Cigital is a software security firm, based in Dulles, VA. Services include application security testing, penetration testing, and architecture analysis. Cigital also provides instructor-led security training and products such as SecureAssist, a static analysis tool that acts as an application security spellchecker for developers.

Wikipedia
SlideShare Presentation
  • The BSIMM is a study of existing software security initiatives. By quantifying the practices of many different organizations, we can describe the common ground shared by many as well as the variation that makes each unique. BSIMM is not a “how to” guide, nor is it a one-size-fits-all prescription. Instead, BSIMM is a reflection of software security. Here are some things we’ve learned and observe...

Blog Post

New blog articles detected.

  • Sweet32: Time to Retire 3DES?

    The DES encryption algorithm was designed in the early 1970s by researchers at IBM. It was adopted as a FIPS standard in 1977. The algorithm uses 56-bit keys, which were long enough to be secure at the time. However, as it became feasible to brute force 56-bit keys, 3DES was adopted as a standard in the … Continue reading Sweet32: Time to Retire 3DES? The post Sweet32: Time to Retire 3DES? appeare...

  • Getting to the Bottom of the Top 5 Vendor Risk Management Best Practices

    “We cannot enter into alliances until we are acquainted with the designs of our neighbors.” – Sun Tzu Opening this post with an Art of War quote may seem a bit cliché. At the same time, it really hits the nail on the head when discussing vendor risk management. After all, the best way to … Continue reading Getting to the Bottom of the Top 5 Vendor Risk Management Best Practices The post Getting to...

  • Setting up a Software Security Group in 5 Steps

    Traveling with a group will motivate you to pick up the pace. Working together, a team will share the load and make everyone’s pack lighter. The right team can make the difference between a painful slog and an incredible adventure. Meet your hiking party—the Software Security Group (SSG). Why have a software security group? In … Continue reading Setting up a Software Security Group in 5 Steps The ...

  • Stealing Authentication Tokens From Locked Machines With a Mobile Phone

    Stealing credentials from locked machines shouldn’t work. And yet, it does. The main reason for this is that the operating system automatically loads device drivers if it has access to them. This is true even when a machine is locked. In the case of locked machines, USB Ethernet adapter drivers ship with every major operating … Continue reading Stealing Authentication Tokens From Locked Machines W...

  • Breaking news: We’re expanding our ability to support your software security journey

    Cigital has long held to our vision of “Building Security In.” We believe that software security cannot be bolted on at the end of the process, but must be built into the process—beginning at architecture and design and holding through to delivery. This vision has been the core of everything we have done as a … Continue reading Breaking news: We’re expanding our ability to support your software se...

  • How to Choose Between Closed Source and Open Source Software

    “I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” – Abraham Maslow  When it comes to commercial and open source tools (i.e., paid and free software) the debate as to which category of software is better continues, leaving egos, careers, and … Continue reading How to Choose Between Closed Source and Open Source Software The post How to Choo...

  • 7 Elements of a Successful Software Security Journey

    A successful software security journey is an exercise in endurance. As you travel you’ll build strength and skills that make the process more streamlined and efficient. If you make, manage, or purchase software, you need to address software security. Prepare for the adventure by making sure you have the right things in your pack. In … Continue reading 7 Elements of a Successful Software Security J...

  • Voter Registration and Election Security: What You Need to Know

    If you’re registered to vote in the U.S., you probably recall the information collected at registration. To refresh your memory, personal details such as your name, address, date of birth, driver’s license number, and the last four digits of your social security number are all contained within your state’s voter rolls and records. All of this information is … Continue reading Voter Registration an...

  • A Spell Check Equivalent for Building Security In

    Originally posted on SecurityWeek I can honestly say that spell check is the reason I now know how to spell “separate.” It only took about 20 years of patient and faithful repetition from Microsoft Word. The concept of spell check is intriguing when considered in the context of security. There is a significant benefit to … Continue reading A Spell Check Equivalent for Building Security In The post...

  • Handle With Care: You Have My Vulnerability Assessment Report!

    Does your organization rely heavily on vendor products or applications for streamlining processes? Do you wonder what threats your data is being exposed to while it’s handled by these applications? Are you a vendor trying to assure clients that your applications are secure—without divulging too much information? Have you faced situations where your client demands … Continue reading Handle With Car...

  • Securing IoT Devices in the Wake of Last Week’s Mirai Malware Attack

    Last Friday, two major Distributed Denial of Service (DDoS) attacks on Dyn’s Managed DNS infrastructure brought down the websites of over 80 Internet giants including Amazon, PayPal, and Twitter. The sophisticated attack involved tens of millions of IP addresses. Many of these addresses were associated with the open source Mirai botnet. The attack leveraged Internet of … Continue reading Securing ...

  • BSIMM7 Explores Emerging Software Security Trends and Evolution

    BSIMM7 was released October 4th, 2016. That’s just a few weeks before the seventh annual BSIMM Community Conference convened on Amelia Island, Florida. This year’s BSIMM conference was well attended, with 160 participants representing 60 of 95 BSIMM firms from across the globe. The energy and enthusiasm at the conference was palpable. There is nothing … Continue reading BSIMM7 Explores Emerging So...

  • Brace Yourselves: Application Transport Security Is Coming

    HTTP is a plaintext protocol. As such, it creates inherent security and privacy concerns when used by applications. Apple, for instance has (finally) decided to start treating the secure alternative, HTTPS, as the de facto Web protocol for iOS mobile apps. At WWDC16, Apple pointed out that enabling HTTPS doesn’t necessarily mean that you’re secure. … Continue reading Brace Yourselves: Application ...

  • Vulnerability Management: Designing Severity Risk Ranking Systems

    One of the first challenges most security teams tackle is defect discovery. Soon afterwards, the bugs start piling up. I often work with organizations struggling to consistently risk rank issues into severity categories. There are many factors to consider in this process, not to mention the amount of brain power going into devising the perfect … Continue reading Vulnerability Management: Designing...

  • Examining Containerization Security Challenges and Solutions

    Containerization is a relatively new way to host and deploy applications in comparison to the traditional hardware-based deployment or VM-based virtualization. It’s fast, cost effective, and efficient. But is it secure? Let’s find out. The concept of containerization. While Docker and containers are the talk of the town in the DevOps world, the concept of containerization … Continue reading Examin...

  • How to Overcome Common Software Security Training Hurdles

    Software security training is an important part of software development. In the latest Ponemon study on data breaches, training and awareness programs are the number one control implemented after a data breach. However, as with any security control, it’s possible to incorrectly implement training. Within this post, I’ll discuss several common software security training hurdles … Continue reading H...

  • Cloud-Based Application Security Testing Challenges and Tips

    Cloud computing has influenced IT delivery services (including storage, computing, deployment, and management) with the maturity of automation and virtualization technologies. With these maturing technologies, a major obstacle in the adoption of cloud computing is security. Cloud security testing, as a relatively new service model, allows IT security testing service providers to perform on-demand ...

  • Software Security Essentials Every SMB Should Have

    The all-too-prevalent attacks against large organizations are often those that you’ll see pop up on the news. However, attackers aren’t neglecting small and medium-sized businesses (SMBs). That’s why every organization, irrespective of its size, needs software security. Wondering how to kick-start a robust software security implementation for your start-up? Here, I’ll discuss several essential fac...

  • The Latest Must-Have Car Accessory: Security

    Originally posted on SecurityWeek Fall is a great time of year. The kids go back to school. The weather begins to cool and the leaves change. Lord Football returns to his autumnal throne. Television shows return for a new season. Fall is also the traditional time when the automakers release their model year vehicles. Amid … Continue reading The Latest Must-Have Car Accessory: Security The post The...

  • Webinar: Does Increased Automation Lead to Increased Security?

    Given the increasing volume of attempted and successful cyber security attacks, there is a sharp increase in demand for security expertise. Due to this increasing security demand, important questions are emerging in the industry. These questions include: Can automation solve security’s most serious problems? If not, why? What do human security gurus bring to the … Continue reading Webinar: Does In...

  • BSIMM7 Is Now Available: What’s New?

    At the time of the BSIMM7 release today (October 4, 2016), the BSIMM Project has been underway for eight years. During that time, the size of the data set has multiplied over 26 times from 9 measurements to 237. Additionally, the number of firms whose software security initiatives we describe has grown from 9 to … Continue reading BSIMM7 Is Now Available: What’s New? The post BSIMM7 Is Now Availab...

  • 2016 in Review: Cigital CTO Highlights of the Year

    The biggest Cigital news of 2016 is our acquisition by Synopsys. Following another year of profitability and solid growth, we are exceptionally pleased to join the Synopsys team. The strategic fit is perfect. And the culture of exceptional engineering at Synopsys is a great match. Synopsys: More Wood Behind the Software Security Arrowhead Synopsys is … Continue reading 2016 in Review: Cigital CTO ...

  • Lessons Learned From This Year’s Biggest Security Breaches

    As this year draws to a close, we can look back on 2016 and see what challenges the security industry has had to overcome. Jumping on this bandwagon a bit early, I hope to draw attention to some of the more difficult challenges our industry will face in the coming year. In order to do … Continue reading Lessons Learned From This Year’s Biggest Security Breaches The post Lessons Learned From This Y...

  • Top Cyber Security Trends of 2016

    As we near the end of 2016, it’s time to reflect on some of the biggest security issues that we saw this year. 2016 was an interesting year in which many security issues came into focus. We saw many attacks with a goal of financial gain. We saw nation-states threatening cyberattacks around the US election. And, we … Continue reading Top Cyber Security Trends of 2016 The post Top Cyber Security Tre...

  • If You’re Only as Strong as Your Allies, Should You Trust Third-Party Code?

    Originally posted on SecurityWeek Doing business is a highly interactive endeavor and software is increasingly at the heart of those interactions. Agility becomes a key component of staying competitive, so organizations are seeking allies to help them obtain the software they need to stay in the race. Notice I said “obtain” rather than “build” or … Continue reading If You’re Only as Strong as Your...

  • Here Are the Top 10 Best Practices for Securing Android Apps

    Smartphone, tablet, and other hand-held device sales have skyrocketed in recent years. It’s now critical for businesses to provide a mobile option or experience to customers. Additionally, many companies are even created for the sole purpose of making services and entertainment available to their customers’ fingertips—literally. At the same time, software security initiatives must fall … Continue ...

  • Get Executive Support for Your Software Security Journey

    According to Osterman Research, 60% of IT and security leaders say that the information they provide on cyber risk is NOT actionable. To add to that alarming finding, SearchSecurity reports that 12% of CISOs include NO metrics in their reports to senior executives. Software security is one of many competing priorities demanding the attention of … Continue reading Get Executive Support for Your Sof...

SlideShare Presentation

New SlideShare presentations detected.

  • Agile security - Getting it right from the start

    When implementing security into the various phases of the SDLC, it’s important to implement these activities with purpose. This presentation explains why and how to get security correct from the start.

  • Secure Design: Threat Modeling

    Why are code reviews and penetration tests not enough to secure your organization’s software? This presentation explores the importance of threat modeling in the security journey.

  • Getting Executive Support for a Software Security Program

    Software security is one of many competing priorities within your organization. How do you get the attention and budget you need? This presentation walks you through ways to build executive support.

  • Handle With Care: You Have My VA Report!

    Does your organization rely heavily on vendor applications for streamlining your processes? Do you wonder what threats your data is exposed to when it’s handled by these applications? The following discussion acts as a guideline for organizations to follow while reaching a consensus on application assessments and findings.

  • Can You Really Automate Yourself Secure

    Much attention has been given to the need for increased automation in security, given the sheer volume of attackers and attacks, the overload of information security pros must wrangle, and the continued high demand for security expertise. But can automation solve all of security’s most serious problems? If not, why not? Will there always be a need for human involvement? These slides were used in...

  • How to Choose the Right Security Training for You

    There aren’t enough security experts to fill the more than 1 million open cybersecurity jobs. If you’re lucky enough to have the security staff it’s important to keep them motivated and learning, to do that you need to know what options are open to you. We’ll take a dive into training options so you can pick what’s right for your staff and your organization.

  • 6 Most Common Threat Modeling Misconceptions

    There are some very common misconceptions that can cause firms to lose their grip around the threat modeling process. This presentation shines a bright light onto the essentials and helps to get your bearings straight with all things related to threat modeling.

  • Video Game Security

    This presentation from AppSec 2016 covers video game security and hacking video games including how to analyze your business risk, common attacks and protection, and specific tactics to lower your risk.

  • Get Your Board to Say "Yes" to a BSIMM Assessment

    Not everyone understands why benchmarking is important or how it can help set the course for the future. If you’re having trouble convincing your executive team why this matters take a look at our slides Get Your Board to Say “Yes” to a BSIMM Assessment for guidance on what to share and how to share it.

  • Software Security Metrics

    More often than not, company executives ask the wrong questions about software security.  This session will discuss techniques for changing the conversation about software security in order to encourage executives to ask the right questions – and provide answers that show progress towards meaningful objectives.  Caroline will discuss a progression of software security capabilities and the metrics...

  • Get Your Board to Say Yes To Managed Security Services

    Deciding to shift from an in-house application security solution to a managed services partner can be a big decision. If you need help convincing your executive team this is the right decision you’ve come to the right place.

  • Software Security Initiative Capabilities: Where Do I Begin?

    Where to begin your software security initiative including defect discovery, secure SDLC, vendor management and more.

  • Static Analysis Tools and Frameworks: Overcoming a Dangerous Blind Spot

    More and more organizations are using static analysis tools to find security bugs and other quality issues in software long before the code is tested and released. This is a good thing, and despite their well-known frustrations like high false positive rates and relatively slow speeds, these tools are helping improve the overall security of software. Unfortunately, these known frustrations may ...

  • Security vs. Development: The SDLC's Game of Thrones

    Aligning your company’s development and security teams can be a challenge—especially with different goals, resources, and motivations among teams. Each team stakes claim to different areas of the SDLC, making it hard to find common ground. However, when security and development join forces to build secure software together, the company will not only survive, but thrive. In this webinar, we shar...

  • Delivering Security In an Agile World

    "Delivering Security In an Agile World: 7 things to remember to ensure the software you’re developing is secure" When delivering software features in an agile way, it’s critical to ensure the software you’re delivering is secure. To understand how this works, think of the Agile SDLC as a shipping company—instead of delivering software, you’re delivering packages. In this detailed metaphor, you’l...

  • Cyber War, Cyber Peace, Stones, and Glass Houses

    Washington has become transfixed by cyber security and with good reason. Cyber threats cost Americans billions of dollars each year and put U.S. troops at risk. Yet, too much of the discussion about cyber security is ill informed, and even sophisticated policymakers struggle to sort hype from reality. As a result, Washington focuses on many of the wrong things. Offense overshadows defense. Nation...

  • The Complete Web Application Security Testing Checklist

    Did you know that the web is the most common target for application-level attacks? That being said, if you have ever been tasked with securing a web application for one reason or another, then you know it’s not a simple feat to accomplish. When securing your applications, it’s critical to take a strategic approach. This web application security testing checklist guides you through the testing pro...

  • Software Security In Healthcare, What We’ve Learned

    Healthcare is one of a very small number of industries responsible for protecting both personal health and payment information, plus intellectual property. Securing all of this data requires a well-rounded mix of planning, technical expertise, and business knowledge. Jim Routh, CISO of Aetna, Greg Barnes, CISO of Horizon Blue Cross Blue Shield, and Sammy Migues, Principal Scientist of Cigital wil...

  • How To Close the Software Security Training Gap

    It’s important to ensure that developers are properly trained in secure development. But why? Isn’t the primary goal of a developer to create functionality? Yes and no. Development methods and emerging technologies evolve rapidly. By the time developers apply the knowledge they’ve learned in the classroom, the information may already be out of date. Not to mention that developers have few opport...

  • 10 Things We Can Learn About Application Security From Football

    You may not often look for application security lessons from the game of football, but their fundamentals aren’t so different. In football, the defense blocks the opposing team from getting to the end zone. It’s bad news for your team if the opposition scores a touchdown. Similarly, in security, if the bad guys score a touchdown by hacking into your firm’s sensitive information-filled software, y...

Blog Post

New blog articles detected.

  • Identifying and Resolving Software Vulnerabilities: A Balancing Act

    Leading a software security group (SSG) is a balancing act. Most decisions come down to how to apply an extremely limited amount of resources to what seems like an insurmountable problem. To give you an example, a question I have been asked in past roles, and continue to hear from clients today is: “Is it better to … Continue reading Identifying and Resolving Software Vulnerabilities: A Balancing ...

  • 5 Questions to Ask Yourself When Deciding on the Best Static Code Analysis Tool

    Buying a house is interesting because it forces you to take a look at everything that you may have taken for granted and ignored. Recently, while I was packing my tools in preparation for a move, I realized that I have eight different hammers in my toolbox. Each hammer serves a different purpose and not … Continue reading 5 Questions to Ask Yourself When Deciding on the Best Static Code Analysis T...

Blog Post

New blog articles detected.

  • Security Training Solutions for a Multinational Financial Corporation

    A developer’s primary purpose is to create working features within an application or piece of software. They accomplish this task by combining known processes in innovative ways. While their focus involves building a functional application, in most cases they aren’t experts when it comes to breaking it. Failing to think maliciously about ways in which … Continue reading Security Training Solutions...

  • The Greatest Security Vulnerability: Humans

    In the security industry, we hold the following words near and dear to our work: “Humans are the weakest link in the security supply chain.” Even companies with solid, well-built security standards are prone to human error. This is because humans are the most important part of information security and all humans make mistakes. According … Continue reading The Greatest Security Vulnerability: Human...
