Help!!! Developers are going blind from Log Files!This is a post by Sri Mallur, an instructor with the SANS Institute for SANS DEV541: Secure Coding in Java EE: Developing Defensible Applications.Sri is a security consultant at a major healthcare provider who has over 15 years of experience in software development and information security. He has designed and developed applications for large companies in the insurance, chemical, and healthcare industries. He has extensive consulting experience from working with one of the big 5. Sri currently focuses on security in SDLC by working with developers, performing security code reviews and consulting on projects. Sri holds a Masters in industrial engineering from Texas Tech University, Lubbock, TX and an
Late last year SANS conducted a survey on application security practices in enterprises. One of the questions asked in the survey was how often organizations are doing security testing. The responses were:
- No security testing policy for critical apps: 13.5%
- Only when applications are updated, patched or changed: 21.3%
- Annually: 14.3%
- Every 3 months: 18.0%
- Once a month: 9.5%
- Ongoing: 23.3%
What was most interesting to me is that almost of organizations are doing security testing on an ongoing, near-continuous basis — testing applications as they are being developed or changed.
The only way to test this frequently, and the effective way to scale security testing in large enterprises with thousands of applications and hundreds of web sites, is by relying heavily on
Jim Manico is the VP of Security Architecture for WhiteHat Security, a web security firm. Jim is a participant and project manager of the OWASP Developer Cheatsheet series. He is also the producer and host of the OWASP Podcast Series.
1. Although SQL Injection continues to be one of the most commonly exploited security vulnerabilities in the wild, Cross Site Scripting (XSS) is still the most common security problem in web applications. Why is this still the case? What makes XSS so difficult for developers to understand and to protect themselves from?
Mitigation of SQL Injection, from a developer point of view, is very straight forward. Parameterize your queries and bind your variables!
Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. As CTO and Principal, he leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader, member of the OWASP Global Membership Committee and co-lead of the OWASP Open Review Project. Dan has spoken at such international conferences as RSA, OWASP AppSec USA, and OWASP EU Research in Greece.
The cost of fixing software bugs has been studied for a long time now, with experts like Capers Jones collecting data from development and maintenance projects around the world. But up until recently there has been very little data available on the cost of remediating security vulnerabilities. Denim Group is one
SANS has just opened a survey to understand more about the challenges and risks that companies are facing in application security, and what tools and practices people have found are most effective in managing appsec problems.
Please follow this link and take 5-10 minutes to answer the survey questions:
Help shape the future of application security practices and technologies and also enter to win a $300 American Express gift card, which will be awarded to one lucky winner!
Sponsored by NT OBJECTives, Qualys, Whitehat Security and Veracode, this survey will remain online until November 7, 2012. Results will be published at http://www.sans.org/info/113477 on December 13, 2012, during a related