Tag · sdlc

Dealing with the “Security is Special” problem

posted on Jun 13, 2012 by Rohit Sethi

In the last entry in our series on cultural challenges in application security, we introduced the “Security is Special” problem: application security issues hold a trump card over every other development issue, and that trump card erodes the relationship between security and development. In our experience, insisting on high priorities for all security issues is one of…

LinkedIn Isn’t an Isolated Case

posted on Jun 8, 2012 by Rohit Sethi

By now you’ve probably heard about the disclosure of unsalted, hashed passwords from LinkedIn and possibly other sites. While it’s not yet clear how attackers got hold of the password hashes, several people in the security community have pointed out that LinkedIn did not follow best practices for password storage: an unsalted, fast hash lets an attacker recover many passwords from one precomputed table, whereas a per-user salt and a deliberately slow hash force the work to be repeated per account. This deviation from best…
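To make the storage point concrete, the following is an added example (not code from the original post or from LinkedIn): it contrasts unsalted, single-pass hashing with salted, iterated PBKDF2 from Python's standard library. The use of SHA-1 as the weak algorithm and PBKDF2-HMAC-SHA256 as the hardened one are assumptions chosen for illustration; bcrypt or scrypt would serve the same purpose. The candidate password list is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: a handful of common passwords an attacker
# would precompute in a lookup table.
COMMON_PASSWORDS = ["123456", "password", "linkedin", "letmein"]


def unsalted_sha1(password: str) -> str:
    """Weak scheme (assumed for illustration): one deterministic digest per
    password, shared by every user who chose that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates) -> Dict[str, str]:
    """Precompute digest -> password once; reusable against every leaked record."""
    return {unsalted_sha1(p): p for p in candidates}


def crack_unsalted(leaked_digest: str, table: Dict[str, str]) -> Optional[str]:
    """A single dictionary lookup recovers the password if it is in the table."""
    return table.get(leaked_digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Hardened scheme: random 16-byte salt per user plus an iterated KDF.
    Stored as 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(stored: str, candidates) -> Optional[str]:
    """Against a salted record the attacker cannot reuse a table: every
    candidate must be re-derived with this record's own salt and cost."""
    for candidate in candidates:
        if verify_password(candidate, stored):
            return candidate
    return None


def demo() -> dict:
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = unsalted_sha1("linkedin")          # what an unsalted dump exposes
    salted_a = hash_password("linkedin")        # same password, two users ...
    salted_b = hash_password("linkedin")        # ... two different records
    return {
        "unsalted_cracked": crack_unsalted(leaked, table),
        "records_differ": salted_a != salted_b,
        "salted_cracked": crack_salted(salted_a, COMMON_PASSWORDS),
        "wrong_password_rejected": not verify_password("Linkedin", salted_a),
    }


if __name__ == "__main__":
    print(demo())
```

Note that salting does not make a weak password safe: `crack_salted` still recovers "linkedin" from the candidate list. What it removes is the one-table-for-everyone shortcut, and the iteration count makes each per-user guess cost roughly 100,000 hash operations instead of one.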

Applications are the Crash Test Dummies of Security

posted on Aug 10, 2011 by Rohit Sethi

Once upon a time, driving a car was substantially more dangerous than it is now, and manufacturers were not held liable for accidents caused by their design and manufacturing processes. Then everything changed: car manufacturers now build safety into their designs right from the start. Software developers have also begun trying to build more secure applications. The…

SDLC Security Audit Framework

posted on Mar 30, 2010 by Rohit Sethi

We’ve put together a framework based on the OWASP Software Assurance Maturity Model (OpenSAMM) and some of its user-contributed checklists to perform a security assessment of an organization’s SDLC. The intent is not to find specific flaws in an application, but rather to measure how much security is baked into the development process itself. Today, this kind of assessment…