Kiuwan Blog
Your News Source for Application Security Testing & Related Topics. Our expert blog writers stay attuned with the code security landscape and write about the latests industry trends.
Proactive Security Scanning and Testing Pre-Empts Attacks
Best security practices dictates that avoiding trouble is faster, cheaper and easier than fixing trouble after it manifests.
Post-Pandemic Hybrid Office Models Bring New Security Concerns
As 2021 reaches its halfway point, many businesses are transitioning back toward more on-premises operations, but some analysts believe that a hybrid workforce will be the new normal. In a hybrid model, the workforce is made up of both on-premises and remote workers, with many of those workers splitting time between home and the office.
Are Some Programming Languages More Secure than Others?
Security-related bugs can turn up in any programming language, but some are more prone to issues than others. Some newer languages are designed to make such errors harder. Others have “features” that are convenient but encourage coding that’s easy to exploit.
Prestidigitation: the Heart of Social Engineering
Social engineers use many of the same techniques to create an illusion in order to gain a victim’s trust and trick the person into doing their dirty work. They are essentially magicians, with the intent to derive some direct value by deceiving victims.
The 2021 CISSP Exam and Application Security: What’s Changed?
CISSP is one of the most prestigious vendor-neutral information systems security leadership certifications. The certification is a credential that signifies its holder possesses professional experience and demonstrates a high level of knowledge across information systems security domains.
The State of Mobile App Security 2021
The ever-increasing popularity and use of smartphones dwarfs that of more conventional computing devices, such as desktop, laptops, tablets and so forth. Here are some numbers to put things in perspective: according to Statista the total number of mobile...
The Colonial Pipeline Ransomware Attack
On May 7, Colonial Pipeline had to shut down its pipelines due to a ransomware attack. Colonial is a major oil pipeline operator in the southern and eastern United States. Its pipelines extend from Texas to New Jersey and reach Louisiana, Mississippi, Alabama, Georgia, the Carolinas, Tennessee, Virginia, Maryland and Pennsylvania.
Release Announcement – June 16, 2021
We are pleased to announce the availability of the latest Kiuwan update! Released on June 16, 2021, this update includes new features and some bugfixing, described below. The Oauth2/OIDC Integration project, a new feature Nowadays, many organizations...
Facebook Scraping Incident Leaks Info for a Half-Billion Users
In early April, numerous sources disclosed discovery of a pool of Facebook records including information on more than 530 million of its users. The leaked information included users’ names, dates of birth, and phone numbers as posted to a website for...
Pandemic Legacy: Remote Work and Digital Transformation
The COVID-19 pandemic drove many companies to rapidly expand their support for remote work. This change was not simply to appease a changing workforce; it was simply to survive. When most of the workforce was suddenly told to stay home, many organizations had to...
How NIST SP 800-53 Revision 5 Affects Application Security
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the U.S. Department of Commerce that, among other things, maintains physical science laboratories and produces guidance for assessing compliance with a wide range of standards.
Biggest Cloud Breaches of 2020
PCR’s (UK) Top 10 Biggest data breaches of 2020 PCR is a leading information source for IT resellers and distributors in the United Kingdom. It reports its top 10 based on the number of records breached in the incidents selected. They cite the Risk Based Security...
Securing Serverless Applications
Although the term says “serverless,” serverless applications don’t really run without any servers involved. Rather, serverless applications run inside cloud-based infrastructures so that developers and operators need no longer stand up and run their own servers,...
Comprehensive guide to cyber insurance
Social media, advanced technology, and the growing popularity of business transactions over the web continue to determine how organizations operate and communicate with their prospective customers. However, they’re also gateways to cyberattacks and data loss. Whether...
Canary coal mine detecting cyberattacks early
Canary in a Coal Mine: Detecting Cyberattacks Early Many catastrophic events are obvious, with their effects immediately visible — but not all. Fire, flood, tornadoes and earthquakes are all examples of events that can cause a substantial impact to business operation...
Getting Ahead of Payment Card Security Threats
Payment card attacks are nothing new. Cybercriminals have been targeting payment cards for more than a decade. However, there is a disturbing trend of cybercriminals discovering and leveraging novel ways to steal payment cards credentials during online transactions....
Securing Cloud Access in Applications
As applications become increasingly cloud-based – or even, cloud-native – more and more such code is sending data to and from cloud-based stores, both public and private. This makes the methods and controls that such applications use to access the cloud of particular...
Beyond SolarWinds
Beyond SolarWinds: Guarding Against the Rising Threat of Supply Chain Attacks The successful attack in 2020 on the SolarWinds Orion network management software showed that indirect, or third-party, attacks on organizations of all sizes are feasible. Where...
Healthcare Sector Application Security: Preventing Threats from Becoming Attacks
Healthcare Sector Application Security: Preventing Threats from Becoming Attacks Software security isn’t a state of being, or even a single action; it is a process, and one that requires more than just hardening your software. The year 2020 saw a dramatic rise in...
7 Database Security Principles and Practices
Few, if any, other repositories for data and meta-data within an organization exceed the importance and value of its databases (DBs). In fact, databases often provide a home for an organization’s personnel information, financial data of all kinds (pay, taxes,...
Fintech Cybersecurity Trends
Cybersecurity Trends in Fintech The year 2020 will go down in history as being a year of uncomfortable changes. Just about everyone was forced to approach aspects of personal and professional life differently, from buying groceries to conducting business to...
Gambling with Security: Mitigating Threats to Online and Mobile Gaming
In this time of the COVID-19 pandemic, we’re all spending more time on our PCs and smartphones. It might seem odd, but The Business Research Company’s Global Online Gambling Market report asserts that online gambling has skyrocketed in 2020. This is because...
Release Announcement — January 28, 2021
The Kiuwan team is excited to announce the availability of our latest release, with new features for both cloud and on premise customers. Kiuwan is a fast, reliable and scalable Application Security and Enterprise Software Analytics solution. Kiuwan includes several...
Solarwinds hack timeline
The SolarWinds hack was a major security breach that affected over 3,000 SolarWinds customers, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also impacted were multiple US states and government agencies including the US...
Virtual CISO: Leveraging External Security Expertise
Today’s organizations, both big and small, are finding that security activities consume more resources than ever before. Cyber criminals are getting better all the time, and staying just one step ahead of them is getting harder. But it’s not just more sophisticated...
Secure Remote Access: Keeping Employees and the Organization Safe
In this age of lockdowns, social distancing and working from home, organizations must think carefully about how to extend their networks and services across the internet and into employees’ and contractors’ homes. This makes remote access security management both a...
6 Threats to Development Team Productivity
Productivity rates are critical to success in any industry. That is true of software products, too, that not only need to be efficiently produced but secure from cyberattacks as well. If you’re considering how to improve your software team’s productivity, then you...
Rethinking Application Security in a Post-Pandemic World
Without a doubt, the COVID-19 pandemic has had a massive impact on the financial services landscape. Not only did businesses have to tweak their entire operations under safety regulations, but they also had to contend with a growing list of cybersecurity...
Low-Hanging Fruit: The Top 8 Cybersecurity Vulnerabilities in Enterprise Software
Cybersecurity is getting a lot of attention, from the break room to the board room. Few weeks pass without another salacious story in the media about a new large-scale data breach, ransomware outbreak or other attack designed to disrupt normal life. ...
App security quality analytics
As business management expert Peter Drucker once put it:“If you can’t measure it, you can’t improve it.” This quote feels right in place in the world of application security. Many CISOs are finally starting to give SAST tools and other approaches...
The Role of SAST in DevSecOps
Most people involved in the process of creating and deploying software applications today are familiar with DevSecOps, which integrates security and operations into the software development process. In figurative terms, we think of the software development...
OpenSSF Takes a Collaborative Approach to Open Source Security
Open source software is essential to application development, particularly for the web. At the same time, it also represents a key source of application vulnerabilities. To help make open source software more secure, the Linux Foundation has announced a...
Understanding OWASP ASVS
Simply put, threat intelligence – also known as cyber threat intelligence, or CTI – is information that is collected, analyzed, organized, and refined to provide insight, input, and advice about potential and current security threats or attacks that could pose...
Understanding OWASP ASVS
It’s always fun to start throwing out acronyms to get one’s technical juices flowing. To make sense of this blog post title, readers show know that OWASP is the Open Web Application Security Project, and that the ASVS is the Application Security Verification...
kiuwan fall 2020 g2 grid report
Kiuwan Shines in the Fall 2020 G2 Grid Report We’re excited to announce that Kiuwan Code Security and Insights solutions have been recognized in the Fall 2020 G2 Grid Report for Static Code Analysis, due in large part to an overall customer satisfaction rating of 4.4...
Firmware vulnerabilities
What Makes Firmware Vulnerabilities So Deadly? Simply put, firmware is low-level software usually stored in a near-silicon form (ROM, EEPROM, or flash memory) that is used during the initial steps of bootstrapping and starting up a computer, printer, or some other...
8 Tips for Mobile App Security
According to a report from IBM just a few years ago, as many as 50% of companies had no budget for mobile app security. This is especially worrying because, in the first half of 2019 alone, there were data breaches that exposed around 4.1 billion records. A...
October is Cybersecurity Awareness Month
October is Cybersecurity Awareness Month. The theme for 2020 is: “Do Your Part. Be #CyberSmart.” This event, put on by CISA and the National Cyber Security Alliance, is in its seventeenth year. The campaign aims to increase overall cybersecurity awareness,...
Threat Modeling’s Place in DevSecOps
Developers often pursue well-intentioned security efforts by focusing on writing secure code. But that’s just part of the puzzle. Instead of focusing only on the code, it’s just as critical to focus on the attacker. Understanding how attackers compromise controls...
Putting the Principle of Least Privilege to Work for Web Apps
With an ever-increasing proportion of day-to-day work on the desktop occurring in the form of web-based applications, organizations need to rethink how those applications work. They also need to examine – and in some cases tighten up – how web-based apps (or rather,...
Automation fix bad habits
Most discussions of DevSecOps include automation as a major component. In fact, Julien Vehent, Firefox’s Operations Security lead, defines DevOps this way in his book “Securing DevOps”: “DevOps is the process of continuously improving software products through rapid...
Strategies for Managing Widely Deployed Code with Kiuwan
As applications become increasingly cloud-based – or even, cloud-native – more and more such code is sending data to and from cloud-based stores, both public and private. This makes the methods and controls that such applications use to access the cloud of particular...
Use the Strangler Pattern to Refactor Legacy Apps
Most of us who have been responsible for the care and feeding of an enterprise application have had to modify someone else’s code. Whether the modification is due to a newly found bug or to enhance existing functionality, changing someone else’s code is an interesting...
Create a Web Application Security Blueprint
The best way to make web applications secure is to include security at every step along the development process, from requirements analysis, to design, to implementation and testing, and into maintenance and update phases. To that end, it’s wise to consider a kind of...
Managing Open Source Vulnerabilities in DevOps
If you use open-source code frameworks, libraries, and code components and take advantage of code-scanning technologies, sooner or later you’ll find yourself in an interesting situation: learning that a code element is subject to a known threat or vulnerability....
When KLA Met Containers
Containers have emerged as a fantastic technology to deploy applications. Containers save a lot of time for system engineers dealing with infrastructure issues: servers, networks, operating systems (OS), ports, configuration, etc. If your application needs be run with...
Upcoming Webinars Focus on IDEs & Integrations
As part of our mission to help you build applications that are secure from the start, the Kiuwan team is planning an all-new lineup of free, live webinars. Over the past several months, our webinars have delivered training on essential aspects of Kiuwan solutions and...
AppSec or Just Smart Software Development?
The source of all human knowledge (Wikipedia) describes application security as “measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.” AppSec is all about developing software that is as...
AppSec or Just Smart Software Development
The source of all human knowledge (Wikipedia) describes application security as “measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.” AppSec is all about developing software that is as...
SAST and SCA: Putting the Puzzle Together
Developing correct and secure software isn’t easy. A typical application includes a large amount of original and third-party code, and it all has to work together without opening up security holes. Any change to existing code, whether it’s a simple refactoring or the...