How to Train a Globally Distributed Security Team

How companies with successful AppSec programs train globally distributed teams on secure development practices and security guidelines. Every large organization now has a complex and globally distributed software development process. It doesn’t matter whether your developers are in-house or outsourced, based in Bangalore or Boston; the expectation is that quality, bug-free, secure software is built quickly and efficiently. This provides the organization with the competitive edge it needs. When developers cross language, cultural, time zone, and even organizational...

Quick Wins: Why You Must Get Defensive About Application Security

Application security differs from other forms of security in the number of people it affects. Unlike installing a firewall or anti-virus software, an application security program will affect the everyday routines of many employees in many departments throughout your organization. And you need those employees to buy-in to the goals and policies of your program for it to succeed. Want a good way to get that buy-in? Get a quick win. When you quickly show progress and results, stakeholders will take notice and be more willing to give their support, and funds, to your program. An excellent quick-...

The ironic battle over crypto

This post was originally published February 4, 2016 on: www.Jarrethousenorth.com. Bruce Schneier: Security vs. Surveillance. As the dust finally settles from the breach of the US Office of Personnel Management, in which personal information for 21.5 million Americans who were Federal employees or who had applied for security clearances with the government was stolen, I find it unbelievable that other parts of the federal government are calling for weakening cryptographic protections. Because that’s what the call for law enforcement backdoors is. There’s a certain kind...

Security Team – Here Are 5 Things I Need From You

A developer’s perspective on security teams coming in at the last minute to impose requirements on the development team. First things first, I am by training, occupation, and birthright a DEVELOPER (yeah, I just screamed that and yeah I said “birthright”)! I was born this way, and if I didn’t love this stuff, there is no way I’d be capable of doing my job. This job isn’t for everyone. Despite all the glitz, glamour, and riches you’ve been led to believe go along...

What is real-time security and why it is needed

Application security has emerged, evolved, matured and been adopted at the programming and testing phases of the application lifecycle, not at its operation phase. Technologies for application protection at the operation phase have been adopted to a lesser degree, and even then only with some stipulation. This can be explained: adopting application assessment and vulnerability detection technologies is less risky than adopting application protection technologies. Technologies such as static application security testing (SAST), dynamic application security testing (DAST), and software...

How AppSec Fits into an Information Security Program

Want a better information security program? Most companies do and are willing to spend big money on safeguarding critical systems. As noted by Infosecurity Magazine, Allied Market Research predicts huge growth in the hardware encryption market, with a CAGR of more than 50 percent and a net value of almost $300 billion by 2020. But locking down data at rest and in transit is only one step on the road to better InfoSec: If applications and network devices are inherently insecure, even the best encryption won't keep cyber criminals at bay. For many companies, however, the prospect of...

How We Worked with Our Development Team to Make Security a Differentiator

Many of the software vendors we work with come to us because their customers asked for some sort of security attestation. While we applaud the requests, we know that providing separate security attestations for each product and for each customer can be time-consuming and difficult. This is why we urge independent software vendors to take a programmatic approach to application security. If they have a consistent security process across their entire product line and can demonstrate that process to their customers, they are able to get around the security objections holding up sales....

AppSec in Healthcare: Defending Patient Data

Because a single healthcare record brings nearly 10 times the value of a stolen credit-card number, and healthcare intellectual property (drug or device development, billing processes, care procedures, etc.) is a competitive differentiator, it’s no wonder cyberattackers are increasingly targeting healthcare providers. The rapidly expanding IT footprint, a bottom-up technology culture in which centralized security policies are difficult to enforce, and significant skills gaps around security create formidable challenges for healthcare providers trying to secure patient data. Through...

What Is Application Security?

The past few years have seen a tremendous increase in the number and severity of successful attacks aimed at the application layer. In fact, recent studies indicate that attacks on the application layer are growing by more than 25 percent annually (Akamai Q3 2015 State of the Internet - Security Report). The news headlines are filled with stories about these breaches. From Target to JPMorgan Chase to TalkTalk, every breach is covered in dramatic detail. Yet, although we hear a lot about application-layer breaches, we rarely hear about the solution -- application security. Why? Maybe because...

Why Doesn’t Application Security Get Enough Attention?

It is almost impossible to comprehend why application security isn’t getting more attention. In 2014 alone, there were eight major breaches through the application layer, resulting in more than 450 million personal or financial records stolen. And we aren’t talking about small breaches at companies no one has heard of. Target, JPMorgan Chase, Community Health and TalkTalk are four examples of companies that have suffered breaches due to vulnerabilities in software. With such high-profile breaches, you would think more people would be paying attention. But that’s not the...
