Tuesday, May 23, 2017

Software Test Professionals Fall Conference 2017, September 26 – 29

I will be speaking at the Software Test Professionals Fall Conference 2017, September 26 – 29, held in the DC Metro Area, on Risk Based Security Testing. It is a 60 minute session.

Below is the link to my speaker page.
Speaker - Meera

And the link to the conference page:

STP Conference

Friday, May 19, 2017

Building security into the DevOps life cycle

A new eBook I wrote for my company has just been published. Download a copy from the company website.



The primary goal when breaking the build in the CI/CD DevOps life cycle is to treat security issues with the same level of importance as quality and business requirements. If quality or security tests fail, the continuous integration server breaks the build. When the build breaks, the CI/CD pipeline also breaks. Based on the reason for the broken build, appropriate activities such as architecture risk analysis (ARA), threat modeling, or a manual code review are triggered.
This eBook provides actionable insight into:

  • Building security into your DevOps SDLC
  • Understanding the relationship between security and quality in the CI/CD pipeline
  • Coordinating various teams to ensure that the process is well defined, tools are properly configured, and developers are ready to resolve issues when the build breaks
Download the eBook from here:

Friday, March 10, 2017

Wednesday, March 8, 2017

#BeBoldForChange on International Women’s Day 2017

And here is the one I wrote for my company Synopsys.

https://blogs.synopsys.com/software-integrity/2017/03/08/beboldforchange-international-womens-day-2017/

Read at your leisure!

#BeBoldForChange

Today is International Women's Day. The UN theme for 2017 is Empowering Women: Empowering Humanity #BeBoldForChange. What better way to celebrate it than by writing a blog post about breaking the stereotype messages we hear all the time?

I am bold and strong being a woman.
I am bold and fierce being a Senior Principal Consultant in the Security Consulting world, which is dominated by Men.
I am bold and loving and caring being a Mom, in spite of having missed a few award ceremonies and a few tennis lessons for my Daughter.
I am bold and a loving Wife, and still cry on the shoulders of my amazing Husband.
I am bold and still scared while driving at night, and call my Husband.
I am bold and an amazing cook, but still crave a plate of food to be handed to me when I return from a long day at work. I enjoy every bite of it when handed to me by none other than a Man, my Husband.
I am bold and a woman, and Mentor many men at work.
I am bold and a Hindu, and still believe in the Supreme Lord Krishna.
I am bold and a staunch devotee of my beloved Guru, who is again a Man.
I am bold and a confident woman, and speak at many events and conferences which are filled with Men.
I am bold and adventurous and travel alone for Work.

Who says that being a woman means living the stereotypes? I have broken several barriers, and push my Daughter, my Mentees, the women I work with, and the women I meet in my everyday life to break those barriers, and still be a woman.

To quote from the blog I wrote for my Company with minor changes:

This International Women’s Day, based on the theme I want to challenge women around the world to be brave and bold. Be BRAVE and be BOLD, sign up for new challenges which you have never accomplished. Challenge yourself to break the stereotypes.

I will close this post with a famous quote from our 44th President of the United States, Barack Obama: “Change will not come if we wait for some other person, or if we wait for some other time. We are the ones we've been waiting for. We are the change that we seek.”


Monday, March 6, 2017

Speaking at We RISE Women in Tech Conference

My talk has been selected for the We RISE Women in Tech Conference. The conference is on Friday June 23rd and Saturday June 24th in Atlanta, GA 30303.

You can find details about the conference and the venue at the link below:

We Rise Women in Tech Conference

Monday, August 1, 2016

Why it's time for a new approach to agile security Q&A with @MeeraSRao via @BetaNews

I did a Q&A with BetaNews about "Why it's time for a new approach to agile security Q&A".

Take a look at it at the following link:

Link for Q&A

Defensive Programming for JavaEE Web Applications - Workshop in Kerala 18-Aug-2016

If you are in or around Kerala, come join me for a day-long workshop on "Defensive Programming for JavaEE Web Applications".

You can find all details about the workshop on the conference page located here:

http://is-ra.org/c0c0n/workshops#WS1

Monday, July 11, 2016

Overcoming the 6 Most Common Threat Modeling Misconceptions

Threat modeling promotes the idea of thinking like an attacker. It enables organizations to build software with security considerations, rather than addressing security as an afterthought. However, there are some very common misconceptions that can cause firms to lose their grip around the threat modeling process. This eBook shines a bright light onto the essentials and helps to get your bearings straight with all things related to threat modeling.

Download the complete eBook to:

  • Learn about the most common threat modeling misconceptions
  • Discover the 5 pillars of a successful threat model
  • Determine how to take control of your risk management process
The eBook is published on my company's website; you can download it from here:

Wednesday, June 15, 2016

How to Build Security Into Your Software Development Process

An amazing ebook. Download and let us know your thoughts!



To standardize the software development life cycle (SDLC), organizations implement development methodologies to fulfill their objectives in a way that best suits their organizational goals. Whether you use Agile, Waterfall, or something in between, building security into your SDLC can improve efficiency and reduce costs if it’s done the right way.
Download the complete eBook to:
  1. Learn how to add security to the various phases of your SDLC
  2. Understand how secure software development works in theory and in the real world
  3. Examine how to implement security activities with purpose
  4. See how to get started

Friday, May 20, 2016

Speaking @ Jenkins World 2016

I am excited and honored to be speaking at this year's Jenkins World 2016 Conference, to be held at the SANTA CLARA CONVENTION CENTER, CALIFORNIA from SEPTEMBER 13 - 15, 2016.

If you are passionate about Security and Jenkins, then come see me talk at the conference.

I am giving a talk on "The Three Pillars Behind Continuous Security".

I have been using Jenkins from the day it was made public, when it was still called Hudson. No matter whether you are using Jenkins, Hudson, Bamboo, or any other CI tool, this talk is definitely going to help you Build Security In.

Saturday, May 14, 2016

SECOND ANNUAL CYBERSECURITY WORKSHOP FOR WOMEN AND MINORITIES!

I am excited to be part of the panel and contributing to the "SECOND ANNUAL CYBERSECURITY WORKSHOP FOR WOMEN AND MINORITIES!" conference in Huntsville, Alabama.



The link to the page is attached below:

Conference Page

If you are in and around Huntsville, come join us.

Saturday, April 4, 2015

Women in Cyber Security

Last week, Friday and Saturday, I attended and spoke at the Women in Cyber Security Conference (WiCyS). The Conference took place in Atlanta, USA on March 27th and 28th. The main goals of the conference were:
  • Security professionals worldwide are expected to increase to nearly 4.2 million by 2015.
  • Women’s representation in this male-dominated field of security is alarmingly low.
  • WiCyS expects to raise awareness about the importance and nature of cyber security careers.
  • Hopes to generate interest among students to consider cyber security as a viable and promising career option.
All of the keynote speakers were women in top positions in Cyber Security.
  • Jenn Lesser Henley, Facebook
  • Sherri Ramsay, CyberPoint
  • Phyllis Schneck, Department of Homeland Security
  • Angela Kay, Microsoft
I gave a Technical Presentation on "Know Your Enemy, and Yourself: Demystifying Threat Modeling".
I was amazed to see so many women and young college girls attend the conference. This being just the second year of the conference, there were 500 security professionals who attended. It was an interesting mix of students, professors and security professionals.


I am glad I was able to find the job which is my passion. I work like crazy and never complain, except about the traffic when I go to work.

If you know anyone who is interested in joining this profession, either here in the United States or in Bangalore, India, leave a comment and send me your resume.

Yes, you read it correct. My Company Cigital has a branch in Bangalore, India. 

Friday, December 19, 2014

Getting All Maven Dependencies

If you are running any static analysis tool for Java, you know how hard it is to get all dependencies from a client. This is especially true if the application uses Maven build. Most clients use Nexus, which makes it even harder to get libraries to compile.

During one such engagement, one of my team members was struggling to compile the code. And anytime you have compilation errors, many of the static analysis tools produce 0 findings.

That's when I sent this simple command line option to my team member, who in turn asked the client to send all the dependencies using this command. It worked like a charm: we had all the libraries required to compile the code, the tool was happy, we were happy, and the client was happy as well.

So, here it is. Make sure you can compile the code without any errors.

From a command line within your project, run "mvn clean compile"


Next, once you have a clean compilation, run the command "mvn dependency:copy-dependencies". This copies all the dependencies into the target\dependency folder.


Take a look at the target\dependency folder: you now have all the libraries needed to compile, and can configure any tool to scan your code successfully.






Sunday, October 12, 2014

Apache Commons CLI - A Simple Example

As the saying goes, "Out of Sight, Out of Mind": I was unable to remember how often I had used the Apache Commons CLI API in my Developer days. Now that I mostly work on Security engagements, when I was reminding one of our Consultants to use command line options, I couldn't remember the name of Commons CLI.

As soon as I got back home from the client site, I fired up my laptop, and there it was: the code written several years back which used the Apache Commons CLI API.

The best way to get access to these code examples is to blog here, and you have it handy anywhere in the world, right?

The Commons CLI has great documentation on its website. Take a look:

http://commons.apache.org/proper/commons-cli/

Follow the steps below to get it up and running in a few mins:

1. Download Commons CLI from here:
http://commons.apache.org/proper/commons-cli/download_cli.cgi

2. Create a simple Main class:

3. As seen in the above screenshot, use org.apache.commons.cli.Options to specify the command line options. For mandatory options, use .isRequired().

4. Add descriptions to each command line option.

5. Next, parse command line input with set options as shown below:


6. Finally, get the individual command line options using the CommandLine object. For the ones which are optional, check if the argument is available using the .hasOption method.

7. Now run the jar file from the command line and you are all set. If an option which is required is not set, it will print the help message as shown below:



8. If all the required options are specified, you see a message like this:


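The screenshots that originally accompanied steps 2 through 8 are not on this page, so here is an added example Main class that follows the same steps. It is not the post's original code. It assumes commons-cli 1.3 or later on the classpath (DefaultParser was introduced in 1.3; older releases provide GnuParser instead), and the option names -u, -o and -v are hypothetical.

```java
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;

/**
 * Added example (not the original post's screenshot code).
 * Assumes commons-cli 1.3+ on the classpath; option names are hypothetical.
 */
public class Main {

    // Steps 3 and 4: declare each option with a description; mark mandatory ones required.
    static Options buildOptions() {
        Options options = new Options();

        // Takes an argument (third parameter true) and is mandatory.
        Option url = new Option("u", "url", true, "Target URL to scan (required)");
        url.setRequired(true);
        options.addOption(url);

        // Takes an argument but is optional.
        options.addOption(new Option("o", "output", true, "Output file for the report (optional)"));

        // A flag: no argument (third parameter false), optional.
        options.addOption(new Option("v", "verbose", false, "Enable verbose logging"));
        return options;
    }

    public static void main(String[] args) {
        Options options = buildOptions();
        CommandLineParser parser = new DefaultParser();
        CommandLine cmd;
        try {
            // Step 5: parse the command line against the declared options.
            cmd = parser.parse(options, args);
        } catch (ParseException e) {
            // Step 7: a missing required option (or an unknown one) lands here.
            // Print the reason and the generated usage/help text, then exit non-zero.
            System.err.println(e.getMessage());
            new HelpFormatter().printHelp("java -jar scanner.jar", options, true);
            System.exit(1);
            return;
        }

        // Step 6: required options can be read directly ...
        String url = cmd.getOptionValue("url");
        // ... optional ones are guarded with hasOption, or given a default.
        String output = cmd.hasOption("output") ? cmd.getOptionValue("output") : "report.txt";
        boolean verbose = cmd.hasOption("verbose");

        // Option values arrive straight from the caller; validate them (e.g. the URL
        // scheme and the output path) before handing them to anything that acts on them.

        // Step 8: all required options were supplied.
        System.out.println("Scanning " + url + " -> " + output + (verbose ? " (verbose)" : ""));
    }
}
```

Running the packaged jar without -u prints "Missing required option: u" followed by the usage line and the option table that HelpFormatter builds from the descriptions in buildOptions(); supplying -u prints the final "Scanning ..." line.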
That's all it is for using the Apache Commons CLI. Happy Coding.

Wednesday, August 27, 2014

Failed to execute goal com.github.searls:jasmine-maven-plugin

When you are running a Static Analysis tool for Security such as IBM's AppScan Source or HP's Fortify SCA and you notice errors such as the following, the simplest way to solve this is to disable running your unit tests.

 [ERROR] Failed to execute goal com.github.searls:jasmine-maven-plugin:1.3.1.3:test (run-jasmine-unit-tests-external-min) on project your-project-name: There were Jasmine spec failures. -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]

The code needs to be compiled and packaged; however, the unit tests do not need to run successfully to get good results. So, at this point, to get the static analysis tool running, use one of the following commands and you should be up and running.

To skip running tests, use one of the commands below (note the plain ASCII hyphen before -D; -DskipTests still compiles the test sources, while -Dmaven.test.skip=true skips compiling them too):

mvn clean compile package -DskipTests
mvn package -Dmaven.test.skip=true

Monday, July 21, 2014

Unrecognized or invalid command line argument '-disable-sourcerendering'


If you are seeing the following error while scanning your projects using Fortify Maven plugin, there is a simple fix.

[error]: Unrecognized or invalid command line argument '-disable-sourcerendering'
Fortify Static Code Analyzer 5.16.0.0042
Copyright (c) 2003-2013 Fortify Software

For command-line help, type 'sourceanalyzer -h'

[ERROR] Error invoking sourceanalyzer. Exit code: 1.
Verify your project settings and your SCA installation.

Open the file com.fortify.ps.maven.plugin.sca.ScanMojo.java, and replace the following code:

com.fortify.ps.maven.plugin.sca.ScanMojo

if (!renderSources) {
    addArg("-disable-sourcerendering");
}

With the following lines:

if (!renderSources) {
    addArg("-disable-source-rendering");
}

Recompile, package, and install using:

mvn compile package install

And rerun your scans.



Tuesday, January 7, 2014

Installing Maven Fortify Plugin

The Maven Fortify Plugin supports Maven 2.0.X, 2.2.X and 3.0.X versions. The Plugin provides functionality to translate, scan and upload using Fortify's Source Code Analyzer or SCA as it is commonly called.

The source code of the plug-in is available within the Samples folder of the fortify installation as shown below.



Make sure you have Maven installed.

If the Maven Fortify Plugin has never been installed, run the Maven clean package and install commands as shown below:


Once the commands run, you should be able to see the jar successfully built.


At this point, you can browse the .m2 folder and see that the plugin has been installed in your local Maven repository.


Now that the plugin is installed, you can easily translate, and scan using Fortify on all your Maven projects. 

A few other posts on Fortify can be found here:

Wednesday, August 21, 2013

Job Openings @ Cigital




Cigital currently has 29 different openings across different locations. We are actively recruiting, with critical needs in Texas, London, and for Managing Consultant roles. You’ll find detailed descriptions for these on our website. Leave a comment here, and I can send you an email to get your resume.



Technical Manager - Santa Clara

Managing Consultant - Chicago, Dallas, London, New York, Santa Clara, Toronto

Sales Director - Houston

Associate Consultants - Bloomington, Boston, Dulles and New York

Interns - Bloomington, Boston, Dulles and New York

Security Consultants - Boston, Dulles, London, Minneapolis

Sr. Security Consultant - Dulles, London and Santa Clara