Posts by John Steven:
We’ve been seeing a lot of instances recently in which the terms Agile, CI/CD, and DevOps are used interchangeably. 3 different development tools for building your practice You couldn’t build a house with a single tool. Nor can you enable your development practice with one. Agility, CI/CD, and DevOps are three distinct tools, each important […]
Continue Reading...
Posted in Agile Methodology, CI/CD, DevOps | Comments Off on What’s the difference between Agile, CI/CD, and DevOps?
Months back, I called outright for the removal of “A7: Insufficient Attack Protection” from the OWASP Top 10. The OWASP Top 10 team recently published a second release candidate (RC2) for OWASP Top 10 2017—and A7, which was in RC1, is conspicuously absent. So is the Top 10 fixed? My argument to remove A7 was […]
Continue Reading...
Posted in Application Security, OWASP | Comments Off on OWASP Top 10 2017: But is it fixed?
Foreword by Jim Ivers Vice President, Marketing, Synopsys Software Integrity Group If you’re a software security professional, you’re probably familiar with the OWASP Top 10. Even if you aren’t in the AppSec trenches every day, you may have heard of it. It’s a widely referenced list of the 10 most critical web application security risks […]
Continue Reading...
Posted in Application Security | Comments Off on OWASP Top 10—A7: Request for removal and replacement
Something special happened on Thursday that is very easily overlooked. Marketplace, an American Public Media program making economics accessible to normal folk, ran a story on how kids start honing their cyber security skills early. The angle: future jobs. A good angle considering we’re all short on staff these days. The show’s host, Kai Ryssdal, […]
Continue Reading...
Posted in Application Security, Software Security Testing | Comments Off on A sea change in pop culture’s understanding of security
Practicing software security builds on knowledge of tools, techniques, and technologies. I consistently harp on the importance of understanding development frameworks. These frameworks provide a foundation for technology knowledge — Instructors must speak developers’ language when training; frameworks form the vernacular. When assessing software, one needs to know where in the haystack to look for […]
Continue Reading...
Posted in Maturity Model (BSIMM), Software Security Program Development, Software Security Testing, Threat Modeling | Comments Off on Associating security responsibilities within development frameworks
Increasingly, individuals and organizations alike express interest in building their own threat modeling capabilities. Some ask, “What do you think about STRIDE?” More generally, “How can I help developers think about our systems’ security properties?” Synopsys has published a bunch of valuable threat modeling material but the biggest single body of work continues to come […]
Continue Reading...
Posted in Software Security Program Development, Threat Modeling | Comments Off on Book review: Reading Shostack’s ‘Threat Modeling’
Last Wednesday I spoke about password storage security in a WhiteBoard session. Fate has allowed a publicized password breach within a few days prior to these talks nearly without fail and, with the hack of Yahoo’s 3rd party database more than a week in the rear-view, I was a bit self-conscious. Cue the Kickstarter security […]
Continue Reading...
Posted in Data Breach, Threat Modeling | Comments Off on Kickstarter password Breach … #FTW?
For years our assessments have discovered insecure mechanisms for password storage. Though well-intentioned developers often put a good deal of thought into schemes they seldom resist attack. Not surprising–applying the appropriate cryptographic primitives effectively proves challenging for many security practitioners. Available material, such as the simple OWASP Cheat Sheet and more thorough Threat Model, help […]
Continue Reading...
Posted in OWASP, Threat Modeling | Comments Off on SHA2 ‘vs.’ SHA1
Unsurprisingly, German hackers were able to produce a fingerprint prosthetic allowing an attacker to defeat Apple’s TouchID within days of the iPhone 5S release. Media coverage abounds, as has reaction to the attack and discussion about biometrics, multi-factor authentication, and-of course-death of the pin/password. Unfortunately, the password’s death has been reported early None of us […]
Continue Reading...
Posted in Mobile Application Security, Threat Modeling | Comments Off on Touch ID: Yea or nay?
Mobile security the ‘same problem’ as web application security? Is it just ‘different day’? I’ve watched organizations and mobile thought leaders argue perspectives on this question back and forth for years. The answer is, of course: both. Mobile security inherits previous problems and solutions while bringing its own unique ones. Let’s get specific about what’s […]
Continue Reading...
Posted in Mobile Application Security, Threat Modeling | Comments Off on Mobile: Different or same sh*t different day?
