<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
  <channel>
    <atom:link href="https://feeds.megaphone.fm/IDG6781277066" rel="self" type="application/rss+xml"/>
    <title>A Hard Look at Software Security</title>
    <link>https://www.csoonline.com/podcast/ahardlook/</link>
    <language>en</language>
    <copyright>Copyright Foundry | Sponsored Content - All rights reserved.</copyright>
    <description>In Season 2 of our podcast series, we’ll discuss the implications and mandates generated by Veracode’s most recent State of Software Security report. Our industry experts will pick up from Season 1’s highlights to take a closer look at application security today. Listeners will learn more about: • The impact security debt is having across industries • The changing attitudes and priorities put around application security • How the average number of days to fix software flaws has almost tripled since the last report • The case for scanning early and often. Sponsored by Veracode</description>
    <image>
      <url>https://megaphone.imgix.net/podcasts/094c6952-e92e-11e9-8fae-3387dca27c0f/image/c0651ee7d25358055ee31b9f61d9315d.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress</url>
      <title>A Hard Look at Software Security</title>
      <link>https://www.csoonline.com/podcast/ahardlook/</link>
    </image>
    <itunes:explicit>no</itunes:explicit>
    <itunes:type>serial</itunes:type>
    <itunes:subtitle></itunes:subtitle>
    <itunes:author>Foundry</itunes:author>
    <itunes:summary>In Season 2 of our podcast series, we’ll discuss the implications and mandates generated by Veracode’s most recent State of Software Security report. Our industry experts will pick up from Season 1’s highlights to take a closer look at application security today. Listeners will learn more about: • The impact security debt is having across industries • The changing attitudes and priorities put around application security • How the average number of days to fix software flaws has almost tripled since the last report • The case for scanning early and often. Sponsored by Veracode</itunes:summary>
    <content:encoded>
      <![CDATA[<p>In Season 2 of our podcast series, we’ll discuss the implications and mandates generated by Veracode’s most recent State of Software Security report. Our industry experts will pick up from Season 1’s highlights to take a closer look at application security today.</p>
<p>Listeners will learn more about:</p>
<ul>
  <li>The impact security debt is having across industries</li>
  <li>The changing attitudes and priorities put around application security</li>
  <li>How the average number of days to fix software flaws has almost tripled since the last report</li>
  <li>The case for scanning early and often</li>
</ul>
<p>Sponsored by Veracode</p>]]>
    </content:encoded>
    <itunes:owner>
      <itunes:name>Foundry</itunes:name>
      <itunes:email>podcasts@foundryco.com</itunes:email>
    </itunes:owner>
    <itunes:image href="https://megaphone.imgix.net/podcasts/094c6952-e92e-11e9-8fae-3387dca27c0f/image/c0651ee7d25358055ee31b9f61d9315d.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress"/>
    <itunes:category text="Technology">
    </itunes:category>
    <itunes:category text="News">
      <itunes:category text="Tech News"/>
    </itunes:category>
    <item>
      <title>Ep. 6, S2: Frequency matters: the case for scanning early and often, part 2</title>
      <link>https://www.csoonline.com/article/3516162/frequency-matters-the-case-for-scanning-early-and-often-part-2.html</link>
      <description>Security debt – which is defined as aging and accumulating flaws in software – is a lot like credit card debt. You can throw money at the balance, but if you don’t stop spending, you’re never going to actually get out of debt.

In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will join us to continue our conversation on software scanning with a focus on the accumulating security debt in applications caused by persistent flaws in long-term time frames.

Listeners will learn more about:


  Why there is less security debt in organizations that scan their code more than 300 times per year

  How to know if security debt is meaningful

  Best practices for incorporating scanning into the process 


Produced by FoundryCo, Inc., in association with Veracode.</description>
      <pubDate>Thu, 23 Jan 2020 16:41:00 -0000</pubDate>
      <itunes:title>Frequency matters: the case for scanning early and often, part 2</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>2</itunes:season>
      <itunes:episode>6</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary>Security debt – which is defined as aging and accumulating flaws in software – is a lot like credit card debt. You can throw money at the balance, but if you don’t stop spending, you’re never going to actually get out of debt.

In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will join us to continue our conversation on software scanning with a focus on the accumulating security debt in applications caused by persistent flaws in long-term time frames.

Listeners will learn more about:


  Why there is less security debt in organizations that scan their code more than 300 times per year

  How to know if security debt is meaningful

  Best practices for incorporating scanning into the process 


Produced by FoundryCo, Inc., in association with Veracode.</itunes:summary>
      <content:encoded>
        <![CDATA[<p>Security debt – which is defined as aging and accumulating flaws in software – is a lot like credit card debt. You can throw money at the balance, but if you don’t stop spending, you’re never going to actually get out of debt.</p>
<p>In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will join us to continue our conversation on software scanning with a focus on the accumulating security debt in applications caused by persistent flaws in long-term time frames.</p>
<p>Listeners will learn more about:</p>
<ul>
  <li>Why there is less security debt in organizations that scan their code more than 300 times per year</li>
  <li>How to know if security debt is meaningful</li>
  <li>Best practices for incorporating scanning into the process </li>
</ul>
<p>Produced by FoundryCo, Inc., in association with Veracode.</p>]]>
      </content:encoded>
      <itunes:duration>896</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[37d1ff4a-3df6-11ea-97ff-2ba658834655]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG3076108813.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Ep. 5, S2: Frequency matters: the case for scanning early and often, part 1</title>
      <link>https://www.csoonline.com/article/3516131/frequency-matters-the-case-for-scanning-early-and-often-part-1.html</link>
      <description>The latest Veracode State of Software Security report reveals that scanning early, often, and steadily helps you fix more flaws faster while not contributing to security debt. The report finds 56 percent of software flaws eventually get fixed. While 76 percent of high severity flaws are addressed by developers, half of the applications showed a net reduction in flaws over the sample time frame.

In this episode of A Hard Look at Software Security, Paul Farrington, chief technology officer for the Europe, Middle East, and Asia regions for Veracode, will dive deeper into those numbers and discuss when development teams should consider scanning and why.

Listeners will learn more about:


  The stage at which development teams should engage in software scanning

  DevSecOps culture and how to enable it

  Where DevSecOps is heading in the future 




Produced by FoundryCo, Inc., in association with Veracode.</description>
      <pubDate>Thu, 23 Jan 2020 16:35:00 -0000</pubDate>
      <itunes:title>Frequency matters: the case for scanning early and often, part 1</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>2</itunes:season>
      <itunes:episode>5</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary>The latest Veracode State of Software Security report reveals that scanning early, often, and steadily helps you fix more flaws faster while not contributing to security debt. The report finds 56 percent of software flaws eventually get fixed. While 76 percent of high severity flaws are addressed by developers, half of the applications showed a net reduction in flaws over the sample time frame.

In this episode of A Hard Look at Software Security, Paul Farrington, chief technology officer for the Europe, Middle East, and Asia regions for Veracode, will dive deeper into those numbers and discuss when development teams should consider scanning and why.

Listeners will learn more about:


  The stage at which development teams should engage in software scanning

  DevSecOps culture and how to enable it

  Where DevSecOps is heading in the future 




Produced by FoundryCo, Inc., in association with Veracode.</itunes:summary>
      <content:encoded>
        <![CDATA[<p>The latest Veracode State of Software Security report reveals that scanning early, often, and steadily helps you fix more flaws faster while not contributing to security debt. The report finds 56 percent of software flaws eventually get fixed. While 76 percent of high severity flaws are addressed by developers, half of the applications showed a net reduction in flaws over the sample time frame.</p>
<p>In this episode of A Hard Look at Software Security, Paul Farrington, chief technology officer for the Europe, Middle East, and Asia regions for Veracode, will dive deeper into those numbers and discuss when development teams should consider scanning and why.</p>
<p>Listeners will learn more about:</p>
<ul>
  <li>The stage at which development teams should engage in software scanning</li>
  <li>DevSecOps culture and how to enable it</li>
  <li>Where DevSecOps is heading in the future </li>
</ul>
<p>Produced by FoundryCo, Inc., in association with Veracode.</p>]]>
      </content:encoded>
      <itunes:duration>1037</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[e31b9038-3df5-11ea-b061-37d1eb014461]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG2363131894.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Ep. 4, S2: AppSec grows up</title>
      <link>https://www.csoonline.com/article/3516091/appsec-grows-up.html</link>
      <description>AppSec awareness has grown in a decade. In Veracode’s State of Software Security report, Volume one, most of the conversation was around trying to explain and advocate for application security. Today, far less of that is necessary and more emphasis is put on talking about how to build an effective, mature application security program.

In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will discuss positive AppSec signs – and what they mean for security best practices.

Listeners will learn more about:


  Factors influencing the change in application security programs

  What the State of Software Security report uncovers when it comes to current AppSec efforts

  Why awareness about AppSec risk has grown, but actual risk reduction still has room for improvement


Produced by FoundryCo, Inc., in association with Veracode.</description>
      <pubDate>Thu, 23 Jan 2020 16:30:00 -0000</pubDate>
      <itunes:title>AppSec grows up</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>2</itunes:season>
      <itunes:episode>4</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary>AppSec awareness has grown in a decade. In Veracode’s State of Software Security report, Volume one, most of the conversation was around trying to explain and advocate for application security. Today, far less of that is necessary and more emphasis is put on talking about how to build an effective, mature application security program.

In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will discuss positive AppSec signs – and what they mean for security best practices.

Listeners will learn more about:


  Factors influencing the change in application security programs

  What the State of Software Security report uncovers when it comes to current AppSec efforts

  Why awareness about AppSec risk has grown, but actual risk reduction still has room for improvement


Produced by FoundryCo, Inc., in association with Veracode.</itunes:summary>
      <content:encoded>
        <![CDATA[<p>AppSec awareness has grown in a decade. In Veracode’s State of Software Security report, Volume one, most of the conversation was around trying to explain and advocate for application security. Today, far less of that is necessary and more emphasis is put on talking about how to build an effective, mature application security program.</p>
<p>In this episode of A Hard Look at Software Security, Chris Wysopal, Chief Technology Officer with Veracode, will discuss positive AppSec signs – and what they mean for security best practices.</p>
<p>Listeners will learn more about:</p>
<ul>
  <li>Factors influencing the change in application security programs</li>
  <li>What the State of Software Security report uncovers when it comes to current AppSec efforts</li>
  <li>Why awareness about AppSec risk has grown, but actual risk reduction still has room for improvement</li>
</ul>
<p>Produced by FoundryCo, Inc., in association with Veracode.</p>]]>
      </content:encoded>
      <itunes:duration>874</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[ff5ba54a-3df4-11ea-80c1-c786a31f191c]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG8620589915.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Ep.3, S2: Unresolved flaws: security debt grows deeper</title>
      <link>https://www.csoonline.com/article/3516159/unresolved-flaws-security-debt-grows-deeper.html</link>
      <description>The average number of days to fix software flaws was at 59 days in the first Veracode State of Software Security report from ten years ago. Today, it’s jumped to 171 days in the latest 2019 report.

While typical median fix times haven't gotten worse in 10 years – they have remained about the same – security debt is getting much deeper.

In this episode of A Hard Look at Software Security, Chris Eng, Vice President of Research with Veracode, will discuss the relevance of the findings on median time to remediate flaws - and where organizations may stand when it comes to their own security debt.

Listeners will learn about:


  Why security debt is getting much deeper

  If fixes are based on flaw severity or exploitability

  Why the source of an application affects the speed of remediation




Produced by FoundryCo, Inc., in association with Veracode.</description>
      <pubDate>Thu, 23 Jan 2020 16:23:00 -0000</pubDate>
      <itunes:title>Unresolved flaws: security debt grows deeper</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>2</itunes:season>
      <itunes:episode>3</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary>The average number of days to fix software flaws was at 59 days in the first Veracode State of Software Security report from ten years ago. Today, it’s jumped to 171 days in the latest 2019 report.

While typical median fix times haven't gotten worse in 10 years – they have remained about the same – security debt is getting much deeper.

In this episode of A Hard Look at Software Security, Chris Eng, Vice President of Research with Veracode, will discuss the relevance of the findings on median time to remediate flaws - and where organizations may stand when it comes to their own security debt.

Listeners will learn about:


  Why security debt is getting much deeper

  If fixes are based on flaw severity or exploitability

  Why the source of an application affects the speed of remediation




Produced by FoundryCo, Inc., in association with Veracode.</itunes:summary>
      <content:encoded>
        <![CDATA[<p>The average number of days to fix software flaws was at 59 days in the first Veracode State of Software Security report from ten years ago. Today, it’s jumped to 171 days in the latest 2019 report.</p>
<p>While typical median fix times haven't gotten worse in 10 years – they have remained about the same – security debt is getting much deeper.</p>
<p>In this episode of A Hard Look at Software Security, Chris Eng, Vice President of Research with Veracode, will discuss the relevance of the findings on median time to remediate flaws - and where organizations may stand when it comes to their own security debt.</p>
<p>Listeners will learn about:</p>
<ul>
  <li>Why security debt is getting much deeper</li>
  <li>If fixes are based on flaw severity or exploitability</li>
  <li>Why the source of an application affects the speed of remediation</li>
</ul>
<p>Produced by FoundryCo, Inc., in association with Veracode.</p>]]>
      </content:encoded>
      <itunes:duration>669</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[3c959d68-3df4-11ea-b061-5f803ea90b84]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG8022635052.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Ep. 2 S2: Security debt across sectors: behind the numbers</title>
      <link>https://www.csoonline.com/article/3516158/security-debt-across-sectors-behind-the-numbers.html</link>
      <description>According to the latest State of Software Security report from Veracode, the retail industry has the lowest average number of unaddressed security flaws. Government and education have the largest “iceberg” of security debt lurking below the surface. Financial services firms have the best fix rate among all industries.

In this episode of A Hard Look at Software Security, Tim Jarrett, Senior Director of Product Management with Veracode, will discuss security debt across industries, and what is influencing their flaw fix rates.

Listeners will learn more about:


  The differences in software security across sectors

  Why the government and education sectors have a so-called iceberg of security debt

  The details on why finance has the best fix rate




Produced by FoundryCo, Inc., in association with Veracode.</description>
      <pubDate>Thu, 23 Jan 2020 15:57:00 -0000</pubDate>
      <itunes:title>Security debt across sectors: behind the numbers</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>2</itunes:season>
      <itunes:episode>2</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary>According to the latest State of Software Security report from Veracode, the retail industry has the lowest average number of unaddressed security flaws. Government and education have the largest “iceberg” of security debt lurking below the surface. Financial services firms have the best fix rate among all industries.

In this episode of A Hard Look at Software Security, Tim Jarrett, Senior Director of Product Management with Veracode, will discuss security debt across industries, and what is influencing their flaw fix rates.

Listeners will learn more about:


  The differences in software security across sectors

  Why the government and education sectors have a so-called iceberg of security debt

  The details on why finance has the best fix rate




Produced by FoundryCo, Inc., in association with Veracode.</itunes:summary>
      <content:encoded>
        <![CDATA[<p>According to the latest State of Software Security report from Veracode, the retail industry has the lowest average number of unaddressed security flaws. Government and education have the largest “iceberg” of security debt lurking below the surface. Financial services firms have the best fix rate among all industries.</p>
<p>In this episode of A Hard Look at Software Security, Tim Jarrett, Senior Director of Product Management with Veracode, will discuss security debt across industries, and what is influencing their flaw fix rates.</p>
<p>Listeners will learn more about:</p>
<ul>
  <li>The differences in software security across sectors</li>
  <li>Why the government and education sectors have a so-called iceberg of security debt</li>
  <li>The details on why finance has the best fix rate</li>
</ul>
<p>Produced by FoundryCo, Inc., in association with Veracode.</p>]]>
      </content:encoded>
      <itunes:duration>837</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[e8529bf2-3df3-11ea-9166-bfff73168e1e]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG1666374577.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Ep. 1, S2: What’s behind most security debt</title>
      <link>https://www.csoonline.com/article/3516035/what-s-behind-most-security-debt.html</link>
      <description>Security debt - defined as aging and accumulating flaws in software - is emerging as a significant pain point for organizations across industries.

In this first episode of our second season of A Hard Look at Software Security, Tim Jarrett, Senior Director of Product Management with Veracode, will discuss what factors are behind security debt and how security managers can arm themselves with this knowledge to tackle the problem.

Listeners will learn about:


  How cross-site scripting is contributing to security debt and why it’s noteworthy

  Findings on how organizations are prioritizing fixes

  Why security debt is not being discussed enough among security professionals




Produced by FoundryCo, Inc., in association with Veracode.</description>
      <pubDate>Thu, 23 Jan 2020 15:44:00 -0000</pubDate>
      <itunes:title>What’s behind most security debt</itunes:title>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>2</itunes:season>
      <itunes:episode>1</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:subtitle></itunes:subtitle>
      <itunes:summary>Security debt - defined as aging and accumulating flaws in software - is emerging as a significant pain point for organizations across industries.

In this first episode of our second season of A Hard Look at Software Security, Tim Jarrett, Senior Director of Product Management with Veracode, will discuss what factors are behind security debt and how security managers can arm themselves with this knowledge to tackle the problem.

Listeners will learn about:


  How cross-site scripting is contributing to security debt and why it’s noteworthy

  Findings on how organizations are prioritizing fixes

  Why security debt is not being discussed enough among security professionals




Produced by FoundryCo, Inc., in association with Veracode.</itunes:summary>
      <content:encoded>
        <![CDATA[<p>Security debt - defined as aging and accumulating flaws in software - is emerging as a significant pain point for organizations across industries.</p>
<p>In this first episode of our second season of A Hard Look at Software Security, Tim Jarrett, Senior Director of Product Management with Veracode, will discuss what factors are behind security debt and how security managers can arm themselves with this knowledge to tackle the problem.</p>
<p>Listeners will learn about:</p>
<ul>
  <li>How cross-site scripting is contributing to security debt and why it’s noteworthy</li>
  <li>Findings on how organizations are prioritizing fixes</li>
  <li>Why security debt is not being discussed enough among security professionals</li>
</ul>
<p>Produced by FoundryCo, Inc., in association with Veracode.</p>]]>
      </content:encoded>
      <itunes:duration>898</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[74260070-3df3-11ea-8ec3-af3aee3184f7]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG9215178375.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>How Can A Security Champion Help Your Development Team?</title>
      <link>https://www.csoonline.com/article/3387147/how-can-a-security-champion-help-your-development-team.html</link>
      <description>A security champion serves as the voice of the developer while satisfying the needs of the business from a security perspective. In this episode we dig deeper into details on the role of the security champion and what effect having a champion can have on development and security. Listeners will learn about: • How to identify a security champion in your organization • What benefits can be expected from having a security champion • Suggestions for getting started with a security champion program</description>
      <pubDate>Fri, 05 Apr 2019 14:27:00 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>1</itunes:season>
      <itunes:episode>6</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:image href="https://megaphone.imgix.net/podcasts/098eca18-e92e-11e9-ac60-7b68d68134db/image/ed9bb3307722b9c8eae16a1a25628a72.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress"/>
      <itunes:subtitle>A security champion serves as the voice of the de…</itunes:subtitle>
      <itunes:summary>A security champion serves as the voice of the developer while satisfying the needs of the business from a security perspective. In this episode we dig deeper into details on the role of the security champion and what effect having a champion can have on development and security. Listeners will learn about: • How to identify a security champion in your organization • What benefits can be expected from having a security champion • Suggestions for getting started with a security champion program</itunes:summary>
      <content:encoded>
        <![CDATA[<p>A security champion serves as the voice of the developer while satisfying the needs of the business from a security perspective. In this episode we dig deeper into details on the role of the security champion and what effect having a champion can have on development and security. Listeners will learn about: • How to identify a security champion in your organization • What benefits can be expected from having a security champion • Suggestions for getting started with a security champion program</p>]]>
      </content:encoded>
      <itunes:duration>979</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[tag:soundcloud,2010:tracks/601410699]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG5858076267.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Flaw Fix Rates Are Low - How Can They Be Improved?</title>
      <link>https://www.csoonline.com/article/3363702/flaw-fix-rates-are-low-how-can-they-be-improved.html</link>
      <description>In this episode we discuss the latest findings on flaw fix rates in enterprises. Chris Eng, Vice President of Research, Veracode, offers perspective on what figures in the State of Software Security report reveal about the troubling amount of time it takes to address the majority of vulnerabilities. Listeners will learn about: • Average enterprise fix rates at one week and one month • Why enterprises still struggle with vulnerable open source components in software • What businesses can do to mitigate risks associated with open source flaws</description>
      <pubDate>Tue, 12 Mar 2019 19:23:00 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>1</itunes:season>
      <itunes:episode>5</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:image href="https://megaphone.imgix.net/podcasts/09b16ee2-e92e-11e9-ac60-efe82383771a/image/ed9bb3307722b9c8eae16a1a25628a72.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress"/>
      <itunes:subtitle>In this episode we discuss the latest findings on…</itunes:subtitle>
      <itunes:summary>In this episode we discuss the latest findings on flaw fix rates in enterprises. Chris Eng, Vice President of Research, Veracode, offers perspective on what figures in the State of Software Security report reveal about the troubling amount of time it takes to address the majority of vulnerabilities. Listeners will learn about: • Average enterprise fix rates at one week and one month • Why enterprises still struggle with vulnerable open source components in software • What businesses can do to mitigate risks associated with open source flaws</itunes:summary>
      <content:encoded>
        <![CDATA[<p>In this episode we discuss the latest findings on flaw fix rates in enterprises. Chris Eng, Vice President of Research, Veracode, offers perspective on what figures in the State of Software Security report reveal about the troubling amount of time it takes to address the majority of vulnerabilities. Listeners will learn about: • Average enterprise fix rates at one week and one month • Why enterprises still struggle with vulnerable open source components in software • What businesses can do to mitigate risks associated with open source flaws</p>]]>
      </content:encoded>
      <itunes:duration>954</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[tag:soundcloud,2010:tracks/589051854]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG1363298501.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Open Source Components Continue to Thwart Enterprises</title>
      <description>In this episode, we’ll discuss why enterprises still struggle with the occurrence of vulnerable open source components within their software - and what they can do to mitigate these risks. Listeners will learn more about: • The landscape of open source software today compared to internally developed code in enterprises • Why risk from open source components is an issue in most enterprises • The factors behind the friction between the process of DevOps and security</description>
      <pubDate>Tue, 26 Feb 2019 19:51:00 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>1</itunes:season>
      <itunes:episode>4</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:image href="https://megaphone.imgix.net/podcasts/09e951ea-e92e-11e9-ac60-eff7ac1792d3/image/artworks-000495295566-vjiomz-original.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress"/>
      <itunes:subtitle>In this episode, we’ll discuss why enterprises st…</itunes:subtitle>
      <itunes:summary>In this episode, we’ll discuss why enterprises still struggle with the occurrence of vulnerable open source components within their software - and what they can do to mitigate these risks. Listeners will learn more about: • The landscape of open source software today compared to internally developed code in enterprises • Why risk from open source components is an issue in most enterprises • The factors behind the friction between the process of DevOps and security</itunes:summary>
      <content:encoded>
        <![CDATA[<p>In this episode, we’ll discuss why enterprises still struggle with the occurrence of vulnerable open source components within their software - and what they can do to mitigate these risks. Listeners will learn more about: • The landscape of open source software today compared to internally developed code in enterprises • Why risk from open source components is an issue in most enterprises • The factors behind the friction between the process of DevOps and security</p>]]>
      </content:encoded>
      <itunes:duration>686</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[tag:soundcloud,2010:tracks/581788899]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG1322551714.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Building a Security-first Culture Starts with Coding</title>
      <description>In this episode, we learn about changes in application security and the partnership between development and security. Chris Wysopal, Chief Technology Officer and Co-Founder of Veracode, joins us to discuss the synergy between these teams – and what best practices help create a solid DevSecOps program. Listeners will learn more about: • The factors behind the evolving relationship between development and security • What this change means for secure coding in the future • Action items for creating a security-first culture in the enterprise</description>
      <pubDate>Tue, 26 Feb 2019 19:49:00 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>1</itunes:season>
      <itunes:episode>3</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:image href="https://megaphone.imgix.net/podcasts/0a171562-e92e-11e9-ac60-f3df2b70842f/image/artworks-000495293619-hl75fa-original.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress"/>
      <itunes:subtitle>In this episode, we learn about changes in applic…</itunes:subtitle>
      <itunes:summary>In this episode, we learn about changes in application security and the partnership between development and security. Chris Wysopal, Chief Technology Officer and Co-Founder of Veracode, joins us to discuss the synergy between these teams – and what best practices help create a solid DevSecOps program. Listeners will learn more about: • The factors behind the evolving relationship between development and security • What this change means for secure coding in the future • Action items for creating a security-first culture in the enterprise</itunes:summary>
      <content:encoded>
        <![CDATA[<p>In this episode, we learn about changes in application security and the partnership between development and security. Chris Wysopal, Chief Technology Officer and Co-Founder of Veracode, joins us to discuss the synergy between these teams – and what best practices help create a solid DevSecOps program. Listeners will learn more about: • The factors behind the evolving relationship between development and security • What this change means for secure coding in the future • Action items for creating a security-first culture in the enterprise</p>]]>
      </content:encoded>
      <itunes:duration>687</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[tag:soundcloud,2010:tracks/581787771]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG4690322657.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>Data Supports DevSecOps Practices</title>
      <description>In this episode, we will look at the emergence of DevSecOps in the enterprise. Tim Jarrett, Senior Director of Product Marketing with Veracode, joins us to explain the goal of building security into the software development process at the outset. Listeners will learn more about: • What research says about the effectiveness of DevSecOps • The core principles of DevSecOps • What is holding DevSecOps back from going mainstream? • Predictions on where this practice is heading in the future</description>
      <pubDate>Tue, 29 Jan 2019 15:23:00 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>1</itunes:season>
      <itunes:episode>2</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:image href="https://megaphone.imgix.net/podcasts/0a4120aa-e92e-11e9-ac60-af8c63357915/image/artworks-000479738940-0g2qwa-original.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress"/>
      <itunes:subtitle>In this episode, we will look at the emergence of…</itunes:subtitle>
      <itunes:summary>In this episode, we will look at the emergence of DevSecOps in the enterprise. Tim Jarrett, Senior Director of Product Marketing with Veracode, joins us to explain the goal of building security into the software development process at the outset. Listeners will learn more about: • What research says about the effectiveness of DevSecOps • The core principles of DevSecOps • What is holding DevSecOps back from going mainstream? • Predictions on where this practice is heading in the future</itunes:summary>
      <content:encoded>
        <![CDATA[<p>In this episode, we will look at the emergence of DevSecOps in the enterprise. Tim Jarrett, Senior Director of Product Marketing with Veracode, joins us to explain the goal of building security into the software development process at the outset. Listeners will learn more about: • What research says about the effectiveness of DevSecOps • The core principles of DevSecOps • What is holding DevSecOps back from going mainstream? • Predictions on where this practice is heading in the future</p>]]>
      </content:encoded>
      <itunes:duration>1028</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[tag:soundcloud,2010:tracks/566624910]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG8557174869.mp3" length="0" type="audio/mpeg"/>
    </item>
    <item>
      <title>The State of Software Security is Still a Challenge</title>
      <description>In the first episode of the series, we are joined by Chris Eng, Vice President of Research at Veracode. We’ll detail highlights of the Veracode State of Software Security Volume 9 report and discuss what the findings reveal in terms of the progress companies are making with fixing flaws. How are factors like flaw severity, business criticality of applications, and exploitability of the flaws impacting how companies view vulnerabilities? We’ll also examine information about industry performance, differences by region, third-party component risks, and vulnerability trends to give security and development teams a holistic view of the state of software security.</description>
      <pubDate>Thu, 03 Jan 2019 15:27:00 -0000</pubDate>
      <itunes:episodeType>full</itunes:episodeType>
      <itunes:season>1</itunes:season>
      <itunes:episode>1</itunes:episode>
      <itunes:author>Foundry</itunes:author>
      <itunes:image href="https://megaphone.imgix.net/podcasts/0a691b14-e92e-11e9-ac60-b7b225d1cf32/image/artworks-000466702275-jvrq1s-original.jpg?ixlib=rails-4.3.1&amp;max-w=3000&amp;max-h=3000&amp;fit=crop&amp;auto=format,compress"/>
      <itunes:subtitle>In the first episode of the series, we are joined…</itunes:subtitle>
      <itunes:summary>In the first episode of the series, we are joined by Chris Eng, Vice President of Research at Veracode. We’ll detail highlights of the Veracode State of Software Security Volume 9 report and discuss what the findings reveal in terms of the progress companies are making with fixing flaws. How are factors like flaw severity, business criticality of applications, and exploitability of the flaws impacting how companies view vulnerabilities? We’ll also examine information about industry performance, differences by region, third-party component risks, and vulnerability trends to give security and development teams a holistic view of the state of software security.</itunes:summary>
      <content:encoded>
        <![CDATA[<p>In the first episode of the series, we are joined by Chris Eng, Vice President of Research at Veracode. We’ll detail highlights of the Veracode State of Software Security Volume 9 report and discuss what the findings reveal in terms of the progress companies are making with fixing flaws. How are factors like flaw severity, business criticality of applications, and exploitability of the flaws impacting how companies view vulnerabilities? We’ll also examine information about industry performance, differences by region, third-party component risks, and vulnerability trends to give security and development teams a holistic view of the state of software security.</p>]]>
      </content:encoded>
      <itunes:duration>955</itunes:duration>
      <itunes:explicit>no</itunes:explicit>
      <guid isPermaLink="false"><![CDATA[tag:soundcloud,2010:tracks/553538550]]></guid>
      <enclosure url="https://traffic.megaphone.fm/IDG4972104776.mp3" length="0" type="audio/mpeg"/>
    </item>
  </channel>
</rss>
