-
Lesson/Domain 6 -- Security School: Training for CISSP Certification
Security School webcasts are focused on CISSP training. Each lesson corresponds to a specific domain in the CISSP exam's "Common Body of Knowledge." School
-
Infosec Know IT All Trivia: Application security
Put your knowledge of application security to the test. Quiz
-
Tutorial test: Malicious code -- What's what
Test your knowledge of malicious code with this test. Quiz
- See More: Essential Knowledge on Software Development Methodology
-
Nothing funny about SCADA and ICS security
A researcher calls the state of industrial control system security “laughable” and warns of the consequences of unpatched critical infrastructure that is reachable over the Internet. News | 06 Feb 2012
-
Microsoft emergency update to address hash collision attacks
A critical update affects all versions of Microsoft .NET Framework and other programming languages. The vulnerability could allow denial-of-service attacks. News | 29 Dec 2011
-
Cybersecurity career experts: Mobile app security skills hot in 2012
The increase in smartphones and other mobile devices has fueled demand for IT security pros with mobile app security and networking skills, say several cybersecurity career experts. News | 28 Dec 2011
-
Android app security: Study finds mobile developers creating flawed Android apps
A study of enterprise applications designed for Android devices found over 40% of Android applications contain hard-coded cryptographic keys, a practice that weakens Android app security. News | 08 Dec 2011
-
Adobe Flex update patches flaw in Flex application development framework
A coding error in the Adobe Flex SDK could cause developers to create applications with cross-site scripting issues, according to an advisory issued by Adobe Systems. News | 01 Dec 2011
-
HTML 5 security issues pose challenges for enterprises, experts say
While the Adobe Flash replacement packages browser data more efficiently, HTML 5 security issues present holes that could be targeted by attackers. News | 30 Nov 2011
-
Web application risks exacerbated by social media ties, says ISACA
Asynchronous JavaScript Technology, XML, Flash and HTML 5 enable a rich Web experience, but also give attackers an alarming number of ways to penetrate corporate networks. News | 26 Oct 2011
-
Cigital BSIMM 3 study provides software security metrics data
The third iteration of the widely acclaimed Building Security in Maturity Model documents software security initiatives at 42 enterprises. News | 27 Sep 2011
-
Measurement first among secure software development benchmarks
One expert says before implementing secure software development benchmarks, take stock of the security of existing applications. News | 20 Sep 2011
-
Citigroup attack highlights insufficient authorization error
Citigroup hackers used a common website vulnerability to bypass security controls and reap confidential banking data. News | 14 Jun 2011
- See More: News on Software Development Methodology
-
UTM features: Is a UTM device right for your layered defense?
Expert Mike Chapple explores what features a contemporary UTM device provides, and explains the factors that help determine UTM total cost of ownership. Tip
-
Securing naming and directory services for application defense-in-depth
There are several aspects of naming and directory services when it comes to security. In this tip, part of the SearchSecurity.com Application Security School lesson, learn how to secure LDAP, as well as how application security teams can work with in... Tip
-
Improving software with the Building Security in Maturity Model (BSIMM)
Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)? Tip
-
How to detect software tampering
In their book Surreptitious Software, authors Christian Collberg and Jasvir Nasvir reveals how to tamperproof your software and make sure it executes as intended. Tip
-
Common PCI questions: Web application firewalls or source code review?
Is it better to use Web application firewalls, automated source code security reviews or vulnerability scans? Michael Cobb reviews your options. Tip
-
Enterprise security in 2008: Building trust into the application development process
The Storm botnet, launched a year ago, proved that malicious hackers were developing more sophisticated botnets -- and more sophisticated business strategies. As Michael Cobb explains, it's just one reason why application security pros need to keep a... Tip
-
Cross-build injection attacks: Keeping an eye on Web applications' open source components
Web application developers' growing dependence on open source components has opened the door for attackers to insert malicious code into applications even as they are being built. Michael Cobb explores the emerging attack method called cross-build in... Tip
-
How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities
For years, many have said that there is no practical way to exploit a dangling pointer, a common application programming error. But these software bugs should no longer be thought of as simple quality-assurance problems. Michael Cobb explains how the... Tip
-
Dynamic code obfuscation: New threat requires innovative defenses
Dynamic code obfuscation used to be a taxing effort, but now even the most junior-level malicious hackers have learned how to effectively hide their code. In this tip, Michael Cobb examines how dynamic code obfuscation works, why it's on the rise and... Tip
-
Ten dos and don'ts for secure coding
Security practitioners should understand how developers introduce security vulnerabilities into applications and work to support the developers in improving code quality and security. Encouragement and support for improvement must be a fundamental pa... Tip
- See More: Tips on Software Development Methodology
-
An intro to free Microsoft security tools for secure software development
Free Microsoft security tools Threat Modeling, MiniFuzz and RegExFuzz are designed to help developers build secure software. Answer
-
How to secure websites using the HSTS protocol
Learn how to use HTTP Strict Transport Security (HSTS) to secure websites and how HSTS prevents man-in-the-middle attacks. Answer
-
Windows ASLR: Investing in your secure software development lifecycle
Implementing Windows ASLR can be a worthwhile investment in your enterprise’s secure software development lifecycle. Answer
-
What is a virtual directory? The essential application deployment tool
What is a virtual directory? As expert Michael Cobb explains, it can be an extremely helpful secure application deployment tool. Answer
-
Java Virtual Machine architecture: Applet to applet communication
In a Java Virtual Machine architecture, is it possible for two machines to communicate with one another? Expert Michael Cobb describes how the applet-to-applet communication process works. Answer
-
Managing application permissions through isolated storage
Application permissions are essential in securing application data. Learn how isolated storage allows secure, controlled access to application files. Answer
-
Secure coding best practices: PHP and programming language security
Michael Cobb explains how proper secure coding training is much more important than PHP programming language security. Answer
-
How to mitigate the risk of a TOCTTOU attack
Are TOCTTOU attacks, exploiting time-of-check-to-time-of-use race conditions, a threat to your enterprise file systems? Expert Michael Cobb discusses the dangers and how to mitigate them. Answer
-
Can threat modeling tools help with securing mobile applications?
When developing enterprise applications, do you know the quickest way to bridge the gap between an information security team and a development group? Answer
-
Creating a third-party security policy to prevent a software exploit
Third-party software vulnerabilities are one of the most likely attack vectors in the information security landscape today. In this expert response, Nick Lewis discusses how to prevent these vulnerabilities from becoming exploits. Ask the Expert
- See More: Expert Advice on Software Development Methodology
-
fuzz testing (fuzzing)
Fuzz testing or fuzzing is a technique used by ethical hackers to discover security loopholes in software, operating systems or networks by massive inputting of random data to the system in an attempt to make it crash... (Continued) Word
-
Common Weakness Enumeration (CWE)
Common Weakness Enumeration (CWE) is a universal online dictionary of weaknesses that have been found in computer software... (Continued) Word
-
threat modeling
Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system... Word
-
trigraph
Word
-
heuristics
Word
-
bypass
Word
-
sandbox
Word
-
debugging
Word
-
Countdown: Top 5 must-haves for your SDL security strategy
In this podcast, expert Cory Scott details the five most important elements to ensure enterprise SDL security for Web applications. Podcast
-
Marcus Ranum on the consequences of poor software design
Marcus Ranum discusses the consequences of poor software design and what can be done to ensure this does not happen in the future. Video
-
Secure software development: Getting started
Chris Eng, senior security researcher at Veracode Inc., explains how firms can get started improving their software development processes. Video
-
Secure application development processes improving, expert says
In this interview conducted at RSA Conference 2011, Gary McGraw, chief technology officer at Cigital Inc., a software security and quality consulting firm, explains how more organizations are embracing software development processes to improve the co... Video
-
Software security threats and employee awareness training
What are the newest threats to enterprise networks, and how can you subvert these emerging security threats? Greg Hoglund, CEO of HBGary and creator of the first rootkit, answers these questions. Video
-
The importance of secure software development training
At Information Security Decisions 2008, security researchers discuss secure application coding and how to teach best practices to young developers (part 4 of 4). Video
-
The future of exploit vulnerability research
At Information Security Decisions 2008, security researchers discuss the most vulnerable network points and the future of the SDLC (part 1 of 4). Video
-
Gary McGraw on secure software development
Gary McGraw of Cigital Inc. explains why better secure coding could help thwart future Web 2.0 attacks. He says the industry is making progress. Video
-
Nothing funny about SCADA and ICS security
A researcher calls the state of industrial control system security “laughable” and warns of the consequences of unpatched critical infrastructure that is reachable over the Internet. News
-
Microsoft emergency update to address hash collision attacks
A critical update affects all versions of Microsoft .NET Framework and other programming languages. The vulnerability could allow denial-of-service attacks. News
-
Cybersecurity career experts: Mobile app security skills hot in 2012
The increase in smartphones and other mobile devices has fueled demand for IT security pros with mobile app security and networking skills, say several cybersecurity career experts. News
-
An intro to free Microsoft security tools for secure software development
Free Microsoft security tools Threat Modeling, MiniFuzz and RegExFuzz are designed to help developers build secure software. Answer
-
Android app security: Study finds mobile developers creating flawed Android apps
A study of enterprise applications designed for Android devices found over 40% of Android applications contain hard-coded cryptographic keys, a practice that weakens Android app security. News
-
Adobe Flex update patches flaw in Flex application development framework
A coding error in the Adobe Flex SDK could cause developers to create applications with cross-site scripting issues, according to an advisory issued by Adobe Systems. News
-
HTML 5 security issues pose challenges for enterprises, experts say
While the Adobe Flash replacement packages browser data more efficiently, HTML 5 security issues present holes that could be targeted by attackers. News
-
Countdown: Top 5 must-haves for your SDL security strategy
In this podcast, expert Cory Scott details the five most important elements to ensure enterprise SDL security for Web applications. Podcast
-
How to secure websites using the HSTS protocol
Learn how to use HTTP Strict Transport Security (HSTS) to secure websites and how HSTS prevents man-in-the-middle attacks. Answer
-
Windows ASLR: Investing in your secure software development lifecycle
Implementing Windows ASLR can be a worthwhile investment in your enterprise’s secure software development lifecycle. Answer
- See More: All on Software Development Methodology
About Software Development Methodology
This software development methodology resource center offers news and advice on using secure code to develop software without breaking it. Get information about secure software development tools, methods, systems, testing, the software development lifecycle, threat modeling, and static and source code analysis.