How Can Enterprises Still Be Victimized By Attacks That We've Known About For Decades?

By Evan Schuman June 16, 2016  | Security News

As has become almost a weekly tradition, another major security hole was reported last week (June 8). This report, from Talos, is about a hole that allows malicious files to be launched when anyone clicks on a PDF from within the Google Chrome browser. The attack leverages "an exploitable heap buffer overflow vulnerability in the Pdfium PDF reader. By simply viewing a PDF document that... READ MORE

The Peril Of Confusing A Security Researcher With A Cyberthief

By Evan Schuman June 9, 2016  | Security News

The security researcher's lot is not an easy one. This player is an essential part of the security ecosystem, an experienced security person who tries and finds security holes in systems so that they can be flagged and fixed. The problem is that the good guy security researcher—at a glance—looks and acts an awful lot like a bad guy cyberthief. From the CISO's desk, how is one... READ MORE

Vendor Risk Management Must Include Applications

By Tim Jarrett June 8, 2016  | Managing AppSec

Way back in April, Securosis published a whitepaper, “Building a Vendor (IT) Risk Management Program.” While the paper is informative and practical – do you know what is noticeably missing? Information on how to manage the risk that comes with using vendor applications. This is surprising because Securosis frequently writes about the importance of application security. Companies are... READ MORE

The Future Is Now: Applications Protect Themselves Against Attacks

By Jessica Lavery June 7, 2016  | Security News

More enterprises than ever before are recognizing that software is inherently insecure. Yet, they cannot slow down their development cycles to accommodate this reality. Doing so would compromise their innovation and competitiveness. As a tradeoff, many companies end up sacrificing security. RASP technology holds the promise of protecting applications without touching code. As a category, runtime... READ MORE

How to Earn a Reputation as a Unicorn

By Anne Nielsen June 7, 2016  | Intro to AppSec

You have a great idea for a new product – what could possibly go wrong? One of my favorite games in business[1] is to have a pre-mortem wherein you imagine that you are a year older and wiser and whatever it is you are working on right now fails miserably. I mean, spectacularly – we are talking pets.com-style. This game plays into my hyperbolic nature, but also is useful in... READ MORE

It's Time To Rethink The Password. Yes, Again

By Evan Schuman June 6, 2016  | Security News

Every few months, another prominent person in software security suggests that the password needs to be done away with—and they invariably say it as though it's a new idea. In reality, the security community has effectively agreed for more than a decade that passwords are no longer sufficiently secure to protect the sensitive data they are tasked with protecting. And yet, just like the... READ MORE

What is Benchmarking?

By Helena Campbell May 31, 2016  | Intro to AppSec

If you type ‘Benchmarking’ into Google, the top definition is “evaluating something by comparison with a standard”. Seems simple enough, but the bigger question here is – who sets that standard? In the past, we may have looked to the big enterprise-size companies; however, breaches such as Talk Talk, Sony & Target make it easy to see that even the... READ MORE

If Government Data Threats Get Companies To Take Data Security Seriously, It May Be All Worthwhile

By Evan Schuman May 27, 2016  | Security News

Perceived security threats motivate IT people the same way they do everyone else. People react to how much a threat scares them, which sometimes has little relation to how truly threatening that threat is. Consider rank-and-file U.S. citizens and fears of terrorism. The potential damage by a terrorist is horrendous, but there are consumers who consider terrorists a far bigger threat than burglars... READ MORE

Bad Things Happen When You Don’t Measure Your AppSec Program

By Suzanne Ciccone May 23, 2016  | Managing AppSec

If you’re going to spend time, money and effort implementing an application security program, don’t lose your progress by neglecting to collect and share metrics. With strong metrics, you not only prove that your program is making a positive impact, but also identify where and how it’s working – or not working. What happens if you don’t measure? Bad things like these... READ MORE

When US-CERT Issues an Alert, Does IT Listen?

By Evan Schuman May 18, 2016  | Security News

Last week, US-CERT (the U.S. Computer Emergency Readiness Team) issued an alert about an old SAP security hole after a vendor flagged that attackers were still using it. The initial problem was that SAP had apparently fixed the hole some six years ago, but gave users the choice whether to protect themselves or not. Candidly, that's an odd choice to offer IT execs, but it's easier to... READ MORE
