Measure Twice, Cut Once: How to Avoid and Overcome Technical Debt

The first time I heard the term "technical debt," I thought it had something to do with buying 45 Nintendo Game Boy Color consoles on credit the day before the Nintendo DS came out. And while I certainly associated the right sentiment (shortsightedness, to be exact) with the term, I was way out of the ballpark. But the list of terms surrounding agile is growing, and fast — so fast, it's hard for many people and companies to keep up. So what exactly is "technical debt," and how can your company avoid it? Put down your credit card and pay attention. Always Test...

Point-of-Sale Fail: How to Find the Right Retail POS Vendor

There's a massive gap between perceived and actual security, especially when it comes to point of sale (POS) — and, as the recent surge in retail security breaches demonstrates, retailers that fail to recognize this gap are paying the ultimate price. The fact is this: Even though securing customer information has become a paramount concern for many CISOs, retailers don't always have a firm grasp on the places where customer data is most vulnerable, and they might not know what questions to ask vendors to ensure the strongest security possible. Here's a closer look at the POS...

Scrumban: A Hybrid Framework to Get More Out of Your Agile SDLC

Do you find that demands placed on your Scrum team have changed over time and you have transitioned from a smooth cycle to a more caveat-ridden model? It may be time to consider switching to a different development framework such as Scrumban. Agile teams face many challenges, and the demands on those teams can change throughout a product's lifecycle. Often the demands of a new Scrum team creating a new product are very different from one that is adding features and supporting production issues for a mature product. If you find that you are constantly tweaking your...

3 Web and Mobile Application Vulnerabilities — and the Lessons They Teach

If you've kept up with the nightmarish data breach Sony Pictures Entertainment is dealing with — and you should, even if you don't care about the event's most tabloid-like aspects — you're seeing one of the most important lessons a modern company can learn played out on a major scale: No data is inconsequential in this age of information, and because of that, digital security is more important than ever. That said, it doesn't take a disruption of such unprecedented size to cause huge headaches for a given company and its customers and clients. Hackers, however...

Top 5 CISO Challenges Securing Web and Mobile Applications

If you are like most CISOs who are starting or scaling up application security programs, you will run into the challenges listed in this infographic. When you think about it, all of these challenges are interconnected. The traditional approach of assessing applications with tools requiring security expertise isn’t currently scaling up to assess the volume of applications being produced by enterprises (challenge 1). Application security budgets aren’t going to increase enough to close the gap by just doing more of the same (challenge 4). The most effective way to scale up...

Where Cybersecurity Insurance Falls Short: Securing Against Third-Party Risk

A spate of high-profile security incidents over the past few years (and the damaging fallout from those incidents) has caused many enterprises to turn toward cybersecurity insurance for protection against business-damaging scenarios. The problem? Many insurance programs fall short when it comes to one of the riskiest aspects of modern technology: dealing with the software and systems of third parties. Enterprise CISOs have to understand policy exclusions and know how to protect the aspects of their business that these policies won't. The Emergence of Cyberinsurance As the number of...

Exploit Profile: All About SQL Injection

You've heard it before, and you'll hear it again: SQL injection is no joke. Why the repetition? It's that serious a threat. As the number-one exploit on the OWASP Top 10 list of digital security issues (and one of the easiest attacks to successfully pull off), injection is a major tool for novice scripters and skilled hackers alike. With little more than basic knowledge and a sufficiently vulnerable target, black hat types can use the technique to do all sorts of nasty stuff: view users' log-in details, access sensitive info stored in a compromised database, make unauthorized...

Align benefits for enterprise and supplier – or pay

In our introduction to this series, we talked about how securing the software supply chain is like other supply chain transformation initiatives and our intention to learn from initiatives like “green” supply chain and RFID rollouts. This post highlights the last of Seven Habits of Highly Successful Supply Chain Transformations, drawing analogies and translating into application security. We’ve talked about a wide variety of issues related to a secure supply chain makeover in this series: Industry standards for defining appsec compliance. Segmenting the supply chain for best...

The Fog of War: How Prevalent Is SQL Injection?

Security statistics are complicated, and there’s a lot of fog of war around some fundamental questions like: how common are SQL Injection flaws? A pair of interesting articles over the last day have illustrated some of the challenges with answering that question. A company called DB Networks announced that it had found an uptick in SQL Injection prevalence in 2014, which had appeared to be on a steady decline from 2010 to 2013. DB Networks based their analysis on data from the National Vulnerability Database, which collects disclosures of known vulnerabilities. Shortly thereafter,...

How to Choose a Third-Party Developer Based on Software Compliance and Safety

Hiring a third party to build your company's web apps (or pieces of them) may not be as difficult as putting the code together internally, but there can still be significant roadblocks involved. That's especially true when it comes to software compliance, and it becomes more challenging when a company knows little about the nuts and bolts of web app security. The good news? Bringing on a third-party developer isn't much different from hiring a company for any complex task that you don't know much about. Better, a lack of security knowledge doesn't have to make picking the...
