Whitepapers

The connection between cybersecurity and a company’s bottom line is crystal clear to board members – and they’re worried. In fact, more than 80 percent of respondents discuss cybersecurity at most or all boardroom meetings. CISOs can become more effective, strategic leaders by understanding prevailing boardroom thinking before setting foot in the boardroom.

The rise of the digital economy means the world now runs on applications. As a result, every company is becoming a software company. Yet, research done by IDG revealed that almost two-thirds of applications are not assessed for security.  

This whitepaper provides guidance on preparing for a high-profile vulnerability disclosure so risk-management or security teams can respond with the appropriate level of urgency. Teams can use it as a starting point to formulate a strategy for vulnerability responses and be prepared for the eventual disclosure.

Over the past few years, the view of the CISO as a high-level tactical asset has begun to change. This is in part due to high-profile breaches like Target and Sony, but also because CISOs have evolved their role to help enterprises innovate rather than holding back innovation.

Veracode’s research team performed a set of uniform tests across six home automation devices and organized the findings into four different domains: user-facing cloud services, back-end cloud services, mobile application interface and device debugging interfaces.

Most enterprises today do not build all the applications they use. In fact, the majority of a typical enterprise’s application portfolio is developed by outside vendors. How can enterprises ensure the security of these outsourced or “third-party” applications? Simply assuming these apps are safe is no longer an option. 

Written by a former CISO, this white paper describes strategies for effectively articulating your risk posture and security strategy to business executives.

Every enterprise is now a digital business. This whitepaper provides a detailed overview of Veracode's cloud-based service for protecting against application-layer threats and addressing compliance requirements.

Developing secure products in an agile environment can be challenging. Application vulnerabilities and coding issues are typically time-consuming to find, document, and fix with traditional testing tools. Short agile sprints don’t lend themselves to these long processes; however, there are ways to effectively integrate secure development with agile methods.

The prerequisite for dealing with cybersecurity is knowledge. Download this critical chapter to learn about web application vulnerabilities and hacking techniques; freely available crawling tools; and countermeasures to protect your web application infrastructure.

Adam Shostack is responsible for security development lifecycle (SDL) threat modeling at Microsoft and is one of a handful of threat modeling experts in the world. With specific actionable advice, he details how to build better security into the design of software from the outset. You'll explore various threat modeling approaches, find out how to test your designs against threats, and learn effective ways to address threats that have been validated at Microsoft and other top companies. Software developers will appreciate the jargon-free and accessible introduction to this essential skill. Security professionals will learn to discern changing threats and discover the easiest ways to adopt a structured approach to threat modeling.

Download the whitepaper authored by the FS-ISAC Third Party Software Security Working Group to understand the recommended controls for addressing third party software risk.

This independent paper analyzes control options and offers specific recommendations on control types for financial services firms to add to their vendor governance programs.

The harsh reality is that most internally developed applications are not assessed for critical security vulnerabilities such as SQL injection. IDG Research Services recently surveyed top IT and security executives at enterprises across a variety of industries in the U.S. and the U.K. to better understand the enterprise security landscape. This paper examines the survey results.

This paper, written by the independent security analyst group Securosis, is for security professionals who want to understand Agile development and the issues developers face, so both teams can work together better. Security teams are sharply focused on bringing security to applications and meeting compliance requirements in the delivery of these applications and services. On the other hand, the #1 job for software developers is to deliver code faster and more efficiently, with security placing a distant second. Both security professionals and developers may be tasked with security, but finding the best way to embed security into the software development lifecycle (SDLC) is not an easy challenge.

Read this report to learn about Forrester's 5-step plan for seizing control of your destiny as a CISO – and why the top 3 skills required to succeed are leadership, strategic thinking, and business knowledge.

Enterprises are still experiencing the paradigm shift towards mobile computing and still struggling to implement both their mobility strategies and Bring-Your-Own-Device (BYOD) programs. While IT understands the enterprise benefits of this shift, there is a gap between mobility eagerness and its readiness to deal with the new types of application security risks inherent with all mobile platforms.  

Organizations of all types depend on Veracode to confidentially analyze third-party applications. Veracode is serious about protecting the vendor’s intellectual property embedded in an application’s binary.

Mobile devices, particularly those owned by employees and used to access work applications, represent the latest front for attackers. Employees are downloading applications that are vulnerable to or infected with malware, and those apps sit on the same device as company e-mail, productivity/workforce, and other business applications.

Because of this new threat, SANS conducted a survey to discover organizational awareness and the procedures around mobile risk.

Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. Mobile devices are designed around personal and communication functionality which makes the top mobile applications risks different from the top traditional computing risks.

Dynamic Application Security Testing (DAST) has become an integral part of the SDLC in most organizations today. DAST tool vendors demonstrate their tools by allowing prospects to scan test sites so they can see how the scanner works and the reports generated.
This paper illustrates why we should not gauge the effectiveness of a particular scanner by only looking at the results from scanning these public test sites.

Download the guide "Five Best Practices of Vendor Application Security Management" and learn how independent verification and validation of third-party software, delivered through an on-demand service, can automate security acceptance testing and secure your enterprise.

The past few years have seen a massive increase in both the number and severity of threats facing applications. With these new threats comes a serious increase in the amount of pressure being put on Chief Information Security Officers (CISOs) and their IT security teams to protect this gateway to sensitive company and customer data. However, making a case for increased investment in application security can be a seemingly daunting task.

This paper will provide CISOs and their security teams with guidance for justifying application security investment as well as recommendations for how they can build their efforts into advanced application security programs.

This whitepaper helps Merchants and Service Providers understand and meet PCI DSS requirements.

As part of its FISMA responsibility to develop standards and guidance for federal agencies, NIST created Special Publication (SP) 800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems.” This whitepaper helps readers understand the relationship between NIST 800-37, FISMA and application security testing.

Backdoors and malicious code pose an operational risk to software that is too significant for organizations to ignore. This whitepaper discusses how binary (compiled code) analysis is the ideal platform for detecting backdoors and conducting the most complete independent security test, validation and verification of applications.