The 2015 SANS State of Application Security Analyst Paper and webcasts are complete. This year, Jim Bird, the lead author of the SANS Application Security Survey series, Frank Kim, and I all participated in writing the questions, analyzing the results, drafting the paper, and preparing the webcast material.
In the 2015 survey, we split the survey into two different tracks: defenders and builders. The first track focused on the challenges facing the defenders who are responsible for risk management, vulnerability assessment, and monitoring. The second track focused on the challenges facing the builders responsible for application development, peer reviews, and production support.
Overall, we had 435 respondents, 65% representing the defenders and 35% representing the builders. Based on the results, the communication barriers between defenders and builders are shrinking. But, there is still work that needs to be done:
Defenders and builders are ...
For the second year in a row Jim Bird and I have helped SANS put together a "Survey on Application Security Programs and Practices". We asked some of the same questions as the previous year, just in a different way. Some interesting trends this year, as taken from the executive summary of the soon to be published paper, include the following:
- There was a significant improvement in the number of organizations implementing application security programs and practices. The percentage of organizations that have an active Appsec program increased from 66% last year to 83% this year, and many of the organizations that do not have a program in place yet are at least following some kind of ad hoc security practices.
- Organizations are testing more frequently. In this year's survey, more than one-third are doing continuous, ongoing security testing of their applications, whereas only 23% indicated doing so in our ...
SANS has just opened a survey to understand more about the challenges and risks that companies are facing in application security, and what tools and practices people have found are most effective in managing appsec problems.
Please follow this link and take 5-10 minutes to answer the survey questions:
Help shape the future of application security practices and technologies and also enter to win a $300 American Express gift card, which will be awarded to one lucky winner!
Sponsored by NT OBJECTives, Qualys, Whitehat Security and Veracode, this survey will remain online until November 7, 2012. Results will be published at http://www.sans.org/info/113477 on December 13, 2012, during a related
Here are some recent appsec webcasts for your viewing pleasure:
- Web Application Threats: Combining XSS and CSRF to own the world!
Kevin Johnson covers Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Specifically, "how they can be used to exploit users and applications, how to find them and what their combined power can accomplish."
- Innovation in Application Security: Application Risk Management
John Sapp discusses "business critical application security trends and the need for comprehensive approaches to secure software development" including coverage of what "application attacks are most prevalent now, the importance of the secure development lifecycle (SDL), and cost-effective methods to implement a program-level commitment to
We have three cool webcasts lined up next week:
1) SQL Injection for the Penetration Tester on April 27
Eric Conrad will kick off the week of webcasts with something every penetration tester should know about. "Both normal and blind SQL attacks will be described, including reading and altering databases, creating local files, and gaining command shell access to the database server."
2) Defending Web Applications: Going back to First Principles on April 28
In this talk Johannes and Jason "will outline current attacks against web applications, why they evade detection by network defenses and how to build defensible applications by going back to simple defensive principles. Each of the attacks will be illustrated from a defensive as well as offensive point of view showing the