Shining a light on application layer DDoS attacks

posted on Jul 21, 2016 by Greg Bouchard

DDoS attacks are rightly understood as one of the biggest cyber threats today, with their frequency and size growing every year and their financial consequences more dire than ever. DDoS attacks increased by 90% over the last year, and with high profile targets ranging from HSBC to the BBC and the U.S. Library of Congress, they…

Five Tips for Hiring and Developing Security Staff Using Security Certifications

posted on Mar 7, 2016 by Rohit Sethi

Hiring security staff is no easy task. The demand for IT professionals with security expertise far exceeds supply. In an effort to weed out unqualified applicants, hiring managers tend to rely on information security certifications. Unfortunately, a certification isn’t proof of an individual’s qualification any more than the lack of a certification indicates that an…

Top 5 Benefits of Role-based Security Training for Developers

posted on Mar 2, 2016 by Guest Blogger

Software fulfills many critical roles in business today – from generating revenue to increasing operational efficiency. Software engineering teams face growing development queues and pressure to deliver. Unfortunately, when some developers lack the skillset to build secure code, every project has the potential to increase the company’s risk. This presents managers with a quandary:…

Tips for Security Leaders on Communicating with the Business

posted on Feb 23, 2016 by Afshar Ganjali

It’s no secret that a communication gap exists between security leaders and the business – and it’s time security leaders did something about it. An inability to articulate the value of the security organization’s efforts and justify expenditures not only impacts the security leader’s credibility, it also impacts the overall effectiveness of the security organization’s…

NIST – From IT to IoT Security

posted on Feb 16, 2016 by Amir Pourafshar

NIST (National Institute of Standards and Technology) primarily publishes its computer/cyber/information security guidelines, recommendations and reference materials through the Special Publication (SP) 800 series [1]. Among these publications, NIST SP 800-53 [2] offers organizations a broad range of security controls to provide a more holistic approach to the security of their information systems. SP 800-53 catalogs fundamental…

A Brief History of Application Security

posted on Feb 2, 2016 by Shane Parfitt

Computer hackers have a long history of trying to expose and exploit vulnerabilities on networks and in software applications. With the advent of the Internet and subsequent mass deployment of Web applications, attacks can be carried out on a massive scale, and can have profound business and personal impacts. The need to eliminate threats and…

A Layman’s Guide to the ISO 27034

posted on Nov 23, 2015 by Rohit Sethi

What is the ISO 27034? The upcoming ISO 27034 standard provides, at long last, an internationally-recognized standard for application security. Though not officially completed yet, much of the ISO 27034 standard’s structure is already set through the publishing of the first part: ISO/IEC 27034-1:2011. The ISO 27034 is closely aligned with several other ISO standards,…

BSIMM Mapping

posted on Nov 19, 2015 by Igor Gvero

The Building Security In Maturity Model (BSIMM) is a descriptive model of software security programs. BSIMM gathers the activities that a collection of companies are already doing as a way to assess a firm’s maturity in software security. Several BSIMM participants are also Security Compass clients, and it’s clear to see why: SD Elements maps…

The Million Dollar Question: Build or Buy for Security Tools?

posted on Nov 17, 2015 by ehsan

When a large enterprise is looking to invest in improving its processes and automation, the question of Build vs. Buy comes up more frequently than you would imagine. This is a decision that will have a significant impact for years to come, and it is a tough one for management to make. While most…

Don’t Trust Your Plugins

posted on Nov 12, 2015 by Abhineet Jayaraj

WordPress security, or the lack of it, isn’t really a new concept. There are dozens and dozens of posts and guidelines for securing WordPress, including an official post on their site which provides a great overview for tasks you can do to secure your implementation. Here at Security Compass we do a lot of assessments…