-
Managing identities in hybrid worlds
The world in which successful IAM programs must be implemented is increasingly complex, a mix of legacy on-premise IAM infrastructures, cloud-based IDaaS for hybrid cloud infrastructures, and mobile devices that are either an authentication token in ... E-Zine
-
Technical guide to secure development practices
When security practitioners attempt to introduce secure development practices into a development process and organization, they are typically less than accepted. Development organizations tend to reject formal internal structure and process imposed f... E-Book
-
Editor’s desk: A chat with Peter G. Neumann
Peter G. Neumann shares his thoughts on the inherent complexity of trustworthiness and the evolutionary promise of clean-slate architectures. Feature
-
Firm pushes software security testing with fugitive tracking system
System that helps law enforcement track down fugitives was tested thoroughly to prove to CTOs and IT teams that the company is serious about security. Feature
-
Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
-
Quiz: How to build secure applications
Use this five-question quiz to test your knowledge of how to secure your enterprise apps. Quiz
-
Geekonomics: The Real Cost of Insecure Software
In Chapter 1 of his new book, "Geekonomics: The Real Cost of Insecure Software," David Rice examines why software manufacturers continue to produce (and consumers continue to purchase) unreliable and insecure software. Book Chapter
-
The Art of Software Security Testing
Read an excerpt from the book, The Art of Software Security Testing: Identifying Software Security Flaws. In Chapter 11, "Local Fault Injection," the authors explain the proper methods for examining file formats. Chapter excerpt
-
How to build secure applications
In this lesson, learn how to build security into the software development lifecycle, implement a practical, efficient change management system and test your applications using a black-box or white-box technique. Part of guide series
-
Attacks targeted to specific applications
This is the fourth tip in our series, "How to assess and mitigate information security threats," excerpted from Chapter 3: The Life Cycle of Internet Access Protection Systems of the book "The Shortcut Guide to Protecting Business Internet Usage," pu... Book Chapter
-
PING with Aviel Rubin
In this exclusive interview with Information Security magazine, Aviel Rubin, author of "Brave New Ballot," examines security problems in e-voting machines, and details why it isn't just a cause for concern, it's a matter of national security. Information Security magazine
-
Checklist: Ten dos and don'ts for secure coding
Download this checklist of dos and don'ts for developing secure code. Checklist
- See more Essential Knowledge on Software Development Methodology
-
New skills for the QA tester: Scripting, security
Software quality assurance is gaining respect as a profession -- but do QA testers have the scripting and security skills the role now requires? Quality Time | 17 May 2013
-
Deploying DLP technology requires hands-on approach, experts say
Preventing data loss incidents involves sound policy, knowledge of the threat landscape and constant vigilance over your DLP system, experts say. News | 11 Dec 2012
-
Twelve common software security activities to lift your program
Software security expert Gary McGraw explains the processes commonly found in highly successful software security programs. Opinion | 07 Dec 2012
-
Enterprises at core of vendor software security testing, Veracode finds
Less than one in five enterprises have requested code-level security tests from at least one vendor, but the volume of assessments is growing. News | 13 Nov 2012
-
Gary McGraw: Proactive defense prudent alternative to cyberwarfare
Software security expert Gary McGraw explains that the U.S. should build proactive defense capabilities rather than pour billions into cyberweapons. News | 01 Nov 2012
-
Web app design at the core of coding weaknesses, attacks, says expert
When addressing Web application threats and vulnerabilities, security teams need to look out for design flaws, says Mike Shema of Qualys, Inc. News | 16 Oct 2012
-
Ten commandments for software security
Software security expert Gary McGraw provides actionable guidance based on analysis of dozens of software security firms. Opinion | 04 Oct 2012
-
Firms failing at mobile application development security, study finds
Security is failing to gain a priority in the rush to build and test mobile applications, according to a study by Capgemini. News | 19 Sep 2012
-
Little being done to prevent Web application threats, analysts say
Vulnerabilities in HTML 5 make it an emerging threat; however, SQL injection and XSS remain among the top attacks. News | 19 Sep 2012
-
BSIMM study expands scope, identifies new software security activities
BSIMM4 found some firms actively scanning for malicious code from rogue developers. Crisis simulation scenarios improve product security response. News | 17 Sep 2012
- See more News on Software Development Methodology
-
Five major technology trends affecting software security assurance
Column: Gary McGraw says five shifts in the IT landscape are affecting software security, but several BSIMM best practices can limit risk exposure. Opinion
-
McGraw: Financial services develop a proactive posture
The idea behind proactive security is simple: build security in the first time by following security models like BSIMM and security engineering. Column
-
Marcus Ranum: Q&A with clean-slate pioneer Peter G. Neumann
Marcus Ranum, security expert and Information Security magazine columnist, goes one-on-one with clean-slate luminary Peter G. Neumann of SRI International and formerly Bell Labs. Column
-
Security transitions: Changes that make a difference
This month, Information Security Magazine examines security industry changes that can really make a difference: improving identity management and building security into software from the get go. Opinion
-
McGraw's mobile app security strategy: Three legs of 'trusted on busted'
Struggling to define your mobile app security strategy? Gary McGraw offers a manifesto to help get infosec and app developers on the same page. Column
-
Testing, assessment methods offer third-party software security assurance
No ultimate test can give third-party software a clean bill of health, but careful assessment can help organizations gain more control over vendors. Opinion
-
Thirteen principles to ensure enterprise system security
Designing sound enterprise system security is possible by following Gary McGraw's 13 principles, many of which have held true for decades. Column
-
Congress should encourage bug fixes, reward secure systems
Cybersecurity policy should encourage bug fixes instead of simply recording and reporting attacks, software security expert Gary McGraw explains. Opinion
-
Gary McGraw: Eliminating badware addresses malware problem
Bad software and malicious software are two different issues that are easily confused, says software security expert Gary McGraw. Opinion
-
Gary McGraw on software security assurance: Build it in, build it right
If the field of computer security is to be fixed, the only hope we have is building security in, says software security expert Gary McGraw. Opinion
-
Remediation planning for Ruby on Rails security vulnerabilities
The recent Ruby on Rails security vulnerabilities can be patched. Expert Michael Cobb discusses the fallout and offers help with remediation planning. Tip
-
How to develop cloud applications based on Web app security lessons
Expert Dave Shackleford details how to build cloud applications based on typical Web app security flaws and cloud provider tools and platforms. Tip
-
How to negate business logic attack risk: Improve security in the SDLC
Expert Nick Lewis details the threat posed by business logic attacks and how stressing the importance of security in the SDLC can reduce that threat. Tip
-
HTML5 security: Will HTML5 replace Flash and increase Web security?
Will HTML5 replace Flash? Expert Michael Cobb discusses whether HTML5 security is better than Flash, and why HTML5 traffic can be harder to secure. Tip
-
UTM features: Is a UTM device right for your layered defense?
Expert Mike Chapple explores what features a contemporary UTM device provides, and explains the factors that help determine UTM total cost of ownership. Tip
-
Securing naming and directory services for application defense-in-depth
There are several aspects of naming and directory services when it comes to security. In this tip, part of the SearchSecurity.com Application Security School lesson, learn how to secure LDAP, as well as how application security teams can work with in... Tip
-
Improving software with the Building Security in Maturity Model (BSIMM)
Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)? Tip
-
How to detect software tampering
In their book Surreptitious Software, authors Christian Collberg and Jasvir Nagra reveal how to tamperproof your software and make sure it executes as intended. Tip
-
Common PCI questions: Web application firewalls or source code review?
Is it better to use Web application firewalls, automated source code security reviews or vulnerability scans? Michael Cobb reviews your options. Tip
-
Enterprise security in 2008: Building trust into the application development process
The Storm botnet, launched a year ago, proved that malicious hackers were developing more sophisticated botnets -- and more sophisticated business strategies. As Michael Cobb explains, it's just one reason why application security pros need to keep a... Tip
- See more Tips on Software Development Methodology
-
Why securing internal applications is as important as Web-facing apps
Securing internal applications requires the same due diligence as their Web-facing counterparts. Expert Michael Cobb explains why. Answer
-
Secure code review process: How many review rounds are needed?
Expert Michael Cobb details how to argue for a multistep secure code review process like the Microsoft SDL, and the pros of secure coding practices. Answer
-
Application security risks posed by open source Java frameworks
Expert Michael Cobb says security issues with open source Java applications have more to do with misconfigurations than the frameworks themselves. Answer
-
The effects of secure application development practices
Selling the CIO and others on secure application development requires understanding how it will impact the development process. Answer
-
Is sandboxing the answer to Adobe Acrobat, Adobe Reader security woes?
Expert Michael Cobb assesses the impact of sandboxing on Adobe Acrobat and Adobe Reader security. Can enterprises trust Adobe's new security methods? Answer
-
Implement software development security best practices to support WAFs
WAFs aren't a panacea for all Web security woes. Software development security best practices are still vital. Expert Michael Cobb discusses why. Answer
-
Replace technical debt-laden Adobe Reader with alternative PDF readers
Adobe Reader's technical debt may pose too great a security risk for some enterprises. Security expert Nick Lewis advises turning to alternative PDF readers. Answer
-
H.264 vs Flash: Using the H.264 codec as a secure Flash alternative
Can the H.264 video codec serve as a more secure Flash alternative? Expert Nick Lewis provides a security breakdown of H.264 vs Flash. Answer
-
An intro to free Microsoft security tools for secure software development
Free Microsoft security tools Threat Modeling, MiniFuzz and RegExFuzz are designed to help developers build secure software. Answer
-
How to secure websites using the HSTS protocol
Learn how to use HTTP Strict Transport Security (HSTS) to secure websites and how HSTS prevents man-in-the-middle attacks. Answer
- See more Expert Advice on Software Development Methodology
-
stack overflow
A stack overflow is an undesirable condition in which a particular computer program tries to use more memory space than the call stack has available. In programming, the call stack is a buffer that stores requests that need to be handled. Definition
-
mobile security (wireless security)
Mobile security is the protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing. Mobile security is also known as wireless ... Definition
-
Common Weakness Enumeration (CWE)
Common Weakness Enumeration (CWE) is a universal online dictionary of weaknesses that have been found in computer software. Definition
-
fuzz testing (fuzzing)
Fuzz testing or fuzzing is a technique used by ethical hackers to discover security loopholes in software, operating systems or networks by feeding massive amounts of random data to the system in an attempt to make it crash. Definition
-
heuristics
Heuristics is the application of experience-derived knowledge to a problem and is sometimes used to describe software that screens and filters out messages likely to contain a computer virus or other undesirable content. Definition
-
debugging
In computers, debugging is the process of locating and fixing or bypassing bugs (errors) in computer program code or the engineering of a hardware device. Definition
-
threat modeling
Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system... Definition
-
trigraph
A trigraph is a three-character replacement for a special or nonstandard character in a text file. Definition
-
bypass
Bypass, in general, means either to go around something by an external route rather than going through it, or the means of accomplishing that feat. Definition
-
sandbox
In general, a sandbox is an isolated computing environment used by software developers to test new programming code. Definition
-
At Adobe, secure software development program demands 'ninja' tactics
Video: Adobe CSO Brad Arkin explains how his firm fosters secure software development by inspiring developers to become security 'ninjas.' Video
-
Kandek: Most secure Web browser may be one with fewest plug-ins
Video: Qualys CTO Wolfgang Kandek said plug-ins now affect Web browser security more than the browsers themselves. Video
-
Use the Android static analysis tool Dexter to safely deploy apps
Video: Keith Barker of CBT Nuggets demos Dexter, the Android static analysis tool that examines and securely deploys Android applications. Screencast
-
Software security podcast library
SearchSecurity.com is pleased to partner with Gary McGraw to feature his monthly Silver Bullet software security podcasts, which discuss best practices in software security. Podcast
-
McGraw: Use VBSIMM software security model when buying software
Video: Gary McGraw explains how JPMorgan Chase and others use the VBSIMM security model to vet software purchased from third-party vendors. Video
-
Gary McGraw on evolution of BSIMM maturity framework
Video: McGraw discusses the past and future of the BSIMM maturity framework for software security, and how vendors like Adobe and Microsoft measure up. Video
-
Debating international cyberespionage, poor secure coding practices
Corey Schou explains why cyberespionage and corporate intelligence are linked; also, why attackers aren't to blame for insecure coding practices. Video
-
Video: Software Reliability: Building Security In
In this video, learn state-of-the-art techniques for building a secure software development process. Video
-
Countdown: Top 5 must-haves for your SDL security strategy
In this podcast, expert Cory Scott details the five most important elements to ensure enterprise SDL security for Web applications. Podcast
-
Marcus Ranum on the consequences of poor software design
Marcus Ranum discusses the consequences of poor software design and what can be done to ensure this does not happen in the future. Video
- See more Multimedia on Software Development Methodology
About Software Development Methodology
This software development methodology resource center offers news and advice on using secure code to develop software without breaking it. Get information about secure software development tools, methods, systems, testing, the software development lifecycle, threat modeling, and static and source code analysis.