Blog Posts Tagged with "Secure Coding"
Broken Logic: Avoiding the Test Site Fallacy
July 25, 2012 Added by:Fergal Glynn
Dynamic Application Security Testing (DAST) tool vendors demonstrate their tools by allowing prospects to scan test sites so they can see how the scanner works and the reports generated. We should not gauge the effectiveness of a scanner by only looking at the results from scanning these public test sites...
Comments (1)
Deploying Code Faster as a Security Feature?
July 24, 2012 Added by:Rafal Los
What if deploying faster is actually a security feature? I can empathize with the frustration many security professionals feel when they find a critical issue in an application only to be told that the patch will be rushed in about 3 months. I'd certainly love to hear that the update will be shipped this afternoon...
Comments (1)
Software Security Assurance: Figuring Out the Developers
July 18, 2012 Added by:Rafal Los
From organizations that don't care about the security of their applications to those that follow "best practices", to those that never stop spending money and trying to improve - they all have one thing in common: They've experienced a security incident of varying levels of calamity...
Comments (0)
Security Mistakes You Will Make on Your Next Cloud Project
July 18, 2012 Added by:Danny Lieberman
The Cloud Security Control model looks great, but it doesn’t mitigate core vulnerabilities in your software. Once you choose the right service model and vendor, put aside the security reference models and focus on hardening your application software. It’s your code that will be running in someone else's cloud...
Comments (0)
Web Application Firewalls: There is No Spoon
July 12, 2012 Added by:Wendy Nather
I agree that some apps can't be remediated in a short time span, others can't ever be fixed, and so on - for those exigencies a WAF is better than nothing. However, I would caution anyone against deciding that the wave of the future is to rely on the WAF or other network-based security device for application security...
Comments (1)
Detecting Unknown Application Vulnerabilities "In Flight"
July 10, 2012 Added by:Rafal Los
While you certainly can use velocity and frequency to detect attacks against a web application, high frequency doesn't always mean an attack or that a vulnerability is present. But, it is a fallacy to assume that a component needs to have a high frequency or velocity to signal targeting by an attacker...
Comments (0)
Nonsense Abounds, and More is Coming...
July 05, 2012 Added by:Jack Daniel
You cannot “stop attacks”, you can only alter the consequences of the attacks. You can stop attacks from succeeding sometimes, and minimize the impact on your organization, but the attacks will come no matter what. Further, the idea that “attacks” only fall into two categories, zero-day and patchable, is more nonsense...
Comments (1)
In Secure Programming, the Documentation Matters Too
June 28, 2012 Added by:Keith Mendoza
Some will argue that using the documentation is a cop out; that it's more of a liability protection than "secure programming". I would argue that the documentation should be part of the "secure programming" practice because it makes it clear to everyone what they should expect from the application...
Comments (0)
The Resilient Enterprise: Learning to Fail Part 2
June 25, 2012 Added by:Rafal Los
Failing with the support of a DevOps tribe can lead to a more resilient enterprise and ultimately better enterprise security. In the following few sections we're going to take a look at combining tools, processes and the tribe mentality to solve some otherwise ugly problems - and come out the other side...
Comments (0)
Static Analysis: Hopper’s Decompiler Feature
June 22, 2012 Added by:Fergal Glynn
After reading this tutorial, hopefully binaries will appear less inscrutable and magical, and you will understand why reverse engineers laugh in the face of programmers who think no one will understand their awesome secret algorithm without the source code. Don’t count on “but it’s compiled” as a security feature...
Comments (0)
Software Security is a Business Problem
June 14, 2012 Added by:Rafal Los
Information Security hasn't figured out how to actually approach the problem of insecure code. Security is still largely seen as the "not my problem" problem. It's not that developers have singled out security as something they want to ignore - it's that they've got too many other things to worry about...
Comments (0)
Building Secure Web Applications: An Infographic
June 14, 2012 Added by:Fergal Glynn
Neglecting to take security measures at the application layer is one of the most common causes of data breaches, yet many companies still leave their applications unprotected. Securing applications begins with developer training on the risks applications face and methods required for vulnerability prevention...
Comments (0)
The Path to NoOps is Through the Cloud
June 12, 2012 Added by:Rafal Los
So what is the single most valuable piece of technology that can push a development closer towards a NoOps methodology? I believe it's the adoption of cloud computing. While many of the security folks who read this blog are probably shaking their heads right about now, read on and let me convince you...
Comments (0)
Disclosures: The Vulnerability of Publicly Traded Companies
June 12, 2012 Added by:Fergal Glynn
What we’ve been lacking is quantitative information that helps inform the debate around application security. We want to use this data to shape the conversation around application security so that our attention gets focused on the right things and our investments get made in the right areas...
Comments (1)
What's in a Name: Does DevOps Need a Security Flavor?
June 12, 2012 Added by:Rafal Los
Lots of folks are trying to remove bottlenecks between development and deployment within an organization to get IT to a more agile state. Every once in a while someone talks about security - I've been trying to figure out whether and how we should be discussing the DevOps and security relationship...
Comments (0)
SUDOERS Commented Code Includes Use for Evil
May 31, 2012 Added by:Rob Fuller
When I started looking into appending or inserting lines into /etc/sudoers for CCDC, I happened upon an interesting function of that file. Near the end of the file there are two lines that look commented out, but in actuality are interpreted and acted upon, an evil way to stay hidden on a 'nix box...
Comments (1)
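The "commented" lines the post refers to are the sudoers(5) include directives: `#include FILE` and `#includedir DIR` (and, in sudo 1.9.1 and later, the `@include`/`@includedir` spellings) are parsed as directives even though they start with `#`, so a stray entry pointing at an attacker-controlled file can hide among real comments. The following check, added here and not taken from the original post, lists every such directive in a sudoers-style file so a reviewer can verify each target. The sample file is constructed for the demo and is not a real `/etc/sudoers`; the regex only matches `#include`/`#includedir` written without whitespace between the `#` and the keyword.

```shell
#!/bin/sh
# Added example: find sudoers lines that look like comments but are include directives.
# Per sudoers(5), '#include FILE' and '#includedir DIR' (or '@include'/'@includedir'
# on sudo >= 1.9.1) are directives; every other line beginning with '#' (apart from
# numeric user specs such as '#1000 ALL=(ALL) ALL') is an ordinary comment.

# sudoers_directives FILE : print each include/includedir directive with its line number
sudoers_directives() {
    grep -nE '^[[:space:]]*[#@]include(dir)?[[:space:]]+' "$1"
}

# sudoers_directive_count FILE : number of include/includedir directives found
sudoers_directive_count() {
    # grep exits 1 when nothing matches; wc still prints 0, which is what we want
    sudoers_directives "$1" | wc -l | tr -d ' '
}

# sudoers_sample_file : write a constructed sudoers-style sample (NOT a real /etc/sudoers)
# to a temp file and print its path
sudoers_sample_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# This is a real comment and is ignored by sudo
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
#includedir /etc/sudoers.d
# Another real comment
#include /etc/sudoers.local
EOF
    printf '%s\n' "$f"
}

# Stand-alone demo: list the directives hiding in the constructed sample
demo_file=$(sudoers_sample_file)
sudoers_directives "$demo_file"
rm -f "$demo_file"
```

On a real host run `sudoers_directives /etc/sudoers` and then inspect each referenced file or directory (ownership, mode, and contents); a second `#includedir` beside the distribution's default, or an `#include` of a world-writable path, is the pattern the post describes.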