Software Integrity

Archive for the 'Penetration Testing' Category


How proactive is your software security initiative?

The bad news is that software gets hacked. The defects or vulnerabilities that attackers take advantage of to hack software can be made by an organization internally, or by their vendors or partners. The good news is that remediation methods to resolve these defects and vulnerabilities are well known. Organizations with a mature software security […]

Continue Reading...

Posted in Maturity Model (BSIMM), Penetration Testing, Software Development Life Cycle (SDLC), Software Security Program Development


Agile methodology and application security: A promising pair

Agile and application security are often spoken of together as oil and water, but are they really? Agile software development happens fast. The high frequency of iterations and releases often translates to wildly dynamic application build structures, with new components/modules added regularly throughout the software development life cycle (SDLC). This iterative approach enables teams to […]

Continue Reading...

Posted in Agile Methodology, Application Security, Dynamic Analysis (DAST), Penetration Testing, Software Development Life Cycle (SDLC), Static Analysis (SAST), Threat Modeling


Is conventional penetration testing enough to secure eCommerce applications?

Can your customers trust you to process their transactions and safeguard their personal information? Can you be sure online sales follow the business rules you’ve put in place? If you are like most eCommerce companies, you’ve been pushing the envelope to create applications that are increasingly easy to use, accessible from any device, and personalized […]

Continue Reading...

Posted in Penetration Testing, Threat Modeling, Vulnerability Assessment


Are you red team secure?

Data breaches can result in severe damages to an organization’s brand, financial standing, or customer trust. Many of these, including recent breaches in the news, are not the result of a single, easy to find weakness that just happened to be overlooked or the common “low hanging fruit” that is adequately detected by automated scanners […]

Continue Reading...

Posted in Penetration Testing, Red Teaming, Threat Modeling


Is it time for Enterprise IT to declare defeat in the cyber security war?

How can business leaders guarantee that they won’t be the next headline security breach? How should companies even start to address software security? Watch the HP Discover Performance Weekly video featuring Cigital CTO, Dr. Gary McGraw, to find out.

Continue Reading...

Posted in Code Review, Financial Services Security, Penetration Testing, Software Security Testing


The 10 commandments for software security

You all know by now that the BSIMM is a descriptive model and not a prescriptive one.  We’re happy to give prescriptive advice about software security based on our experience as well.  It’s what we do for a living.  In fact, every prescriptive model (think the Touchpoints) needs to be measured with a measuring stick […]

Continue Reading...

Posted in Maturity Model (BSIMM), Penetration Testing, Software Security Testing


Is pen testing security testing?

Some people start “Security Testing” by buying and using a pen-test tool on project. Such tools uncover security vulnerabilities (though they seldom help with root cause analysis or even obtaining double-digit code coverage). These tools are degenerate, at best, in facilitating a security testing strategy. Why? Because, these tools are “black box” tools. What are […]

Continue Reading...

Posted in Application Security, Penetration Testing