Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
-
Quiz: How to build secure applications
Use this five-question quiz to test your knowledge of how to secure your enterprise apps. Quiz
-
Geekonomics: The Real Cost of Insecure Software
In Chapter 1 of his new book, "Geekonomics: The Real Cost of Insecure Software," David Rice examines why software manufacturers continue to produce (and consumers continue to purchase) unreliable and insecure software. Book Chapter
-
The Art of Software Security Testing
Read an excerpt from the book, The Art of Software Security Testing: Identifying Software Security Flaws. In Chapter 11, "Local Fault Injection," the authors explain the proper methods for examining file formats. chapter excerpt
-
Attacks targeted to specific applications
This is the fourth tip in our series, "How to assess and mitigate information security threats," excerpted from Chapter 3: The Life Cycle of Internet Access Protection Systems of the book "The Shortcut Guide to Protecting Business Internet Usage," pu... Book Chapter
-
PING with Aviel Rubin
In this exclusive interview with Information Security magazine, Aviel Rubin, author of "Brave New Ballot," examines security problems in e-voting machines and details why it isn't just a cause for concern, it's a matter of national security. Information Security magazine
-
Checklist: Ten dos and don'ts for secure coding
Download this checklist of dos and don'ts for developing secure code. Checklist
-
Architectural Risk Analysis: Traditional Risk Analysis Terminology
Book Chapter
-
SAP Security Learning Guide
This guide pulls SAP security information from both SearchSecurity.com and its sister site, SearchSAP.com, to provide the most comprehensive resource around for all aspects of making your SAP system bulletproof. Learning Guide
-
Developer's active content delivery checklist
Rules for developing secure dynamic content for an IIS Web server. Security School
- See More: Essential Knowledge on Software Development Methodology
-
Wysopal on application security training, program gaps
Application security expert Chris Wysopal of Veracode explains why some software security programs are lacking and how simple steps can produce big gains. News | 21 May 2012
-
Steve Lipner on the Microsoft SDL, critical infrastructure protection
Microsoft’s senior director of security engineering says core SDL principles should be at the foundation of critical infrastructure system protection. News | 16 May 2012
-
Reverse engineering tools for mobile apps emerging, expert says
Reverse engineering mobile apps helps pen testers find weaknesses and hidden malware, but the variety of mobile platforms and versions makes automation difficult, according to one expert. News | 27 Apr 2012
-
Spam filter gets better of Microsoft SDL—almost
Two program managers at SOURCE Boston shared how a serious vulnerability reported to the MSRC fell into a spam filter and caused an out-of-band patch. News | 24 Apr 2012
-
HP study finds widespread custom Web application flaws
A review of hundreds of unique custom Web applications found more than half are vulnerable to cross-site scripting and more than 86% contain injection flaws. News | 18 Apr 2012
-
Hunting for application logic flaws requires people, expert says
Rafal Los, a software security expert and consultant with Hewlett Packard, says humans far outgun automated tools in the hunt for costly application logic flaws. News | 10 Apr 2012
-
Gary McGraw: Build security in from start
If the field of computer security is to be fixed, the only hope we have is building security in, says software security expert Gary McGraw. News | 09 Apr 2012
-
Nothing funny about SCADA and ICS security
A researcher calls the state of industrial control system security “laughable” and warns of the consequences of unpatched critical infrastructure that is reachable over the Internet. News | 06 Feb 2012
-
Microsoft emergency update to address hash collision attacks
A critical out-of-band update addresses a hash collision vulnerability in all versions of the Microsoft .NET Framework; the same class of flaw affects the hash table implementations of other programming languages and could allow denial-of-service attacks. News | 29 Dec 2011
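The item above describes hash flooding: when a runtime's string hash is unkeyed and predictable, an attacker can submit thousands of keys that all land in one bucket, turning O(1) lookups into O(n) and pinning a CPU. The following is an added example, not code from the story or from Microsoft. It uses Bernstein's times-33 hash as a stand-in for any unkeyed string hash (it is not a claim about the .NET algorithm), builds 2^12 keys that collide under it, and shows the difference a keyed hash (here BLAKE2b with a secret key, as an illustration of the randomized-hash fix) makes to chain length and comparison count.

```python
"""Hash flooding: predictable string hashes let an attacker fill a single bucket."""
import hashlib
import os
from typing import Callable, List, Tuple


def djbx33a(s: bytes) -> int:
    """Bernstein's times-33 hash (unkeyed, 32-bit); stand-in for a predictable runtime hash."""
    h = 5381
    for c in s:
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def colliding_keys(n_bits: int) -> List[bytes]:
    """b'Ez' and b'FY' hash equal under djbx33a (69*33+122 == 70*33+89).
    Because the hash is a polynomial in the input, any concatenation of such
    equal-length colliding blocks also collides, giving 2**n_bits keys."""
    blocks = (b"Ez", b"FY")
    keys = [b""]
    for _ in range(n_bits):
        keys = [k + b for k in keys for b in blocks]
    return keys


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn: Callable[[bytes], int], buckets: int = 4096):
        self.hash_fn = hash_fn
        self.buckets: List[List[list]] = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key: bytes, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

    def max_chain(self) -> int:
        return max(len(c) for c in self.buckets)


def keyed_hash(secret: bytes) -> Callable[[bytes], int]:
    """A per-process secret key makes the bucket index unpredictable to the attacker."""
    def h(s: bytes) -> int:
        return int.from_bytes(hashlib.blake2b(s, key=secret, digest_size=8).digest(), "big")
    return h


def flood(hash_fn: Callable[[bytes], int], keys: List[bytes]) -> Tuple[int, int]:
    """Insert all keys; return (longest chain, total key comparisons)."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.insert(k, True)
    return table.max_chain(), table.comparisons


if __name__ == "__main__":
    attack_keys = colliding_keys(12)          # 4096 keys, 24 bytes each, all colliding
    print("unkeyed:", flood(djbx33a, attack_keys))          # one chain of 4096, ~8.4M comparisons
    print("keyed:  ", flood(keyed_hash(os.urandom(16)), attack_keys))
```

The counts are the point: with the unkeyed hash every insert walks the whole chain, so 4096 keys cost 4096*4095/2 comparisons, and a request body carrying a few hundred thousand such parameter names is enough to stall a worker. Keying the hash is the fix the platform vendors shipped; capping the number of parsed parameters per request is the mitigation an application can deploy itself.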
-
Cybersecurity career experts: Mobile app security skills hot in 2012
The increase in smartphones and other mobile devices has fueled demand for IT security pros with mobile app security and networking skills, say several cybersecurity career experts. News | 28 Dec 2011
- See More: News on Software Development Methodology
-
HTML5 security: Will HTML5 replace Flash and increase Web security?
Will HTML5 replace Flash? Expert Michael Cobb discusses whether HTML5 security is better than Flash, and why HTML5 traffic can be harder to secure. Tip
-
UTM features: Is a UTM device right for your layered defense?
Expert Mike Chapple explores what features a contemporary UTM device provides, and explains the factors that help determine UTM total cost of ownership. Tip
-
Securing naming and directory services for application defense-in-depth
There are several aspects of naming and directory services when it comes to security. In this tip, part of the SearchSecurity.com Application Security School lesson, learn how to secure LDAP, as well as how application security teams can work with in... Tip
-
Improving software with the Building Security in Maturity Model (BSIMM)
Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)? Tip
-
How to detect software tampering
In their book Surreptitious Software, authors Christian Collberg and Jasvir Nagra reveal how to tamperproof your software and make sure it executes as intended. Tip
-
Common PCI questions: Web application firewalls or source code review?
Is it better to use Web application firewalls, automated source code security reviews or vulnerability scans? Michael Cobb reviews your options. Tip
-
Enterprise security in 2008: Building trust into the application development process
The Storm botnet, launched a year ago, proved that malicious hackers were developing more sophisticated botnets -- and more sophisticated business strategies. As Michael Cobb explains, it's just one reason why application security pros need to keep a... Tip
-
Cross-build injection attacks: Keeping an eye on Web applications' open source components
Web application developers' growing dependence on open source components has opened the door for attackers to insert malicious code into applications even as they are being built. Michael Cobb explores the emerging attack method called cross-build in... Tip
-
How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities
For years, many have said that there is no practical way to exploit a dangling pointer, a common application programming error. But these software bugs should no longer be thought of as simple quality-assurance problems. Michael Cobb explains how the... Tip
-
Dynamic code obfuscation: New threat requires innovative defenses
Dynamic code obfuscation used to be a taxing effort, but now even the most junior-level malicious hackers have learned how to effectively hide their code. In this tip, Michael Cobb examines how dynamic code obfuscation works, why it's on the rise and... Tip
- See More: Tips on Software Development Methodology
-
An intro to free Microsoft security tools for secure software development
Free Microsoft security tools Threat Modeling, MiniFuzz and RegExFuzz are designed to help developers build secure software. Answer
-
How to secure websites using the HSTS protocol
Learn how to use HTTP Strict Transport Security (HSTS) to secure websites and how HSTS helps prevent protocol-downgrade and man-in-the-middle attacks. Answer
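As an added illustration of the HSTS answer above (this is example code, not the expert's), the block below builds and validates a Strict-Transport-Security header value and applies it through a small WSGI middleware. Two details a deployment gets wrong most often are encoded in it: the header is only emitted on HTTPS responses, because RFC 6797 tells browsers to ignore it over plain HTTP, and the preload directive is refused unless includeSubDomains is set and max-age is at least a year, since the public preload list requires both. The one-year value and the demo app are assumptions for the example.

```python
"""HSTS: build, parse and apply the Strict-Transport-Security header (RFC 6797)."""
from typing import Dict

ONE_YEAR = 31_536_000  # seconds; a common production max-age and the preload-list minimum


def build_hsts(max_age: int = ONE_YEAR, include_subdomains: bool = True,
               preload: bool = False) -> str:
    """Return a Strict-Transport-Security header value."""
    if max_age < 0:
        raise ValueError("max-age must be non-negative")
    parts = [f"max-age={max_age}"]
    if include_subdomains:
        parts.append("includeSubDomains")
    if preload:
        # preload is irreversible in practice: require the settings the list demands
        if not include_subdomains or max_age < ONE_YEAR:
            raise ValueError("preload requires includeSubDomains and max-age >= 1 year")
        parts.append("preload")
    return "; ".join(parts)


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a header value; directive names are case-insensitive per the RFC."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            result["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    if result["max_age"] is None:
        raise ValueError("max-age directive is required")
    return result


def hsts_middleware(app, header_value: str = build_hsts()):
    """WSGI middleware: add STS on HTTPS responses only (browsers ignore it over HTTP)."""
    def wrapped(environ, start_response):
        def sr(status, headers, exc_info=None):
            already = any(h[0].lower() == "strict-transport-security" for h in headers)
            if environ.get("wsgi.url_scheme") == "https" and not already:
                headers = list(headers) + [("Strict-Transport-Security", header_value)]
            return start_response(status, headers, exc_info)
        return app(environ, sr)
    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def response_headers(app, scheme: str) -> Dict[str, str]:
    """Run one request through a WSGI app and return the response headers."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(headers)

    list(app({"wsgi.url_scheme": scheme, "REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured


if __name__ == "__main__":
    app = hsts_middleware(demo_app)
    print(response_headers(app, "https"))
    print(response_headers(app, "http"))
```

The caveat the header cannot fix: a user's very first visit, before the policy is cached, is still reachable over HTTP, which is what the preload list exists for. Roll out with a short max-age first and raise it once every subdomain is confirmed to serve valid TLS, because a cached policy cannot be shortened by a client that is no longer visiting.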
-
Windows ASLR: Investing in your secure software development lifecycle
Implementing Windows ASLR can be a worthwhile investment in your enterprise’s secure software development lifecycle. Answer
-
What is a virtual directory? The essential application deployment tool
What is a virtual directory? As expert Michael Cobb explains, it can be an extremely helpful secure application deployment tool. Answer
-
Java Virtual Machine architecture: Applet to applet communication
In a Java Virtual Machine architecture, is it possible for two applets to communicate with one another? Expert Michael Cobb describes how the applet-to-applet communication process works. Answer
-
Managing application permissions through isolated storage
Application permissions are essential in securing application data. Learn how isolated storage allows secure, controlled access to application files. Answer
-
Secure coding best practices: PHP and programming language security
Michael Cobb explains how proper secure coding training is much more important than PHP programming language security. Answer
-
How to mitigate the risk of a TOCTTOU attack
Are TOCTTOU attacks, exploiting time-of-check-to-time-of-use race conditions, a threat to your enterprise file systems? Expert Michael Cobb discusses the dangers and how to mitigate them. Answer
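As an added example for the TOCTTOU answer above (example code, not the expert's), the block below shows the classic file-system race on POSIX: a program checks a path with lstat(), then opens the same path by name, and an attacker who swaps in a symlink between the two lookups gets the program to read a file it meant to refuse. The hardened reader opens first with O_NOFOLLOW and then validates the descriptor it actually holds with fstat(), so there is no second name lookup to race. The after_check hook and the two constructed files are demo scaffolding that stand in for the attacker winning the scheduler race; production code has no such hook.

```python
"""TOCTTOU on the file system: a check-then-open race and a hardened open (POSIX)."""
import os
import stat
import tempfile


def read_vulnerable(path: str, after_check=lambda: None) -> bytes:
    """Check the name, then open the same name: two lookups, one race window.
    after_check is a demo hook standing in for the attacker winning the race."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("refusing symlink")
    after_check()                           # the path may no longer be what was checked
    with open(path, "rb") as f:
        return f.read()


def read_hardened(path: str, expect_uid=None) -> bytes:
    """Open first, then validate the descriptor actually obtained."""
    flags = os.O_RDONLY | os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(path, flags)               # OSError (ELOOP) if the last component is a symlink
    try:
        st = os.fstat(fd)                   # inspect the open object, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if expect_uid is not None and st.st_uid != expect_uid:
            raise PermissionError("unexpected owner")
        with os.fdopen(fd, "rb") as f:      # fdopen takes ownership of fd
            fd = -1
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo(workdir: str) -> dict:
    """Constructed scenario: 'public.txt' is what the program believes it opens;
    'secret.txt' is what the attacker swaps in via a symlink mid-race."""
    public = os.path.join(workdir, "public.txt")
    secret = os.path.join(workdir, "secret.txt")
    with open(public, "wb") as f:
        f.write(b"harmless")
    with open(secret, "wb") as f:
        f.write(b"s3cr3t")

    def swap():                             # the attacker's move between check and use
        os.remove(public)
        os.symlink(secret, public)

    results = {"vulnerable_read": read_vulnerable(public, after_check=swap)}
    try:
        read_hardened(public)               # 'public' is the symlink by now
        results["hardened_rejects_symlink"] = False
    except OSError:                         # ELOOP from O_NOFOLLOW; PermissionError is also OSError
        results["hardened_rejects_symlink"] = True
    results["hardened_reads_regular"] = read_hardened(secret)   # a real regular file still opens
    return results


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo())
```

The same rule generalizes: never make a security decision on a name and then act on the name. For creating files use O_CREAT | O_EXCL; for walking untrusted directory trees use openat()-style calls relative to an already-open directory descriptor; and on Linux, fs.protected_symlinks in sticky world-writable directories closes the most common variant at the kernel level.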
-
Can threat modeling tools help with securing mobile applications?
When developing enterprise applications, do you know the quickest way to bridge the gap between an information security team and a development group? Answer
-
Creating a third-party security policy to prevent a software exploit
Third-party software vulnerabilities are one of the most likely attack vectors in the information security landscape today. In this expert response, Nick Lewis discusses how to prevent these vulnerabilities from becoming exploits. Ask the Expert
- See More: Expert Advice on Software Development Methodology
-
Common Weakness Enumeration (CWE)
Common Weakness Enumeration (CWE) is a universal online dictionary of weaknesses that have been found in computer software... (Continued) Definition
-
fuzz testing (fuzzing)
Fuzz testing, or fuzzing, is a technique used by security testers to discover flaws in software, operating systems or networks by feeding the target large volumes of random or malformed input in an attempt to make it crash or misbehave... (Continued) Definition
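To make the definition above concrete, here is an added example (not from the glossary or any named tool) of a minimal mutation fuzzer. The target is a constructed record parser with a planted bug: it reads an index byte out of a payload and uses it to look up a table without a bounds check. The fuzzer takes one valid seed input, applies random byte-level mutations, and separates the parser's own ParseError (expected rejection of malformed input) from any other exception (a crash worth keeping). The record format, seed input and iteration count are assumptions for the example; a fixed RNG seed makes the run reproducible.

```python
"""A minimal mutation fuzzer run against a toy record parser with a planted bug."""
import random
from typing import List, Optional, Tuple


class ParseError(Exception):
    """The parser's own, expected rejection of malformed input."""


FLAG_NAMES = ["none", "read", "write", "exec"]   # the table the planted bug indexes


def parse_records(data: bytes) -> List[Tuple[int, bytes]]:
    """Constructed format: b'RC' + count(1) + count * (length(1) + payload).
    A payload starting with b'I' carries a flag index in its second byte."""
    if len(data) < 3 or data[:2] != b"RC":
        raise ParseError("bad magic")
    count, pos, out = data[2], 3, []
    for _ in range(count):
        if pos >= len(data):
            raise ParseError("truncated record header")
        length = data[pos]
        pos += 1
        payload = data[pos:pos + length]
        if len(payload) != length:
            raise ParseError("truncated payload")
        pos += length
        if payload[:1] == b"I":
            # BUG (planted): no length or range check on the index byte -> IndexError
            out.append((1, FLAG_NAMES[payload[1]].encode()))
        else:
            out.append((0, payload))
    return out


INTERESTING = [0, 1, 0x7F, 0x80, 0xFF]            # boundary values worth trying


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:                        # flip one bit
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:                      # overwrite with an interesting value
        buf[rng.randrange(len(buf))] = rng.choice(INTERESTING)
    elif choice == 2:                              # insert a random byte
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:                                      # delete a byte
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int, seed: int = 1) -> List[Tuple[bytes, Exception]]:
    """Return one (input, exception) pair per distinct unexpected exception found."""
    rng = random.Random(seed)
    crashes: List[Tuple[bytes, Exception]] = []
    seen = set()
    for _ in range(iterations):
        case = mutate(seed_input, rng)
        try:
            target(case)
        except ParseError:
            continue                               # expected rejection, not a bug
        except Exception as exc:                   # anything else is a crash
            key = (type(exc), str(exc))
            if key not in seen:
                seen.add(key)
                crashes.append((case, exc))
    return crashes


def replay(target, case: bytes) -> Optional[type]:
    """Re-run one saved input; return the exception class it raises, or None."""
    try:
        target(case)
    except Exception as exc:
        return type(exc)
    return None


SEED_INPUT = b"RC\x02" + b"\x03abc" + b"\x02I\x01"   # two records; parses to [(0,b'abc'),(1,b'read')]

if __name__ == "__main__":
    for case, exc in fuzz(parse_records, SEED_INPUT, 2000):
        print(repr(case), "->", type(exc).__name__, exc)
```

Real fuzzers add what this one omits: coverage feedback to keep mutants that reach new code, a corpus rather than a single seed, and crash triage. The split between "expected rejection" and "everything else" is the part that carries over unchanged, and the only reason the planted bug is found is that the seed reaches the buggy branch, which is why good seeds matter more than iteration count.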
-
heuristics
Heuristics is the application of experience-derived knowledge to a problem and is sometimes used to describe software that screens and filters out messages likely to contain a computer virus or other undesirable content. Definition
-
debugging
In computers, debugging is the process of locating and fixing or bypassing bugs (errors) in computer program code or the engineering of a hardware device. Definition
-
threat modeling
Threat modeling is a procedure for improving the security of a system by identifying its objectives, assets and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system... Definition
-
trigraph
A trigraph is a three-character replacement for a special or nonstandard character in a text file. Definition
-
bypass
Bypass, in general, means either to go around something by an external route rather than going through it, or the means of accomplishing that feat. Definition
-
sandbox
In the Java programming language and development environment, the sandbox is the restricted execution area and the set of rules that apply to Java code (an applet) sent as part of a Web page. Definition
-
Countdown: Top 5 must-haves for your SDL security strategy
In this podcast, expert Cory Scott details the five most important elements to ensure enterprise SDL security for Web applications. Podcast
-
Marcus Ranum on the consequences of poor software design
Marcus Ranum discusses the consequences of poor software design and what can be done to ensure this does not happen in the future. Video
-
Secure software development: Getting started
Chris Eng, senior security researcher at Veracode Inc., explains how firms can get started improving their software development processes. Video
-
Secure application development processes improving, expert says
In this interview conducted at RSA Conference 2011, Gary McGraw, chief technology officer at Cigital Inc., a software security and quality consulting firm, explains how more organizations are embracing software development processes to improve the co... Video
-
Software security threats and employee awareness training
What are the newest threats to enterprise networks, and how can you counter these emerging security threats? Greg Hoglund, CEO of HBGary and a pioneer of rootkit research, answers these questions. Video
-
The importance of secure software development training
At Information Security Decisions 2008, security researchers discuss secure application coding and how to teach best practices to young developers (part 4 of 4). Video
-
The future of exploit vulnerability research
At Information Security Decisions 2008, security researchers discuss the most vulnerable network points and the future of the SDLC (part 1 of 4). Video
-
Gary McGraw on secure software development
Gary McGraw of Cigital Inc. explains why better secure coding could help thwart future Web 2.0 attacks. He says the industry is making progress. Video
-
- See More: All on Software Development Methodology
About Software Development Methodology
This software development methodology resource center offers news and advice on using secure code to develop software without breaking it. Get information about secure software development tools, methods, systems, testing, the software development lifecycle, threat modeling, and static and source code analysis.