-
Jan 14, 2025 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·Follow8 min read·--If you’re in business, chances are about 100% that you’re a software business — you rely on it even if your product isn’t specifically a software product. Which means Building Security in Maturity Model (BSIMM) is not only a tool you should use, it’s also a club you should join. Indeed, BSIMM, the subject of an annual report by software security company Black Duck now in its 15th iteration, is an example of that cliché about many hands making light work.
-
Dec 9, 2024 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·FollowPublished inNerd For Tech·7 min read·--It’s common — and wise — to try out a new product before putting it on the market to see if it functions as intended or has some defects that weren’t caught during its development. That way you can fix problems before they start plaguing your customers. There are multiple slang terms for it — test drive, trial run, shakedown cruise, etc.
-
Dec 2, 2024 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·FollowPublished inNerd For Tech·6 min read·--In the forever cat-and-mouse game between ethical builders and users of software and malicious hackers looking to exploit any weaknesses they can find in that software, the good guys have made some progress. Modern software, thanks to more rigorous security testing, is more secure. Still a long way from perfect, but better. That’s the good news. The bad news is that criminal hackers, as always, are endlessly adaptive.
-
Nov 25, 2024 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·Follow6 min read·--As we all know, sometimes there can be too much of a good thing. Which may be the case in the world of tracking and flagging software vulnerabilities. Lists of vulnerabilities are a very good thing. Software pretty much runs the world, or doesn’t when it’s vulnerable to malicious hackers. If those who build and use software products don’t know about vulnerabilities in them, they won’t know what needs patching.
-
Nov 12, 2024 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·Follow7 min read·--It’s rare for a single change in a product to make it significantly better and safer — it’s almost always a combination. The safety of today’s vehicles is an obvious example. Seatbelts, first installed in cars in the 1950s, help protect passengers in a crash, but airbags, which came along a couple of decades later, help just as much or more in a different way.
-
Nov 4, 2024 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·Follow7 min read·--Artificial intelligence (AI) is, and will be, changing everything, for better and worse. Just a partial list includes education, manufacturing, finance, advertising, sports, crime, law enforcement, transportation, utilities, entertainment, and yes, our representative democracy. That last one is extra relevant at the moment, given that tomorrow is the U.S. presidential election.
-
Oct 28, 2024 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·Follow7 min read·--First the bad news. An analysis from Google Mandiant documents that cybercriminals are getting better at finding so-called “zero-day” vulnerabilities in software products — those discovered by hackers or other third parties before the makers of the affected products know they exist, which obviously means no patches for them are available. Then the worse news. Hackers are also getting much faster at exploiting those vulnerabilities before a patch is available.
-
Oct 8, 2024 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·Follow6 min read·--Breaking news: The artificial intelligence (AI) revolution is over. OK, OK, not over globally in every industry — not even close. But pretty much over in software development when it comes to writing and assembling code. That’s one of the primary findings in “Global State of DevSecOps 2024,” a new report from software security firm Black Duck.
-
Oct 1, 2024 | 
armerding.medium.com | Taylor Armerding
Taylor Armerding·Follow6 min read·--It’s one thing to make a product that, you find out later, has a vulnerability that puts those who use it at risk. Nothing is perfect. That’s the human condition. But it’s another thing to ignore that vulnerability instead of fixing it as quickly as possible and changing your processes so it doesn’t happen again. It’s even worse to fail to address a whole class of damaging defects that have been around for 30 years, while ways to prevent them are available.
-
Sep 23, 2024 | 
armerding.medium.com | Taylor Armerding
There is, unfortunately, such a thing as too much of a good thing. And in software security, that thing — more accurately those things — are testing tools. Testing software for defects with multiple application security testing (AST) tools, is a very good thing — crucial, in fact. Without it, makers of software products are almost certain to put them on the market with vulnerabilities that can be exploited by malicious hackers.
