Matias is a researcher and developer with more than 15 years of hands-on software security experience. He has developed solutions for companies such as Fortify Software and his own company Sensei Security. Over his career, Matias has led multiple application security research projects that have led to commercial products, and he holds more than 10 patents. When he is away from his desk, Matias has served as an instructor for advanced application security training courses and regularly speaks at global conferences including RSA Conference, Black Hat, DefCon, BSIMM, OWASP AppSec and BruCon.
Matias holds a Ph.D. in Computer Engineering from Ghent University, where he studied application security through program obfuscation to hide the inner workings of an application.
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realized that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.
If ever there was something to ruin Christmas in the cybersecurity industry, it’s a devastating data breach that is on track to become the largest cyberespionage event affecting the US government on record.
A curated course containing the exact modules in which your developers would need to show proficiency will have a potent impact, and allow them to hit the ground running when it comes to security best practices in their day-to-day work.
Shifting security fixes back towards the development process isn't easy, but is necessary in today's world where even seemingly simple devices like presentation tools are both surprisingly complex, and also networked into everything else.
Authentication often acts as a gateway both to an application and, potentially, to the rest of a network, so authentication mechanisms are tempting targets for attackers. If an authentication process is broken or vulnerable, there is a good chance that attackers will discover that weakness and exploit it.
Software development is no longer an island, and when we account for all aspects of software-powered risk - everything from the cloud, embedded systems in appliances and vehicles, our critical infrastructure, not to mention the APIs that connect it all - the attack surface is borderless and out of control.
It’s safe to say that the past couple of years have been transformational for cybersecurity standards, and while not mandatory, it should be a goal for all organizations to follow suit, and scrutinize vendor security practices as though they are part of their own internal security program.
Developers won’t have a positive impact on vulnerability reduction without a foundational understanding of how the vulnerabilities work, why they are dangerous, what patterns cause them, and what design or coding patterns fix them in a context that makes sense in their world. A scaffolded approach allows layers of knowledge to give a full picture of what it means to code securely, defend a codebase, and stand up as a security-aware developer.
Zero-day attacks, by definition, give developers zero time to find and patch existing vulnerabilities that could be exploited, because the threat actor got in first. The damage is done and then it’s a mad scramble to fix both the software and reputational damage to the business. Attackers are always at an advantage, and closing that edge as much as possible is crucial.
This is part 1 of a two-part series on successful PCI-DSS compliance within an organization. In this chapter, we detail how AppSec specialists can work closely with development managers to empower developers, strengthen the SSDLC and turn the general requirements of the standard into specific, measurable outcomes.
There are a few reasons why AppSec tools are not being utilized as we might have come to expect, and it’s less about the tools and their functionality, and more about how they integrate with a security program as a whole.
The playing field between the heroes and villains in cybersecurity is notoriously unfair. Sensitive data is the new gold, and attackers adapt quickly to circumvent defenses, exploiting security bugs large and small for potential paydirt.
This vulnerability occurs when an API does not limit how many requests a client may send, or how much computing resource a single request may consume. When too many requests arrive at once, the API runs out of resources and becomes unavailable or unresponsive to new requests, including legitimate ones.
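The usual mitigation is to give every client its own request budget and to cap how much work the service accepts at once. The following is an added example, not code from the original article: a token-bucket rate limiter keyed by client, plus a cap on in-flight requests. The client identifiers, the rates and the injectable clock are assumptions chosen so the example runs deterministically offline; in production you would pass `time.monotonic` as the clock and return HTTP 429 or 503 for the two rejection cases.

```python
"""Per-client token-bucket rate limiting plus an in-flight cap.

Added example, not part of the original article.  Each client gets a
bucket that refills at `rate` tokens per second up to `burst` tokens;
every request costs one token.  A separate counter bounds how many
requests the service is working on at the same time, so one client's
burst cannot consume all the capacity that other clients rely on.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Bucket:
    tokens: float   # tokens currently available to this client
    last: float     # clock reading at the last refill


class RateLimiter:
    def __init__(self, rate: float, burst: int, max_inflight: int,
                 clock: Callable[[], float]):
        self.rate = rate                  # refill rate, tokens per second
        self.burst = burst                # bucket capacity (largest allowed burst)
        self.max_inflight = max_inflight  # concurrent requests the service accepts
        self.clock = clock                # injected so tests are deterministic
        self.buckets: Dict[str, Bucket] = {}
        self.inflight = 0

    def _bucket(self, client: str) -> Bucket:
        """Fetch the client's bucket, refilling it for the time elapsed."""
        now = self.clock()
        b = self.buckets.get(client)
        if b is None:
            b = Bucket(tokens=float(self.burst), last=now)  # new clients start full
            self.buckets[client] = b
        else:
            b.tokens = min(float(self.burst), b.tokens + (now - b.last) * self.rate)
            b.last = now
        return b

    def admit(self, client: str) -> str:
        """Return 'ok', 'rate_limited' (HTTP 429) or 'overloaded' (HTTP 503)."""
        b = self._bucket(client)
        if b.tokens < 1.0:
            return "rate_limited"         # this client exhausted its own budget
        if self.inflight >= self.max_inflight:
            return "overloaded"           # service-wide protection, shed load
        b.tokens -= 1.0
        self.inflight += 1
        return "ok"

    def release(self) -> None:
        """Call when a request admitted with 'ok' finishes."""
        self.inflight -= 1


def demo() -> Dict[str, object]:
    """Drive the limiter with a constructed request pattern (assumed clients/IPs)."""
    now = [0.0]                           # fake clock, advanced by hand
    rl = RateLimiter(rate=1.0, burst=3, max_inflight=2, clock=lambda: now[0])

    # A burst of five requests from one client at t=0, each released immediately.
    burst: List[str] = []
    for _ in range(5):
        r = rl.admit("10.0.0.5")
        burst.append(r)
        if r == "ok":
            rl.release()

    other = rl.admit("10.0.0.6")          # an unrelated client is unaffected
    rl.release()

    now[0] = 2.0                          # two seconds later: two tokens refilled
    later = [rl.admit("10.0.0.5") for _ in range(3)]   # two 'ok' left in flight
    overloaded = rl.admit("10.0.0.7")     # has tokens, but the service is full

    return {"burst": burst, "other": other, "later": later, "overloaded": overloaded}


if __name__ == "__main__":
    print(demo())
```

The two rejection paths are deliberately distinct: a 429 tells a well-behaved client to back off, while a 503 shed-load response protects the service when aggregate demand, not one client, is the problem.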
Unless infrastructure-level access control is in perfect order, an entire enterprise is exposed to attackers, who can use that weakness as their gateway for either unauthorized snooping or a full attack.
Cyberattacks are only getting more frequent, and threats affecting Linux-based infrastructure are becoming more common, with the end goal being an opportunity to crack open a loot chest of sensitive data stored in the cloud.
This is part 2 of a mini-series on PCI-DSS compliance within an organization. In this final chapter, we detail how CTOs and CISOs can lead from the top in reducing cyber risk and making the process seamless, successful... and maybe a little fun for developers.
The insufficient logging and monitoring flaw mostly happens when an organization's security plan fails to require that security-relevant events, such as failed authentication attempts, denied access decisions and input validation errors, are logged and actually reviewed.
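To make the flaw concrete, here is an added example (not code from the original article) of the two halves that are usually missing: a structured log line for each security event, and a detection that actually reads those lines. The sample log records, IP addresses, user names and the five-failures-per-minute threshold are constructed for the example.

```python
"""Structured security-event logging and a brute-force detection over it.

Added example, not part of the original article.  `security_event` writes
one JSON line per authentication, authorization or validation event (and
never includes the submitted credential).  `find_bruteforce` replays such
lines and flags any source IP with `threshold` failed logins inside a
sliding window of `window_s` seconds.
"""
import json
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict


def security_event(ts: str, event: str, outcome: str, src_ip: str, user: str) -> str:
    """Return one JSON log line. `ts` is ISO-8601 with an explicit UTC offset."""
    record = {"ts": ts, "event": event, "outcome": outcome,
              "src_ip": src_ip, "user": user}
    return json.dumps(record, sort_keys=True)


def build_sample_log() -> str:
    """Constructed sample: six failures in 25 s from one IP, then a success,
    two slow failures from another IP, plus a denied access and a bad input."""
    lines = []
    for i in range(6):
        lines.append(security_event(f"2024-05-01T10:00:{5 * i:02d}+00:00",
                                    "login", "failure", "203.0.113.9", "alice"))
    lines.append(security_event("2024-05-01T10:00:30+00:00",
                                "login", "success", "203.0.113.9", "alice"))
    lines.append(security_event("2024-05-01T10:02:00+00:00",
                                "login", "failure", "198.51.100.4", "bob"))
    lines.append(security_event("2024-05-01T10:12:00+00:00",
                                "login", "failure", "198.51.100.4", "bob"))
    lines.append(security_event("2024-05-01T10:03:00+00:00",
                                "access", "denied", "198.51.100.4", "bob"))
    lines.append(security_event("2024-05-01T10:03:01+00:00",
                                "input_validation", "failure", "198.51.100.4", "bob"))
    return "\n".join(lines) + "\n"


def find_bruteforce(log_text: str, threshold: int = 5,
                    window_s: int = 60) -> Dict[str, int]:
    """Map each offending source IP to the peak number of failed logins
    seen inside any `window_s`-second window."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    hits: Dict[str, int] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["event"] != "login" or rec["outcome"] != "failure":
            continue
        t = datetime.fromisoformat(rec["ts"]).timestamp()
        q = recent[rec["src_ip"]]
        q.append(t)
        while q and t - q[0] > window_s:      # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            hits[rec["src_ip"]] = max(hits.get(rec["src_ip"], 0), len(q))
    return hits


def count_by_event(log_text: str) -> Dict[str, int]:
    """Count events by (event, outcome); the input needed for a monitoring baseline."""
    counts: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            counts[f"{rec['event']}:{rec['outcome']}"] += 1
    return dict(counts)


if __name__ == "__main__":
    sample = build_sample_log()
    print(find_bruteforce(sample))   # the 203.0.113.9 burst, followed by a success
    print(count_by_event(sample))
```

Note what the detection surfaces: the burst from 203.0.113.9 is followed by a successful login, which is the pattern a reviewer most needs to see and the one that is invisible when only successes are logged.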
The recent cybersecurity Executive Order from the Biden Administration has certainly got the security industry talking, especially those who are looking to win over developers to the importance of applying secure coding best practices in their day-to-day work.
We need to reinforce a human-led approach to cybersecurity best practices, and it’s going to get better results than a heavy reliance on automation, tools, and reaction to problems that have already been embedded and discovered.
Developers are among those who are most up close and personal with code, in addition to security configurations and access control. Their security skills must be nurtured, and to achieve the high standards as outlined by NIST, a hands-on course structure might just be the efficient way to tackle it, especially with large development cohorts.
We're thrilled to announce a brand new feature release on the Secure Code Warrior platform: Missions. This all-new challenge category is the next phase in developer-ified security training, moving users from the recall of security knowledge, to applying it in a real-world simulation environment.
Whether discomfort comes from the unknowns of a new way of working, a little mistrust, or perhaps not believing in remote work, I find that companies who are resistant to it tend to fall behind in terms of attracting top talent, maintaining global reach and, frankly, moving with the times.
The key to most computer security these days involves passwords. Even if other security methods are employed, like two-factor authentication or biometrics, most organizations still employ password-based security as one element of their protection.
Secure Code Warrior has built a GitHub Action that brings contextual learning to GitHub code scanning. This means developers can use a third-party action like the Snyk Container Action to find vulnerabilities, and then augment the output with CWE-specific, hyper-relevant learning.
Penetration testing and static analysis scanning tools (better known as SAST) are just part of the overall process to mitigate security risks, operating rather independently from what we do - until the code bounces back to us for hotfixes, of course!
Many companies who are kicking goals in their cybersecurity approach have implemented an official security champion program, bestowing key security responsibilities - everything from liaising between teams and general cheerleading, to overseeing best practices - onto individuals who show aptitude and passion for such a role.
Security misconfiguration is likely a little more prevalent in APIs, but attackers will often attempt to find unpatched flaws and unprotected files or directories anywhere in a network. Coming across an API that has debugging enabled or security features disabled just makes their nefarious work a little easier.
At times, applications will also share data with other programs as part of an overall workload. Unless the transport layer is protected, that data is vulnerable both to outside snooping and to unauthorized internal viewing.
A relationship that is built on the shaky foundations of mistrust is, well, best approached with low expectations. Sadly, this can be the state of the working relationship between developers and the AppSec team within an organization.
Security misconfigurations, especially those of the improper-permissions variety, most often happen when a developer creates a new user or grants an application permissions in order to get a task done, without trimming those permissions back to what the task actually requires.
Attackers will always attempt to find easily exploitable vulnerabilities first and may even use a script to run through common weaknesses. It's not unlike a thief checking all the cars on a street to see if any doors are unlocked, which is a lot easier than smashing a window.
With a persistent skills shortage at odds with the deluge of code being written to satisfy the world’s software needs, many businesses are falling behind in their cybersecurity strategy and existing infrastructure. It’s time we took an honest look at our overall cybersecurity maturity, and assessed the viable quick wins that are right in front of us.
CISOs are finding themselves in an increasingly fraught position: Protect more assets, ship more code, reduce a bigger attack surface, and do it with rapidly diminishing financial resources. It’s an inescapable fact that cybersecurity is viewed as a cost center, and despite an organization’s security program being what stands in the way of a threat actor making them tomorrow’s disastrous headline, security leaders must do more to sell in and prove the overall business value of the department, in language that makes sense to the executive body.
Our latest research paper, Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise is the result of deep analysis of real Secure-by-Design initiatives at the enterprise level, and deriving best practice approaches based on data-driven findings.
The growing focus on secure code and Secure-by-Design principles requires developers to be trained in cybersecurity from the start of the SDLC, with tools like Secure Code Warrior’s Trust Score helping measure and improve their progress.
The idea of bringing preventive security to legacy code and systems at the same time as newer applications can seem daunting, but a Secure-by-Design approach, enforced by upskilling developers, can apply security best practices to those systems. It’s the best chance many organizations have of improving their security postures.
Our research has shown that secure code training works. Trust Score, using an algorithm drawing on more than 20 million learning data points from work by more than 250,000 learners at over 600 organizations, reveals its effectiveness in driving down vulnerabilities and how to make the initiative even more effective.
In this white paper, security expert and Secure Code Warrior CTO & Co-Founder Matias Madou, Ph.D. will discuss: the six pillars you need to roll out effective security education and enablement for your development cohort; lessons learned from ten executives implementing security programs at the enterprise level; and common pitfalls to avoid on your road to success.