Tag · Rohit Sethi

A Message That Resonates

posted on Jun 20, 2012 by Rohit Sethi

A couple of weeks ago I posted an article on managing security requirements on agile development at InfoQ. I was pleasantly surprised to see a number of development / agile folks respond positively to the article on the Twitterverse. In fact, I think this article got more attention from developers (not just security focused ones)…

Dealing with the “Security is Special” problem

posted on Jun 13, 2012 by Rohit Sethi

In the last entry in the series on cultural challenges in application security, we introduced the “Security is Special” problem. We described the problem where application security issues hold a trump card over other development issues, and how that can erode the relationship between security and development. In our experience, insisting on high priorities for all security issues is one of…

LinkedIn Isn’t an Isolated Case

posted on Jun 8, 2012 by Rohit Sethi

By now you’ve probably heard about the disclosure of unsalted, hashed passwords from LinkedIn and possibly other sites. While it’s not immediately clear how malicious attackers got a hold of the passwords, several people in the security community have pointed out that LinkedIn did not follow best practices for password storage. This deviation from best…

What does the DBIR show us?

posted on Mar 28, 2012 by Rohit Sethi

I just finished reading Verizon’s insightful 2012 Data Breach Investigations Report. As usual, well-known vulnerabilities such as guessable / brute-force credentials and SQL injection continue to be the root cause for the vast majority of hacking-related breaches. The report reminded me of a really insightful presentation from Source Seattle last year by Myles Conley…

The “Security is Special” Problem: Cultural Challenge #2

posted on Mar 20, 2012 by Rohit Sethi

This is the second entry in a series on cultural challenges of application security. Steve the application security analyst sits down with Jennifer, an application architect at his company. Steve is armed with a series of PowerPoints and PDFs explaining a secure SDLC rollout. Before Steve can begin, Jennifer starts: “Steve, we all care about…

Dealing with the Incompetent Developer Problem

posted on Mar 12, 2012 by Rohit Sethi

In the last entry in the series on cultural challenges in application security, we introduced the incompetent developer problem. In this entry, we’ll describe some techniques to help resolve it. We described a scenario where Steve, the application security lead, sat down with Julio, a developer, to explain a secure SDLC program. Steve was…

The Incompetent Developer Problem: Cultural Challenge #1

posted on Mar 6, 2012 by Rohit Sethi

Steve, the application security lead, sits down with Julio, a senior developer. Steve explains an initiative to move security into the early phases of the SDLC. Julio understands the value proposition: it’s easier to fix defects early on. Steve then goes on to explain the new processes he’ll be instituting and Julio looks concerned: “I…

Why Appsec Isn’t Scaling

posted on Mar 4, 2012 by Rohit Sethi

There’s a popular article on CNET about why the security industry never actually makes us secure. They make specific note of how Microsoft’s SDL program is a success, but that the solution doesn’t scale. We at Security Compass and SD Elements tend to be more optimistic about scaling an SDL program. Secure Application Lifecycle Management…

The Cultural Challenges of Application Security

posted on Feb 21, 2012 by Rohit Sethi

By Nima Dezhkam and Rohit Sethi

Steve, the application security expert, walks into a room of his company’s senior developers. He projects a carefully prepared PowerPoint presentation onto a screen. Steve begins his presentation, “Security in the Software Development Life Cycle”, by articulating the business case for integrating security earlier into the development process. Nobody…

Down the Rabbithole Podcast

posted on Oct 12, 2011 by Rohit Sethi

I had the privilege of sitting down with Rafal Los and Glenn Leifheit at OWASP AppSecUSA 2011 in Minneapolis to talk about how we can embed security in QA. Raf was nice enough to record our conversation on his popular podcast series, Down the Rabbithole. We are big fans of finding practical, repeatable ways to build…