You are viewing 'Application Security'
The Agile Movement
In my previous blog, Developing a Strong Application Security Program: Part 1, I looked at aspects of a successful application security program as it pertains to a more traditional waterfall Software Development Life Cycle (SDLC). In part two of this series, I’ll focus more on an agile-based SDLC and options for implementing a successful application security program.
Let’s briefly describe some of the differences between a traditional waterfall SDLC and agile SDLC. In a waterfall SDLC, there are clear project objectives through each phase of development. Typically, each project consists of several phases: planning, design, coding, and finally testing. Security teams are injected into the phases and should have sign-off authority on each phase before the project continues to the next. I detailed security’s role in this... read more >
As a Security Consultant for NTT Security (US), Inc. Professional Security Services, I have the privilege of witnessing many application security programs. I see programs that work great, are healthy, and handle risk management very well. Then there are programs that have either missed the mark completely, or are healthy but have some maturing to do.
In this blog I’ll be focusing on organizations or development teams that use a more traditional “waterfall” style approach to application development. I’ll attempt to identify traits of a healthy application security program in order to provide ideas for programs that could use some maturing. If your organization uses a more modern “agile,” “iterative,” or “kanban” style of development we will address those specific challenges in Part 2 of the series.
I’m sure many of us have heard that successful... read more >
Several Penetration Testing assessments that I’ve worked on lately, as a Security Consultant for Solutionary Professional Security Services, have really made me think about the challenges organizations face within corporate information security programs. Recently, the biggest issue I’ve seen has to do with risk management, legacy applications, and network protocols that assist users requesting resources on the network or Internet. I’ve been finding a specific vulnerability that should not exist on any network, even those supporting legacy applications. It seems that alternative solutions for supporting those applications, however, may be pretty scarce.
So what can a business do to mitigate the risk associated with supporting legacy applications until those applications can be upgraded? In order to answer this question, let’s first look at a recent assessment... read more >
It’s hard for me to get enthusiastic about predictions. Let’s face it, anyone at the end of 2014 could have predicted that in 2015 that there would have been mega data breaches, such as those that hit the Office of Personnel Management and Ashley Madison. And in the year ahead, there will be a number of major breaches, shocking vulnerabilities, and surprising gaffes at the hand of the IT department at a number of enterprises and government agencies.
That said, it’s important that security teams always keep an eye on the major trends in the industry so that they can adjust their programs accordingly. With that in mind, here are a handful of key things we can expect to see in 2016 and likely beyond:Citizen developers increase enterprise data risks
If enterprise application security teams think that they have a challenge now regarding keeping applications secure as they’re developed, deployed, and maintained in production,... read more >
AppSec USA 2015 Follow Up
This blog is a continuation of the AppSec USA 2015 blog, “Web Application Testing with Python”, “Web Application Testing with Python – Part 2” and “Web Application Testing with Python – Part 3”. To follow along, please download the virtual machine and scripts that I’ll cover in this series. (The files are posted on an OWASP-controlled Google Drive. See Resources below for the full URL).