3%. That's about how much developers care about security. Starting last year I made a concerted effort to speak at developer conferences. The idea was to go directly to people who write actual code and help spread the word about application security. By speaking at technical conferences that appeal to top developers the goal was … Continue reading How much do developers care about security?
Stephen J, who is a member of our software security mailing list, asked a while back, "Do you have any recommendations on static source code scanners?" James Jardine and I started talking and came up with the following tips. There are so many commercial static analysis tools from vendors like Armorize, Checkmarx, Coverity, Fortify (HP), … Continue reading Seven Tips for Picking a Static Analysis Tool
We have to make it easier for developers to build secure apps, especially Web apps. We can't keep forcing everybody who builds an application to understand and plug all of the stupid holes in how the Web works on their own - and to do this perfectly right every time. It's not just wasteful: it's … Continue reading Safer Software through Secure Frameworks
Much of the cumulative application security knowledge and tooling is aimed at detection, rather than prevention, of vulnerabilities. This is a natural consequence of the fact that the primary job of many information security analysts is to look for security vulnerabilities and provide high-level remediation suggestions rather than to be involved in detailed remediation efforts. Another … Continue reading Agile Security for Product Owners - Requirements
By Krishna Raja and Rohit Sethi (@rksethi). Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: How do we authenticate users? How do we restrict page access to authorized users? Others, however, … Continue reading Five Key Design Decisions That Affect Security in Web Applications