Late last year SANS conducted a survey on application security practices in enterprises. One of the questions asked in the survey was how often organizations are doing security testing. The responses were:
No security testing policy for critical apps: 13.5%
Only when applications are updated, patched or changed: 21.3%
Annually: 14.3%
Every 3 months: 18.0%
… Continue reading Security Testing: Less, but More Often can make a Big Difference
My brain's on fire about devops, having just got back from Devopsdays. Devops is starting to have the same kind of impact on application and system operations as Agile has had on software development. Although only a small number of people at a few companies are really doing devops, it is getting a lot of … Continue reading What Appsec can learn from Devops
When a development team first starts to take application security seriously, they'll end up with a list (probably a long list) of security bugs. It's useful to look at security bugs in different ways.
Design Flaws vs. Implementation Bugs
The first is to ask where each bug comes from: is it an architectural or … Continue reading Different ways of looking at security bugs
Penetration testing is one of the bulwarks of an application security program: get an expert tester to simulate an attack on your system, and see if they can hack their way in. But how effective is application penetration testing, and what should you expect from it? Gary McGraw in Software Security: Building Security In says … Continue reading What's the point of application pen testing?
I attended the RSA conference last week in San Francisco for the first time, and enjoyed the city. Excellent restaurants like Slanted Door, Canteen, Barbacco and especially Commonwealth, the Wharf, Chinatown, the almost perfect weather. I was surprised at the scale of the conference, the impressive number of IT security professionals who came from everywhere, … Continue reading AppSec at RSA 2012 Conference