Software Security

Archive for the 'Security Architecture' Category

 

Sirens in the night: Civil defense systems susceptible to legacy vulnerabilities

Increasingly, computer hacking is leaving the traditional network and reaching out into the physical world. So it shouldn’t be too surprising that two recent well-publicized hacks were accomplished by non-traditional means. One, the sounding of all 100+ civil defense sirens in Dallas, Texas (for 90 minutes during the night) most likely used only sound waves […]

Posted in Security Architecture, Threat Modeling, Vulnerability Assessment

 

What are the attributes of secure web application architecture?

Web application architecture typically covers the basic rendering and return of information to a client, usually on a web browser. Behind the scenes, a web application will draw upon many distinct layers. These may include servers used for presentation, business, and data. There are different architectures consisting of different layering strategies depending upon the need. […]

Posted in Security Architecture, Software Architecture and Design, Web Application Security

 

Finding software security flaws at scale

So you know the difference between bugs and flaws and you know you can use techniques like threat modeling and architecture risk analysis to find those flaws. But those techniques can be difficult to scale across the enterprise as they require deep design and software security expertise. And yet, doing no type of design analysis […]

Posted in Security Architecture, Software Security Testing

 

Software security myth #3: Penetration testing solves everything

Security testing is important. Conducting specialized penetration tests at the end of the software development life cycle (SDLC) can be a rewarding security activity for your organization. Penetration testing is, after all, the most frequently and commonly applied of all software security practices. But, this isn’t necessarily a good thing. This is why penetration testing […]

Posted in Code Review, Penetration Testing, Security Architecture, Software Development Life Cycle (SDLC), Software Security Testing

 

Software security myth #2: A tool is all you need for software security

All software projects produce at least one common artifact—code. This source code is the number one software security touchpoint your organization should address when strategizing a software security initiative (SSI). We’ve made great strides in the last 15 years building technology to find some types of security defects in code. At the code level, the […]

Posted in Code Review, Security Architecture, Software Security Testing, Static Analysis (SAST)

 

Building security into the SDLC without impacting velocity

Building security into the software development life cycle (SDLC) has become a common practice in many organizations. While security activities reduce security risks and implement compliance-focused requirements within software, they also require time and effort. Development teams are very feature and delivery driven. Requiring additional time and effort makes security activities a low priority, if even in consideration […]

Posted in CI/CD, Security Architecture, Software Development Life Cycle (SDLC)

 

Gary McGraw discusses the security risks of dynamic code

Dynamic language and associated development and operations (DevOps) methodologies change and evolve constantly. Due to these intentionally ever-changing dynamic aspects of software, security measures must also be in a constant state of progression. The old-school software security approach relied on searching for defects at the very end of the software development life cycle (SDLC). When considering […]

Posted in Dynamic Analysis (DAST), Security Architecture, Software Security Testing, Vulnerability Assessment

 

Caching security architecture knowledge with design patterns

We have always done architecture work. In the past, clients replaced their legacy systems with ‘new-fangled’ JavaEE. As they explored platform features, an ecosystem of web frameworks, and related commercial products (Netegrity’s SiteMinder), they realized they needed help and looked to us for: Standards/Policy JEE Platform Security Guide JEE Security Specification (Requirements) Technology-specific standards Reference Architecture Security […]

Posted in Security Architecture, Software Security Testing

 

Risk analysis in software design

Originally published in IEEE Security and Privacy Magazine.

Risk analysis is often viewed as a “black art”—part fortune telling, part mathematics. Successful architecture risk analysis, however, is nothing more than a business-level decision-support tool: it’s a way of gathering the requisite data to make a good judgment call based on knowledge about vulnerabilities, threats, impacts, and probability. Established risk-analysis […]

Posted in Security Architecture, Security Risk Assessment, Software Architecture and Design