SAST) and Software Composition Analysis (SCA) into a single plugin. This allows developers to quickly scan projects for security weaknesses and risks in both first-party code and third-party libraries.&nbsp;&nbsp;&nbsp;
The Benefits of a Combined SAST and SCA Plugin&nbsp;
Scanning projects with SCA and SAST is important to make sure that both the code and libraries are as safe as possible. Making these tools available natively in the IDE in a single plugin makes performing security checks both faster and easier to perform. Scanning code early in the software development process reduces both the cost of remediating flaws and the chances of flaws making it into production.&nbsp;&nbsp;
How the Veracode Unified Plugin Works&nbsp;
The unified plugin takes care of packaging and sending of artifacts to the Veracode…</description>
      <pubDate>Thu, 18 Jan 2024 17:51:52 -0500</pubDate>
      <dc:creator>rhaynes@veracode.com (rhaynes)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64641</guid>
    </item>
    <item>
      <title>Implementing AI: Balancing Business Objectives and Security Requirements </title>
      <link>https://www.veracode.com/blog/managing-appsec/implementing-ai-balancing-business-objectives-and-security-requirements</link>
      <description>Artificial Intelligence (AI) and machine learning have become integral tools for organizations across various industries. However, the successful adoption of these technologies requires a careful balance between business objectives and security requirements. I sat down with Glenn Schmitz, the Chief Information Security Officer of the Department of Behavioral Health and Developmental Services in Virginia, as he shared valuable insights on implementing AI while ensuring safety, security, and ethical considerations. Here are some of the key takeaways.&nbsp;
Understanding Business Objectives and Security Requirements Starts with Fundamentals&nbsp;
When Schmitz joined the organization, he recognized the need to understand the overall security maturity level. By aligning business objectives with security requirements, he aimed to enable the business to achieve its goals in a safe and secure manner.&nbsp;
Schmitz shared: "I started at a very fundamental level. Security is here to protect the…</description>
      <pubDate>Tue, 16 Jan 2024 12:16:39 -0500</pubDate>
      <dc:creator>broche@veracode.com (broche)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64621</guid>
    </item>
    <item>
      <title>Introducing Dynamic Analysis MFA: Automated Support for MFA Setups</title>
      <link>https://www.veracode.com/blog/managing-appsec/introducing-dynamic-analysis-mfa-automated-support-mfa-setups</link>
      <description>Veracode has recently introduced a new feature called Dynamic Analysis MFA, which provides automated support for multi-factor authentication (MFA) setups during dynamic analysis scans. This eliminates the need for you to disable or manually support your MFA configurations when conducting security testing.
Understanding Dynamic Analysis MFA
When we log into applications, we usually use a username and password, which is considered one-factor authentication. However, to enhance security and reduce the risk of passwords being lost or stolen, multi-factor authentication (MFA) was introduced. MFA adds an extra layer of security by requiring an additional step, such as using a hardware key, receiving a text message, or entering a code from an authenticator app.
MFA has become more common for web applications as web security becomes a higher priority, but some security testing tools require users to disable or manually support their MFA setups during application security testing. This can be…</description>
      <pubDate>Mon, 08 Jan 2024 10:54:45 -0500</pubDate>
      <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64576</guid>
    </item>
    <item>
      <title>Securing JavaScript: Best Practices and Common Vulnerabilities</title>
      <link>https://www.veracode.com/blog/intro-appsec/securing-javascript-best-practices-and-common-vulnerabilities</link>
      <description>
JavaScript is the most commonly-used programming language, according to the most recent StackOverflow developer survey. While JavaScript offers great flexibility and ease of use, it also introduces security risks that can be exploited by attackers. In this blog, we will explore vulnerabilities in JavaScript, best practices to secure your code, and tools to prevent attacks.
&nbsp;
Understanding JavaScript Vulnerabilities&nbsp;

If you're short on time, you can begin by using Veracode DAST Essentials, a JavaScript security scanner, to identify potential vulnerabilities. Running this tool will quickly generate reports, highlight your specific vulnerabilities, and provide clear instructions on how to remediate them.&nbsp;
JavaScript Source Code Vulnerabilities
JavaScript developers typically rely on integrating numerous public or open-source packages and libraries containing hidden vulnerabilities and exposing security issues within the source code. Open-source vulnerabilities might not…</description>
      <pubDate>Mon, 08 Jan 2024 09:39:09 -0500</pubDate>
      <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64571</guid>
    </item>
    <item>
      <title>What To Look For in an Open Source Vulnerability Scanner </title>
      <link>https://www.veracode.com/blog/intro-appsec/what-look-open-source-vulnerability-scanner</link>
      <description>One of the top security concerns we hear from technology leaders is about the security of open source software (OSS) and cloud software development. An open source vulnerability scanner (for scanning OSS) helps you discover risk in the third-party code you use. However, just because a solution scans open source does not mean you are ultimately reducing security risk with it. Here is what to look for in an open source vulnerability scanner and security testing solution to find and fix vulnerabilities in OSS.&nbsp;&nbsp;
Background on Vulnerabilities in Open Source and What the Risk Looks Like&nbsp;
Before we can talk about what to look for in a scanning solution, we need to talk about the vulnerabilities the tools are looking for. Born in 1999, the National Vulnerability Database (NVD) was a product of the National Institute of Standards and Technology (NIST) made to be “the U.S. government repository of standards based vulnerability management data.” It represents an index of known…</description>
      <pubDate>Thu, 04 Jan 2024 13:35:17 -0500</pubDate>
      <dc:creator>cbertram@veracode.com (cbertram)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64561</guid>
    </item>
    <item>
      <title>Using Veracode Fix to Remediate an SQL Injection Flaw </title>
      <link>https://www.veracode.com/blog/secure-development/using-veracode-fix-remediate-sql-injection-flaw</link>
      <description>Introduction&nbsp;
In this first in a series of articles looking at how to remediate common flaws using Veracode Fix – Veracode’s AI security remediation assistant, we will look at finding and fixing one of the most common and persistent flaw types – an SQL injection attack.
An SQL injection attack is a malicious exploit where an attacker injects unauthorized SQL code into input fields of a web application, aiming to manipulate the application's database. By manipulating input parameters, attackers can trick the application into executing unintended SQL commands. This can lead to unauthorized access, data retrieval, modification, or even deletion. Successful SQL injection attacks compromise data integrity and confidentiality, posing serious security risks.
Example Code and Analysis
Let’s look at a weakness in the source code of the deliberately vulnerable (and freely available) Verademo application, specifically the UserController.java source file found in the application repository…</description>
      <pubDate>Tue, 02 Jan 2024 18:16:59 -0500</pubDate>
      <dc:creator>rhaynes@veracode.com (rhaynes)</dc:creator>
      <guid isPermaLink="true">https://www.veracode.com/ver64316</guid>
    </item>
    <item>
      <title>Behind the Recognition: Why We Believe We’re a Gartner® Peer Insights™ Customers’ Choice 2023</title>
      <link>https://www.veracode.com/blog/customer-news/behind-recognition-why-we-believe-were-gartnerr-peer-insightstm-customers-choice</link>
  266.  <description>As 2023 comes to a close, we aim to inspire excellence by highlighting our customers’ dedication to a more secure world. Thanks to you, we are honored to be (for the fourth consecutive year) recognized as a 2023 Gartner® Peer Insights™ Customers’ Choice. Let’s explore some of the stories that make this recognition possible.&nbsp;
  267. Veracode Named a 2023 Gartner® Peer Insights™ Customers’ Choice for the Fourth Consecutive Year&nbsp;
  268. Veracode is recognized by Gartner® Peer Insights™ in 2023 as a Customers’ Choice for Application Security Testing – for the fourth consecutive year. This distinction, in more detail below, is based on meeting or exceeding user interest, adoption, and overall experience.
  269.  
  270. We believe what makes Veracode a Gartner® Peer Insights™ Customers’ Choice for the fourth consecutive year is what we call: customer obsession. We constantly strive to understand both the problems and North Star our customers face so we can be the partner you truly need.&nbsp;
  271. Our Partnership…</description>
  272.  <pubDate>Thu, 21 Dec 2023 11:35:53 -0500</pubDate>
  273.                            <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
  274.                            <guid isPermaLink="true">https://www.veracode.com/ver64516</guid>
  275.                            </item>
  276. <item>
  277.  <title>4 Ways Veracode Fix Is a Game Changer for DevSecOps</title>
  278.  <link>https://www.veracode.com/blog/managing-appsec/4-ways-veracode-fix-game-changer-devsecops</link>
  279.  <description>In the fast-paced world of software development, too often security takes a backseat to meeting strict deadlines and delivering new features. Discovering software has accrued substantial security debt that will take months to fix can rip up the schedules of&nbsp;even the best development teams. &nbsp;
  280. An AI-powered tool that assists developers in remediating flaws becomes an invaluable asset in this context. In Veracode Fix, we’ve harnessed the capabilities of generative AI to build a specialized tool that allows developers to remediate flaws within minutes without manually writing a single line of code.&nbsp;&nbsp;
  281. Watch this 3-minute demo of how you can easily take flawed code and use Veracode Fix to generate easily-implemented remediation suggestions.&nbsp;
  282.  
  283. 4 Major Benefits of Veracode Fix in DevSecOps&nbsp;
  284. Here are four ways that Veracode Fix supercharges DevSecOps and your SDLC with the swift remediation of security flaws.&nbsp;
  285. 1. Tackle Security Debt with Rapid Flaw…</description>
  286.  <pubDate>Wed, 20 Dec 2023 14:21:01 -0500</pubDate>
  287.                            <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
  288.                            <guid isPermaLink="true">https://www.veracode.com/ver64311</guid>
  289.                            </item>
  290. <item>
  291.  <title>What Our Security Experts Discussed at AWS re:Invent 2023</title>
  292.  <link>https://www.veracode.com/blog/managing-appsec/what-our-security-experts-discussed-aws-reinvent-2023</link>
  293.  <description>The landscape of coding is changing as developers embrace AI, automation, microservices, and third-party libraries to boost productivity. While each new approach enhances efficiency, like a double-edged sword, flaws and vulnerabilities are also introduced faster than teams can fix them. Learn about one of the latest innovations solving this in a recap of what our security experts discussed at AWS re:Invent 2023.&nbsp;
  294. Veracode Fix: A Game Changer in Flaw Remediation for Developers
  295. During their AWS on Air segment, our experts, Vice President of Strategic Product Management, Tim Jarrett, and Senior Solutions Architect, Eric Kim, shared how Veracode Fix is a new game-changing tool that helps developers cut down the flaw remediation process from months to minutes.&nbsp;
  296. Leveraging the power of AI, the tool allows developers to easily reduce security issues by generating suggested fixes for existing code that is flawed and vulnerable.&nbsp;&nbsp;
  297. While many AI-powered coding tools are…</description>
  298.  <pubDate>Thu, 14 Dec 2023 12:07:06 -0500</pubDate>
  299.                            <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
  300.                            <guid isPermaLink="true">https://www.veracode.com/ver64286</guid>
  301.                            </item>
  302. <item>
  303.  <title>State of Log4j Vulnerabilities: How Much Did Log4Shell Change?</title>
  304.  <link>https://www.veracode.com/blog/research/state-log4j-vulnerabilities-how-much-did-log4shell-change</link>
  305.  <description>December 9 marks two years since the world went on high alert because of what was deemed one of the most critical zero-day vulnerabilities ever: Log4Shell. The vulnerability that carried the highest possible severity rating (10.0) was in Apache Log4j, a ubiquitous Java logging framework that Veracode estimated at the time was used in 88 percent of organizations.&nbsp;
  306. If exploited, the zero-day vulnerability (CVE-2021-44228) in Log4j versions Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) would allow attackers to perform a remote code execution (RCE) attack and compromise the affected server.&nbsp;
  307. It triggered a massive effort to patch affected systems, estimated to be in the hundreds of millions. The apocalypse that many feared didn’t happen, but given its pervasiveness, the U.S. Department of Homeland Security’s Cyber Safety Review Board determined that fully remediating Log4Shell would take a decade.&nbsp;
  308. The two-year anniversary of…</description>
  309.  <pubDate>Thu, 07 Dec 2023 13:23:31 -0500</pubDate>
  310.                            <dc:creator>CEng@veracode.com (CEng)</dc:creator>
  311.                            <guid isPermaLink="true">https://www.veracode.com/ver64246</guid>
  312.                            </item>
  313. <item>
  314.  <title>Open Source Vulnerability Management Recommendations for 2024</title>
  315.  <link>https://www.veracode.com/blog/managing-appsec/open-source-vulnerability-management-recommendations-2024</link>
  316.  <description>Stepping into 2024, the dynamics of open source vulnerability management are shifting. Rapid changes to software development demand a more nuanced approach to open source security from practitioners. From redefining risk to the cautious integration of auto-remediation, here are the pivotal recommendations for successful open source vulnerability management in 2024 and beyond.&nbsp;
  317. 1. Embrace the Permanence of Open Source (&amp; Its Vulnerabilities)&nbsp;
  318. We’ve known it for years; open source is here to stay. GitHub’s Octoverse report tells us: “A whopping 97% of applications leverage open-source code, and 90% of companies are applying or using it in some way.”&nbsp;
  319. The permanence (and risk) of open source is proven by the White House’s Executive Order on Improving the Nation’s Cybersecurity. It places huge importance on open source vulnerability management, calling it out specifically: “Developers often use available open source and third-party software components to create a product…</description>
  320.  <pubDate>Mon, 04 Dec 2023 12:06:25 -0500</pubDate>
  321.                            <dc:creator>rhaynes@veracode.com (rhaynes)</dc:creator>
  322.                            <guid isPermaLink="true">https://www.veracode.com/ver64216</guid>
  323.                            </item>
  324. <item>
  325.  <title>How Dynamic Analysis Helps You Enhance Automation for DevSecOps</title>
  326.  <link>https://www.veracode.com/blog/secure-development/how-dynamic-analysis-helps-you-enhance-automation-devsecops</link>
  327.  <description>DevSecOps, also known as&nbsp;secure&nbsp;DevOps, represents a mindset in software development that holds everyone accountable for application security. By fostering collaboration between developers and IT operations and directing collective efforts towards better security decision-making, development teams can deliver safer software with greater speed and efficiency.&nbsp;
  328. Despite its merits, implementing DevSecOps can introduce friction into the development process. Traditional tools for testing code and assessing application security risk simply weren’t built for the speed that&nbsp;DevOps testing&nbsp;requires.
  329. To navigate these challenges, development teams need to start with automated testing tools, as relying on manual processes can’t possibly keep pace with accelerated development timelines. Automation is considered key to continuous integration of security analysis and threat mitigation of dynamic workflows. As an extension of DevOps principles, DevSecOps automation helps…</description>
  330.  <pubDate>Mon, 04 Dec 2023 10:39:37 -0500</pubDate>
  331.                            <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
  332.                            <guid isPermaLink="true">https://www.veracode.com/ver64211</guid>
  333.                            </item>
  334. <item>
  335.  <title>Preventing Broken Access Control Vulnerabilities in Web Applications</title>
  336.  <link>https://www.veracode.com/blog/managing-appsec/preventing-broken-access-control-vulnerabilities-web-applications</link>
  337.  <description>Understanding Broken Access Control
  338. Access control is crucial for modern web development as it enables the management of how users, processes, and devices should be granted permissions to application functions and resources. Access control mechanisms also determine the level of access permitted and manifest activities carried out by specific entities. Broken access control vulnerabilities arise when a malicious user abuses&nbsp;the constraints on the actions they are allowed to perform or the objects they can access. Attackers typically leverage access control failures to gain unauthorized access to resources within the web application, run malicious commands, or gain a privileged user’s permission.&nbsp;
  339. This blog discusses broken access control vulnerabilities and common prevention techniques to better secure your web applications.
  340. Access control issues enable unauthorized users to access, modify, and delete resources or perform actions that exceed their intended permissions. Broken…</description>
  341.  <pubDate>Fri, 01 Dec 2023 13:50:00 -0500</pubDate>
  342.                            <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
  343.                            <guid isPermaLink="true">https://www.veracode.com/ver64191</guid>
  344.                            </item>
  345. <item>
  346.  <title>Top 5 Open Source Security Risks IT Leaders Must Know</title>
  347.  <link>https://www.veracode.com/blog/intro-appsec/top-5-open-source-security-risks-it-leaders-must-know</link>
  348.  <description>Lurking in the open source software (OSS) that pervades applications around the world are open source security risks technology leaders must be aware of. Software is one of technology’s most vulnerable subsets with over 70% of applications containing security flaws. Here are the open source security risks IT leaders must be aware of to protect technology and help it scale safely.&nbsp;
  349. Why Address Open Source Software Security Risks&nbsp;
  350. On December 9, 2021, a Tweet exposed a vulnerability in the widely-used OSS library Log4j. It didn’t take long before attackers around the world were working to exploit the Log4j vulnerability. This incident was a wake-up call to how the security of a library can quickly change and proactive measures must be in place to protect from this danger.&nbsp;&nbsp;
  351. Log4j is just one example of how vulnerabilities in open source pose significant risks that can impact operations, data security, and overall IT health. Strategic technology choices can make a big…</description>
  352.  <pubDate>Mon, 27 Nov 2023 16:01:16 -0500</pubDate>
  353.                            <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
  354.                            <guid isPermaLink="true">https://www.veracode.com/ver64146</guid>
  355.                            </item>
  356. <item>
  357.  <title>DevSecOps Best Practices: Leveraging Veracode DAST Essentials</title>
  358.  <link>https://www.veracode.com/blog/secure-development/devsecops-best-practices-leveraging-veracode-dast-essentials</link>
  359.  <description>DevSecOps is a modern approach to software development that implements security as a shared responsibility throughout application development, deployment, and operations. As an extension of DevOps principles, DevSecOps helps your organization integrate security testing throughout the software development life cycle.
  360. In this blog, we discuss DevSecOps best practices and practical steps to producing secure software.
  361.  
  362. Understanding DevOps&nbsp;
  363. DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the development life cycle and help you deliver software faster. DevOps is complementary to agile software development; several DevOps aspects came from the agile methodology.
  364. The concept of DevOps practices and agility is nothing new for most companies and developers - most well-known frameworks (e.g., Scrum, XP, etc.) are applied in many teams throughout organizations.&nbsp;
  365. The Power of DevSecOps&nbsp;
  366. DevOps primarily aims to…</description>
  367.  <pubDate>Mon, 20 Nov 2023 19:09:05 -0500</pubDate>
  368.                            <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
  369.                            <guid isPermaLink="true">https://www.veracode.com/ver63931</guid>
  370.                            </item>
  371. <item>
  372.  <title>New Data Reveals Top Drivers of Secure Software in Financial Services Sector </title>
  373.  <link>https://www.veracode.com/blog/research/new-data-reveals-top-drivers-secure-software-financial-services-sector</link>
  374.  <description>Across the globe, the financial services sector is affected by increased security regulations. To name a few, there is the United States’ Executive Order on Improving the Nation’s Cybersecurity, the European Union’s NIS2 Directive, the SEC’s new rules on disclosures, and ISO 20022. With so much pressure on the sector, Veracode is proud to present new data, looking specifically at organizations in this industry, that reveals the top drivers security teams can employ to measurably reduce their software security risk.&nbsp;&nbsp;
  375. “The security performance of financial applications generally outperforms other industries, with automation, targeted security training, and scanning via Application Programming Interface (API) contributing to a year-over-year reduction in the percentage of applications containing flaws,” shared our press release coverage of the research on 25 October, 2023. &nbsp;
  376. Let’s dissect this research from the State of Software Security 2023 in Financial Services in more…</description>
  377.  <pubDate>Wed, 15 Nov 2023 12:31:18 -0500</pubDate>
  378.                            <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
  379.                            <guid isPermaLink="true">https://www.veracode.com/ver63921</guid>
  380.                            </item>
  381. <item>
  382.  <title>Securing Your Web Applications and APIs with Veracode DAST Essentials</title>
  383.  <link>https://www.veracode.com/blog/managing-appsec/securing-your-web-applications-and-apis-veracode-dast-essentials</link>
  384.  <description>Web applications are one of the most common vectors for breaches, accounting for over 40% of breaches according to Verizon's 2022 Data Breach Report. Ensuring that your web applications are sufficiently protected and continue to be monitored once they are in production is vital to the security of your customers and your organization.&nbsp;
  385. Staying Ahead of the Threat
  386. Attackers are constantly looking for new ways to exploit vulnerabilities and to breach web applications, which means that as their methods mature and they become more aggressive, even the most securely developed applications can become vulnerable. Organizations that only perform annual penetration tests on their web applications may be leaving themselves open to a breach that could be easily prevented with regular production scanning.&nbsp;
  387. Application security outlines a collection of processes and tools focused on identifying, remediating, and preventing application-level vulnerabilities throughout the entire software…</description>
  388.  <pubDate>Sun, 12 Nov 2023 22:55:15 -0500</pubDate>
  389.                            <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
  390.                            <guid isPermaLink="true">https://www.veracode.com/ver63856</guid>
  391.                            </item>
  392. <item>
  393.  <title>Securing APIs: Practical Steps to Protecting Your Software</title>
  394.  <link>https://www.veracode.com/blog/managing-appsec/securing-apis-practical-steps-protecting-your-software</link>
  395.  <description>In the dynamic world of software development, Application Programming Interfaces (APIs) serve as essential conduits, facilitating seamless interaction between software components. This intermediary interface not only streamlines development but also empowers software teams to reuse code. However, the increasing prevalence of APIs in modern business comes with security challenges. That’s why we’ve created this blog post - to provide you with actionable steps to enhance the security of your APIs today.&nbsp;
  396. Understanding API Security
  397. API security extends beyond protecting an application's backend services, including elements such as databases, user management systems, and components interacting with data stores. It involves adopting diverse tools and practices to strengthen the integrity of your tech stack. A strong API security strategy reduces the risk of unauthorized access and malicious actions, ensuring the protection of sensitive information.
  398. Exploring API Vulnerabilities
  399. Despite…</description>
  400.  <pubDate>Tue, 07 Nov 2023 17:37:50 -0500</pubDate>
  401.                            <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
  402.                            <guid isPermaLink="true">https://www.veracode.com/ver63721</guid>
  403.                            </item>
  404. <item>
  405.  <title>SAST vs. DAST for Security Testing: Unveiling the Differences</title>
  406.  <link>https://www.veracode.com/blog/intro-appsec/sast-vs-dast-security-testing-unveiling-differences</link>
  407.  <description>Application Security Testing (AST) encompasses various tools, processes, and approaches to scanning applications to uncover potential security issues. Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) are popularly used security testing approaches that follow different methodologies of scanning application code across different stages of a software development lifecycle.&nbsp;&nbsp;
  408. SAST follows a white-box testing approach to analyze the binary code to identify exploitable vulnerabilities and coding errors. On the other hand, DAST implements a black-box testing method, where security engineers parse simulated attack payloads through the application’s front end without exposing internal information on the application’s internal construct.&nbsp;&nbsp;
  409. In this blog, we will discuss SAST and DAST testing approaches, how they help detect vulnerabilities and application failures, their differences, and best use cases.&nbsp;
  410. Static Application…</description>
  411.  <pubDate>Thu, 02 Nov 2023 13:45:06 -0400</pubDate>
  412.                            <dc:creator>Jenny Buckingham@veracode.com (Jenny Buckingham)</dc:creator>
  413.                            <guid isPermaLink="true">https://www.veracode.com/ver63686</guid>
  414.                            </item>
  415. <item>
  416.  <title>How Executive Order on Artificial Intelligence Addresses Cybersecurity Risk</title>
  417.  <link>https://www.veracode.com/blog/security-news/how-executive-order-artificial-intelligence-addresses-cybersecurity-risk</link>
  418.  <description>Unlike in the 1800s when a safety brake increased the public’s acceptance of elevators, artificial intelligence (AI) was accepted by the public much before guardrails came to be. “ChatGPT had 1 million users within the first five days of being available,” shares Forbes. Almost a year later, on October 30, 2023, President Biden issued an Executive Order “to ensure that America leads the way in seizing the promise and managing the risks of artificial intelligence (AI).” Here’s what the Executive Order gets right about addressing cybersecurity risk and promise posed by AI.&nbsp;
  419. Overview of Key Points in the Executive Order on Artificial Intelligence&nbsp;
  420. Before diving more deeply into a few cyber-specific aspects of the Executive Order on Artificial Intelligence, let’s look at some of the key points and goals included in this far-reaching order.&nbsp;&nbsp;
  421. From requiring “developers of the most powerful AI systems share their safety test results and other critical information with the…</description>
  422.  <pubDate>Wed, 01 Nov 2023 14:51:15 -0400</pubDate>
  423.                            <dc:creator>cwysopal@veracode.com (cwysopal)</dc:creator>
  424.                            <guid isPermaLink="true">https://www.veracode.com/ver63681</guid>
  425.                            </item>
  426. <item>
  427.  <title>Top 6 DevOps Web Application Security Best Practices</title>
  428.  <link>https://www.veracode.com/blog/secure-development/top-6-devops-web-application-security-best-practices</link>
  429.  <description>In today’s world, the importance of incorporating web application security best practices cannot be overstated. Recent studies show that web applications are the top attack vector in nearly 80% of incidents. The good news is DevOps processes lend themselves to integrated security practices.&nbsp;Here are the top six best practices for seamlessly weaving web application security into DevOps.&nbsp;
  430. The Role of Web Application Security Best Practices in DevOps&nbsp;
  431. The cornerstone of a successful DevOps practice is automation; this is why automating security within workflows (DevSecOps) makes so much sense. DevSecOps is lacing each step of the DevOps process and practice with security. &nbsp;
  432. By adding security into each step of the software development lifecycle (SDLC) – from planning to coding and building to testing to staging to operating and monitoring –&nbsp;the most important outputs of the SDLC are assured to be secure when deployed and attestable for compliance.&nbsp;…</description>
  433.  <pubDate>Mon, 30 Oct 2023 13:54:34 -0400</pubDate>
  434.                            <dc:creator>cbertram@veracode.com (cbertram)</dc:creator>
  435.                            <guid isPermaLink="true">https://www.veracode.com/ver63621</guid>
  436.                            </item>
  437. <item>
  438.  <title>Securing Web Applications: A CISO’s Checklist for Tech Leaders</title>
  439.  <link>https://www.veracode.com/blog/intro-appsec/securing-web-applications-cisos-checklist-tech-leaders</link>
  440.  <description>As a CISO, securing web applications and ensuring their resilience against evolving cyber threats is a non-negotiable priority. Verizon’s Data Breach Investigations Report 2023 cites web applications as the top attack vector by a long shot (in both breaches and incidents). Here’s a simplified checklist for securing web applications that will help you improve your organization’s security posture and the integrity of your technology.&nbsp;
  441. Assessing Web Application Risk and Threats&nbsp;
  442. A powerful first step in securing web applications is discovery. You can’t secure what you don’t know about!&nbsp;Start with an inventory of your software or application portfolio to understand sources of risk and what you want to prioritize. &nbsp;
  443. For some this may be simple. For others it will be an essential inventory of what makes up your software and development process. Here are some questions to consider in your assessment of your portfolio:&nbsp;
  446. How many applications do you have? &nbsp;…</description>
  447.  <pubDate>Wed, 18 Oct 2023 11:21:23 -0400</pubDate>
  448.                            <dc:creator>Sohail Iqbal@veracode.com (Sohail Iqbal)</dc:creator>
  449.                            <guid isPermaLink="true">https://www.veracode.com/ver63516</guid>
  450.                            </item>
  451. <item>
  452.  <title>Web Application Security: 5 Security Tips for Software Engineers</title>
  453.  <link>https://www.veracode.com/blog/secure-development/web-application-security-5-security-tips-software-engineers</link>
  454.  <description>As a software engineer in a cloud-native world, you’re the first line of defense in web application security. Armed with a few best practices that have a huge impact, securing both the code you create and the code you compile can be simple. Here are five tips that make your role easier in protecting data with secure development.&nbsp;
  455. Overview of Preventing Breaches with Web Application Security Practices&nbsp;
  456. Growing threats in the digital landscape, like entering the era of AI-driven attacks, make proactive code security essential. A nonprofit organization focused on open-source software security, the Open Web Application Security Project (OWASP), maintains the OWASP Top 10, a list of the top 10 security risks faced by web applications. This is a foundational resource for ensuring secure code. Many of these risks can be handled using the tips that follow.&nbsp;
  457. Tip 1: Start Building Apps with Security in Mind&nbsp;
  458. Consider security from the beginning. Here’s how CISA defines…</description>
  459.  <pubDate>Wed, 11 Oct 2023 10:19:23 -0400</pubDate>
  460.                            <dc:creator>Michael Man@veracode.com (Michael Man)</dc:creator>
  461.                            <guid isPermaLink="true">https://www.veracode.com/ver63456</guid>
  462.                            </item>
  463. <item>
  464.  <title>A CISO Explains 4 Steps that Make it Easy to Stay Safe Online</title>
  465.  <link>https://www.veracode.com/blog/security-news/ciso-explains-4-steps-make-it-easy-stay-safe-online</link>
  466.  <description>To secure our world,&nbsp;Cybersecurity Awareness Month encourages four steps that make it easy to stay safe online. As a CISO, my team and I advocate for these practices constantly within our organization. If you are a security practitioner looking to bolster cybersecurity awareness, here’s a brief look at how we explain these steps to help make staying safe online easier.&nbsp;
  467. Before we dive in, making cybersecurity practices relatable and clear is key to the adoption at any organization. Consider the recent disclosure of a new vulnerability affecting web applications. This is the type of real-life scenario that can be used to make the following information more relatable. New vulnerabilities like this one are what makes the first step so important.&nbsp;
  468. Software Updates – The Why &amp; How&nbsp;
  469. Software updates are essential for keeping your computer secure and up-to-date. They can fix bugs, improve performance, add new features, and make your software compatible with new…</description>
  470.  <pubDate>Mon, 02 Oct 2023 11:06:07 -0400</pubDate>
  471.                            <dc:creator>Sohail Iqbal@veracode.com (Sohail Iqbal)</dc:creator>
  472.                            <guid isPermaLink="true">https://www.veracode.com/ver63286</guid>
  473.                            </item>
  474. <item>
  475.  <title>Resolving Webp Zero-day Vulnerability CVE-2023-4863</title>
  476.  <link>https://www.veracode.com/blog/security-news/resolving-webp-zero-day-vulnerability-cve-2023-4863</link>
  477.  <description>Executive Summary
  478. The webp image library is vulnerable to a heap buffer overflow. The exact steps to exploit the vulnerability have not been disclosed publicly. The NSO Group was actively carrying out a campaign which infected Apple devices with spyware, which was disclosed by Citizen Lab. It was later discovered that the root of this attack is in the webp library, which exists in many popular applications such as Google Chrome and the Electron Framework. This vulnerability can be detected with Veracode SCA and Veracode Container scanning. We give guidance for testing and remediation below.
  479. How to Detect and Remediate&nbsp;
  480. Option 1: Use one of the Veracode SCA scanners; Upload &amp; Scan or Agent-based scan. We are able to detect the following uses of webp:&nbsp;
  483. Webp from OS package manager&nbsp;
  486. An example is this alpine package&nbsp;&nbsp;
  490. Electron declared as a dependency in package.json or code included in the node_modules directory&nbsp;
  492. Python Pillow library&nbsp;
  495. To…</description>
  496.  <pubDate>Fri, 29 Sep 2023 10:12:09 -0400</pubDate>
  497.                            <dc:creator>Nova Trauben@veracode.com (Nova Trauben)</dc:creator>
  498.                            <guid isPermaLink="true">https://www.veracode.com/ver63266</guid>
  499.                            </item>
  500. <item>
  501.  <title>New EMEA Software Security Data Demonstrates Necessity of SCA</title>
  502.  <link>https://www.veracode.com/blog/research/new-emea-software-security-data-demonstrates-necessity-sca</link>
  503.  <description>New software security data demonstrates that Software Composition Analysis (SCA) will help bolster the safety and integrity of open-source software usage for organizations in the Europe, Middle East, and Africa (EMEA) region in particular. The EU Cyber Resilience Act makes this research especially crucial and timely. Let’s dive in and look at recommendations for EMEA teams wanting to secure cloud-native development.&nbsp;
  504. Understanding EMEA Software Security Landscape&nbsp;
  505. The software security landscape in EMEA is shaken up by the Commission’s proposal for a new Cyber Resilience Act (CRA) from 15 September 2022. It “aims to safeguard consumers and businesses buying or using products or software with a digital component. The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.”&nbsp;&nbsp;…</description>
  506.  <pubDate>Tue, 26 Sep 2023 09:52:36 -0400</pubDate>
  507.                            <dc:creator>Robert Rhame@veracode.com (Robert Rhame)</dc:creator>
  508.                            <guid isPermaLink="true">https://www.veracode.com/ver63226</guid>
  509.                            </item>
  510. <item>
  511.  <title>Secrets Management Best Practices: Secure Cloud-native Development Series</title>
  512.  <link>https://www.veracode.com/blog/research/secrets-management-best-practices-secure-cloud-native-development-series</link>
  513.  <description>Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our&nbsp;Secure Cloud-native Development Series. This blog is the fifth and final part of the series, and it will teach you to handle credentials and secrets management best practices for securing cloud-native applications.
  514. Every organization has their way of managing credentials. In the past, with legacy application architectures, this was a bit more manual and arduous. With cloud-native applications, we have options open to us that are seamless for handling credentials and secrets management. The level of sensitivity of the data will designate the means we use to protect credentials.&nbsp;&nbsp;
  515. Obviously, never check in credentials to code repositories. But again, utilizing the cloud provider’s secret manager/vault can help us strengthen our security posture and minimize risk for leaked credentials within the architecture and application.&nbsp;&nbsp;
  516. Best Practices for Secrets Management…</description>
  517.  <pubDate>Mon, 25 Sep 2023 15:23:06 -0400</pubDate>
  518.                            <dc:creator>dsilveri@veracode.com (dsilveri)</dc:creator>
  519.                            <guid isPermaLink="true">https://www.veracode.com/ver63206</guid>
  520.                            </item>
  521. <item>
  522.  <title>What Security Practitioners Can Learn from New SAST Vendor Analysis</title>
  523.  <link>https://www.veracode.com/blog/intro-appsec/what-security-practitioners-can-learn-new-sast-vendor-analysis</link>
  524.  <description>Developing and maintaining secure code at scale is hard. Having the right Static Application Security Testing (SAST) solution makes it easier, but how are practitioners to choose? In the following interview, you’ll learn about three emerging trends from detailed analysis of the SAST landscape in The Forrester Wave™: Static Application Security Testing, Q3 2023.&nbsp;
  525.  
  526. Veracode earns the top scores across the Current Offering, Strategy, and Market Presence (tied) categories. To quote the report, “Veracode differentiates with reporting, remediation, and a programmatic approach” with a forward-looking vision that “translates to an exciting roadmap with AI-powered features for flaw prevention, automated remediation, intelligent prioritization, and cross-correlation of application security testing (AST) scans.”&nbsp;
  527. Why a Report on SAST Matters Today
  528. I sat down with Christy Smith, Veracode’s Head of Analyst Relations, to talk about this timely report and what trends can be found in this…</description>
  529.  <pubDate>Tue, 19 Sep 2023 13:46:57 -0400</pubDate>
  530.                            <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
  531.                            <guid isPermaLink="true">https://www.veracode.com/ver63181</guid>
  532.                            </item>
  533. <item>
  534.  <title>Why New SEC Cyber Rules Promote Accountability and Maturity</title>
  535.  <link>https://www.veracode.com/blog/intro-appsec/why-new-sec-cyber-rules-promote-accountability-and-maturity</link>
  536.  <description>Deploying software and hoping it’s “safe enough” isn’t a measurable security strategy. It’s certainly not something that’s going to bode well when the time comes to disclose processes and practices for managing cybersecurity risks. The latest Securities and Exchange Commission (SEC) Cyber Rules will “require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats.”&nbsp;&nbsp;
  537. Here’s why I’m optimistic this disclosure requirement begets the transparency and accountability needed to secure our digital future and promote maturity. I also share a critical action that executives can take now to align with the new cyber risk governance rules.&nbsp;
  538. A Brief Introduction to the 2023 SEC Rules on Cybersecurity Risk&nbsp;
  539. The much-anticipated announcement of newly adopted cyber rules arrived from the SEC on July 26, 2023. These rules require public…</description>
  540.  <pubDate>Mon, 18 Sep 2023 13:39:59 -0400</pubDate>
  541.                            <dc:creator>Sohail Iqbal@veracode.com (Sohail Iqbal)</dc:creator>
  542.                            <guid isPermaLink="true">https://www.veracode.com/ver63161</guid>
  543.                            </item>
  544. <item>
  545.  <title>Easily Enable Encryption: Secure Cloud-native Development Series</title>
  546.  <link>https://www.veracode.com/blog/research/easily-enable-encryption-secure-cloud-native-development-series</link>
  547.  <description>Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our&nbsp;Secure Cloud-native Development Series. This blog is the fourth part of the series, and it will teach you why and how to easily enable encryption and save yourself headaches down the road.
  548. Here's a new motto: encrypt everything! When securely moving to cloud-native technologies, building encryption in from the start will save us a lot of headaches later. And it's actually anything but a headache to enable encryption while setting up your cloud-native development workflows. Here I’ll explain why enabling encryption will come in so handy, and what tools will help you do this with the greatest ease.&nbsp;
  549. A Scenario on Why You Need to Enable Encryption&nbsp;
  550. Imagine the following scenario: you have been tasked with a quick and dirty POC for an upcoming service release. You design it and build something that works, but for reasons we don’t need to go into, the release has been pushed…</description>
  551.  <pubDate>Thu, 14 Sep 2023 17:46:27 -0400</pubDate>
  552.                            <dc:creator>dsilveri@veracode.com (dsilveri)</dc:creator>
  553.                            <guid isPermaLink="true">https://www.veracode.com/ver63146</guid>
  554.                            </item>
  555. <item>
  556.  <title>Why Reduce Software Supply Chain Risks with Intelligent Software Security</title>
  557.  <link>https://www.veracode.com/blog/security-news/why-reduce-software-supply-chain-risks-intelligent-software-security</link>
  558.  <description>There’s a growing array of risks lurking within the supply chain of the digital solutions we increasingly depend upon. Leaving gaps in your software supply chain security (SSCS) could spell disaster for your organization. Let’s explore how new analysis defines an end-to-end solution and why Veracode was ranked as an Overall Leader, Product Leader, Innovation Leader, and Market Leader in the Software Supply Chain Security Leadership Compass 2023 by KuppingerCole Analysts AG.&nbsp;
  559. Leading the Charge: Software Supply Chain Security&nbsp;
  560. Picture a world where your security is only as strong as your weakest link, and that link could be a single line of code buried deep within open-source software from an unknown contributor. This is the reality of today’s software supply chain. Each component, whether it’s custom code, third-party libraries, or the configuration of CI/CD tools and infrastructure, presents a potential entry point for an attacker.&nbsp;
  561. Many players are working to provide…</description>
  562.  <pubDate>Tue, 12 Sep 2023 14:07:47 -0400</pubDate>
  563.                            <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
  564.                            <guid isPermaLink="true">https://www.veracode.com/ver63106</guid>
  565.                            </item>
  566. <item>
  567.  <title>Managing Storage Access: Secure Cloud-native Development Series</title>
  568.  <link>https://www.veracode.com/blog/research/managing-storage-access-secure-cloud-native-development-series</link>
  569.  <description>Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our&nbsp;Secure Cloud-native Development Series. This blog is the third part of the series, and it will teach you how to secure cloud storage and handle access controls on S3 buckets.
  570. Each cloud provider has managed storage services that your organization is already probably utilizing.&nbsp; Cloud storage such as Amazon Simple Storage Service (Amazon S3) or Azure storage tools are tightly integrated into the other managed services which makes it simple to manage.&nbsp;We will discuss specifically Amazon’s S3 storage service and how it relates to secure cloud-native development.&nbsp; &nbsp;
  571. An Introduction to Secure Cloud Storage and Access Control Configuration&nbsp;
  572. Amazon recently turned on default server-side encryption (SSE) for all users using AES-256. Though most likely we already (or at least should have) had encryption turned on, it’s now one less&nbsp;thing to worry about.&nbsp;…</description>
  573.  <pubDate>Tue, 05 Sep 2023 15:20:59 -0400</pubDate>
  574.                            <dc:creator>dsilveri@veracode.com (dsilveri)</dc:creator>
  575.                            <guid isPermaLink="true">https://www.veracode.com/ver63071</guid>
  576.                            </item>
  577. <item>
  578.  <title>How to Enable Logging: Secure Cloud-native Development Series</title>
  579.  <link>https://www.veracode.com/blog/research/how-enable-logging-secure-cloud-native-development-series</link>
  580.  <description>Build secure cloud-native applications by avoiding the top five security pitfalls we lay out in our Secure Cloud-native Development Series. This blog is the second part of the series, and it will teach you how and why to enable logging from the start.&nbsp;
  581. We’re going to talk about enabling logging (cloud logging, to be specific).&nbsp;What’s the difference? Not much, other than the fact that it’s another managed service integrated with the tools we should already be utilizing.&nbsp;&nbsp;
  582. Why Enable Logging?&nbsp;
  583. All developers/engineers know we need logging. But other conflicting priorities and time constraints get in the way sometimes, and it becomes a “we’ll do that on the next sprint”. I have worked on the engineering side of things as well as the security side, where I needed to track down network/application issues, or security incidents, only to find that we didn’t have logs or logging enabled on specific services.&nbsp;&nbsp;&nbsp;
  584. Enabling logging can be compared to our…</description>
  585.  <pubDate>Mon, 28 Aug 2023 14:07:53 -0400</pubDate>
  586.                            <dc:creator>dsilveri@veracode.com (dsilveri)</dc:creator>
  587.                            <guid isPermaLink="true">https://www.veracode.com/ver62966</guid>
  588.                            </item>
  589. <item>
  590.  <title>Security Researchers Share Insights on Black Hat 2023 Topics and Trends</title>
  591.  <link>https://www.veracode.com/blog/research/security-researchers-share-insights-black-hat-2023-topics-and-trends</link>
  592.  <description>Shocking to no one: Artificial Intelligence (AI) was a huge topic at Black Hat USA 2023, but what did we learn about it? With no shortage of talks on it, there are many insights to take into account. We asked highly skilled Software Security Researchers who attended both Black Hat and DEFCON to weigh in on the most insightful moments, particularly related to AI. Here’s what we found.&nbsp;
  593. AI is a Double-edged Sword for Security&nbsp;
  594. AI presents society with a double-edged sword (especially when it comes to cybersecurity). John Simpson, Senior Security Researcher, explains: “AI is clearly the hot topic; at both Black Hat and DEFCON there was a lot of emphasis on the dangers but also significant talk about its potential usefulness.”&nbsp;
  595. The intricate interplay between AI’s benefits and risks underscores the complexity of our rapidly evolving digital age. On the one hand, attackers are using AI to enhance their exploit capabilities. Conversely, we are able to enhance defenses with AI…</description>
  596.  <pubDate>Mon, 21 Aug 2023 10:25:54 -0400</pubDate>
  597.                            <dc:creator>ntischler@veracode.com (ntischler)</dc:creator>
  598.                            <guid isPermaLink="true">https://www.veracode.com/ver62896</guid>
  599.                            </item>
  600. <item>
  601.  <title>Enhancing Code Security with Generative AI: Using Veracode Fix to Secure Code Generated by ChatGPT</title>
  602.  <link>https://www.veracode.com/blog/secure-development/enhancing-code-security-generative-ai-using-veracode-fix-secure-code</link>
  603.  <description>Artificial&nbsp;Intelligence (AI) and companion coding can help developers write software faster than ever. However, as companies look to adopt AI-powered companion coding, they must be aware of the strengths and limitations of different approaches – especially regarding code security.&nbsp;&nbsp;
  604. Watch this 4-minute video to see a developer generate insecure code with ChatGPT, find the flaw with static analysis, and secure it with Veracode Fix to quickly develop a function without writing any code.&nbsp;
  605.  
  606. The video above exposes the nuances of generative AI code security. While generalist companion coding tools like ChatGPT excel at creating functional code, the quality and security of the code often falls short. Specialized solutions like Veracode Fix - built to excel at remediating insecure code - bring a vital security skillset to generative AI. By using generalist and specialist AI tools in collaboration, organizations can empower their teams to accelerate software development…</description>
  607.  <pubDate>Thu, 17 Aug 2023 13:01:00 -0400</pubDate>
  608.                            <dc:creator>dmaguire@veracode.com (dmaguire)</dc:creator>
  609.                            <guid isPermaLink="true">https://www.veracode.com/ver62891</guid>
  610.                            </item>
  611.  
  612.  </channel>
  613. </rss>
  614.  
Copyright © 2002-9 Sam Ruby, Mark Pilgrim, Joseph Walton, and Phil Ringnalda