A BRIEF HISTORY OF APPLICATION SECURITY

posted on Feb 2, 2016 by Shane Parfitt

Computer hackers have a long history of trying to expose and exploit vulnerabilities on networks and in software applications. With the advent of the Internet and subsequent mass deployment of Web applications, attacks can be carried out on a massive scale, and can have profound business and personal impacts. The need to eliminate threats and…

A Layman’s Guide to the ISO 27034

posted on Nov 23, 2015 by Rohit Sethi

What is the ISO 27034? The upcoming ISO 27034 standard provides, at long last, an internationally-recognized standard for application security. Though not officially completed yet, much of the ISO 27034 standard’s structure is already set through the publishing of the first part: ISO/IEC 27034-1:2011. The ISO 27034 is closely aligned with several other ISO standards,…

BSIMM Mapping

posted on Nov 19, 2015 by Igor Gvero

The Building Security In Maturity Model (BSIMM) is a descriptive model of software security programs. BSIMM gathers the activities that a collection of companies are already doing as a way to assess a firm’s maturity in software security. Several BSIMM participants are also Security Compass clients, and it’s clear to see why: SD Elements maps…

The Million Dollar Question: Build or Buy for Security Tools?

posted on Nov 17, 2015 by ehsan

When a large enterprise is looking to invest in improving the process and automation, the question of Build vs. Buy comes up more frequently than you would imagine. This is a decision that will have a significant impact for years to come and is a tough decision that the management needs to make. While most…

Don’t Trust Your Plugins

posted on Nov 12, 2015 by Abhineet Jayaraj

WordPress security, or the lack of it, isn’t really a new concept. There are dozens and dozens of posts and guidelines for securing WordPress, including an official post on their site which provides a great overview for tasks you can do to secure your implementation. Here at Security Compass we do a lot of assessments…

What is an easy way to discover all of my external facing systems?

posted on Nov 6, 2015 by Guest Blogger

Problem: I’ve just taken over the Internal Security Engineer position at a company. We’ve never gone through a security audit before. We know which network ranges we own. However, we have no idea what our actual external-facing exposure is. There are some documented systems, but for all I know, people have been building and putting…

FFIEC and DDoS Testing

posted on Aug 24, 2015 by sahba

DDoS has now secured itself a top 5 spot on most financial institutions’ list of security risks. With a few exceptions out there, the question is no longer whether you have DDoS mitigation in place, but rather how mature your DDoS defense strategy needs to be. The FFIEC recently released a Cybersecurity Assessment Tool to help financial…

DDoS – An Attacker’s Perspective

posted on Aug 10, 2015 by Yousif Hussain

As you know, the evolution of Distributed Denial-of-Service (DDoS) attacks has many organizations scrambling to defend themselves. Even with defenses in place, a site is never truly protected until the defense is tested. Our team has been busy as of late; ensuring mitigation solutions are living up to their claims and ensuring the quality of…

Women In Tech: Opheliar Chan

posted on Jul 29, 2015 by Yousif Hussain

This blog series has allowed us to get to know multiple women in the Security and Technology industry. It is interesting to see the varying paths they took to get to Security Compass. Their passion for technology is what led them to where they are today, and will fuel them to continue to make a…

Security Compass Internal CTF Write-Up

posted on Jul 6, 2015 by Geoff Heymann

A link to the CTF discussed below: Introduction I thoroughly enjoyed the CTF organized by Stephen Hall for a recent Learning & Growth session at Security Compass. I was in awe of how some of my co-workers solved the challenges, and wanted to understand their mindset. So, I looked at one of the challenges no…