Software Integrity Blog

Author Archive

John Steven

jsteven

John Steven is a former senior director at Synopsys. His expertise runs the gamut of software security—from threat modeling and architectural risk analysis to static analysis and security testing. He has led the design and development of business-critical production applications for large organizations in a range of industries. After joining Synopsys as a security researcher in 1998, John provided strategic direction and built security groups for many multinational corporations, including Coke, EMC, Qualcomm, Marriott, and FINRA. His keen interest in automation contributed to keeping Synopsys technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine and as the leader of the Northern Virginia OWASP chapter. John speaks regularly at conferences and trade shows.


Posts by John Steven:

 

What’s the difference between agile, CI/CD, and DevOps?

While Agile, CI/CD, and DevOps are different, they support one another. Agile focuses on the development process, CI/CD on practices, and DevOps on culture.

Continue Reading...

Posted in Agile, CI/CD & DevOps | Comments Off on What’s the difference between agile, CI/CD, and DevOps?

 

OWASP Top 10 2017: But is it fixed?

Months back, I called outright for the removal of “A7: Insufficient Attack Protection” from the OWASP Top 10. The OWASP Top 10 team recently published a second release candidate (RC2) for OWASP Top 10 2017—and A7, which was in RC1, is conspicuously absent. So is the Top 10 fixed?

Continue Reading...

Posted in Security Standards and Compliance | Comments Off on OWASP Top 10 2017: But is it fixed?

 

OWASP Top 10—A7: Request for removal and replacement

Foreword by Jim Ivers, Vice President, Marketing, Synopsys Software Integrity Group

Continue Reading...

Posted in General | Comments Off on OWASP Top 10—A7: Request for removal and replacement

 

A sea change in pop culture’s understanding of security

Something special happened on Thursday that is very easily overlooked. Marketplace, an American Public Media program making economics accessible to normal folk, ran a story on how kids start honing their cyber security skills early. The angle: future jobs. A good angle considering we’re all short on staff these days.

Continue Reading...

Posted in Uncategorized | Comments Off on A sea change in pop culture’s understanding of security

 

How to align security responsibilities with development frameworks

Learn how to align security controls with the functional elements of a development framework to improve software security, using MVC as an example.

Continue Reading...

Posted in Software Architecture and Design | Comments Off on How to align security responsibilities with development frameworks

 

Book review: Reading Shostack’s ‘Threat Modeling’

Increasingly, individuals and organizations alike express interest in building their own threat modeling capabilities. Some ask, “What do you think about STRIDE?”. More generally, “How can I help developers think about our systems’ security properties?”

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Book review: Reading Shostack’s ‘Threat Modeling’

 

Kickstarter password Breach … #FTW?

Last Wednesday I spoke about password storage security in a Whiteboard session. Fate has allowed a publicized password breach within a few days prior to these talks nearly without fail and, with the hack of Yahoo’s 3rd party database more than a week in the rear-view, I was a bit self-conscious. Cue the Kickstarter security notice.

Continue Reading...

Posted in Data Breach, Software Architecture and Design | Comments Off on Kickstarter password Breach … #FTW?

 

SHA2 ‘vs.’ SHA1

For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into schemes they seldom resist attack. Not surprising–applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet and more thorough Threat Model, help educate but questions remain in readers’ minds. Over the last three years I continue to be asked: “Are the SHA2 family of functions ‘more secure’ than SHA1?”

Continue Reading...

Posted in Security Standards and Compliance, Software Architecture and Design | Comments Off on SHA2 ‘vs.’ SHA1

 

Touch ID: Yea or nay?

Is Touch ID all it’s cracked up to be? We explore the vulnerabilities of Touch ID, biometrics, and password security, including general considerations.

Continue Reading...

Posted in Mobile Application Security, Software Architecture and Design | Comments Off on Touch ID: Yea or nay?

 

Mobile: Different or same sh*t different day?

Is mobile security the “same problem” as web application security? Is it just “different day”? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course, both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s different and why. I’ll break things down as usual: threats, attack surfaces, vectors, impacts, and then controls. Summarizing:

Continue Reading...

Posted in Mobile Application Security, Software Architecture and Design | Comments Off on Mobile: Different or same sh*t different day?