May 17, 2018 | Threat Intelligence and Modeling
By Jake Williams, IANS Faculty

Threat Modeling: Three Basic Approaches to Consider

With so many threat modeling approaches available, how do you choose the right one for your particular environment? In this Ask-an-Expert written response, IANS Faculty Jake Williams recommends three approaches designed to help model threats against PaaS and IaaS cloud assets, in addition to a range of other attacks.

February 15, 2018 | DevOps Organization and Strategy
By Dave Shackleford, IANS Faculty

Best Practices in Container Security

While many organizations are deploying containers for all kinds of applications, few fully understand - and implement - strong container security today. In this Ask-an-Expert live interaction, IANS Faculty Dave Shackleford recommends ways to secure the underlying platform and ensure the integrity of repositories, in addition to other best practices.

January 31, 2018 | Vulnerability Assessment and Management
By Marcus Ranum, IANS Faculty

Structure a Low-Profile Bug Bounty Program

While Google's bug bounty program is well designed and provides rich rewards, not every organization can operate at that high level. In this Ask-an-Expert live interaction, IANS Faculty Marcus Ranum describes how to build a well-structured, low-profile program that encourages participation using a more realistic reward scale.

January 9, 2018 | Penetration Testing and Red Teaming
By Shannon Lietz, IANS Faculty

Best Practices for Working with Bug Bounty Programs

Bug bounty programs like HackerOne, Bugcrowd and Synack can help organizations uncover code flaws before the bad guys do, but what are the best ways to leverage them without busting the budget? In this Ask-an-Expert live interaction, IANS Faculty Shannon Lietz explains the importance of solid security basics and preparation prior to engagement.

December 13, 2017 | DevOps Organization and Strategy
By Shannon Lietz, IANS Faculty

Secure DevOps Requires Focus on Components and Developer Responsibility

Determining where, when and how to scan for vulnerabilities within a DevOps environment isn't straightforward. In this Ask-an-Expert live interaction, IANS Faculty Shannon Lietz recommends focusing early in the process to create secure components, while also fostering a culture where developers take responsibility for the security of their own code.

October 31, 2017 | Application Development and Testing
By Jason Gillam, IANS Faculty

When to Trust Docker Images

Docker image security comes down to finding the right balance between trust and risk. In this Ask-an-Expert written response, IANS Faculty Jason Gillam explains why some Docker images (such as those in the official Docker repository) are more trustworthy than others.

September 13, 2017 | Vendor and Partner Management
By Josh More, IANS Faculty

Create Optimal Contract Language to Enable App Security Assessments via the Cloud

Getting application vendors to agree to have their wares tested in the cloud can pose challenges, especially because many vendor contracts prohibit the sharing of code, binaries or other data with outside parties. In this Ask-an-Expert written response, IANS Faculty Josh More offers some sample contract language to make it work.

August 15, 2017 | Application Development and Testing
By Andrew Carroll, IANS Faculty

Help Developers Understand the Importance of Least Privilege

Developers usually push to access any data they want anytime they want it, but unfettered access can open the whole organization up to unnecessary audit, financial and reputational risks. In this Ask-an-Expert written response, IANS Faculty Andrew Carroll suggests educating developers on the risks, implementing least privilege and layering on controls to ensure compliance.

August 14, 2017 | AppDev Frameworks
By Adam Shostack, IANS Faculty

Shostack: Learning From npm's Rough Few Months

The node package manager (npm) is having a bad few months. Organizations need to look at their controls for identification, protection and detection around package management, and if they make a package manager, threat model the heck out of it.

August 10, 2017 | Application Development and Testing
By Jason Gillam, IANS Faculty

Take a Hybrid Approach to Testing Modern Web and Mobile Applications

Many organizations are considering completely automating their web and mobile application testing, but the increasing complexity of application technology stacks is testing the limits of such automation. In this report, IANS Faculty Jason Gillam recommends taking a hybrid approach to application testing and explains which testing activities should be done manually instead.