Blog

Fasoo Data Security and Intelligent Document Platform on Display at RSA Conference 2017
Ron Arden February 13, 2017
Application Security Testing Cybersecurity News

Fasoo has a big presence at the RSA Conference 2017 in San Francisco, where we will showcase our newly expanded data security and management framework, which helps companies track, manage and secure their data.

Focusing on the business themes of Security, Governance and Productivity, Fasoo is helping executives and boards of directors comply with enhanced cybersecurity regulations while ensuring they can meet the needs of constantly changing business models that demand secure collaboration to get things done.

Today’s business world demands a new look at how we define and protect the borders of our organizations, because our data is created, stored and consumed in systems that may lie outside the traditional information security and document management models. Visitors to Fasoo’s booth #S1239 will see demonstrations of the Fasoo Data Security Framework and Wrapsody, which together help organizations consistently control, secure, track and manage documents no matter where they travel. This integrated, data-centric approach overcomes the limitations of legacy solutions and comprehensively satisfies the demands placed on data security, governance and productivity.

Fasoo Launches SPARROW on Cloud
Ron Arden January 17, 2017
Application Security Testing

SPARROW, a static code analysis application, is now available as a Software as a Service (SaaS) offering to help organizations quickly detect critical software vulnerabilities at the early stages of software development. “SPARROW on Cloud”, SPARROW’s cloud solution, is an agile, flexible, reliable and cost-effective way for organizations to manage application security challenges.

“IoT has brought an upsurge in new software that connects and operates everything from cars to medical devices and with that, enormous risk at the development level,” said Fasoo’s CEO Dr. Kyugon Cho. “Providing software developers with a cloud based application security testing solution was the logical next step for Fasoo as it is so essential for software to be secure at the code level.”

Should Developers Have a Spellchecker for Security?
Ron Arden November 3, 2016
Application Security Testing Cybersecurity

A recent article by Maria Cosgrove in CSO asked the question “Wouldn’t it be nice if software developers had something like spellcheck, but instead of catching simple grammar mistakes, it caught basic security problems?”

A very good question, especially when you consider all the cyber security problems and attacks we’ve seen in recent months. The reality is that developers are still writing software with security vulnerabilities. As project timelines contract and more people get involved, the development cycle becomes more complex and more prone to errors. If the problems were rarely seen bugs it would be one thing, but why are there so many basic errors in so much software?

What is Lurking Inside Your Applications?
Ron Arden May 23, 2016
Application Security Testing Cybersecurity Data breach Data security

While everyone still draws attention to the need for protection from cyber-attacks and for firewalls, intrusion prevention systems and similar tools, recent highly publicized breaches have raised awareness of weaknesses in the software organizations develop and use. The market is now forced to focus on how to identify and remediate vulnerabilities within the applications themselves, since things like buffer overruns, SQL injection, cross-site scripting, hard-coded passwords, memory leaks, uninitialized variables, division by zero and integer overflows can have devastating results.

This is quite a change from the way things used to be. Rather than being an afterthought, security in software design is becoming an increasingly important concern during development, as applications become more accessible and hence exposed to a wider variety of threats. There is much concern over the likelihood of unauthorized code manipulating applications to access, steal, modify or delete sensitive data.
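To make the “spellchecker for security” idea from the post above concrete, here is an added illustration of what a static checker does at its simplest. This is example code written for this page, not SPARROW’s engine and not code from the original posts. It walks the Python AST and flags three of the defect classes listed above (a hard-coded credential, a SQL query built by string concatenation or formatting, and division by a literal zero), then runs over a constructed vulnerable sample and a constructed hardened sample. The rule names, the regular expression for credential-like names and both samples are assumptions made for the example.

```python
"""
Minimal AST-based static checker (added illustration, not SPARROW code).

Rules implemented (names are this example's own):
  hardcoded-credential : string literal assigned to a password/secret/token-like name
  sql-injection        : dynamically built string passed as the query to execute()
  division-by-zero     : division or modulo whose right operand is a literal 0
"""
import ast
import re
from dataclasses import dataclass
from typing import List

SECRET_NAME = re.compile(r"(pass(word|wd)?|secret|token|api_?key)", re.IGNORECASE)
SQL_SINKS = {"execute", "executemany", "executescript"}


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    detail: str


def _is_dynamic_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at run time: f-string,
    concatenation, %-formatting or str.format(); a plain constant is safe."""
    if isinstance(node, ast.JoinedStr):                       # f"... {x} ..."
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                           # "a" + x, "%s" % x
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
        return node.func.attr == "format"                     # "{}".format(x)
    return False


class Checker(ast.NodeVisitor):
    def __init__(self) -> None:
        self.findings: List[Finding] = []

    def visit_Assign(self, node: ast.Assign) -> None:
        value = node.value
        if isinstance(value, ast.Constant) and isinstance(value.value, str) and value.value:
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    self.findings.append(Finding("hardcoded-credential", node.lineno, target.id))
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr in SQL_SINKS and node.args:
            if _is_dynamic_string(node.args[0]):
                self.findings.append(Finding("sql-injection", node.lineno, func.attr))
        self.generic_visit(node)

    def visit_BinOp(self, node: ast.BinOp) -> None:
        right = node.right
        if (isinstance(node.op, (ast.Div, ast.FloorDiv, ast.Mod))
                and isinstance(right, ast.Constant)
                and isinstance(right.value, (int, float))
                and not isinstance(right.value, bool)
                and right.value == 0):
            self.findings.append(Finding("division-by-zero", node.lineno, ast.unparse(node)))
        self.generic_visit(node)


def scan(source: str) -> List[Finding]:
    """Parse `source` and return findings ordered by line number."""
    checker = Checker()
    checker.visit(ast.parse(source))
    return sorted(checker.findings, key=lambda f: f.line)


# Constructed sample containing one instance of each defect class.
VULNERABLE_SAMPLE = '''
import sqlite3

DB_PASSWORD = "hunter2"               # hard-coded credential

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '" + username + "'")   # SQL injection
    return cur.fetchone()

def ratio(total):
    return total / 0                  # constant division by zero
'''

# Constructed hardened version of the same code; the checker should stay quiet.
HARDENED_SAMPLE = '''
import os
import sqlite3

DB_PASSWORD = os.environ["DB_PASSWORD"]   # credential read from the environment

def find_user(conn, username):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (username,))   # parameterised
    return cur.fetchone()

def ratio(total, parts):
    if parts == 0:
        raise ValueError("parts must be non-zero")
    return total / parts
'''

if __name__ == "__main__":
    for finding in scan(VULNERABLE_SAMPLE):
        print(f"line {finding.line}: {finding.rule} ({finding.detail})")
    print("hardened sample findings:", scan(HARDENED_SAMPLE))
```

Two caveats a practitioner should keep in mind. The checker is purely syntactic: a query assembled into a variable and then passed to `execute()` is not caught, and a credential-looking name holding a harmless string is reported anyway. Real SAST engines add data-flow (taint) tracking and language semantics to cut both the misses and the false positives; the value of even this toy version is that it runs before the code is ever executed, which is the point of the posts above.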

Add Static Application Security Testing to Your Arsenal
Ron Arden April 6, 2016
Application Security Testing Cybersecurity Data breach Data security

Many companies have significant investments in network security, but it is not enough, because a significant share of all cyber-attacks now happen at the application layer. Cyber criminals are increasingly targeting the application stack for exploitation.

According to the U.S. Department of Homeland Security (DHS), 90% of security incidents result from exploits against defects in software. The Forrester Wave: Application Security report says that companies rush to build and use applications without thinking about the security of the application itself. The Global Information Security Workforce Study published by the International Information Systems Security Certification Consortium, (ISC)², claims that 30% of companies never scan for vulnerabilities during code development. These are all astounding findings.

Don’t Get Caught With Your Pants Down – Static Application Security Testing Must be part of Security Risk Management
Ron Arden March 18, 2016
Application Security Testing

Technology has changed the way we live our lives. Whether we are at work, at home or out and about, we have become dependent on our computers, mobile phones and the internet, and every day each of us interacts with a significant number of applications.

Demand for technology has led to an explosion in the software we use daily, whether at the office or at home. Demand for new or updated functionality has shortened software release cycles, and application developers need to introduce new features rapidly to outpace the competition and meet customer demand. In this reality, application security risk management can no longer be treated as a nice-to-have. It must be a mission-critical requirement at every company that develops software.

Gone are the days of long release cycles and infrequent updates. Application developers face increased pressure to release software, updates and new features, and this creates a significant security problem: while software companies focus primarily on user experience and business value, they often overlook the work of making sure the applications are actually free of vulnerabilities.

Stay One Step Ahead Of The App Hackers
Ron Arden November 2, 2015
Application Security Testing Cybersecurity Data breach Data security Privacy

I recently wrote an article about hackers getting iOS app developers to use a bogus Xcode development kit downloaded from a Chinese site to create applications. The development kit contained malicious code that caused all types of security problems in iPhone and iPad apps. Read the entire article here.

This is a new frontier for hackers. Rather than attacking perimeter security defenses like firewalls and endpoint encryption applications, the hackers are getting developers to embed security vulnerabilities into their own code. This essentially bypasses the middle man, since the applications are compromised before they ship; the hackers just need to activate the malicious capabilities to steal sensitive information or compromise systems. It’s a clever ploy that takes these attacks to a new level.

Top 10 Reasons Why You Should Use Static Code Analysis
Ron Arden October 9, 2015
Application Security Testing Data breach

I have been in the security and privacy industries throughout my entire career. I started my journey many years ago as a software developer and gradually moved into the business side of things. All these years, it has always been painful to see companies spend enormous amounts of money on firewalls and anti-virus software year after year while vulnerabilities in software remain unidentified or unfixed in applications. We are living in a world built on software, and not a single day goes by without headlines about enterprising intruders exploiting weaknesses to steal massive amounts of data or to inflict damage. Current cyber-attacks target weaknesses in the software organizations develop and use. After software has been developed, it is generally difficult to stop malware-related attacks.

Stop an App Attack
Ron Arden September 21, 2015
Application Security Testing Cybersecurity Data breach

Apple was cleaning up its iOS App Store on Sunday to remove malicious iPhone and iPad programs identified in the first large-scale attack on the mobile software outlet. Apparently the source of the problem was a bogus Xcode development kit that developers downloaded from a Chinese site. Many app and Mac developers use Apple’s Xcode tools to develop iOS and OS X applications.

The hackers convinced developers to use their version of the Xcode tools rather than Apple’s official software. One theory is that Apple’s servers are slow to download from inside China, so developers used this alternative mirror for convenience and speed. Using mirrors is fairly common when downloading software, but the developers were unaware that these tools were not genuine.

[Case Study] Achieving Software Quality and Secure Coding Concurrently
David Kwag February 14, 2015
Application Security Testing

Major National Bank Achieves Software Quality and Secure Coding Concurrently through SPARROW

Expansion in electronic financial services requires advancement in software quality and secure coding

A 2012 report from the Financial Supervisory Service states that half of all financial data-processing errors were introduced while modifying programs. For businesses that handle financial transactions, quality assurance of the software behind the IT service matters more than in any other business. Furthermore, new forms of cyber terror threats keep appearing, and as a result businesses are demanding stronger security through secure coding.

As the bank started to offer more diverse products and the workload grew, it found the limits of relying on manpower to test the software developed for its IT services. The bank saw the need to detect and remove potential software vulnerabilities, both in programs outsourced to partner firms and in all internally developed programs, using a source code analyzer to strengthen automated quality testing and obtain security verification through secure coding.