Will Computers Ever Be Secure?
These days, it feels like news reports about data security breaches are commonplace. It looks as if the attackers have won and securing IT systems is a Sisyphean task.
More and more (mobile) apps are written in Apache Cordova (or its proprietary variants such as PhoneGap or SAP Kapsel). Apache Cordova is a framework that makes it easy to write (mobile) apps for many different platforms using a hybrid development approach, i.e., combining web development technologies (HTML5 and JavaScript) with native development techniques such as Java or Objective C.
Combining web and native technologies creates new security challenges as, e.g., an XSS attacker becomes more powerful. For example, an XSS vulnerability might allow an attacker to access the calendar of a device or delete the address book.
We are proud to announce the release of HOL-TestGen 1.8. HOL-TestGen is a formal specification-based test environment that allows a seamless transition from verification to test case generation using symbolic computation in Isabelle/HOL.
Apache Cordova is a widely used framework for writing mobile apps that follows the “hybrid app” paradigm. A hybrid app is a mobile app that is partly implemented in platform-neutral HTML5/JavaScript and partly in platform-specific languages (e.g., Java or Objective C).
I am looking forward to my first OWASP meeting in Sheffield (it’s actually the second meeting of the Sheffield OWASP Chapter). I will give a talk on my experiences in introducing and implementing a security testing strategy within a large (more than 25000 developers) and international software development team. There will be even more interesting talks (as well as free beer and pizza).
I am happy to announce that Michael Herzberg will join the Software Assurance & Security Research Team as a PhD student.
Michael studied computer science at the Karlsruhe Institute of Technology (KIT) in Germany and finished his studies there with a thesis on “Static Code Analysis for Securing Cordova Application.” During his PhD studies, he will apply formal modeling and verification techniques to (software) vulnerabilities.
Looking forward to a great week in Trento attending the SECENTIS PhD Winter School on Security and Trust of Next Generation Enterprise Information Systems. It will be a week full of interesting lectures on building security and privacy-aware enterprise systems.
Got lost in the overwhelmingly large amount of security testing research? Do not worry, there is help.
We are happy to announce that our survey on security testing has been published. We not only provide an overview of the current state of the art in security testing research, we also explain the role of security testing in a secure software development process and discuss the various security testing approaches in the context of a multi-tiered web application.
Welcome to the blog of the Software Assurance & Security Research Team at the University of Exeter. We regularly blog news, tips & tricks, as well as fun facts about software assurance, reliability, security, testing, verification, hacking, and logic.
You can also follow us on Twitter: @logicalhacking.