Enterprises are still experiencing the paradigm shift towards mobile computing and still struggling to implement both their mobility strategies and Bring-Your-Own-Device (BYOD) programs. While IT understands the enterprise benefits of this shift, there is a gap between mobility eagerness and its readiness to deal with the new types of application security risks inherent in all mobile platforms.
Learn what FS-ISAC and security executives from blue-chip financial services firms recommend to reduce third-party software risk and manage vendor governance.
Strategies for effectively articulating your risk posture and security strategy to business executives.
As part of its FISMA responsibility to develop standards and guidance for federal agencies, NIST created Special Publication (SP) 800-37 “Guide for the Security Certification and Accreditation of Federal Information Systems.” This whitepaper helps readers understand the relationship between NIST 800-37, FISMA and application security testing.
This whitepaper explains how Payment Vendors can meet Visa PABP requirements and prepare for PCI PA-DSS compliance.
On-demand application security testing offered as an outsourced service – based on binary analysis and multiple scanning technologies – is a major step toward reducing risk in applications developed in house as well as applications purchased from third-party vendors. Learn how moving to a SaaS model for application security can automate your code reviews.
This whitepaper helps Merchants and Service Providers understand and meet PCI DSS requirements.
This whitepaper outlines how new application security technologies enable organizations to meet the growing threat posed by software and provides risk management best practices which enterprises can use to secure their application inventory.
The Web’s most prevalent application vulnerability remains an open door to attack on your business and your customers. It doesn’t have to be. Eradicate Cross-site Scripting is a whitepaper written to empower organizations to expand their web security programs. This whitepaper provides an introduction to Cross-site Scripting (XSS) and details of Veracode's Free Service that empowers you to begin a campaign to eradicate XSS vulnerabilities in corporate applications.
It is imperative to include security testing in application development. Yet, with Agile’s fast pace and lean concepts, it is easy to see how many organizations would simply consider testing for application security defects to be too costly in terms of both time and resources. The reasons behind these beliefs are concerns over the cost of the tooling versus the benefit, the cost of deploying the tools and training staff on them, the inability of these tools to fit into Agile development processes, and the objections of developers who must become proficient in the use of the tools. This paper addresses these concerns and describes methods that utilize Veracode’s Security Review and methodologies for security testing that succeed in the Agile world.
Modern mobile applications run on mobile devices that have the functionality of a desktop or laptop running a general purpose operating system. In this respect many of the risks are similar to those of traditional spyware, Trojan software, and insecurely designed apps. However, mobile devices are not just small computers. Mobile devices are designed around personal and communication functionality which makes the top mobile applications risks different from the top traditional computing risks.
What do Google, RSA, Sony, PBS, Barracuda Networks, HBGary and numerous other high profile organizations have in common? All have been breached through vulnerabilities in software applications and often by applications that they didn’t develop, but rather purchased from third-parties. One thing is clear—Software is the Achilles’ heel of information security; vulnerable applications represent a critical area of exposure and a highly significant risk to the business. And yet, while organizations take a rigorous approach to quality assurance of their applications from a functional perspective, very few have anything close to a systematic, policy-based program for detecting and remediating software security flaws.
In September 2011 Gartner published a research note (ID Number: G00216359) titled “Critical Security Questions to Ask a Cloud Service Provider”. The research note provides a checklist of security-related questions that organizations should ask prospective providers of cloud-based services, as part of their due diligence process. For the full report, please contact Gartner directly.
Veracode fully agrees that security is a core component of any cloud-based platform or service. We embrace Gartner’s checklist as part of an organization’s process for evaluating cloud-based application security solutions. Veracode’s specific approach and response to each Gartner requirement is outlined within.
Dynamic Application Security Testing (DAST) has become an integral part of the SDLC in most organizations today. DAST tool vendors demonstrate their tools by allowing prospects to scan test sites so they can see how the scanner works and the reports it generates.
This paper illustrates why we should not gauge the effectiveness of a particular scanner by only looking at the results from scanning these public test sites.
Download the guide – "Five Best Practices of Vendor Application Security Management” and learn how independent verification and validation of third-party software, delivered through an on-demand service, can automate security acceptance testing and secure your enterprise.
The past few years have seen a massive increase in both the number and severity of threats facing applications. With these new threats comes a serious increase in the amount of pressure being put on Chief Information Security Officers (CISO) and their IT security teams to protect this gateway to sensitive company and customer data. However, making a case for increased investment in application security can be a seemingly daunting task.
This paper will provide CISOs and their security teams with guidance for justifying application security investment as well as recommendations for how they can build their efforts into advanced application security programs.
How do you manage the risk posed by your applications? Are you confused by the multitude of technology options available to test your applications? What is the difference between penetration testing and automated scanning? Why do you need to build an effective Application Security program?
This paper will answer all these questions and provide nascent security professionals guidance and recommendations they need to build an effective Application Security program for their enterprises.
Mobile devices, particularly those owned by employees and used to access work applications, represent the latest front for attackers. Employees are downloading applications vulnerable to or infected with malware that mix with company e-mail, productivity/workforce, and other business applications.
Because of this new threat, SANS conducted a survey to discover organizational awareness and the procedures around mobile risk.
Download the whitepaper authored by the FS-ISAC Third Party Software Security Working Group to understand the recommended controls for addressing third-party software risk.
This independent paper analyzes control options and offers specific recommendations on control types for financial services firms to add to their vendor governance programs.