With all the breaches and cyberattacks in the news, your executives are probably asking you: "How can we make our application security policy more effective?" According to a recent Gartner report, "Policy is an important form of communication about risk, and the impact on the reader will be maximized if the text is well-crafted in organizational appropriateness and writing style." The report also… READ MORE

RSA is here again.  This year our crew is decked out in spiffy monster ties, sweater vests and cardigans. And here I am again, blogging from my cube.  As usual, I’m perusing the RSA site looking for interesting things that my fellow non-attendees can look at.  And before you ask – no I couldn’t watch the live streaming of the RSA keynote. I… READ MORE

If you are like most CISOs who are starting or scaling up application security programs, you will run into the challenges listed in this infographic.  When you think about it, all of these challenges are interconnected.  The traditional approach of assessing applications with tools requiring security expertise isn’t currently scaling up to assess the volume of applications being produced by… READ MORE

Iain Sutherland, as Managing Director of Information Security Solutions, recruits security executives for large enterprises.  He has a front row view of how the role of security executives and the skills that enterprises value for the CISO position have changed over the last few years. When I met Iain a few weeks ago he pointed out that having a list of security certification acronyms appearing… READ MORE

The path of least resistance for cyber-criminals is often to attack well-known vulnerabilities in enterprise-developed web and mobile applications. This infographic shows that large enterprises have thousands of applications to address in order to minimize the risk of a data breach. On average, enterprises spend $1.65 million to test 37% of their applications for security vulnerabilities commonly… READ MORE

Does this resemble your application security program's coverage? We can help.   Another day another web application breach hits the news. This time ITWorld reports Hackers steal user data from the European Central Bank website, ask for money. I can’t say that I’m surprised. Although vulnerabilities (SQL Injection, cross-site-scripting,… READ MORE

This year I’m working with IDG to survey enterprises to understand their application portfolio, how it’s changing and what firms are doing to secure their application infrastructure. The study found that on average enterprises expect to develop over 340 new applications in the 12 months. As someone that has been working in and around the… READ MORE

The IDG study found that more than sixty percent of internally developed applications are not assessed for critical security vulnerabilities such as SQL Injection.   Later this week I’ll be joining IDG Market Research Manager, Perry Laberis for a webinar to discuss a study on how application infrastructures are changing and how security… READ MORE

Every year the world seems to grow a little more regulated – and punitive. We’re now seeing banks suing retailers and compliance management firms over PCI assessments. And the recent breach in question appears to be related to insufficient controls around third-party suppliers. According to the Verizon PCI Compliance Report, 84% of… READ MORE

So once again, I’m not attending RSA. While my counterparts are working our booth in their new Veracode kicks, and meeting with customers, I’m perusing the RSA conference videos and podcasts for interesting things to read. The Risk and Responsibility in a Hyper-Connected World podcast got my attention – mostly because it promised some… READ MORE