AppSec Blog: Author - Jim Bird

Security Testing: Less, but More Often can make a Big Difference

Late last year SANS conducted a survey on application security practices in enterprises. One of the questions asked in the survey was how often organizations are doing security testing. The responses were:

No security testing policy for critical apps: 13.5%
Only when applications are updated, patched or changed: 21.3%
Annually: 14.3%
Every 3 months: 18.0%
…


What Appsec can learn from Devops

My brain's on fire about devops, having just got back from Devopsdays. Devops is starting to have the same kind of impact on application and system operations as Agile has had on software development. Although only a small number of people at a few companies are really doing devops, it is getting a lot of …


Different ways of looking at security bugs

When a development team first starts to take application security seriously, they'll end up with a list (probably a long list) of security bugs. It's useful to look at security bugs in different ways.

Design Flaws vs. Implementation Bugs

The first is to ask where each bug comes from - is it an architectural or …


What's the point of application pen testing?

Penetration testing is one of the bulwarks of an application security program: get an expert tester to simulate an attack on your system, and see if they can hack their way in. But how effective is application penetration testing, and what should you expect from it? Gary McGraw in Software Security: Building Security In says …


AppSec at RSA 2012 Conference

I attended the RSA conference last week in San Francisco for the first time, and enjoyed the city. Excellent restaurants like Slanted Door, Canteen, Barbacco and especially Commonwealth, the Wharf, Chinatown, the almost perfect weather. I was surprised at the scale of the conference, the impressive number of IT security professionals who came from everywhere, …