Develop a Culture of Application Security: Our 4-Step Road Map

Application security isn't just a list of practices or a set of rules to go by — it's a state of mind. Even if that sounds hokey, it's also absolutely, totally, 100 percent true. Without the proper culture instilled at an office-wide level, no cutting-edge protocols or best practices can save you from introducing security flaws into your work. The good news is that AppSec can be accomplished. If your office doesn't reflect a proper commitment to security culture, take a look at this road map, tailor it to your own situation, and give it a go. The results just might...

IT Security for Small Business: Pipe Dream or Possibility?

Small businesses face a unique challenge when it comes to IT security: They're expected to meet enterprise standards for handling data, but on a shoestring budget and with razor-thin profit margins. And since many smaller companies can't afford to design and build apps in-house, they're forced to rely on an application ecosystem that's dominated by potentially insecure third-party programs. Is true IT security for small business possible — or is it just a pipe dream? The Small-Business Problem According to the National Cyber Security Alliance (NCSA), smaller companies...

International Cybersecurity Threats: Don't Fear the Distant Tighty-Whities

Unlike national security threats, cybersecurity threats are much harder to track. There is no Jack Bauer hunting down imminent threats, no single organization providing us with lists of places we can and can't go, and no oceans separating hackers from hackees. As the Internet becomes more and more globalized, security regulations can't keep up — which means the responsibility falls to enterprises. Regulators like the OCC and SEC partner with organizations like the FS-ISAC to provide guidelines that will hopefully someday be laws, but managers would be wise to think beyond these...

How the Dairy Queen Breach Can Help Put the Freeze on Third-Party Security Problems

Would you like a side of stolen credit card data with your Blizzard? It's the flavor of the month, apparently, as Dairy Queen announces that it, too, has been compromised by Backoff point-of-sale (POS) malware. Having risen to infamy in the wave of POS attacks that followed last year's massive Target breach, Backoff continues to pop up on systems across the country: the Dairy Queen breach of nearly 400 locations includes stolen names, card numbers and expiration dates. What can companies learn from DQ's malware brain freeze? Saw It Coming According to The Wall Street Journal, there was talk of a DQ breach...

True Code Security Requires Smart Software Development

No CISO in today's environment is going to allow a system to exist without solutions designed to prevent attacks, usually at the infrastructure or operating system (OS) level. But such solutions are naturally limited when it comes to attacks made directly against an application, and those limitations are leaving systems around the world even more vulnerable. True code security has been increasingly difficult to achieve since the advent of Agile development, but there are still ways that CISOs can work together with development teams to protect their businesses from the growing menace of...

Prevent Web Application Vulnerabilities by Testing Early

An exploit is not an exploit is not an exploit. Though many abusable web application vulnerabilities ostensibly come with the same goal in mind, namely letting malicious jerks access all sorts of sensitive data, the various roads they take to reach that end are nearly as wide and varied as the types of software they attack. Here's a look at three well-known web application vulnerabilities, how they work, and why stopping them early (read: during development, before the code ever reaches production) is crucial for the security of your users and the reputation of your product and company. 1. Heartbleed: Catchy Name,...

Cracking the (Security) Code: Why Developer Training Matters

How much do developers really know about writing secure application code? That's a question companies are starting to ask in earnest as the number of desktop, web-based and now mobile applications in their networks continues to skyrocket. What's more, many such apps aren't developed in-house; they're either farmed out to third-party vendors or pushed up the pipeline by company partners. Is there a way to gauge the amount of developer training an IT professional has received over the course of his or her career? More importantly: does it matter? C Minus Minus In a recent Dark...

Wearable Fitness Trackers: Are Healthcare Applications Threadbare on Security?

Fashion is quickly becoming synonymous with function as wearable devices take center stage. Fitness trackers and technologies like Google Glass are just the first step — the next decade could include everything from intelligent fibers that record pulse and breathing rates to contact lenses that monitor your eye health. A lens that monitors blood sugar is already in development. For these wearables to achieve real commercial success, however, they'll rely on a slew of new healthcare applications. Is enough being done to safeguard personal information, or are these new fashion...

Go Ahead, Use Software Composition Analysis to Perfect Your App Recipe

Creating a new software application is like baking the perfect pie: Every company has its own recipe that includes "secret" in-house code but uses common, third-party ingredients where applicable. But what happens if ingredients in your latest batch are bad? Veracode's software composition analysis service recently determined that external components embed an average of 24 known vulnerabilities into every web application. So how can companies keep their software from poisoning critical systems? Best Practices If third-party or open source vendors make the component you're...
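The kind of check a composition-analysis tool performs, as an added example that is not the article's or Veracode's code: it reads a pinned dependency manifest, compares each component's version against an advisory list, and reports the components whose version falls inside an affected range. The manifest, the component names and the ADV-* identifiers below are constructed for illustration and do not refer to real packages or real advisories.

```python
"""Minimal software composition check: match a pinned dependency manifest
against a list of advisories with version ranges (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str      # constructed identifier, not a real CVE/advisory
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet
    summary: str


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.

    Dotted numeric versions only; pre-release tags (1.2.0rc1) are out of
    scope for this example and would raise ValueError.
    """
    return tuple(int(part) for part in v.strip().split("."))


def parse_manifest(text: str) -> dict:
    """Parse pip-style 'name==version' lines; blanks and '#' comments skipped.

    Unpinned entries are rejected: without an exact version there is nothing
    to compare against an advisory range.
    """
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"pinned version required: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version lies in [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(manifest_text: str, advisories: list) -> list:
    """Return sorted (component, version, advisory_id, fixed) for each hit.

    A component can match several advisories; each one is reported so the
    fix version shown is the one that actually closes that advisory.
    """
    deps = parse_manifest(manifest_text)
    findings = []
    for adv in advisories:
        version = deps.get(adv.component.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.component, version, adv.advisory_id, adv.fixed))
    return sorted(findings)


# Constructed sample manifest and advisory feed (all names/IDs invented).
SAMPLE_MANIFEST = """
# third-party ingredients pinned by version
fastjson-lite==1.2.3
imgresize==0.9.0
yamlparse==2.1.0   # already on the fixed release
"""

SAMPLE_ADVISORIES = [
    Advisory("fastjson-lite", "ADV-0001", "1.0.0", "1.2.5", "unsafe deserialization"),
    Advisory("fastjson-lite", "ADV-0004", "1.3.0", "1.3.2", "later branch only"),
    Advisory("imgresize", "ADV-0002", "0.8.0", None, "heap overflow, no fix yet"),
    Advisory("yamlparse", "ADV-0003", "2.0.0", "2.1.0", "arbitrary object load"),
]


if __name__ == "__main__":
    for component, version, adv_id, fixed in scan(SAMPLE_MANIFEST, SAMPLE_ADVISORIES):
        action = f"upgrade to >= {fixed}" if fixed else "no fixed release; mitigate or replace"
        print(f"{component}=={version}: {adv_id} ({action})")
```

The yamlparse entry shows why the upper bound must be exclusive: a component pinned exactly to the first fixed release is clean, while fastjson-lite on 1.2.3 is flagged by the 1.0.0 to 1.2.5 range but not by the advisory that only touches the 1.3 branch.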

Guidelines for Risk Management in Third-Party Relationships, Courtesy of the OCC

Banks and financial institutions are increasing their relationships with third parties. In many cases, these collaborations involve key organizational functions, such as partnerships, outsourcing and contracting. In every case, they invite the possibility of serious institutional risk. Concerned about the quality of risk management conducted by banks and financial entities in governing their (often complex) third-party relationships, the Office of the Comptroller of the Currency (OCC) has issued a bulletin designed to inform national banks and federal savings associations about the risks...
