Blog Posts Tagged with "SDLC"
May 08, 2013 Added by:Rohit Sethi
Forcing a security process on development teams that doesn’t take into account the way they develop software is a recipe for disaster. A good goal to have for secure SDLC is to minimize the impact on the team’s existing software development practice.
May 01, 2013 Added by:Nish Bhalla
While there are many granular reasons for software security failures at the institutional, developer or vendor level - there are five industry-wide problems that are fueling the current state of insecurity. These are complicated problems and will not be easy to solve. But until we do, software security will remain at risk.
March 09, 2013 Added by:Rohit Sethi
If you process, transmit or store credit card data in your software then you’re likely subject to the Payment Card Industry Data Security Standard (PCI DSS). One of the most onerous sections of the PCI DSS is requirement 6: Develop and maintain secure systems and applications.
September 12, 2012 Added by:Rafal Los
I can't tell you the fun things we found in this pre-production environment when we started digging around during security testing. No, really, I can't tell you, but rest assured it didn't end with misconfigurations, or accidental code bits being included...
July 25, 2012 Added by:Fergal Glynn
Dynamic Application Security Testing (DAST) tool vendors demonstrate their tools by allowing prospects to scan test sites so they can see how the scanner works and the reports generated. We should not gage the effectiveness of a scanner by only looking at the results from scanning these public test sites...
July 24, 2012 Added by:Rafal Los
What if deploying faster is actually a security feature? I can empathize with the frustration many security professionals feel when they find a critical issue in an application only to be told that the patch will be rushed in about 3 months. I'd certainly love to hear that the update will be shipped this afternoon...
July 18, 2012 Added by:Rafal Los
From organizations that don't care about the security of their applications to to those that follow "best practices", to those that never stop spending money and trying to improve - they all have one thing in common: They've experienced a security incident of varying levels of calamity...
June 12, 2012 Added by:Rafal Los
So what is the single most valuable piece of technology that can push a development closer towards a NoOps methodology? I believe it's the adoption of cloud computing. While many of the security folks who read this blog are probably shaking their heads right about now, read on and let me convince you...
June 12, 2012 Added by:Rafal Los
Lots of folks are trying to remove bottlenecks between development and deployment within an organization to get IT to a more agile state. Every once in a while someone talks about security - I've been trying to figure out whether and how we should be discussing the DevOps and security relationship...
May 04, 2012 Added by:Fergal Glynn
Security professionals place developer’s code under a microscope and highlight each and every flaw, so you can appreciate why there may be some tension. Testing of code only offers assessments of what they did wrong. Can we apply a different lens while having this conversation?
February 24, 2012 Added by:Pamela Gupta
Traditional access control is simple, but permission-based access has become challenging – applications that request the user’s permission to access sensitive data explicitly. We are expecting users to be system administrators without adequate training, which is not feasible...
February 11, 2012 Added by:Rafal Los
The trick is, when security can't clearly and absolutely get definition on what employees should and shouldn't be allowed to do, they have to implement the law of least privilege overly aggressively and then things get slow, tedious, and everyone complains about security...
February 09, 2012 Added by:Rafal Los
Odds are, you can usually close out multiple compliance requirements across multiple requirements regulations by doing something singular in a security program. Performing software security audits during various phases of your SDLC solves many compliance requirements...
November 17, 2011 Added by:Andrew Weidenhamer
The problem with using a risk based approach is the manner in which risk is defined and accepted. As long as there is a good Risk Assessment methodology in place and further good reasons and justifications to deal with risk, then using a risk based approach is perfectly acceptable...
June 03, 2011 Added by:Rafal Los
Holding a vendor accountable is understandable, since that is their primary business. There's really no excuse when a vendor of security products gets exploited or has a publicly disclosed exploit... well, sort of right? In the final analysis, what is it really all about?
April 25, 2011 Added by:kapil assudani
With a secure coding skillset missing from their primary job responsibility, and no enterprise process that introduces/enforces a secure coding process, there are really no incentives for developers to go the extra mile of introducing security into their code...
Mobile Security Processes Could Be Applied t... Johnnie Nix on 05-21-2013
ATM Security (And Really Learning from the P... Johnnie Nix on 05-21-2013
New Study Published on Mobile Malware... Caitlin Rachel on 05-21-2013