AppSec Blog: Author - Jim Bird

Agile Development Teams CAN build secure software

Agile Development Doesn't Create Secure Software questions whether Agile development teams can build secure code. It mostly references a study on small- and medium-sized Agile development teams, which found that Agile teams don't take security seriously even when building systems that are "web-facing and potential targets of attack". This isn't surprising. We already know that … Continue reading Agile Development Teams CAN build secure software


Software Security starts with Software Quality

In Software Security: Building Security In, Cigital's Gray McGraw breaks software security problems down into roughly equal halves. One half of security problems are security design flaws: missing authorization or doing encryption wrong - or not using encryption at all when you are supposed to, not handling passwords properly, not auditing the right data, relying … Continue reading Software Security starts with Software Quality


Real and useful security help for software developers

There's lots of advice on designing and building secure software. All you need to do is: Think like an attacker. Minimize the Attack Surface. Apply the principles of Least Privilege and Defense in Depth and Economy of Mechanism. Canonicalize and validate all input. Encode and escape output within the correct context. Use encryption properly. Manage … Continue reading Real and useful security help for software developers


Dealing with security vulnerabilities ... er... bugs

A serious problem in many organizations is that the relationship between security and development is marred by blame, mistrust, evasion and lack of understanding. One result of this is that development teams (and their business sponsors) don't take ownership for understanding and managing software security risks, and often try to ignore vulnerabilities or hide them. … Continue reading Dealing with security vulnerabilities ... er... bugs


The C14N challenge

Failing to properly validate input data is behind at least half of all application security problems.In order to properly validate input data, you have to start by first ensuring that all data is in the same standard, simple, consistent format - a canonical form. This is because of all the wonderful flexibility in internationalization and … Continue reading The C14N challenge