AppSec & Broken Window Theory: Why we are winning battles but losing the war

Recently I had the great fortune to present at BSidesSF 2014, where I presented my thoughts on how, despite huge technological advances in application security, we are still very much failing to make software secure right out of the »

I hate Excel - Extracting a domain name from a hostname

Assuming that cell B2 has a hostname like foo.bar.baz.example.com, the following will extract just the domain name from the hostname, e.g. "example.com": =CONCATENATE(RIGHT(LEFT(B2,LEN(B2)-4),LEN(LEFT(B2,LEN(B2) »
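The Excel formula above strips a fixed four-character suffix (LEN(B2)-4, i.e. ".com"), so it only works for hostnames ending in a three-letter top-level domain; a hostname under "co.uk" or "com.au" comes out wrong. The following is an added example, not code from the original post, showing the general approach a practitioner would use outside Excel: match the hostname against a public-suffix table and keep one label more than the longest matching suffix. The PUBLIC_SUFFIXES table here is a constructed, deliberately tiny stand-in; a real deployment would load the full Public Suffix List.

```python
from typing import Optional

# Constructed stand-in for the Public Suffix List (assumption: these are the
# only suffixes we care about for the example). Real code should load the
# full list from publicsuffix.org rather than hard-coding entries.
PUBLIC_SUFFIXES = {
    "com", "net", "org",
    "uk", "co.uk", "org.uk",
    "au", "com.au",
}


def registrable_domain(hostname: str) -> Optional[str]:
    """Return the registrable domain (e.g. "example.com") for a hostname.

    Unlike stripping a fixed number of characters, this walks the labels
    from the longest candidate suffix to the shortest and returns the
    label immediately to the left of the longest public suffix that
    matches. Returns None if the hostname is itself a public suffix or
    no suffix in the table matches.
    """
    # Normalise: drop surrounding whitespace, a trailing dot, and case.
    labels = hostname.strip().rstrip(".").lower().split(".")

    # i == 0 is the whole hostname; each step drops the leftmost label,
    # so the first hit is the longest matching public suffix.
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # "co.uk" on its own is not a registrable domain
            return ".".join(labels[i - 1:])
    return None


if __name__ == "__main__":
    # Constructed sample hostnames, including the case the fixed-suffix
    # formula gets wrong ("co.uk").
    for host in ["foo.bar.baz.example.com", "www.example.co.uk", "co.uk", "Example.COM."]:
        print(f"{host!r:30} -> {registrable_domain(host)!r}")
```

Note that "Example.COM." is handled by the normalisation step: a trailing dot is a valid fully-qualified form and case is not significant in DNS, so both are stripped before matching.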

Encrypting your data on Amazon EC2

Making sure your data is encrypted when it's being stored somewhere outside of your direct control is a good idea. When that system has your customers' data on it, it's a requirement. Unfortunately, when your data is in a cloud »

The Comedy and Tragedy of Automated Security Source Code Analysis - Act III

ACT III: Reality Sinks In (Read Act I & Act II) THE SOUND of typing can be heard and then suddenly a loud groan of disappointment. DEV LEAD Argggggggggggggggg!!! FADE IN: INT. CORPORATE OFFICE THE DEV LEAD is looking at »

The Comedy and Tragedy of Automated Security Source Code Analysis - Act II

ACT II: The Deception (Read Act I Here) FADE IN: WIDE SHOT -- The server room, filled with blinking lights and racks of servers. We PAN and FOCUS in on the back of the SALES ENGINEER who is typing away »

The Comedy & Tragedy of Automated Security Source Code Analysis - Act 1

The other day I was asked about how one might integrate Veracode's application security analysis solution into their nightly software build process. I get this question all the time because it is a popular idea among automated source code analysis »