Help!!! Developers are going blind from Log Files!
This is a post by Sri Mallur, an instructor with the SANS Institute for SANS DEV541: Secure Coding in Java EE: Developing Defensible Applications.Sri is a security consultant at a major healthcare provider who has over 15 years of experience in software development and information security. He has designed and developed applications for large companies in the insurance, chemical, and healthcare industries. He has extensive consulting experience from working with one of the big 5. Sri currently focuses on security in SDLC by working with developers, performing security code reviews and consulting on projects. Sri holds a Masters in industrial engineering from Texas Tech University, Lubbock, TX and an
Late last year SANS conducted a survey on application security practices in enterprises. One of the questions asked in the survey was how often organizations are doing security testing. The responses were:
- No security testing policy for critical apps: 13.5%
- Only when applications are updated, patched or changed: 21.3%
- Annually: 14.3%
- Every 3 months: 18.0%
- Once a month: 9.5%
- Ongoing: 23.3%
What was most interesting to me is that almost of organizations are doing security testing on an ongoing, near-continuous basis — testing applications as they are being developed or changed.
The only way to test this frequently, and the effective way to scale security testing in large enterprises with thousands of applications and hundreds of web sites, is by relying heavily on
SANS has just opened a survey to understand more about the challenges and risks that companies are facing in application security, and what tools and practices people have found are most effective in managing appsec problems.
Please follow this link and take 5-10 minutes to answer the survey questions:
Help shape the future of application security practices and technologies and also enter to win a $300 American Express gift card, which will be awarded to one lucky winner!
Sponsored by NT OBJECTives, Qualys, Whitehat Security and Veracode, this survey will remain online until November 7, 2012. Results will be published at http://www.sans.org/info/113477 on December 13, 2012, during a related
John Steven is the Internal CTO of Cigital. John's expertise runs the gamut of software security from threat modeling and architectural risk analysis, through static analysis (with an emphasis on automation), to security testing. As a consultant, John has provided strategic direction to many multi-national corporations, and his keen interest in automation keeps Cigital technology at the cutting edge.
This is the last in a series of interviews with appsec experts about threat modeling.
1. Threat Modeling is supposed to be one of the most effective and fundamental practices in secure software development. But a lot of teams that are trying to do secure development find threat modeling too difficult and too expensive. Why is threat modeling so hard - or do people just think it is hard because they don't understand it?
"Effective in what regard?" The world's conception of what threat modeling is, what it produces, and what it
James Jardine is a senior security consultant at Secure Ideas and the founder of Jardine Software. James has spent over twelve years working in software development with over seven years focusing on application security. His experience includes penetration testing, secure development lifecycle creation, vulnerability management, code review, and training. He has worked with mobile, web, and Windows development with the Microsoft .NET framework. James is a mentor for the Air Force Association's Cyber Patriot competition. He currently holds the GSSP-NET, CSSLP, MCAD, and MCSD certifications and is located in Jacksonville, Florida.
This is the second in a series of interviews with appsec experts about threat modeling.
1. Threat Modeling is supposed to be one of the most effective and fundamental practices in secure software development. But a lot of teams that are trying to do secure development ...