Blog Posts Tagged with "SSA"
October 28, 2011 Added by:Rafal Los
Threat modeling software is a delicate art, and often mis-understood enough to cause poor execution. It seems elementary that the best time to impact security in a positive way is during requirements gathering, yet many security professionals continue to ignore that opportunity...
August 27, 2011 Added by:Rafal Los
Security professionals need to ensure that we're doing what's right for the developers who will be building more secure software, rather than us security professionals who are adept at bolting on security bits. That's the big revelation here, but of course, only if you believe me...
July 24, 2011 Added by:Rafal Los
Security isn't somehow disconnected from the business... it's part of the business. When we fail to see that, to acknowledge that, then we lose - and by we I mean the entire community, the organization and you too...
July 06, 2011 Added by:Rafal Los
The technology available today for testing your applications is quite complex, but many folks simply want to push the "magic security button" and get fast, accurate results. That's simply impossible, but the requirements continue to demonstrate this want. So what do we do?
June 10, 2011 Added by:Rafal Los
Being able to tie exploitable issues in a running application to source code is the Holy Grail of security testing... but it's unlikely you'll get good adoption and success if you're trying to hand a bunch of developers black-box security testing technology...
June 01, 2011 Added by:Rafal Los
I've been learning a lot lately from one of my senior colleagues who's been doing this software security assurance thing much longer than I have, and the more time I spend with him the more I understand that it all comes down to one very simple question: Why?
May 25, 2011 Added by:Rafal Los
Can you handle the work it would take to ratchet up security on your applications? If you've got more than a dozen applications with more then 5 in the pipeline, you can figure on a single non-dedicated resource being able to handle one application security test per week, tops...
May 11, 2011 Added by:Rafal Los
While the blistering speed of application development and deployment may enable the business to be more agile and responsive to the changing business climate than ever, it creates unparalleled challenges for anyone with security as part of their job description...
April 19, 2011 Added by:Rafal Los
Money and technology alone won't bring us secure software or applications. Many times the idea of spending a large chunk of money on tools alone sounds appealing because someone selling you something says that you should - but I'd like to urge caution...
April 15, 2011 Added by:Rafal Los
Down-scaling an enterprise security challenge into a smaller fit is more of a challenge than you'd think, because it's just too easy to say 'outsource it all'... but how does that actually help an organization write more secure software? The answer is that it doesn't...
April 02, 2011 Added by:Rafal Los
Many organizations forego a Software Security Assurance (SSA) program simply because they don't develop their own software and so are missing the risks of the software or applications they are purchasing - don't get caught with this type of risk...
March 22, 2011 Added by:Rafal Los
When an organization's SSA Program is mature, they've minimized their spending (thus maximizing their efficiency), they're impacting their business in a minimal way, and have decreased latent IT-based risk to their business applications to an acceptable level...
February 15, 2011 Added by:Rafal Los
Process can be outlined in documentation and stored on a network share or published in a booklet on everyone's desktop. Process can be a workflow-driven project management system that requires a security-infused approach from requirements gathering all the way through post-release...
January 26, 2011 Added by:Rafal Los
You cannot reasonably expect to take application security analysis results and hurl them over the proverbial wall into the developer's world and expect something magical to happen. It won't. 9 out of 10 times the mass of bits you just sent over will be ignored, or worse, misunderstood...
January 23, 2011 Added by:Rafal Los
Having clearly-defined and attainable goals of your Software Security Assurance program is more important than almost anything else. While there are many subtleties to building goals in any organization, without them being clearly defined and reachable you cannot expect anything else but failure...
December 29, 2010 Added by:Rafal Los
So looking back on 2010 and where our footprints in the sand have led us to so far, I can't help but feel like we've been walking around in circles, talking about the same security issues over and over again but only changing up the words to make it look more appealing and calling it new...
Steps Toward Weaponizing the Android Platfor... Freid Jerome on 05-17-2013