May 08, 2013 Added by:Rohit Sethi
Forcing a security process on development teams that doesn’t take into account the way they develop software is a recipe for disaster. A good goal to have for secure SDLC is to minimize the impact on the team’s existing software development practice.
May 01, 2013 Added by:Nish Bhalla
While there are many granular reasons for software security failures at the institutional, developer or vendor level - there are five industry-wide problems that are fueling the current state of insecurity. These are complicated problems and will not be easy to solve. But until we do, software security will remain at risk.
April 29, 2013 Added by:Rohit Sethi
The 2013 Verizon Data Breach Investigations Report has some important data for software development teams, particularly when considering the likelihood of certain threats to your system.
April 24, 2013 Added by:Rohit Sethi
Many automated scanning solutions are outstanding in their cost effectiveness and ability to find certain classes of vulnerabilities. For example, a properly-configured static analysis solution may help you find every instance of potential SQL injection in your software.
April 05, 2013 Added by:Simon Moffatt
As the devices becomes smarter, greater emphasis is placed on the data and services those devices access. Smartphones today come with a healthy array of encryption features, remote backup, remote data syncing for things like contacts, pictures and music, as well device syncing software like Dropbox. How much data is actually specifically related to the device?
April 04, 2013 Added by:Rohit Sethi
Before you perform your next security verification activity, make sure you have software security requirements to measure against and that you define which requirements are in-scope for the verification.
March 20, 2013 Added by:Ian Tibble
The early days of deciding what to do with the risk will be slow and difficult and there might even be some feisty exchanges, but eventually, addressing the risk becomes a mature, documented process that almost melts into the background hum of the machinery of a business.
February 21, 2013 Added by:Rohit Sethi
On February 15, the Open Web Application Security Project (OWASP) came out with its 2013 list of candidates for the Top 10 web application security flaws. The challenge is that while the Top 10 details security flaws, these flaws don’t map cleanly to requirements.
February 15, 2013 Added by:Rohit Sethi
The latest Rails security flaw is example of a common anti-pattern. The issue in each case is an abuse of extensibility. At first glance the idea is clever: allow for run-time execution of new code or binding of server-side variables without changing your compiled code, thereby greatly enhancing extensibility.
January 24, 2013 Added by:Fergal Glynn
It used to be that you could call for more secure software from individual vendors – and Microsoft heeded that call with its push for trustworthy computing in 2002 – but today we’re more dependent on software and more interconnected than ever. We rise and fall by the security of our associates...
January 24, 2013 Added by:David Navetta
The guidelines separately address app developers, app platform providers, mobile ad networks, operating system providers, and mobile carriers. A coalition of advertising and marketing industry groups recently responded, criticizing the guidelines...
January 16, 2013 Added by:Brandon Knight
Mobile devices continue to pick up steam on becoming the primary device that many people use for email, web browsing, social media and even shopping. As we continue installing app after app which we then put our personal information in to the question is how secure are these apps?
January 10, 2013 Added by:Matt Neely
During a recent visit to a client site, I took part in a discussion where the Development Department and the Security Department were arguing over which group was responsible for the security of web applications. Security felt it was the responsibility of the developers, and the developers felt it was the responsibility of security. I commonly see this debate taking place inside organizations, s...
December 25, 2012 Added by:Gene Kim
Want to see how infosec integrates into a DevOps work stream? Watch this fantastic talk by Justin Collins, Neil Matatall, and Alex Smolen from Twitter, called “Put Your Robots To Work: Security Automation at Twitter..."
Hacker to Release Symantec's PCAnywhere Sour... Kajal Singh on 04-21-2015
Financial Malware Fell in 2014 As Takedown O... Kajal Singh on 04-21-2015
Weaknesses in Air Traffic Control Systems ar... Kajal Singh on 04-21-2015