Software Security

Archive for November 2015

vBSIMM leading the way to ensure third-party software quality

In reading publications recently released by FS-ISAC and SAFECode on vendor management and third-party risk, I am pleased that the industry is finally coming together. We seem to finally agree on the obvious need to assess the processes under which software is made and not a particular end result. If “penetrate and patch” had any […]

Posted in Maturity Model (BSIMM), Vendor Risk Management

When do I send in the software security robots?

Robots are the future and they inspire both fear and awe in humans. This tension is as apparent in software as it is in any other field. When I was at the EuroSTAR 2015 testing conference recently, the topic of test automation came up a lot. Testers are constantly under pressure to perform more “automated […]

Posted in Application Security, Security Risk Assessment, Software Security Testing

The need for more secure IoT devices

It used to hold true that breaking into a car meant breaking a window, hoping for an unlocked door, lucking into the correct set of keys, or hot-wiring the car to steal it outright. As vehicles gain capabilities and more of their components connect to the internet, that's no longer the case. In […]

Posted in Internet of Things, Software Security Testing

3 reasons why the most common OWASP risks are STILL on the list after 10 years

In 2016, OWASP will publish the fifth iteration of the OWASP Top 10. First released in 2004, the OWASP Top 10 is a widely used enumeration of the 10 most important web application security risks, ranked by severity as well as real-world prevalence. As we await publication of this latest version, we can't help […]

Posted in Software Development Life Cycle (SDLC), Software Security Testing, Vulnerability Assessment

Can you afford not to implement security training?

Given enough time, it’s easy to talk yourself out of making the investment in training for your staff. Organizations that take the long view recognize that software security training is an investment that yields critical returns to both the organization and to the staff. Training directly impacts key metrics like bug density ratios and time […]

Posted in Maturity Model (BSIMM), Security Training, Software Development Life Cycle (SDLC), Software Security Testing

10 reasons why your SMB needs software security [Infographic]

Ever wonder how security affects organizations of different sizes? Start-ups, small and medium-sized businesses (SMBs), all the way up to multi-national enterprises should take software security very seriously. If there’s tempting data to be stolen, your firm is at risk. Maybe you’ve secured the software your firm develops in-house, but what about the third-party vendors you’re working […]

Posted in Infographic, Software Security Program Development, Software Security Testing

How does the BSIMM help firms strengthen security?

In the beginning, software security guidance consisted of prescriptive frameworks: security experts told firms what they should do to build secure software. With time, software security experts realized that this "because I said so" approach really wasn't a good security strategy. Instead of telling people what to do and what not to do, we needed some perspective on what firms actually do. We […]

Posted in Maturity Model (BSIMM), Software Security Program Development, Software Security Testing

5 essential elements of a successful software security initiative

Every organization that develops or integrates software needs a software security initiative: a blend of people, processes and tools that ensures applications, and the data they process, are secure. As customers, regulators, executives and boards of directors start asking for evidence of a formal approach to software security, organizations are trying to determine where to start, […]

Posted in Security Risk Assessment, Software Security Program Development, Software Security Testing

Benefits of secure code review: Developer education

The value of code review, having been well-studied and documented, is generally accepted by most development managers, if not always by the developers themselves. While the primary goal of code review is to improve the quality of the code itself, a secondary goal is often to improve the knowledge and skills of the developers so […]

Posted in Code Review, Security Training, Static Analysis (SAST)

112 BSIMM activities at a glance

The Building Security In Maturity Model, more commonly known as the BSIMM, is a descriptive model of the software security activities observed at participating firms. Its 112 activities are organized into four domains (Governance, Intelligence, SSDL Touchpoints and Deployment), each domain is divided into three practices, and every activity is assigned one of three maturity levels. It is these activities whose presence or absence is recorded at each participating BSIMM firm. A […]

Posted in Maturity Model (BSIMM)