Posts

  • SecureFlag's contextual security training is now available for SonarQube!

    After the success of our Jira and GitHub integrations comes the SecureFlag Knowledge Base for SonarQube. Our on-demand remediation techniques, recommended hands-on labs, testing advice, and example code are all available for SonarQube at the low cost of nothing.

  • Flutter is popular, versatile, and powerful… but is it also secure?

    There’s scale, and then there’s scale…

  • Considerations for Secure Laravel PHP Framework Development

    Web app development in the modern-day digital landscape comprises everything from the design and creation of dynamic web content to front-end and back-end coding, navigating database technologies, connecting to clouds… there’s plenty that needs to occur before one can fire an Angry Bird™ at a porcine fortification!

  • PL/SQL and T-SQL: Pros, Cons, and Security Concerns

    If we wound the clock back several decades, not only would we find ourselves immersed in a time where fashion was non-existent (depending on your taste of course!) and Madonna was top of the charts, but we’d also be smack bang in the middle of some of the most exciting years in computing and internetworking.

  • Comparing the Features and Security Capabilities of Objective-C and Swift Programming Languages

    As arguably trendy as they are comparatively expensive compared with most of their PC cousins, Mac computers and iPhones are the staple technological device for millions upon millions of people globally. Housed within each unit’s shiny silver encasing is a mass of tightly bound hardware and interconnected circuits that come to life courtesy of Mac’s very own Operating System versions: MacOS for Macs, and iOS for iPhones, leveraging Objective-C and Swift as their main programming languages respectively.

  • Why You Should Take Security in COBOL Software Seriously

    For a sector that swears by cutting-edge technology, it’s somewhat ironic that the software industry still heavily relies upon an over 60-year-old programming language. However, not only is the language in question - COBOL - in use today, it is often tied to critical data and functions on mainframe systems and has proven over the years to be resilient and malleable.

  • Salesforce Apex: Security Concerns and the Role of Hands-on Secure Coding Training

    Any modern-day entity with a requirement to manage customers and derive marketing insight from their operations and external feedback will no doubt have come across Salesforce, a software giant that supports one of the world’s most popular Customer Relationship Management (CRM) tools.

  • Secure Coding Training for all Layers, in all Stacks; securing SAP ABAP

    Poke around the net for information on secure coding in Python, Java, Android, or C++, for example, and you will find yourself neck-deep in search results comprising endless streams of back and forths on what can go wrong and how you can stop that from happening. (Indeed, search for professional, secure coding training alongside the language, and you will undoubtedly be directed to our SecureFlag Labs on these topics and more, which we encourage you to visit.)

  • Securing React Native

    React Native is a popular cross-platform framework for developing mobile apps, utilizing a bridge that allows developers to write in one language for both Android and iOS. In this post, we’ll cover some common vulnerabilities to watch out for.

  • Secure Coding Lab Recommendations Now Available for GitHub and Jira!

    Expanding upon our GitHub and Jira integrations, which provide vulnerability remediation and testing advice directly in your issues and pull requests, we’re super excited to announce that they now also recommend relevant training labs in our live environments!

  • Introducing Secure Code Reviews as Part of your SDLC Process

    A secure code review is a software quality assurance process that examines software source code to detect security-related weaknesses, fix logic errors, correct flaws, and scrutinize specification implementation, all with the aim of building application source code of the utmost quality and security.

  • Cyber Security Awareness Month 2021 Challenge Writeup

    The post-mortem… or a security rebirth?

  • SecureFlag's contextual security training is now available for Jira!

    How can developers integrate effective, on-the-fly security into their workflow, minimizing time overhead and maximizing productivity?

  • SecureFlag's contextual security training is now available on GitHub - security knowledge when it's needed most

    How can developers write production-ready code that both performs optimally and securely?

  • Threat Analysis Training With SecureFlag

    Even to the layman, the sheer volume of successful high-profile attacks on public and private entities the world over speaks volumes about the state of defensive security concerning the management and protection of technological infrastructure. From small family-run businesses with 5 employees, to purportedly impenetrable government and defence organisations like the National Security Agency, attackers continue to gain the upper hand in the ongoing fight to extract secrets, and seemingly infinite budgets are evidently ineffective at stemming the flow. In short, getting defensive security right is an incredibly difficult job.

  • How QA and Security Testing Training Makes Software More Secure

    “Experience is merely the name men gave to their mistakes.”

    – The Picture of Dorian Gray

  • Why Secure Coding Training is Essential for 100% Compliance with FDA 21 CFR Part 11

    The U.S. Food and Drug Administration (FDA) is a federal agency that’s responsible for protecting public health, and for regulating and supervising, among other things - food, drugs, medical devices, pharmaceuticals and vaccines.

  • The Strong Relationship between HIPAA Compliance and Secure Coding Training

    In the healthcare sector, user privacy promotes effective communications between patients and healthcare providers, protects individuals’ dignity, and prevents economic harm, embarrassment, and discrimination. Although patient-data protection is a healthcare cornerstone in numerous jurisdictions globally, this article is specifically about the United States Compliance Act.

  • Securing the Docker Ecosystem: Part 3: Strategies to Secure the Container Runtime

    Our previous two articles about securing the Docker ecosystem addressed two specific and critical areas: the Daemon and the container Build Phase. In each article, we shed light on the dark side of various default configurations, presented evidence of the latest attack methods during the build phase, danced with the Daemon and secured its weak underbelly… and less fantastically, we provided expertly-articulated recommendations and best practices to help you in your Docker-securing endeavors. If you haven’t read these articles yet, here are the links to the first and second blog posts.

  • Securing the Docker Ecosystem: Part 2: Strategies to Secure the Container Build

    Welcome back to Securing the Docker Ecosystem - our three-part series on improving the security posture of your Docker ecosystem. In each article, we address one particular aspect of Docker through a security lens.

  • Securing the Docker Ecosystem: Part 1: Strategies to Secure the Docker Daemon

    In recent times, two key advancements, the acceleration of the software development cycle and the increasing complexity of the application stack, have triggered the need for faster and easier ways of pushing code into production. In this context, more lightweight, flexible, and resource-efficient approaches, such as “containers”, have become increasingly popular. To this end, more and more organisations have adopted Docker technology as the de facto standard in their application container space.

  • Adaptive AppSec Learning for Developers: The Advantages that Organisations Just Can't Afford to Ignore

    Ever heard of a pilot who flew a real plane after merely reading about it in a manual?

    Or a chef in a five star restaurant who served real customers after only reviewing a couple of recipe books?

    Or a professional musician who gave a real performance after simply memorizing some musical compositions?

  • Stretching the Elasticsearch

    Breaking: Elasticsearch instance left wide open by SomeCompany exposing millions of records, including passwords and other personal data… now to sports

    Sound familiar? Headlines like this have become increasingly at home as front page news items over the past several years since the adoption of Elasticsearch, a powerful distributed search and analytics engine based on the Lucene indexing library, has exponentially increased. A seamless dovetailing of its rising popularity, and its stark lack of default-enabled security features, has ensured the widespread presence of misconfigured instances in the wild. This article explores the impact of a number of misconfigurations that occur when the best practice guidelines provided by the (excellent) official documentation are neglected.

  • The Key to Achieving PCI DSS Compliance: Effective PCI Training For Developers

    Data is everywhere… but so are data thieves!

    Any organization that collects, processes, analyzes, or stores data needs to be aware of the risks to this data. And this is especially true for organizations that collect, process, analyze, or store financial data.

  • 7 Kubernetes security challenges, and how to steer the container ship

    Kubernetes Container Orchestration!…

    Now that we have your attention, let’s dig a little deeper into Kubernetes, an open-source orchestration layer that manages container-based applications.

    In this article we’ll explore some of the security challenges you’re going to face when administering Kubernetes clusters, and the appropriate preventative measures to batten down the Kubernetes hatches.

  • Why is practical AppSec training for developers vital for your organization?

    All applications risk being hacked without robust, properly configured application security controls in place. Whereas employing a team of ethical hackers may help in providing assurance on the resilience of the system post-deployment, having a secure Software Development Life Cycle (SDLC) better equips organizations in addressing security concerns at the foundational level. Building security early in the SDLC is more cost efficient and scalable, enabling organizations to identify and correct security issues earlier in the development life cycle.