What’s the difference between agile, CI/CD, and DevOps?
While Agile, CI/CD, and DevOps are different, they support one another. Agile focuses on the development process, CI/CD on practices, and DevOps on culture.
Posted in Agile, CI/CD & DevOps
John Steven
John Steven is a former senior director at Synopsys. His expertise runs the gamut of software security—from threat modeling and architectural risk analysis to static analysis and security testing. He has led the design and development of business-critical production applications for large organizations in a range of industries. After joining Synopsys as a security researcher in 1998, John provided strategic direction and built security groups for many multinational corporations, including Coke, EMC, Qualcomm, Marriott, and FINRA. His keen interest in automation contributed to keeping Synopsys technology at the cutting edge. He has served as co-editor of the Building Security In department of IEEE Security & Privacy magazine and as the leader of the Northern Virginia OWASP chapter. John speaks regularly at conferences and trade shows.
Posts by John Steven:
OWASP Top 10 2017: But is it fixed?
Months back, I called outright for the removal of “A7: Insufficient Attack Protection” from the OWASP Top 10. The OWASP Top 10 team recently published a second release candidate (RC2) for OWASP Top 10 2017—and A7, which was in RC1, is conspicuously absent. So is the Top 10 fixed?
Posted in Software Compliance, Quality & Standards
A sea change in pop culture’s understanding of security
Something special happened on Thursday that is very easily overlooked. Marketplace, an American Public Media program making economics accessible to normal folk, ran a story on how kids start honing their cyber security skills early. The angle: future jobs. A good angle considering we’re all short on staff these days.
Posted in Uncategorized
How to align security responsibilities with development frameworks
Learn how to align security controls with the functional elements of a development framework to improve software security, using MVC as an example.
Posted in Software Architecture & Design
Book review: Reading Shostack’s ‘Threat Modeling’
John Steven reviews Adam Shostack’s threat modeling book and provides a reader’s guide to the good and the bad for security practitioners.
Posted in Software Architecture & Design
SHA2 ‘vs.’ SHA1
We briefly compare SHA2 vs. SHA1 to answer whether SHA2 functions are ‘more secure’ than SHA1 and whether you can use SHA2 alone to secure passwords.
Posted in Software Architecture & Design, Software Compliance, Quality & Standards
Touch ID: Yea or nay?
Is Touch ID all it’s cracked up to be? We explore the vulnerabilities of Touch ID, biometrics, and password security, including general considerations.
Posted in Mobile App Security, Software Architecture & Design
Mobile: Different or same sh*t different day?
Is mobile security the “same problem” as web application security? Is it just “different day”? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course, both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s different and why. I’ll break things down as usual: threats, attack surfaces, vectors, impacts, and then controls. Summarizing:
Posted in Mobile App Security, Software Architecture & Design
Securing password digests, or how to protect lonely unemployed radio listeners
As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed in that amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so forth. This blog entry represents a roll-up of a great discussion we had internally on our software security group mailing list.
A few caveats
Posted in Software Architecture & Design
OWASP Top 10 2017: But is it fixed?
Months back, I called outright for the removal of “A7: Insufficient Attack Protection” from the OWASP Top 10. The OWASP Top 10 team recently published a second release candidate (RC2) for OWASP Top 10 2017—and A7, which was in RC1, is conspicuously absent. So is the Top 10 fixed?
Posted in Software Compliance, Quality & Standards
A sea change in pop culture’s understanding of security
Something special happened on Thursday that is very easily overlooked. Marketplace, an American Public Media program making economics accessible to normal folk, ran a story on how kids start honing their cyber security skills early. The angle: future jobs. A good angle considering we’re all short on staff these days.
Posted in Uncategorized
How to align security responsibilities with development frameworks
Learn how to align security controls with the functional elements of a development framework to improve software security, using MVC as an example.
Posted in Software Architecture & Design
Book review: Reading Shostack’s ‘Threat Modeling’
John Steven reviews Adam Shostack’s threat modeling book and provides a reader’s guide to the good and the bad for security practitioners.
Posted in Software Architecture & Design
SHA2 ‘vs.’ SHA1
We briefly compare SHA2 vs. SHA1 to answer whether SHA2 functions are ‘more secure’ than SHA1 and whether you can use SHA2 alone to secure passwords.
Posted in Software Architecture & Design, Software Compliance, Quality & Standards
Touch ID: Yea or nay?
Is Touch ID all it’s cracked up to be? We explore the vulnerabilities of Touch ID, biometrics, and password security, including general considerations.
Posted in Mobile App Security, Software Architecture & Design
Mobile: Different or same sh*t different day?
Is mobile security the “same problem” as web application security? Is it just “different day”? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course, both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s different and why. I’ll break things down as usual: threats, attack surfaces, vectors, impacts, and then controls. Summarizing:
Posted in Mobile App Security, Software Architecture & Design
Securing password digests, or how to protect lonely unemployed radio listeners
As we’re prone to say, “much ink has been spilt over the release of password digests” from LinkedIn and others. I’m, as is typical, profoundly disappointed in that amount of misinformation I’ve heard in security folks’ commentary on the problem and the underlying workings of digests, HMACs, and so forth. This blog entry represents a roll-up of a great discussion we had internally on our software security group mailing list. A few caveats
Posted in Software Architecture & Design