AppSec Blog: Author - Eric Johnson

Exploring the DevSecOps Toolchain

The authors of the SANS Institute's DEV540 Secure DevOps & Cloud Application Security course created the Secure DevOps Toolchain poster to help security teams create a methodology for integrating security into the DevOps workflow. As you can see, the poster breaks DevOps down into 5 key phases and includes a massive list of open … Continue reading Exploring the DevSecOps Toolchain


Your Secure DevOps Questions Answered

As SANS prepares for the 2nd Annual Secure DevOps Summit, Co-Chairs Frank Kim and Eric Johnson are tackling some of the common questions they get from security professionals who want to understand how to inject security into the DevOps pipeline, leverage leading DevOps practices, and secure DevOps technologies and cloud services. If you are … Continue reading Your Secure DevOps Questions Answered


2017 Application Security Survey is Live!

Our 2016 application security survey, led by Dr. Johannes Ullrich, saw AppSec Programs continuously improving. In this year's 2017 survey led by Jim Bird, we will be looking at how AppSec is keeping up with rapidly increasing rates of change as organizations continue to adopt agile development techniques and DevOps. The survey is officially … Continue reading 2017 Application Security Survey is Live!


Taking Control of Your Application Security

Application security is hard. Finding the right people to perform application security work and manage the program is even harder. The application security space has twice as many job openings as candidates. Combined that with the fact that for every 200 software engineers there is only 1 security professional, how do we staff a … Continue reading Taking Control of Your Application Security


Continuous Integration: Live Static Analysis with Roslyn

Early in 2016, I had a conversation with a colleague about the very, very limited free and open-source .NET security static analysis options. We discussed CAT.NET, which released back in 2009 and hasn't been updated since. Next came FxCop, which has a few security rules looking for SQL Injection and Cross-Site Scripting included in the … Continue reading Continuous Integration: Live Static Analysis with Roslyn