Governance is centered on the processes and activities related to how an organization manages overall software development activities. More specifically, this includes concerns that cross-cut groups involved in development as well as processes that are established at the organization level.

Construction concerns the processes and activities related to how an organization defines goals and creates software within development projects. In general, this includes product management, requirements gathering, high-level architecture specification, detailed design, and implementation.

Verification is focused on the processes and activities related to how an organization checks and tests artifacts produced throughout software development. This typically includes quality assurance work such as testing, but it can also include other review and evaluation activities.

Security – Not just for Networks!
Criminals are targeting software.
Hackers know that you have firewalls, so hacking the network is not convenient.
Hackers are targeting a new way to 'hack' into your systems: through applications.

Why Applications?
People are using software in every part of their lives!
 
The Business Impact
The ramifications of insecure software go beyond mere technology issues; there is also a definite business impact.
Not having secure software can lead to:
  • Financial loss
  • Bad publicity
  • Investigations and litigation
  • Liability (personal and corporate)
  • Reputation damage
  • Loss of brand, confidence and trust among customers, partners, shareholders and stakeholders

 
What is the answer?
The success of a software assurance program within an organization is directly proportional to the support of executive management.
Security has to be ensured throughout the entire lifecycle.
All stakeholders in the software development process must be aware of common security tenets and threats.

Building secure software is a result of all the stakeholders having the appropriate levels of participation, and a security mindset in the design, development, and deployment of the software.

Stakeholders must be educated in how to build security within every phase of the lifecycle.

source: CSSLP white paper
 
SAMM and the Financial Services Industry:
SAMM and the financial services industry:  I have conducted, sold and project managed SAMM ...


 
Trojan May Have Played Part in Spanish Plane Crash
A computer infected with a Trojan failed to trigger an alarm that could have kept an ill-fated ...


 
HTML5 Raises New Security Issues
As HTML5 enhances the Web, so too will it bring new vulnerabilities, security experts ...


 
Has Static Analysis reached its limits?
HP's acquisition of Fortify this week (which I am sure will make some people at Kleiner Perkins ...


 
Smartphone Trojan Found in the Wild (August 13, 2010)
A Trojan horse program that affects smartphones has been detected in the ...


 
The OWASP Top Ten and ESAPI – Final Summary
Ok, well now we've been through all the issues listed in the ...


 
Mobile Website Flaws Cloak Click Fraud
It's possible to craft a malicious website so that a user's clicks are secretly redirected to a ...
