Blog Posts Tagged with "Software Security Assurance"


Application Software and Security: A Tale of Two Market Sizes

February 19, 2012 Added by: Fergal Glynn

We spend 0.3% of what we pay for software on ensuring that it is secure. Now you can argue that manual testing is not included. However, even when you account for this variance, the gap in what we spend to buy software and what we spend to secure it is huge...


Straight Talk about Compliance from a Security Viewpoint

February 09, 2012 Added by: Rafal Los

Odds are, you can usually close out multiple compliance requirements across multiple regulations by doing something singular in a security program. Performing software security audits during various phases of your SDLC solves many compliance requirements...


Top Ten Java Frameworks Observed in Customer Applications

February 08, 2012 Added by: Fergal Glynn

One of the things we record when scanning applications is the presence of frameworks and other supporting technologies, and we’ve been at work mining that data to understand what developers use to build their applications. We’d like to share some of that research with you today...


The Valley of Death Between IT and Security

February 03, 2012 Added by: Danny Lieberman

Truly – the essence of security is protecting the people who use a company’s products and services. What utility is there in running 24×7 systems that leak 4 million credit cards or developing embedded medical devices that may kill patients?


Mobile Application Security: New Platforms, Old Mistakes

January 24, 2012 Added by: Fergal Glynn

While Android may be a new platform, some of the security issues we found are reminiscent of old mistakes we have seen developers make. One example of this was the practice of hard-coding cryptographic keys directly into the application...


Designing Applications for Compromise

January 24, 2012 Added by: Rafal Los

Make sure you're thinking ahead and designing applications to be resilient in the face of a complete compromise - including the information therein and connected accounts - so your users can still get back to the application even after it's been ravaged by hackers...


Security and the Theory of Constraints

January 16, 2012 Added by: Danny Lieberman

Security management is tricky. It’s not only about technical controls and good software development practice. It’s also about management responsibility. If you remember the Theory of Constraints, there is only one thing that limits a system's (or company's) performance...


Challenges for Software Security Professionals

December 02, 2011 Added by: Rafal Los

So what catches your attention? What conclusions can you draw here that may be insight into how we can improve the state of software security in the enterprise? My eye gets caught on "politics" and TOOLS in big bold letters... then UPHILL and APATHY. Dang, we're a cynical bunch aren't we...


Free From Defect Software License

November 22, 2011 Added by: Keith Mendoza

This is a question that I would like to pose to the open-source software community: Assuming that we can ignore the lawyers for a second, what amount of effort would you be willing to put in to produce software that is free of defects in workmanship? How will you go about making sure?


Does Software Security Suffer When the Customer is No Longer Master?

November 22, 2011 Added by: Josh Shaul

When you measure the impact on share price, it’s not worth it to build secure software. Buyers are gobbling up the vulnerable stuff as quickly as they can get their hands on it, and the people who pay the price are those whose data is stolen and whose lives are turned upside down in the aftermath...


Wanted: Software Security Specialists... Are There Any?

November 22, 2011 Added by: Rafal Los

You don't just go to college, get a degree in 'software security' and walk into a job being great at it - mostly because that degree doesn't exist, but also because the days of being able to walk into a job like this are probably long behind us...


The Fine Line Between Software Defects and Features

November 09, 2011 Added by: Rafal Los

When we find a bug in software that has the potential for causing security-related issues, we want to convince the business to fix the issue, remediate the problem that we find. Only thing is, while we see it as a security vulnerability the business sees it as a critical feature...


Effective Software Security Starts and Ends with Requirements

October 28, 2011 Added by: Rafal Los

Threat modeling software is a delicate art, and often misunderstood enough to cause poor execution. It seems elementary that the best time to impact security in a positive way is during requirements gathering, yet many security professionals continue to ignore that opportunity...


Scanning Applications Faster - A Chicken vs. Egg Problem

October 09, 2011 Added by: Rafal Los

We need to shift the security culture from "find bugs" to "fix bugs" or else we're in deep, deep trouble. Don't get me wrong, once the software industry has figured out how to write secure software by design, then we can worry about demanding bigger, better, faster scanning automation...


Dynamic Application Security Testing (DAST)

October 05, 2011 Added by: Rafal Los

Dynamic Application Security Testing (DAST) is one of the long-standing staples of Software Security Assurance, and has been the anchor by which many organizations have bootstrapped their efforts to write better code. Whether this is the correct approach or not is not the question...


Auditing vs. Secure Software - An Inconvenient Argument

September 19, 2011 Added by: Rafal Los

You may have missed one of the strangest exchanges I think I've seen in a long while. An out-of-the-blue scathing blog post by Oracle's CSO prompted a swift response from VeraCode's Chief Technology and Security Officer. What brought this on is anyone's guess...
