Building secure applications has to start with the IT department. We have fought the battle for far to long in trying to have a different group responsible for securing our applications. Whether you call it application security, product security, devsecops, or something else. It just doesn't work. These different groups can help in identifying and implementing some processes, but secure code starts with the development team. If we really want to start building more secure applications we have … [Read more...] about Application Security Starts With IT
application security
Tips for hiring developers with security experience
In order to reduce the risk to our applications, we must start hiring resources that come in with some level of secure development knowledge. As a matter of fact, it shouldn't even be thought of as security knowledge, but just good development knowledge. Job Description The first question that pops up is around writing job descriptions. How much "security" should be in a job description for a developer role? Does it change from entry level engineer to a senior level engineer? I think there … [Read more...] about Tips for hiring developers with security experience
HTTPS Isn’t Just For Sensitive Info
When we think about HTTP vs. HTTPS, we often focus on the risk to sensitive information. HTTP transmits our data in clear-text, while HTTPS encrypts the data to stop people from snooping. But that is not all that HTTPS does. What about tampering? One of the other key aspects of HTTPS is to protect our communication with the server from tampering. In this case, we would be concerned with someone being able to manipulate the responses that are sent back to the user's browser. While no sensitive … [Read more...] about HTTPS Isn’t Just For Sensitive Info
Technical Debt vs. New Dev
When it comes to application vulnerabilities, there are 2 common groups we might view them: Technical Debt and New Development. I break these down because the way in which we address vulnerabilities is fundamentally different. Something that might not be exploitable receives a very low priority when it is technical debt. However, during new development, it can be addressed with little cost. Much of this comes down to if soemthing is syntactically insecure vs. actually vulnerable. Let’s look at … [Read more...] about Technical Debt vs. New Dev
Ep. 120: Addressing Root Cause – Vulnerable Components
In this episode we talk about addressing the root cause of an issue versus the symptoms. How can the process of keeping application components updated be improved? For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Transcript: In this episode, James talks about root cause analysis versus treating … [Read more...] about Ep. 120: Addressing Root Cause – Vulnerable Components
Input validation is less about specific vulnerabilities
Security takes a layered approach to reduce the risk to our organization. Input validation is the perfect example of one of these layers. In most cases, input validation is 1 factor in a multi-pronged approach to protecting against common vulnerabilities. Take any course on secure development and they will, or should, mention input validation as a mitigating control for so many vulnerabilities. You might notice that it always comes with a but. Use input validation, but also use output … [Read more...] about Input validation is less about specific vulnerabilities