Head in the Cloud? Agile Web Application Development Can Help

Agile development is more than just a methodology — it's a mindset. And in the wake of a not-so-subtle reminder that we live in an increasingly insecure world, application developers are starting to see that they need to adjust their approaches and embrace agile application development to secure their software. Here's a closer look at agile and the ways in which it can ensure secure web application development despite risks posed by the cloud: The Cloud Is Looming The proven flexibility, ease of use and cost savings offered by cloud computing make it a no-brainer for most firms...

Medical Device Cybersecurity: One-off or Overall Strategy?

According to recent data from MarketsandMarkets, the market for portable medical devices will be worth $20 billion by 2018. One key factor in this growth is the "availability of a wide range of medical software applications" that allows manufacturers and health agencies to custom-design medical devices to meet specific needs. The US Food and Drug Administration (FDA), meanwhile, has released a set of medical device cybersecurity guidelines designed to help manufacturers evaluate applications before they bring devices to market. Are these guidelines best used as a way to avoid...

Web Application Security Testing: Why the Utilities Industry Can't Afford a Security Blackout

Web applications are surprisingly vulnerable to malicious attacks. No longer is the biggest threat to your safety an alleged, long-lost Nigerian uncle who needs all your bank account information so he can wire you a million dollars. Instead, an arsenal comprising parasitic apps, keyloggers, SQL injection and incredibly well-designed XSS shadow sites and emails is available to those who wish to steal even the savviest internet user's information. With the proliferation of advanced threats in this Post-Overseas-Uncle Era, allowing preventable attacks is inexcusable — and web...

Find it Early, Fix it Early: PETETalks

In my recent blog post I discussed some of the fundamental tenets of the agile methodology of software development – one of which is keeping developers working efficiently within their tool chain. Having held the role of Scrum Master myself, I’ve had the responsibility to ensure that members of my development team have the tools they need to finish their tasks at hand before they move on to the next story within a sprint. This begs the question of how to embed security into an actual sprint – increasing effectiveness and reducing time spent on the security assessment...

Fire in the Sky: Shellshock Ignites the Security Debate

In late September, Shellshock exploded, becoming the internet's newest "big problem." Stemming from a flaw in Bash — the default shell for OS X and Linux, and often installed on Windows-based devices as well — the vulnerability caused a wave of panic, exploits and, subsequently, patches to fix this 25-year-old problem. But this is just the latest in a series of threats like Heartbleed and the Backoff point-of-sale (POS) malware, and companies are starting to wonder: Can IT security ever prepare for what's coming next? Boom! According to Ars Technica, the fallout...

Why Secure Critical Infrastructure Is a Pillar of Society

Critical infrastructure is the backbone of any country. Today, governments are acutely aware of the threat that terrorists, state-sponsored hackers, cybercriminals and hacktivists pose to control systems within a critical environment. As a result, protection (rightly) lies at the heart of every governmental cyberstrategy. The number of cyberattacks launched against critical infrastructures worldwide is constantly growing. And while the security levels of these systems are often poor, the attacks launched against them have grown increasingly complex. In some cases, an attack on a supervisory...

Concepts, Events and AppSec: What Does Your Training Focus On?

The difference between applied and reactive training is huge in the field of software development, especially when AppSec is involved. I'm a big fan of the "applied learning" side of the equation, at least as it relates to security. In his article, "The 7 Deadly Sins of Application Security," 20-year industry vet and Aspect Security CTO and co-founder Jeff Williams nails why: One thing I've noticed is that two organizations with the exact same application security activities can have wildly different results over time. One organization will improve, steadily...

Safety Check: Methods for Analyzing Third-Party Security

With almost every software development team now utilizing open source code, outsourced development, commercial-off-the-shelf (COTS) software or some other form of outsourced software, the need to understand proper third-party security has never been greater. The gamut of methods for analyzing third-party software runs from robust solutions that check for true application security to others so simple that, functionally, they're little more than rubber stamps that enable IT departments to claim they have third-party security in place. In the face of growing attacks against vulnerable apps,...

Medical Device Cybersecurity and the Agile Development Prognosis

Medical device manufacturers face a daunting host of challenges, especially where cybersecurity is concerned. In response to the growing concerns of these manufacturers, the Food and Drug Administration (FDA) recently released guidance in the form of its "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices." This nine-page document details five "cybersecurity framework core functions" — identify, protect, detect, respond and recover — that developers should use to direct the steps they take. But what do these things really mean...

OCC Compliance and Financial Institutions: A Look Into the Crystal Ball

As goes the world, so goes banking. With everything else that's possible via technology today, there's no reason we shouldn't be able to deposit checks with our smartphones, complete online transactions with bank-enabled checkout systems or move money between bank accounts online. So we can. This creates major headaches for banks and their regulators. Every layer of accessibility is another third party that's involved in the banking process. The Office of the Comptroller of the Currency (OCC) recently released updated guidelines for third-party relationships, focusing...
