A lot of the revisions to PCI DSS point toward the realization that security must be built into the development process. The foundation that ultimately controls the success or failure of this process must be built upon knowledge — that means training developers to avoid common coding flaws that can lead to different types of […]
A roundtable discussion of medical device security finds that innovation in the connected health space is outstripping security. And the problem will get worse before it gets better. Physicians are used to counseling their patients on the need to take care of themselves and take reasonable precautions to protect themselves from harm. Are you fond […]
In November’s update to PCI DSS, now on version 3.0, you may have noticed that the PCI Security Council switched the order of the first two application security focused sub-requirements. Requirement 6.1 now focuses on establishing ongoing best practices, while 6.2 moves on to patching and remediation efforts. Some of our customers have questioned the […]
I may be one of the few people that gets excited about regulations, controls, and guidance. But I suspect that there are many cyber security leaders that are excited and encouraged by the newly released PAS754:2014. This document provides a general framework for addressing cyber security and can also be used in conjunction with other […]
In the revisions to PCI DSS, now on version 3.0, the PCI Security Council added a note to Requirement 6.3, extending the secure software development mandate to include all custom, third-party developed software. At Veracode, we’ve been talking about the need to secure your third-party code for quite some time now, so we’re excited to […]
An updated guide on risk management practices recommends that companies pay more attention to the security of their software supply chain. A draft release of an updated risk management guide from the National Institute of Standards and Technology (NIST) is warning federal agencies and other firms that operate “high impact systems” to pay more attention […]
A report released in the UK this week highlighted nicely the link between software security and data protection- a very hot topic this side of the pond in the midst of EU regulation reform and post-PRISM privacy concerns. The Information Commissioner’s Office (ICO), the UK’s independent regulatory office dealing with data protection and data privacy, […]
Every year the world seems to grow a little more regulated – and punitive. We’re now seeing banks suing retailers and compliance management firms over PCI assessments. And the recent breach in question appears to be related to insufficient controls around third-party suppliers. According to the Verizon PCI Compliance Report, 84% of organizations that suffered […]
As a pentester, it’s always a different story when we are the ones writing the report. Being on the receiving end is stressful, even more so when you throw compliance into the mix. I figured since I have been fielding questions left and right about what to do when it comes to mobile applications and HIPAA compliance, I would simply write a blog post on the topic.
The first hurdle to running any successful Application Security program is getting it adequately funded. This should come as no great surprise to anyone. Software security is no different than any other IT initiative. Even a willing security team who has considered the ways needs to find the means, and that involves making a compelling case to those that hold the purse strings.