Software Integrity

Archive for October 2015


Understanding architecture analysis and secure design review

So you understand the difference between bugs and flaws and that the defect universe is roughly a 50/50 split of bugs and flaws. Awesome! (If you don’t yet understand the difference, here’s a great read about software flaws in application architecture that will explain it.) You’ve also decided you want to start actively doing some […]

Posted in Penetration Testing, Software Architecture and Design, Software Security Testing


4 signs you need a proactive application security approach

Organizations usually start paying attention to application security when they’re in a reactive mode. Once something happens involving their firm’s security stance, security becomes a high priority. As application security becomes an increasingly hot topic, and for good reason (as attacks are spreading like wildfire these days), organizations should transition their security strategy to a […]

Posted in Security Standards and Compliance, Software Security Program Development


Detection strategies to unmask the source of malicious code

Let’s imagine you discover a string of suspicious code within one of your applications. Perhaps a routine scan by your application testing team finds a point of interest that indicates malcode, such as a time bomb or backdoor, has been inserted by a malicious insider within your software supply chain. First, you breathe a huge […]

Posted in Security Risk Assessment, Software Security Testing


Software security myth #3: Penetration testing solves everything

Security testing is important. Conducting specialized penetration tests at the end of the software development life cycle (SDLC) can be a rewarding security activity for your organization. Penetration testing is, after all, the most frequently and commonly applied of all software security practices. But, this isn’t necessarily a good thing. This is why penetration testing […]

Posted in Code Review, Penetration Testing, Security Architecture, Software Development Life Cycle (SDLC), Software Security Testing


Building Security In Maturity Model infographic: 5 lessons learned from BSIMM6

By providing actual measurement data from the field, the Building Security In Maturity Model (BSIMM) makes it possible to build a long-term plan for a software security initiative (SSI) and track progress against that plan. The BSIMM is dedicated to quantifying the activities carried out by real SSIs in order to help the wider software security community plan, carry […]

Posted in Infographic, Maturity Model (BSIMM)


BSIMM6 brings science to software security

The sixth iteration of the Building Security In Maturity Model project is a tool you can use as a measuring stick for software security initiatives. By now, you should have heard about the Building Security In Maturity Model (BSIMM) project, especially if you are a software security person. Maybe you’ve even downloaded a copy of your […]

Posted in Maturity Model (BSIMM), Software Security Program Development


Third-party security risk factors

As we build our budgets for 2016, many organizations are examining 2015 pitfalls in order to strategize where to spend money in the upcoming year. With the recent influx of security breaches, many are concerned about third parties and vendors with whom they share data. What can we do to reduce the likelihood of a breach internally, […]

Posted in Maturity Model (BSIMM), Software Security Testing, Vendor Risk Management


Building Security In Maturity Model infographic: BSIMM by the numbers

Over the past seven years, the Building Security In Maturity Model (BSIMM) has studied 112 security activities in over 100 firms to measure the software security practices across a participating organization. Quantifying these practices allows BSIMM to describe the common areas shared by many organizations, as well as the variations that make each unique. BSIMM isn’t a ‘how […]

Posted in Infographic, Maturity Model (BSIMM), Software Security Program Development


How proactive is your software security initiative?

The bad news is that software gets hacked. The defects or vulnerabilities that attackers take advantage of to hack software can be made by an organization internally, or by their vendors or partners. The good news is that remediation methods to resolve these defects and vulnerabilities are well known. Organizations with a mature software security […]

Posted in Maturity Model (BSIMM), Penetration Testing, Software Development Life Cycle (SDLC), Software Security Program Development


Software security myth #2: A tool is all you need for software security

All software projects produce at least one common artifact—code. This source code is the number one software security touchpoint your organization should address when strategizing a software security initiative (SSI). We’ve made great strides in the last 15 years building technology to find some types of security defects in code. At the code level, the […]

Posted in Code Review, Security Architecture, Software Security Testing, Static Analysis (SAST)