You are viewing 'Application Security'

Developing a Strong Application Security Program: Part 2

The Agile Movement

Michael Born

September 29, 2016 - Posted by Michael Born to Security Insight

In my previous blog, Developing a Strong Application Security Program: Part 1, I looked at aspects of a successful application security program as it pertains to a more traditional waterfall Software Development Life Cycle (SDLC). In part two of this series, I’ll focus more on an agile-based SDLC and options for implementing a successful application security program.

Let’s briefly describe some of the differences between a traditional waterfall SDLC and agile SDLC. In a waterfall SDLC, there are clear project objectives through each phase of development. Typically, each project consists of several phases: planning, design, coding, and finally testing. Security teams are injected into the phases and should have sign-off authority on each phase before the project continues to the next. I detailed security’s role in this... read more >

Developing a Strong Application Security Program: Part 1

Michael Born

August 18, 2016 - Posted by Michael Born to Security Insight

InfoSec Employees

As a Security Consultant for NTT Security (US), Inc. Professional Security Services, I have the privilege of witnessing many application security programs. I see programs that work great, are healthy, and handle risk management very well. Then there are programs that have either missed the mark completely, or are healthy but have some maturing to do.

In this blog I’ll be focusing on organizations or development teams that use a more traditional “waterfall” style approach to application development. I’ll attempt to identify traits of a healthy application security program in order to provide ideas for programs that could use some maturing. If your organization uses a more modern “agile,” “iterative,” or “kanban” style of development we will address those specific challenges in Part 2 of the series.

I’m sure many of us have heard that successful... read more >

Mitigating Legacy Application Risks

#WarStoryWednesday

Michael Born

January 06, 2016 - Posted by Michael Born to Security Insight

Protection

Several Penetration Testing assessments that I’ve worked on lately, as a Security Consultant for Solutionary Professional Security Services, have really made me think about the challenges organizations face within corporate information security programs. Recently, the biggest issue I’ve seen has to do with risk management, legacy applications, and network protocols that assist users requesting resources on the network or Internet. I’ve been finding a specific vulnerability that should not exist on any network, even those supporting legacy applications. It seems that alternative solutions for supporting those applications, however, may be pretty scarce.

So what can a business do to mitigate the risk associated with supporting legacy applications until those applications can be upgraded? In order to answer this question, let’s first look at a recent assessment... read more >

Five big cyber security trends you need to know in 2016

George Hulme

December 17, 2015 - Posted by George Hulme to Security Insight

2016

It’s hard for me to get enthusiastic about predictions. Let’s face it, anyone at the end of 2014 could have predicted that in 2015 that there would have been mega data breaches, such as those that hit the Office of Personnel Management and Ashley Madison. And in the year ahead, there will be a number of major breaches, shocking vulnerabilities, and surprising gaffes at the hand of the IT department at a number of enterprises and government agencies.

That said, it’s important that security teams always keep an eye on the major trends in the industry so that they can adjust their programs accordingly. With that in mind, here are a handful of key things we can expect to see in 2016 and likely beyond:

Citizen developers increase enterprise data risks

If enterprise application security teams think that they have a challenge now regarding keeping applications secure as they’re developed, deployed, and maintained in production,... read more >

Web Application Testing with Python Part 4

AppSec USA 2015 Follow Up

Michael Born

December 03, 2015 - Posted by Michael Born to Security Insight

This blog is a continuation of the AppSec USA 2015 blog, “Web Application Testing with Python”, “Web Application Testing with Python – Part 2” and “Web Application Testing with Python – Part 3”. To follow along, please download the virtual machine and scripts that I’ll cover in this series. (The files are posted on an OWASP-controlled Google Drive. See Resources below for the full URL).

The last blog, “Web Application Testing with Python – Part 3,” covered password attacks using custom-built Python... read more >

1 | 2 | 3 | 4 | 5 | 6 | 7 | Older Entries >>

Voted one of the Best Computer Security Blogs 2016
NTT Security (US), Inc. (formerly Solutionary) is a security consulting and managed security services provider. The NTT Security blog is a place for IT professionals to both learn and talk about the latest in IT security and compliance.

Get the NTT Security Blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)

LATEST TWEETS