How to Run a Successful Proof of Concept for an Application Security Programme

So you’ve got upper management buy-in for your application security proof of concept and are ready to start scanning applications: how do you make sure your proof of concept (PoC) is a success and that you demonstrate the need to progress to a full scale program. This article describes some of the lessons learned at the start of our large-scale deployment of Veracode within our organisation.

The first step is to socialise the PoC internally through word of mouth, discussion forums, and developer communities by driving interest in the availability of a new tool for developers, which will assist in the development process and produce better code.

Veracode Directly Delivers Recommended Controls Called for by the Financial Services Industry

A group of leading banks, insurance, and mortgage companies including Aetna, Goldman Sachs, JP Morgan Chase, Citi, (among others) recently crafted recommended controls for addressing third party software security in the paper, “Appropriate Software Security Control Types for Third Party Service and Product Providers.” This paper acknowledges that conventional third party controls are no longer sufficient to cover the ever-expanding attack surface presented by web, mobile, and desktop applications developed by third party software suppliers. Further, this group offers three controls for addressing the risk posed by this third party software.

Video Interview with the CISO of Aetna, Jim Routh

Businesses run on software; it gives us the features and functions needed to make our teams more productive However, these applications and providers build, maintain, and host critical systems as well as high risk data and need to apply the same controls we use. Financial Services are inherently accountable for the risk from vulnerabilities in the software that serves our customers and employees. Too few enterprises have adapted to the growing attack surface of web applications by addressing vendor software security.

Golang’s Context Aware HTML Templates

Golang is a new open source programming language that is growing in popularity. Since I am getting bored of Python, I decided to begin studying it. While I’m really enjoying it as a language, I was completely caught off guard when I started reading about Golang’s built in HTML templating package. I noticed in their […]

All Hail Senator Appsec

Pen testing? Vulnerability scanning? The U.S. Senate's newest member shows that he can ask the tough questions on privacy and data security. It’s about time.

The technical aptitude of our elected representatives – or the lack of it – is so pronounced that it has become the butt of jokes. Long after the late Alaska Senator Ted Stevens inaptly likened the Internet to a “series of tubes” in 2006, congressmen and women continue to exhibit head-slapping ignorance about topics (like online advertising) that (in theory) they are making laws to govern.

The Appsec Program Maturity Curve 3 of 4

A dedicated and rigorous Application Security Program is best pursued as a sustained, policy-driven program that employs proactive, preventative methods to manage software risk. It will deliver an effective software security strategy that addresses both immediate and systemic risks with a rigorous plan and continued investment. The mantra of any successful AppSec Program is utilization, adoption and expansion. Without a clearly defined and governed policy, none of these is possible.

Static Testing vs. Dynamic Testing

With reports of website vulnerabilities and data breaches regularly featuring in the news, securing the software development life cycle (SDLC) has never been so important. The enterprise must, therefore, choose carefully the correct security techniques to implement. Static and dynamic analyses are two of the most popular types of security test. Before implementation however, the security-conscious enterprise should examine precisely how both types of test can help to secure the SDLC. Testing, after all, can be considered an investment that should be carefully monitored.

Security Headers on the Top 1,000,000 Websites: November 2013 Report

It has been almost exactly a year since we conducted the first top 1 million security headers report so it is a great time to re-run the analysis and see how well security header adoption is growing. As before, the latest Chrome and Firefox User-Agent strings were used to make requests to the top 1 million sites over both HTTP and HTTPS. Out of the 2,589,918 responses we had over 100,000 distinct security headers and values to analyze.

1 3 4 5 6 7 64