Blog Posts Tagged with "SDLC"

219bfe49c4e7e1a3760f307bfecb9954

Can Software Security Requirements Yield Faster Time to Market?

October 17, 2013 Added by:Rohit Sethi

Addressing security requirements while building software is substantially faster than fixing security vulnerabilities later, and since so many organizations end up mandating fixing security defects, preventing those defects up-front yields faster time-to-market.

Comments  (0)

219bfe49c4e7e1a3760f307bfecb9954

The Three Patterns of Software Development for SDLC Security

August 30, 2013 Added by:Rohit Sethi

A one-sized fits all approach to Software Development Life Cycle (SDLC) security doesn’t work. Practitioners often find that development teams all have different processes – many seem they are special snowflakes, rejecting a single SDLC security program.

Comments  (4)

0a8cae998f9c51e3b3c0ccbaddf521aa

Enterprise Software Security - The Fake Choice Between Fast and Secure

June 12, 2013 Added by:Rafal Los

If adding security to your enterprise software development methodology and lifecycle creates a significant amount of drag on the actual release deadlines —for an extended period of time — you’re doing it wrong.

Comments  (0)

219bfe49c4e7e1a3760f307bfecb9954

Three Reasons Why a One-Size-Fits-All Secure SDLC Solution Won’t Work

May 08, 2013 Added by:Rohit Sethi

Forcing a security process on development teams that doesn’t take into account the way they develop software is a recipe for disaster. A good goal to have for secure SDLC is to minimize the impact on the team’s existing software development practice.

Comments  (1)

B3686baa29e6fe1c9c2e3feb0f9ebf99

Why Are We Failing at Software Security?

May 01, 2013 Added by:Nish Bhalla

While there are many granular reasons for software security failures at the institutional, developer or vendor level - there are five industry-wide problems that are fueling the current state of insecurity. These are complicated problems and will not be easy to solve. But until we do, software security will remain at risk.

Comments  (2)

219bfe49c4e7e1a3760f307bfecb9954

How to comply with PCI DSS 6.3

March 09, 2013 Added by:Rohit Sethi

If you process, transmit or store credit card data in your software then you’re likely subject to the Payment Card Industry Data Security Standard (PCI DSS). One of the most onerous sections of the PCI DSS is requirement 6: Develop and maintain secure systems and applications.

Comments  (0)

0a8cae998f9c51e3b3c0ccbaddf521aa

The SDLC Knowledge Gap in Motion: DevOps to the Rescue?

September 12, 2012 Added by:Rafal Los

I can't tell you the fun things we found in this pre-production environment when we started digging around during security testing. No, really, I can't tell you, but rest assured it didn't end with misconfigurations, or accidental code bits being included...

Comments  (0)

68b48711426f3b082ab24e5746a66b36

Broken Logic: Avoiding the Test Site Fallacy

July 25, 2012 Added by:Fergal Glynn

Dynamic Application Security Testing (DAST) tool vendors demonstrate their tools by allowing prospects to scan test sites so they can see how the scanner works and the reports generated. We should not gage the effectiveness of a scanner by only looking at the results from scanning these public test sites...

Comments  (1)

0a8cae998f9c51e3b3c0ccbaddf521aa

Deploying Code Faster as a Security Feature?

July 24, 2012 Added by:Rafal Los

What if deploying faster is actually a security feature? I can empathize with the frustration many security professionals feel when they find a critical issue in an application only to be told that the patch will be rushed in about 3 months. I'd certainly love to hear that the update will be shipped this afternoon...

Comments  (1)

0a8cae998f9c51e3b3c0ccbaddf521aa

Software Security Assurance: Figuring Out the Developers

July 18, 2012 Added by:Rafal Los

From organizations that don't care about the security of their applications to to those that follow "best practices", to those that never stop spending money and trying to improve - they all have one thing in common: They've experienced a security incident of varying levels of calamity...

Comments  (0)

0a8cae998f9c51e3b3c0ccbaddf521aa

The Path to NoOps is Through the Cloud

June 12, 2012 Added by:Rafal Los

So what is the single most valuable piece of technology that can push a development closer towards a NoOps methodology? I believe it's the adoption of cloud computing. While many of the security folks who read this blog are probably shaking their heads right about now, read on and let me convince you...

Comments  (0)

0a8cae998f9c51e3b3c0ccbaddf521aa

What's in a Name: Does DevOps Need a Security Flavor?

June 12, 2012 Added by:Rafal Los

Lots of folks are trying to remove bottlenecks between development and deployment within an organization to get IT to a more agile state. Every once in a while someone talks about security - I've been trying to figure out whether and how we should be discussing the DevOps and security relationship...

Comments  (0)

68b48711426f3b082ab24e5746a66b36

What’s Going Right with Your Secure Development Efforts?

May 04, 2012 Added by:Fergal Glynn

Security professionals place developer’s code under a microscope and highlight each and every flaw, so you can appreciate why there may be some tension. Testing of code only offers assessments of what they did wrong. Can we apply a different lens while having this conversation?

Comments  (0)

00c83c62ef65f17ce8e790850c596964

Secure Now or Forever...

February 24, 2012 Added by:Pamela Gupta

Traditional access control is simple, but permission-based access has become challenging – applications that request the user’s permission to access sensitive data explicitly. We are expecting users to be system administrators without adequate training, which is not feasible...

Comments  (0)

0a8cae998f9c51e3b3c0ccbaddf521aa

Enterprise Security and the Battle Over Productivity

February 11, 2012 Added by:Rafal Los

The trick is, when security can't clearly and absolutely get definition on what employees should and shouldn't be allowed to do, they have to implement the law of least privilege overly aggressively and then things get slow, tedious, and everyone complains about security...

Comments  (0)

0a8cae998f9c51e3b3c0ccbaddf521aa

Straight Talk about Compliance from a Security Viewpoint

February 09, 2012 Added by:Rafal Los

Odds are, you can usually close out multiple compliance requirements across multiple requirements regulations by doing something singular in a security program. Performing software security audits during various phases of your SDLC solves many compliance requirements...

Comments  (0)

Page « < 1 - 2 > »