  • June 13, 2007

    Jeremiah Grossman on the pervasive nature of XSS

    Jeremiah Grossman, founder and chief technology officer of WhiteHat Security, talks about his new book, Cross Site Scripting Attacks: XSS Exploits and Defense; how developers and users can defend themselves against XSS; and the state of Web ...

  • June 12, 2007

    Agile development methodologies -- Podcast

    This recording from Venkat Subramaniam's presentation at 2007 The Server Side Java Symposium in Las Vegas looks at different agile software development methodologies, then compares and contrasts the features of each.

  • June 11, 2007

    Ten ways to improve testing, performance of Web 2.0 applications

    Web 2.0 is forcing organizations to update their software development and testing strategies. Here are 10 things you can do to ensure that your QA testing is sophisticated, thorough and agile enough to keep up with the evolving complexity of Web 2.0...

  • June 06, 2007

    IBM to acquire Web application security vendor Watchfire

    IBM announced plans to acquire Watchfire, creator of the AppScan application security products.

  • June 05, 2007

    How static analysis can improve software security

    Fortify's Brian Chess talks about his upcoming book, Secure Programming with Static Analysis, and progress that has been made toward making security part of the software development life cycle (SDLC).

  • June 04, 2007

    ALM 2.0: Application lifecycle management changing to meet development organizations' needs

    The changing face of application lifecycle management (ALM) has application development organizations looking to tools and technologies that help them collaborate across functional silos, work across large geographic distances and work more ...

  • May 30, 2007

    Giving managers time to manage

    Task-Oriented Applications can be used to collaborate with and coordinate staff, document activities and decisions and meet regulatory requirements, while giving managers more time to manage.

  • May 29, 2007

    XSS the top vulnerability in most Web applications in Q1

    Cenzic's Application Security Trends report shows various cross-site scripting (XSS) vulnerabilities dominated the top 10 vulnerabilities in commercial and open source Web applications the first quarter of 2007.

  • May 25, 2007

    XSS leads OWASP's Top 10 for 2007

    OWASP says cross-site scripting (XSS) remains the "termite" of Web applications, while cross-site request forgery and cryptography emerge as serious problems.

  • May 24, 2007

    Ten software testing traps

    You may think you're testing software correctly, but you could be following a tendency that traps you and limits how effective you are. Learn what 10 tendencies testing guru Jon Bach has observed that trap software testers.

  • May 21, 2007

    Alistair Cockburn on what's agile, what's not

    Alistair Cockburn, a signatory on The Manifesto for Agile Software Development, talks about the agile landscape, what has changed and where his methodology, Crystal, fits in.

  • May 15, 2007

    Application security shouldn't involve duct tape, Band-Aids or bubble gum

    By applying a multilayered approach to application security throughout the SDLC, software ships more securely, closer to the scheduled delivery date and closer to anticipated cost. How do you do that? Joe Basirico, a senior security trainer at ...

  • May 08, 2007

    OMG working to improve application security testing

    The OMG's development of a Software Assurance Framework would allow information to be shared among the security tooling community, enabling interoperability between application security tools.

  • May 07, 2007

    Klocwork enhances static code analysis suite

    The Klocwork 7.7 static code analysis suite provides enhanced usability and expanded support for Visual Studio .NET C/C++ and IntelliJ IDEA for Java. The goal is to make application security easier for developers.

  • April 26, 2007

    Model-driven development tool facilitates software development

    Skyway Visual Workspace 5.0, a new graphical system for creating SOA-based applications and Web services, uses an automated, model-driven development (MDD) process to speed up and improve software development.

  • April 24, 2007

    Performance testing improves Sigma-Aldrich's Web site quality

    Using Borland's SilkPerformer for predeployment performance testing of its Web site, life sciences company Sigma-Aldrich provides a quality experience for customers.

  • April 20, 2007

    Quality assurance tools from Gomez facilitate Web application testing

    Gomez Inc. announced the industry's first on-demand quality assurance applications. Gomez On-Demand QA Solutions help Web development organizations reduce design cycles and perform true production-based testing for new Web applications.

  • April 18, 2007

    How to attack (test) software yourself

    What's the best way to protect your software? Act like an attacker. Herbert H. Thompson, PhD., chief security strategist at People Security, outlines how to attack (test) software yourself.

  • April 18, 2007

    Software security practices continue to lag

    More people understand the importance of software security, but many more still need to become aware. They also need education and training to ensure they're testing applications properly and securing those applications.

  • April 18, 2007

    Benefits of Hyper Agile software development

    AccuRev founder and CTO Damon Poole has developed a methodology he calls Hyper Agile. Recently he talked about the benefits of Hyper Agile, how it differs from other agile methodologies and how it helped in the ...

  • April 16, 2007

    Software testing tools to help integrate application security throughout the SDLC

    Watchfire makes it easier to integrate Web application security throughout the software development life cycle (SDLC) with its new application security testing tools -- AppScan 7.5 and AppScan QA.

  • April 16, 2007

    Brief: New automated testing tool available from Seapine Software

    Software testing tool QA Wizard Pro 2007 is available from application security vendor Seapine Software.

  • April 09, 2007

    Black, gray and white box testing explained -- Podcast

    Security is critical when operating a Web application. Black, gray and white box tests are three tests you can conduct to ensure an attacker can't get to your application. In this podcast, Jennette Mullaney refers to information from Dan Cornell, ...

  • April 03, 2007

    Parasoft C++test developer toolkit integrated into IDEs

    The Parasoft C++test 7.0 developer toolkit has been released as plugins for Eclipse and Microsoft Visual Studio. Developers can write code, test code, review errors and debug test cases from a single environment.

  • April 02, 2007

    Debugging framework for multi-process applications unveiled

    TotalView Technologies, formerly Etnus, has announced the TotalView Multi-Core Debugging Framework, a set of debugging tools for multi-threaded, multi-process applications.

  • March 28, 2007

    How to control software quality in offshore development projects

    Experts cite numerous challenges to offshore development projects, but there are ways to overcome them and ensure software quality, particularly by applying some agile best practices.

  • March 26, 2007

    Agile development best for delivering products on target

    If you want your application to truly meet your users' needs, you must use an agile development methodology. That's the point Venkat Subramaniam from Agile Developer and Neal Ford from ThoughtWorks stressed during their presentations at ...

  • March 26, 2007

    Agile project management tool from ThoughtWorks expected in June

    ThoughtWorks' new Studios software division debuted this month with Mingle, an agile project management tool. Mingle, to be released in June, lets you manage projects, collaborate and document projects, capture requirements and link code to ...

  • March 26, 2007

    Application security the goal of initiatives from SANS and SPI Dynamics

    Educating programmers about application security is the focus of a campaign being launched by the SANS Institute and SPI Dynamics. A certification exam and workshops will be conducted as part of the campaign.

  • March 21, 2007

    Effective prototyping for quality software

    The authors of "Effective Prototyping for Software Makers" discuss the benefits of prototyping, how anyone can create a helpful prototype, and how the software development process is affected by the use of prototypes.

  • March 19, 2007

    New .NET application security tool from Fortify

    Fortify Software has extended the use of its Fortify Defender intrusion detection tool to work with Web applications written in .NET.

  • March 19, 2007

    Ajax, rich Internet application testing suite launched by Parasoft

    Parasoft today released Parasoft WebKing 6.0, an automated Web testing suite that provides comprehensive testing and analysis of complex Ajax and rich Internet applications (RIA).

  • March 13, 2007

    Mix of IT, business skills pays off for IT workers

    Compensation is rising for IT workers who have a mix of IT skills and business skills. The top paying certified skill is Web development, while the top noncertified skill is knowledge of enterprise business applications, according to Foote Partners ...

  • March 13, 2007

    SPI Dynamics revamps Web application security management tool

    SPI Dynamics has released a new version of its Web application security management tool, Assessment Management Platform (AMP). AMP 3.0, which assesses and manages application security risk across the enterprise and throughout the software ...

  • March 08, 2007

    New automated software testing tool from Seapine Software

    Seapine Software has completely rewritten its QA Wizard automated software testing tool. The new tool was designed to make it easy for companies to test more of an application, test it more thoroughly and test it faster.

  • March 07, 2007

    Software development dreams, nightmares

    Work on a software development project long enough and you start to have dreams (or nightmares) about code. In his recent book, Dreaming in Code, Scott Rosenberg witnessed firsthand the struggles and successes of Chandler, a next-generation personal...

  • March 06, 2007

    How source code analysis improves application security

    New application vulnerabilities are disclosed daily. Many of them, however, can be discovered and resolved through source code analysis. Learn how in this podcast with Denim Group's Dan Cornell.

  • March 05, 2007

    Java secure, but developers introduce vulnerabilities, report finds

    Although Java has been found to be more secure than other languages, a report from Fortify Software's Java Open Review Project warns that developers may inadvertently introduce vulnerabilities into their own code by using the sample code and ...

  • February 28, 2007

    Agile methods bring improved software quality, but challenges remain

    Early benchmarking results of Agile development methods such as Extreme Programming (XP) and Scrum projects show productivity and quality improvements, but time/scope pressures remain the biggest challenges to project success. Software metrics and ...

  • February 27, 2007

    Xcitek makes software quality rebound

    Xcitek, maker of securities processing software, increased software quality and customer satisfaction using quality assurance (QA) automation tools from Compuware and a continuous integration development method.

  • February 26, 2007

    The state of software quality, part 2: The challenge of building quality into the development life c

    Organizations are adopting lighter-weight development methodologies and Agile development styles to address software quality issues, as well as bringing testing into the development process.

  • February 21, 2007

    Free software management system from Artifact

    Artifact's Lighthouse Pro software management system includes all of the capabilities needed to manage, monitor and measure software development projects.

  • February 20, 2007

    Find software bugs, defects using code coverage

    Software testing is useless if it isn't complete. Statement and branch coverage can uncover glaring problems in unexecuted blocks of code, but they often miss bugs in the logic of your code. Path coverage, however, is a more comprehensive technique ...

  • February 19, 2007

    The state of software quality, part 1: Problems remain, but all is not doomed

    Many experts say software quality hasn't improved much over the years, despite the increased recognition and attention paid to quality issues, but there are some bright spots, such as better tooling and the influence of Agile development methods.

  • February 16, 2007

    Compuware Quality Management helps manage software testing, QA

    Compuware's new quality assurance solution, Compuware Quality Management, helps software testing and quality assurance (QA) organizations create a testing process. It also provides a way for them to monitor their tests as well as their testing and ...

  • February 15, 2007

    SOASTA Concerto testing service ensures quality Web applications

    SOASTA's new Web testing service has easy-to-use visual editors that help software testers increase their productivity and improve testing quality.

  • February 15, 2007

    McCabe Software enhances software quality management suite

    McCabe IQ Developers Edition, Test Team Edition and Enterprise Edition target key groups within the development life cycle, helping companies release high quality software.

  • February 15, 2007

    Borland testing, quality management products enhanced

    Borland Software announced new capabilities across its Silk line of integrated testing and quality management products, core components of its Lifecycle Quality Management (LQM) solution.

  • January 30, 2007

    Borland integrates Cenzic application security tool with Gauntlet

    Software developers and testers who use Borland's Gauntlet will now have Cenzic's Hailstorm application security testing tool available to them.

  • January 29, 2007

    Klocwork tool puts application security in the hands of developers

    Klocwork introduces Developer for Java, an Eclipse/Rational plug-in that enables developers to analyze code for security vulnerabilities and defects.

  • January 29, 2007

    SPI Dynamics' WebInspect 7 designed to tackle evolving security threats

    With WebInspect 7, SPI Dynamics has created a security product re-engineered to handle the threats and vulnerabilities of Web 2.0.

  • November 30, 2006

    Tips and tricks on Ajax security

    Ajax security can be achieved by following the proper guidelines. In this podcast, expert Caleb Sima explains why Ajax is not inherently insecure, which tools work and which don't, and how to safely deploy Ajax.

  • November 16, 2006

    SDLC lacks application security practices

    The SDLC (software development life cycle) must be revamped to accommodate application security. Find out how to incorporate security into the SDLC with techniques from Ryan Berg.

  • November 06, 2006

    SPI Dynamics beefs up DevInspect tool

    SPI Dynamics takes application vulnerability detection a step further with DevInspect 3.0. The new version now includes full support for Java developers and J2EE Web applications.

  • November 06, 2006

    Watchfire's Web app vulnerability scanner boosts automation, communication

    AppScan 7.0 adds privilege escalation testing and support for two-factor authentication, plus root cause identification and communication features and a new Reporting Console.

  • November 01, 2006

    Cenzic unveils application security assessment tool

    To help companies better assess the security of their applications, Cenzic has created Hailstorm Enterprise ARC.

  • October 31, 2006

    Injection attacks -- Knowledge and prevention

    SQL injection is recognized as a major threat to application security, but what about other injection attacks? SPI Dynamics' Caleb Sima dissects these exploits and offers straightforward prevention techniques in this podcast.

  • October 26, 2006

    Source code analysis part of DoD's app security plan

    The U.S. Navy Network Warfare Command's evaluation of Ounce Labs' source code analysis technology showed how a tool such as Ounce could improve the Department of Defense's application security and reduce project costs.

  • October 25, 2006

    Secure agile software development an oxymoron?

    Agile software development should include security measures. Dan Cornell describes how to introduce application security into your agile software development life cycle (SDLC).

  • October 23, 2006

    WhiteHat Security rolls out v3 of Sentinel service

    WhiteHat Security debuted version 3.0 of its WhiteHat Sentinel, a continuous vulnerability assessment and management service for Web applications. New features include a one-click vulnerability retest and the Inspector technology for building a ...

  • October 19, 2006

    One simple rule to make your Web apps more secure

    If there's one thing developers should do to increase Web applications security, it's input validation, according to Caleb Sima, founder and CTO of SPI Dynamics. In this interview, he discusses the most dangerous threats to Web applications, such ...

  • October 16, 2006

    Denim Group donates Ajax security scanner to OWASP

    Sprajax, the first Ajax security scanner, is now available for download at the OWASP Web site. The Denim Group has donated its tool to the non-profit organization.

  • October 12, 2006

    Biometric authentication a choice for banks

    As banks struggle to secure online transactions with two-factor authentication, the United Bankers' Bank has chosen a fingerprint biometric system and has seen excellent results.

  • October 10, 2006

    Ounce Labs joins forces with app security vendors

    In two announcements, Ounce Labs said it is partnering with application security vendors to help companies better find vulnerabilities in software.

  • October 10, 2006

    Web services security enhanced by new technologies

    A new suite of security products from Layer 7 aims to protect SOA, Ajax and Web 2.0.

  • October 06, 2006

    Secure voting: Source code analysis tool key to absentee ballot system

    PostX turned to the Fortify Source Code Analysis tool for help developing an absentee ballot request system for the U.S. Armed Forces. The system allows deployed military personnel to securely request and receive absentee ballot packages via the Web...

  • October 05, 2006

    Product roundup: New tools for protecting Web, .NET applications

    The past few weeks saw the release of new products to protect applications. Here's a look at some of those products, including WhiteHat Satellite, Aladdin HASP, AttackAPI (0.7) and Thor 0.99.

  • October 02, 2006

    Financial Engines revs up software security with code-scanning tool

    The investment advisory company uses Fortify's Source Code Analysis code-scanning tool to help catch flaws and enhance its security in-depth approach.

  • October 01, 2006

    Is software becoming more testable?

    Software testing and validation hasn't advanced much recently, although test-driven development (TDD) has made software more testable. However, one innovation, model-based testing, is making waves.

  • September 20, 2006

    Burton: Web application firewall market maturing

    Web application firewalls have improved performance and functionality, but it still takes time, knowledge and skills to implement them, according to a recent Burton Group report. They are not "fire and forget" solutions.

  • September 13, 2006

    Product roundup: New tools to ensure application security

    Over the past month, several application security products have been announced. Here's a roundup of some of those new tools, including Parasoft's Jtest 8.0, SIFT's Web Method Search tool and WiKID 2.1.1.

  • September 08, 2006

    OWASP to pay people to work on projects

    OWASP (The Open Web Application Security Project) aims to deliver more products, as well as increase corporate sponsorship with its Autumn of Code initiative.

  • September 08, 2006

    PCI council formed; revised standard includes app security requirement

    American Express, Discover, JCB, MasterCard and Visa have created an independent PCI standards council. Their first act was to release version 1.1 of the PCI Data Security Standard, which clarifies existing requirements as well as adds a new one for...

  • August 30, 2006

    Prevent application logic attacks with sound app security practices

    Application logic attacks are common, dangerous and difficult to detect. In this interview, expert Rami Jaamour defines and analyzes logic attacks and provides in-depth security advice. As these threats become more popular, it is imperative to ...

  • August 29, 2006

    Hacme Casino tool reveals online gaming vulnerabilities

    Foundstone's Hacme Casino shows some of the threats online gaming applications face and helps developers see how these issues may be present in their own code.

  • August 15, 2006

    Application vulnerability assessment improved by Fortify, Watchfire partnership

    The combination of Fortify's source code analyzer with Watchfire's Web application vulnerability scanner provides a more complete assessment of application vulnerabilities. By correlating the results, developers can be taken to the actual line of ...

  • August 14, 2006

    Vulnerability assessment service pays off for Debt Exchange

    Loan sale advisor taps Cenzic's ClickToSecure vulnerability assessment services to test applications on its online marketplace. Investment helps give company edge over competitors -- and keeps attackers at bay.

  • August 10, 2006

    Ruby on Rails experiences serious security breach

    A security vulnerability has forced the creators of Ruby on Rails to issue an immediate upgrade. Version 1.1.5, which is being called a mandatory upgrade, is available now.

  • July 31, 2006

    Software security research highlights coding mistakes, enhances OWASP knowledgebase

    Fortify Software has classified 115 software security vulnerabilities into seven top-level issues and given the research to OWASP to aid with its Honeycomb Project. The goal is to help programmers understand common coding mistakes and to give back ...

  • July 28, 2006

    ASP.NET tool upgrade: Compuware releases SecurityChecker 2.5

    Automated security updates, a Team Integration System, improved reporting capabilities and additional vulnerability rules are among the new features in DevPartner SecurityChecker 2.5.

  • July 27, 2006

    VSTS and testing today, Part 3 - Are your tests test-driven?

    Test-driven development (TDD) is becoming more popular with developers. But is unit testing truly compatible with TDD? Can the VSTS tool improve the process?

  • July 17, 2006

    Top attack methods against Web sites identified

    "Google" hacking and directed attacks such as SQL injection and cross-site scripting are the most dangerous attack methods Web sites face, according to a new study by Fortify Software.

  • July 11, 2006

    Helping Ajax developers prevent exploits

    Ajax security is increasingly important as attackers have set their sights on Ajax apps. Andrew van der Stock explained what risks developers need to be aware of in ...

  • July 06, 2006

    New chapter and verse on Ajax application security

    Web application security in Ajax is becoming an issue. Andrew van der Stock, who is heading the OWASP Guide project, spoke about Ajax security and what risks developers need to be concerned about.

  • July 01, 2006

    Role of testing in agile projects

    Agile development emphasizes the role of testing in the software development process. Here are some guidelines to testing within the agile methodology.

  • June 30, 2006

    Klocwork static analysis tool proves its worth, finds bugs in open source projects

    Klocwork's K7.1 static analysis tool features 44 new vulnerability checkers across Java, C, and C++, as well as features ARM Compiler and Java 1.5 support.

  • June 30, 2006

    VSTS and testing today, Part 2 - Capabilities and plug-ins

    Integration of testing and development, test aggregation and test automation are just a few of the capabilities of VSTS. However, some don't believe these capabilities necessarily make software testing and development easier.

  • June 27, 2006

    Web application security testing reaches new level

    The Web application security market is maturing, and more companies are looking for tools to help them better secure their software. SPI Dynamics responded to that need this week with the announcement of two new products -- WebInspect 6.0 and ...

  • June 23, 2006

    Demystifying Java security -- Part 2

    Java application security is further explored in the second part of Ramesh Nagappan's Java security series. Part 2 concentrates on Java Web Start security, Java Extensible Security Architecture and APIs.

  • June 22, 2006

    Microsoft's new security boss envisions hands-on role

    Ben Fathi, the new face of Trustworthy Computing at Microsoft, expects to get more involved in security design and development.

  • June 21, 2006

    Demystifying Java security -- Part 1

    Java technology already has many security features built in. Sun's Ramesh Nagappan explores Java security in the first article of this two-part series. In Part 1, he concentrates on Java Runtime Environment, Java security management tools and Java ...

  • June 14, 2006

    What's in your security toolbox?

    Joe Stagner, Microsoft technical evangelist and developer community champion, shared with Software Security Summit attendees tools he's found that help secure applications.

  • June 14, 2006

    How things break: Securing your software

    Application security expert Gary McGraw says you need to put your black hats on and start thinking like bad guys if you want to have secure software.

  • June 13, 2006

    VSTS and testing today, Part 1 - Revenge of the unit

    Unit testing is very popular among developers, and open source tools such as NUnit have aided in its adoption. Now, Microsoft's Visual Studio Team System is available to support unit testing in an integrated environment.

  • June 12, 2006

    Security overhaul key to Microsoft's software success

    Through its Trusted Computing Initiative Microsoft revamped its development lifecycle to produce more secure and reliable products. Steven B. Lipner, senior director of security engineering strategy at Microsoft, explains how the company did it and ...

  • June 09, 2006

    Ounce Labs reaches out to developers with new analysis tool

    Ounce 4.0 source code vulnerability analysis tool provides free plug-ins for Microsoft Visual Studio 2005 and Eclipse, allowing developers to scan code for vulnerabilities.

  • June 08, 2006

    Want secure software? Break it first

    No software is perfect, but by thinking like a hacker you can better anticipate threats and create a more secure product.

  • June 06, 2006

    Are white hat hackers an endangered species?

    The recent prosecution of so-called white hat hackers is fueling a debate over the future of security researchers and acceptable ethics in cyberspace.

  • June 05, 2006

    Authentication, SSO tool aids Web app security

    Ping Identity has announced PingLogin, an authentication and single signon (SSO) framework for consumer-facing online services and Web applications.

  • May 25, 2006

    Twelve Java security traps and how to avoid them

    Java security isn't well understood, even by those who create Java applications. Fortify chief scientist Brian Chess describes common exploits that plague Java apps such as XSS, session hijacking and SQL injection.