Why DevOps Is Not DevSecOps

jfeiman's picture
By Joseph Feiman August 25, 2016  | Intro to AppSec

The IT industry has long welcomed DevSecOps, yet it is still poorly adopted. Gartner tellingly defines its status as: “Trough of Disillusionment.” What is inhibiting adoption? For the answer, look at its definition, and you will sense something odd. It is defined as a set of processes, people, methods, models, policies, culture, recipes, blueprints and templates.  This list... READ MORE

Vegas Cons 2016 Wrap Up

tpalarz's picture
By Tom Palarz August 18, 2016  | Research
Defcon 2016 Wrap Up

In my earlier post, I gave my thoughts on what the trends were so far part way through the set of conferences last week (BSidesLV, Blackhat, and DefCon24). In this post, I wrap up my thoughts for the week’s conferences. There were several great talks I missed at BSides this year. Two in particular were ones I’m bummed I missed: one on FOIA requests [http://sched.co/7a8k] (given... READ MORE

When Bug Bounties Are Counter-Productive

eschuman's picture
By Evan Schuman August 18, 2016  | Security News
The problems with bug bounty programs.

Crowdsourcing security holes—aka bug bounties—has become an increasingly-popular tech firm tactic, bordering on Silicon Valley standard-operating-procedure. But as tempting as such an approach is, it's not without serious drawbacks. What we're talking about is encouraging and incentivizing anyone and everyone to dig into your app/OS and beat up on it to try and find any... READ MORE

How Developers Can Go From Mercenaries to Masters of Their Domain

pchestna's picture
By Pete Chestna August 17, 2016  | Secure Development
A modern developer working in a devops environment needs many skills.

If you’re a developer like me, you’ve probably had more than a few jobs over the years. In today’s business climate, developers are like 21st century mercenaries: pursued by company after company, enticed by hotter jobs, cooler projects and – of course – bigger salaries. Staying anywhere more than two years is unusual. It’s a sellers’ market if you’... READ MORE

Top 4 Reasons Why Application Security Should Be Your Focus

sciccone's picture
By Suzanne Ciccone August 16, 2016  | Intro to AppSec

We live in a software-driven world – it’s how organizations in every industry interact with customers, prospects and partners. But information security has not kept pace with this shift, and traditional defenses are proving inadequate in this environment. As users and applications become the risk focal point, there is no hard and fast perimeter security professionals can put a wall... READ MORE

Why a Bug Bounty Program Is Just One Bite of the Security Apple

jzorabedian's picture
By John Zorabedian August 15, 2016  | Security News
Apple with bug

When Apple announced at Black Hat that it’s launching a bug bounty program, you could hear from the peanut gallery variations of a common theme: “it’s about time.” Apple has taken some flak for being slow to join the many tech companies with bug bounty programs, from Alphabet to Yahoo. Increasingly, companies outside the tech sector, from auto manufacturing to airlines,... READ MORE

Forcing Monthly Password Changes Only Helps The Thieves

eschuman's picture
By Evan Schuman August 11, 2016  | Security News
Monthly password change requirements weaken security!

When protecting app data, the default response for years has been passwords. And as long as a company's data is solely being defended by passwords, it makes sense to insist that they be changed regularly, no? Would not such mandated periodic changes shorten the life of the access-controls for thieves? Turns out that the answer is "no" to all of the above. To the extent that... READ MORE

You’ve Tested the AppSec Waters: Now It’s Time to Take the Plunge

sciccone's picture
By Suzanne Ciccone August 11, 2016  | Intro to AppSec
cliff diver

You’ve dipped your toes into the AppSec waters, but now it’s time to wade in a little further. Many organizations understand application security is important, and maybe they’ve done some scanning or pen testing of a handful of apps. But many are also unsure what comes next, or even if anything needs to come next. The reality is that Web application attacks are now the most... READ MORE

Taking The Worry Out Of Component Usage

chausammann's picture
By Christine Hausammann August 10, 2016  | Managing AppSec

Software development is changing fast, with one of the biggest recent changes being the shift to open source software. Although this change opens up a whole new world of coding possibilities, it also introduces new challenges, and problems. What’s the best way to balance its advantages and risks? Education recently experienced a similar shift. Harvard and MIT launched EdX not so long ago.... READ MORE

Crypto Fun at Black Hat 2016

tpalarz's picture
By Tom Palarz August 9, 2016  | Research

This year’s Black Hat Briefings included many outstanding talks; being a bit of a crypto geek, the one that particularly piqued my interest was the practical forgery attack on the Galois/Counter Mode (GCM) mode of operation: Nonce Disrespect (slides [pdf], paper [pdf], example code) GCM is an authenticated encryption mode where authentication and ciphering are done in one pass across a... READ MORE

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.