March 9, 2017 | AppDev Frameworks
By Jason Gillam, IANS Faculty

Deploying Containers Securely

Developers love containers because they are quick, simple to use and allow for easier scaling of hardware resources, but few pay much attention to the security issues they present. With containers in the mix, how can security organizations ensure their developers aren’t continually copying and pasting security issues across the environment? In this report, IANS Faculty Jason Gillam steps you through the worst of the pitfalls to ensure your organization rolls out more secure containerized solutions.



November 21, 2016 | Application Development and Testing
By Jason Gillam, IANS Faculty

Secure Development Practices for Mobile Applications

Best practices around the secure development of mobile applications are still evolving because of the rapid evolution of the mobile platforms themselves. In this Ask-an-Expert written response, IANS Faculty Jason Gillam outlines the key differences between the secure development of mobile and web applications, and details standard accepted practices around encryption and authentication.



October 31, 2016 | Application Development and Testing
By Jason Gillam, IANS Faculty

Application-Level DoS: Are You Ready?

Application-level DoS attacks can be difficult to detect, challenging to diagnose, and when effectively exploited, they can render your application completely inaccessible. In this report, IANS Faculty Jason Gillam explains how application-level DoS works and offers some key mitigation strategies.



September 1, 2016 | Software Development Lifecycle (SDLC)
By Jason Gillam, IANS Faculty

Ensuring a PCI-Compliant SDLC Review Process

Establishing a review process for PCI DSS compliance is something organizations should do in a strategic, ongoing fashion, rather than as a once-per-year activity. In this Ask-an-Expert written response, IANS Faculty Jason Gillam details the Building Security in Maturity Model (BSIMM) and demonstrates how organizations can consult this framework to build a continuous compliance review process within the software development lifecycle.



May 19, 2016 | Software Development Lifecycle (SDLC)
By Paul Asadoorian, IANS Faculty

Getting a Grasp on RASP

RASP tools are getting lots of press lately, but are they ready for prime time? How effective are they, really, for application security? In this report, IANS Faculty Paul Asadoorian provides an overview of the space and describes the pros and cons of these new tools.



April 28, 2016 | DevOps Organization and Strategy
By Jason Gillam, IANS Faculty

Building a Process for Measuring/Driving Developer Behavior

Many organizations face significant challenges when trying to integrate security testing within application development, especially in agile or DevOps environments. In this report, IANS Faculty Jason Gillam offers some key ways to help align security with development, as well as several metrics that can be used to track developer behaviors and ensure continual progress is made.



April 20, 2016 | Software Development Lifecycle (SDLC)
By Jason Gillam, IANS Faculty

Creating Awareness Around Application Security

Many application security issues can be traced back to the early phases of the SDLC, so it's important to ensure all team members are aware of the potential risks. In this Ask-an-Expert written response, IANS Faculty Jason Gillam outlines the key questions and considerations that need to be reviewed during the initial SDLC stages, from the risks associated with functionality to log monitoring requirements.



April 6, 2016 | Software Development Lifecycle (SDLC)
By Adam Ely, IANS Faculty

Security and Compliance Implications When Using Automated Code Promotion in Agile Development

Automated tools like Entity Framework Code First Migration promise to ease code promotion and speed development within a DevOps environment, but they also tend to complicate compliance. In this Ask-an-Expert live interaction, IANS Faculty Adam Ely explains how to ensure separation of duties and other compliance obligations remain met when adopting this new process.



March 4, 2016 | Software Development Lifecycle (SDLC)
By Adam Ely, IANS Faculty

Emerging Trends in Application Security

What new application security tools and strategies are leading companies using today? In this Ask-an-Expert live interaction, IANS Faculty Adam Ely describes some of the newer tools and offers tips for inserting security automation within the SDLC.



March 2, 2016 | DevOps Organization and Strategy
By Rich Guida, IANS Faculty

From Scanning to Remediation: How to Get Security and Operations on the Same Page

Uncovering vulnerabilities during a quarterly scan is one thing. Getting them remediated quickly and efficiently is quite another. In this live Ask-an-Expert interaction, IANS Faculty Rich Guida provides proven strategies for getting operations to understand and accept responsibility for remediation, so that critical vulnerabilities are fixed before an attacker can exploit them.



February 26, 2016 | Software Development Lifecycle (SDLC)
By Jason Gillam, IANS Faculty

Security Testing in the SDLC: A Strategy Guide

Applications and network infrastructure are increasingly at risk from many different threat agents around the globe and even internally. In this Ask-an-Expert written response, IANS Faculty Jason Gillam details the successful strategies organizations have implemented to embed security into their SDLC.



February 8, 2016 | DevOps Organization and Strategy
By Josh Corman, IANS Faculty

Adapting Security Testing to a DevOps Environment

The speed of DevOps requires a new mindset when it comes to application testing. In this Ask-an-Expert live interaction, IANS Faculty Josh Corman discusses the importance of building a holistic strategy using a variety of tools, including dynamic testing, threat modeling, software supply chain hygiene and Docker.



December 10, 2015 | Software Development Lifecycle (SDLC)
By John Strand, IANS Faculty

Security Testing in the SDLC: It's Easier Than You Think (Webinar Replay/Slides)

In this webinar, IANS Faculty John Strand discusses the various free and inexpensive solutions available to the enterprising and sophisticated Web app developer, detailing just how easy it is to test for the low-hanging fruit and how adding security into the SDLC will make your next hacker or pen tester cry... just a little.



November 20, 2015 | Application Development and Testing
By Josh Corman, IANS Faculty

Best Practices in Securing Microservices Architecture Development

Moving to rapid development and continuous delivery of microservices puts a strain on traditional application and code testing models. In this Ask-an-Expert live interaction, IANS Faculty Josh Corman explains the security pros and cons of microservices and underscores the increased importance of threat modeling and software hygiene in this fast-paced environment.



October 23, 2015 | Application Development and Testing
By Marcus Ranum, IANS Faculty

Securing Web Apps in an Open Campus Environment

Finding and securing web applications in an open campus environment with thousands of undocumented sites is a daunting task. In this Ask-an-Expert live interaction, IANS Faculty Marcus Ranum makes the case for enforcing standardization across the environment first, prior to scanning for vulnerabilities.



September 30, 2015 | Application Development and Testing
By Gunnar Peterson, IANS Faculty

Performing Source Code Review on iPhone Native Mobile Apps

When it comes to performing source code review, one of the first steps is to decide which vulnerabilities you want to test for. In this Ask-an-Expert written response, IANS Faculty Gunnar Peterson provides a checklist detailing which testing tools cover which vulnerabilities and offers some alternatives to Fortify, from proxy tools like Burp Suite to the Clang static analyzer built into Xcode.



August 27, 2015 | DevOps Organization and Strategy
By Marcus Ranum, IANS Faculty

Maintaining Quality With Agile Development

A departure from the traditional waterfall method, agile development is an approach that many organizations have adopted in recent years. In this Ask-an-Expert written response, IANS Faculty Marcus Ranum deconstructs the agile development model and explains that security can be maintained with this approach by having a quality-conscious systems architect and conducting security assessments at the component level, among other strategies.
