Stop Freaking Out About Facebook Messenger

Facebook recently announced that mobile chat functionality would soon require users to install Facebook Messenger. Fueled by the media, many people have been overreacting about the permissions that Messenger requests before taking time to understand what the true privacy implications were. In a nutshell, Messenger is hardly an outlier relative to the other social media […]

The Rise of Application Security Requirements and What to Do About Them

As an engineering manager, I am challenged to keep pace with ever-expanding expectations for non-functional software requirements. One requirement, application security, has become increasingly critical in recent years, posing new challenges for software engineering teams. In what manner has security emerged as an application requirement? Are software teams equipped to respond? What can engineering managers […]

Just Another Web Application Breach

Another day another web application breach hits the news. This time ITWorld reports Hackers steal user data from the European Central Bank website, ask for money. I can’t say that I’m surprised. Although vulnerabilities (SQL Injection, cross-site-scripting, etc.) are easy for attackers to detect and exploit, they are still very common across many web applications. […]

Applications are Growing Uncontrollably and Insecurely

This year I’m working with IDG to survey enterprises to understand their application portfolio, how it’s changing and what firms are doing to secure their application infrastructure. The study found that on average enterprises expect to develop over 340 new applications in the 12 months. As someone that has been working in and around the […]

Secure Agile Q&A: API’s, IDE’s and Environment Integration

A few weeks back, I hosted a webinar called “Secure Agile Through Automated Toolchains: How Veracode R&D Does It”, and in this webinar I discussed the importance of security testing and how to integrate it into the Agile SDLC. There were so many questions from our open discussion following the webinar that I have taken […]

The Appsec Program Maturity Curve 2 of 4

As we’ve discussed, the program maturity model for Application Security has six levels. You should be able to recognize at which stage of the curve your particular organization is. The easiest one to recognize is an approach to AppSec called “Do Nothing”. Let’s assume if you are reading this, that’s not you.

If your organization is already pursuing an ad-hoc testing approach to manage the security of your software, you are not alone. Most enterprises with in-house application development teams do some kind of ad hoc AppSec testing, usually during the software QA process. Most organizations who understand the fundamental importance of AppSec start here.

The Appsec Program Maturity Curve 1 of 4

As information security professionals, we must pursue any opportunity to evolve our approach to Application Security. Most enterprises with in-house development teams do some kind of ad hoc AppSec testing, usually during the QA process. But maybe you think it’s time to do more than that, to get a bit more proactive in confronting the potential threats the organization faces from weak software security. Luckily there is a proven AppSec Program Maturity Curve that can help mature your existing effort, following a well-traveled road to overcoming common challenges along the way. Here’s the really good news: it’s easy to climb a few levels of the curve over a matter of months, not years.

Squashing Ants: The Dynamics of XSS Remediation

Is anyone else getting tired of hearing excuses from customers — and worse yet, the security community itself — about how hard it is to fix cross-site scripting (XSS) vulnerabilities? Oh, come on. Fixing XSS is like squashing ants, but some would have you believe it’s more like slaying dragons. I haven’t felt inspired to […]

1 2