Chris Wysopal
Chris Wysopal, co-founder and Chief Security Evangelist of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
By Chris Wysopal
1. Coverage, both within applications you build and within your entire application portfolio
One of the primary benefits of binary static analysis is that it allows you to inspect all the code in your application. Mobile apps…
By Chris Wysopal
Last Wednesday I was honored to be able to present a talk on Binary Static Analysis to an Intro to Security class at Tufts University. The instructor, Ming Chow, approached me to speak to his class as he likes to bring in security practitioners who are delivering security to their customers. There…
By Chris Wysopal
Last week I described the concept of application security debt and application interest rates. I promised that I would follow up with a financial model that could translate these concepts into real money. Recap: Here’s a quick recap of the initial concept. Security debt is similar to technical debt…
By Chris Wysopal
The Top 10 Mobile Application Risks, or “Mobile App Top 10” for short, is designed to educate developers and security professionals about the mobile application behavior that puts users at risk. This behavior can be maliciously designed or inadvertent. Modern mobile applications run on mobile…
By Chris Wysopal
Gartner analyst Neil MacDonald has written that Byte Code Analysis is not the Same as Binary Analysis. He describes the difference between statically analyzing binary code, which runs on an x86, ARM, or SPARC CPU, and statically analyzing bytecode, which runs on a virtual machine such as the Java…
By Chris Wysopal
Today is a very exciting day for software security. The CWE/SANS Top 25 Most Dangerous Programming Errors is being released. I was one of the 41 contributors to the Top 25 Errors. The list of possible programming errors that can end up causing a vulnerability in an application is immense. The MITRE…