AppSec Blog: Author - Eric Johnson

Your Secure DevOps Questions Answered

As SANS prepares for the 2nd Annual Secure DevOps Summit, Co-Chairs Frank Kim and Eric Johnson are tackling some of the common questions they get from security professionals who want to understand how to inject security into the DevOps pipeline, leverage leading DevOps practices, and secure DevOps technologies and cloud services. If you are … Continue reading Your Secure DevOps Questions Answered


2017 Application Security Survey is Live!

Our 2016 application security survey, led by Dr. Johannes Ullrich, saw AppSec Programs continuously improving. In this year's 2017 survey led by Jim Bird, we will be looking at how AppSec is keeping up with rapidly increasing rates of change as organizations continue to adopt agile development techniques and DevOps. The survey is officially … Continue reading 2017 Application Security Survey is Live!


Taking Control of Your Application Security

Application security is hard. Finding the right people to perform application security work and manage the program is even harder. The application security space has twice as many job openings as candidates. Combined that with the fact that for every 200 software engineers there is only 1 security professional, how do we staff a … Continue reading Taking Control of Your Application Security


Continuous Integration: Live Static Analysis with Roslyn

Early in 2016, I had a conversation with a colleague about the very, very limited free and open-source .NET security static analysis options. We discussed CAT.NET, which released back in 2009 and hasn't been updated since. Next came FxCop, which has a few security rules looking for SQL Injection and Cross-Site Scripting included in the … Continue reading Continuous Integration: Live Static Analysis with Roslyn


HTTP Verb Tampering in ASP.NET

We're only a few days into 2016, and it didn't take long for me to see a web application vulnerability that has been documented for over 10 years: HTTP Verb Tampering. This vulnerability occurs when a web application responds to more HTTP verbs than necessary for the application to properly function. Clever attackers can exploit … Continue reading HTTP Verb Tampering in ASP.NET