One of the great challenges for consumers of static analysis products, particularly desktop tools, is dealing with the large flaw counts. You have to wade through the findings to decide what to fix and when, which can be a daunting task. At Veracode, we continuously update our analysis engine to…

Last week, during the OWASP AppSec 2008 Conference, the people behind the ubiquitous CISSP certification announced their latest creation -- the Certified Software Security Lifecycle Professional (CSSLP). In front of a captive audience waiting for a 42" plasma TV to be raffled, the…

This post is a response to Alan Shimel's Topic of Interest #2 for the Security Bloggers Network. So what motivates me to attend BlackHat? The #1 reason for me is networking -- meeting new people and catching up with old friends and colleagues. Despite our best intentions, we are all busy and our…

One of my favorite pieces of swag from RSA was this "Not a CISSP" button that was pinned onto me by none other than Sinan Eren as I was chatting with Justine Aitel at the Immunity booth. Actually, there should have been a prize awarded just for finding the Immunity booth -- they were subletting…

I was just reading an article discussing the timeframe for upcoming revisions to the PCI-DSS. Nothing quite so exciting as reading about a compliance roadmap, right? This article reminded us about PCI Section 6.6 becoming mandatory in June 2008, with additional guidance and clarification coming in…