
February 15, 2018 | DevOps Organization and Strategy
By Dave Shackleford, IANS Faculty

Best Practices in Container Security

While many organizations are deploying containers for all kinds of applications, few fully understand, let alone implement, strong container security today. In this Ask-an-Expert live interaction, IANS Faculty Dave Shackleford recommends ways to secure the underlying platform and ensure the integrity of image repositories, in addition to other best practices.



January 31, 2018 | Vulnerability Assessment and Management
By Marcus Ranum, IANS Faculty

Structure a Low-Profile Bug Bounty Program

While Google's bug bounty program is well designed and provides rich rewards, not every organization can operate at that high level. In this Ask-an-Expert live interaction, IANS Faculty Marcus Ranum describes how to build a well-structured, low-profile program that encourages participation using a more realistic reward scale. 



January 9, 2018 | Penetration Testing and Red Teaming
By Shannon Lietz, IANS Faculty

Best Practices for Working with Bug Bounty Programs

Bug bounty platforms such as HackerOne, Bugcrowd and Synack can help organizations uncover code flaws before the bad guys do, but what are the best ways to leverage them without busting the budget? In this Ask-an-Expert live interaction, IANS Faculty Shannon Lietz explains the importance of solid security basics and preparation prior to engagement.



December 13, 2017 | DevOps Organization and Strategy
By Shannon Lietz, IANS Faculty

Secure DevOps Requires Focus on Components and Developer Responsibility

Determining where, when and how to scan for vulnerabilities within a DevOps environment isn't straightforward. In this Ask-an-Expert live interaction, IANS Faculty Shannon Lietz recommends focusing early in the process to create secure components, while also fostering a culture where developers take responsibility for the security of their own code.



October 31, 2017 | Application Development and Testing
By Jason Gillam, IANS Faculty

When to Trust Docker Images

Docker image security comes down to finding the right balance between trust and risk. In this Ask-an-Expert written response, IANS Faculty Jason Gillam explains why some Docker images (such as the Docker Official Images on Docker Hub) are more trustworthy than others.
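The trust-versus-risk judgement above is something a build pipeline can make mechanically for every base image it pulls. The following is an added example, not code from the original post or from IANS: it walks the FROM lines of a Dockerfile, resolves each reference the way Docker does (a bare name on Docker Hub is an official image under the library/ namespace), and flags the properties that lower trust: no digest pin, a floating latest tag, or a community-published Docker Hub image. The three trust levels are an illustrative heuristic chosen for this example, and the sample Dockerfile is constructed.

```python
import re

# Constructed sample Dockerfile for this example (not taken from the page).
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim AS build
FROM someuser/python:latest
FROM ghcr.io/example/app:1.2.3
FROM python:3.11-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM scratch
"""

FROM_RE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+\S+)?\s*$", re.IGNORECASE)
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest).

    Docker's rules: the first path component is a registry only if it contains
    '.' or ':' or is 'localhost'; otherwise the registry is Docker Hub, and a
    bare repository name is an official image under the 'library/' namespace.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry = "docker.io"
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts[0]
        parts = parts[1:]
    name = "/".join(parts)
    tag = None
    # A tag is the text after the last ':' in the final path component.
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    if registry == "docker.io" and "/" not in name:
        name = "library/" + name
    return registry, name, tag, digest


def assess_from_lines(dockerfile_text):
    """Return [(image_ref, trust_level, [findings]), ...] for each FROM line.

    Trust levels are this example's own heuristic: 'high' for scratch or an
    official image pinned by digest, 'medium' for an unpinned official image
    or a digest-pinned image from a non-Hub registry, 'low' otherwise.
    """
    results = []
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref == "scratch":
            results.append((ref, "high", []))
            continue
        registry, name, tag, digest = parse_image_ref(ref)
        findings = []
        if digest is None:
            findings.append("not pinned by digest; the tag can be re-pointed upstream")
        elif not DIGEST_RE.match(digest):
            findings.append("malformed digest")
        if tag is None and digest is None:
            findings.append("no tag: resolves to the floating 'latest' tag")
        elif tag == "latest":
            findings.append("floating 'latest' tag")
        official = registry == "docker.io" and name.startswith("library/")
        if registry == "docker.io" and not official:
            findings.append("community Docker Hub image; publisher identity unverified")
        if official and digest:
            level = "high"
        elif official or (registry != "docker.io" and digest):
            level = "medium"
        else:
            level = "low"
        results.append((ref, level, findings))
    return results


if __name__ == "__main__":
    for ref, level, findings in assess_from_lines(SAMPLE_DOCKERFILE):
        print(f"{level:6} {ref}")
        for f in findings:
            print(f"         - {f}")
```

Run it against a real Dockerfile by replacing SAMPLE_DOCKERFILE with the file's contents; a pipeline can fail the build on any "low" result and require a digest pin before an image is promoted.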



September 13, 2017 | Vendor and Partner Management
By Josh More, IANS Faculty

Create Optimal Contract Language to Enable App Security Assessments via the Cloud

Getting application vendors to agree to have their wares tested in the cloud can pose challenges, especially because many vendor contracts prohibit the sharing of code, binaries or other data with outside parties. In this Ask-an-Expert written response, IANS Faculty Josh More offers some sample contract language to make it work.



August 15, 2017 | Application Development and Testing
By Andrew Carroll, IANS Faculty

Help Developers Understand the Importance of Least Privilege

Developers usually push to access any data they want anytime they want it, but unfettered access can open the whole organization up to unnecessary audit, financial and reputational risks. In this Ask-an-Expert written response, IANS Faculty Andrew Carroll suggests educating developers on the risks, implementing least privilege and layering on controls to ensure compliance.



August 14, 2017 | AppDev Frameworks
By Adam Shostack, IANS Faculty

Shostack: Learning From npm's Rough Few Months

The node package manager (npm) is having a bad few months. Organizations need to look at their controls for identification, protection and detection around package management, and if they make a package manager, threat model the heck out of it. 
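One concrete form the identification, protection and detection controls above can take is an independent audit of the package lockfile before install. The following is an added example, not code from the original post, from Adam Shostack or from the npm project: it reads the packages section of a lockfileVersion 2/3 package-lock.json, records where each dependency was resolved from (identification), rejects sources that are not https or not on an approved registry host (protection), and recomputes each tarball's SRI sha512 hash to detect a substituted or tampered package (detection). The lockfile, the tarball bytes and the registry allowlist are all constructed for this example.

```python
import base64
import hashlib
from urllib.parse import urlparse

# Assumption for this example: the organization's approved package sources.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed stand-ins for downloaded tarballs (not real npm packages).
FAKE_TARBALLS = {
    "left-pad": b"left-pad-1.3.0 tarball bytes",
    "request": b"request-2.88.2 tarball bytes",
}


def sri_sha512(data):
    """Subresource Integrity string in the form npm stores it: 'sha512-' + base64(digest)."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


# Constructed lockfile: one good entry, one with a wrong hash, one from an
# unapproved http mirror with no integrity field at all.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"left-pad": "1.3.0", "request": "2.88.2", "evil-util": "0.0.1"}},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": sri_sha512(FAKE_TARBALLS["left-pad"]),
        },
        "node_modules/request": {
            "version": "2.88.2",
            "resolved": "https://registry.npmjs.org/request/-/request-2.88.2.tgz",
            # Deliberately wrong hash, as if the tarball had been swapped.
            "integrity": "sha512-" + base64.b64encode(b"\x00" * 64).decode(),
        },
        "node_modules/evil-util": {
            "version": "0.0.1",
            "resolved": "http://mirror.example.net/evil-util-0.0.1.tgz",
        },
    },
}


def audit_lockfile(lock, fetched):
    """Return {package_path: [findings]} for every non-root lockfile entry.

    `fetched` maps package name -> tarball bytes already downloaded, so the
    integrity check is made here, independently of the installer.
    """
    findings = {}
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        name = path.rsplit("node_modules/", 1)[-1]
        problems = []
        resolved = entry.get("resolved")
        integrity = entry.get("integrity")
        if not resolved:
            problems.append("no resolved URL; package source cannot be identified")
        else:
            u = urlparse(resolved)
            if u.scheme != "https":
                problems.append(f"non-https source: {u.scheme}")
            if u.hostname not in ALLOWED_REGISTRY_HOSTS:
                problems.append(f"source host not in allowlist: {u.hostname}")
        if not integrity:
            problems.append("no integrity hash; tarball substitution would go unnoticed")
        elif not integrity.startswith("sha512-"):
            problems.append("weak or unexpected integrity algorithm")
        elif name in fetched and sri_sha512(fetched[name]) != integrity:
            problems.append("integrity mismatch: tarball does not match lockfile")
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    for path, problems in audit_lockfile(SAMPLE_LOCK, FAKE_TARBALLS).items():
        print(path)
        for p in problems:
            print("  -", p)
```

In practice the lockfile is loaded with json.load from package-lock.json and the tarballs come from the CI cache; failing the build on any finding keeps a hash or registry change from reaching production without review.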



August 10, 2017 | Application Development and Testing
By Jason Gillam, IANS Faculty

Take a Hybrid Approach to Testing Modern Web and Mobile Applications

Many organizations are considering completely automating their web and mobile application testing, but the increasing complexity of application technology stacks is testing the limits of such automation. In this report, IANS Faculty Jason Gillam recommends taking a hybrid approach to application testing and explains which testing activities should be done manually instead. 



August 4, 2017 | Software Development Lifecycle (SDLC)
By Josh More, IANS Faculty

Match Your Open Source Tools to Your AppSec Workflow

Open source security tools can be a good way to get best-of-breed functionality at low or no cost, but choosing the right toolset among all the options available can be challenging. In this Ask-an-Expert written response, IANS Faculty Josh More details five common application security workflows and recommends the open source tools that best match your workflow of choice.
