The fog of war: How prevalent is SQL Injection?

Security statistics are complicated, and there's a lot of fog of war around some fundamental questions, such as: how common are SQL Injection flaws? A pair of interesting articles over the last day have illustrated some of the challenges with answering that question. A company called DB Networks announced that it had found an uptick in SQL Injection prevalence in 2014, after what had appeared to be a steady decline from 2010 to 2013. DB Networks based its analysis on data from the National Vulnerability Database, which collects disclosures of known vulnerabilities. Shortly thereafter,...

How to Choose a Third-Party Developer Based on Software Compliance and Safety

Hiring a third party to build your company's web apps (or pieces of them) may not be as difficult as putting the code together internally, but there can still be significant roadblocks involved. That's especially true when it comes to software compliance, and it becomes more challenging when a company knows little about the nuts and bolts of web app security. The good news? Bringing on a third-party developer isn't much different from hiring a company for any complex task that you don't know much about. Better, a lack of security knowledge doesn't have to make picking the...

Security Showdown: The Open Source vs. Closed Source Debate

The range of malicious behaviors that made headlines over the past year proves how close to home cybercrime can hit, how it can harm an organization, and how it can force IT leaders to rethink their security strategies. Security teams have sought to secure their enterprise's software however they can, a need that has brought to light the question of open source vs. closed source: is software from one of these sources more secure than software from the other? Here's a closer look. High-Profile Hacks: In 2014, an intimidating number of very public hacking incidents put precious personal data at risk....

When It Comes to Third-Party Software, It's Not the Size — It's the Motion

You've likely heard the phrase, "Size matters." And you've probably heard, "It's not the size of the dog in the fight; it's the size of the fight in the dog," too. Whether you believe Cosmo or Twain is up to you, but one thing is certain: the democratization of the internet means small shops and major commercial developers alike can deliver third-party software on a level playing field, and deliver it through the same channels. For smaller businesses with low budgets, innovative ideas and a few smart folks behind them, that's great news; however...

Webinar Review: In Secure Agile Development, Why Can't We All Just Get Along?

Talk about agile with any waterfall-committed manager in the development industry, and you'll hear several reasons why maintaining the status quo works better for her or him. You'll probably also hear this: agile is fast, and probably better suited to how today's users consume software, but it just isn't as secure. The problem with that logic? It's all wrong. Spend an hour listening to this webinar (which features Securosis Chief Technology Officer and Analyst Adrian Lane and Veracode VP of Security Research Chris Eng), and you're certain to agree. Here's an analysis...

Insurance for Web Application Developers: Plummeting Premiums with Proper Risk Management

Insurance isn't exciting. It doesn't generate noteworthy buzz or media interest, and for most companies, insurance policies are signed, stored and then forgotten unless absolutely needed. But emerging IT security threats such as Shellshock and the recurring Backoff malware have prompted significant growth in the cyber insurance market. Insurance for web application developers is one unique area of interest, but it comes with increased risk: what happens if an app doesn't perform as required, or if it lets a malicious actor through the gate? Here's how developers can...

Shopping for Cybersecurity Insurance in a Pre-Regulation World

Coping with the digital world is difficult, what with constantly evolving threats, regulations, the lag time between major attacks and legislation, SQL injection, XSS and Java (oh my!). And now, on top of all that, you have to choose a cybersecurity insurance company. Unlike automobile insurance, where you're at least safe to drive with any company you choose, cyber insurance is still in its infancy and almost completely unregulated, making navigating its world akin to driving in a country without consistent rules of the road. Luckily, we can help. Here's a closer look at cybersecurity...

The Dos and Don'ts of Building a Culture of Security

By now, you know implementing any office-wide change can be a challenge. More importantly, you know it's entirely possible if you commit, and the results are more than worth the effort. But what does a security-focused workplace look like? What does it do? Here are three growing trends among successfully security-minded workplaces, along with three areas less-successful offices could stand to improve on. A Successful Culture of Security: 1. Understands the Value of Coaching. Mistakes happen. Someone can completely buy into the changes you implement and still make an error (or...

Apple Mobile Payments: Should You Pioneer or Play It Safe?

We've known for a long time that we'd someday be able to pay for things using our smartphones, ditching those dated plastic credit cards and clunky wallets for good. And it seems that day is right around the corner: Apple Pay is now accepted at a growing number of retailers, and with Square moving to enable near-field communication (NFC) payments for all its customers, the number of small businesses that accept mobile payments can be expected to rise dramatically in 2015. Apple's iOS holds a market share of around 41 to 42 percent, which means nearly 60 percent of...

Drive compliance via WIIFM

In our introduction to this series, we talked about how securing the software supply chain is like other supply chain transformation initiatives, and about our intention to learn from initiatives like "green" supply chain and RFID rollouts. This post highlights the sixth of the Seven Habits of Highly Successful Supply Chain Transformations, drawing analogies and translating them into application security. One of the simplest and most effective lessons I learned in a course on negotiation in business school was the concept of WIIFM. That's "What's in it for me," and...