
October 31, 2017 | Application Development and Testing
By Jason Gillam, IANS Faculty

When to Trust Docker Images

Docker image security comes down to finding the right balance between trust and risk. In this Ask-an-Expert written response, IANS Faculty Jason Gillam explains why some Docker images (such as those in the official Docker repository) are more trustworthy than others.

September 13, 2017 | Vendor and Partner Management
By Josh More, IANS Faculty

Create Optimal Contract Language to Enable App Security Assessments via the Cloud

Getting application vendors to agree to have their wares tested in the cloud can pose challenges, especially because many vendor contracts prohibit the sharing of code, binaries or other data with outside parties. In this Ask-an-Expert written response, IANS Faculty Josh More offers some sample contract language to make it work.

August 15, 2017 | Application Development and Testing
By Andrew Carroll, IANS Faculty

Help Developers Understand the Importance of Least Privilege

Developers usually push to access any data they want anytime they want it, but unfettered access can open the whole organization up to unnecessary audit, financial and reputational risks. In this Ask-an-Expert written response, IANS Faculty Andrew Carroll suggests educating developers on the risks, implementing least privilege and layering on controls to ensure compliance.

August 14, 2017 | AppDev Frameworks
By Adam Shostack, IANS Faculty

Shostack: Learning From npm's Rough Few Months

The node package manager (npm) is having a bad few months. Organizations need to look at their controls for identification, protection and detection around package management, and if they make a package manager, threat model the heck out of it.

August 10, 2017 | Application Development and Testing
By Jason Gillam, IANS Faculty

Take a Hybrid Approach to Testing Modern Web and Mobile Applications

Many organizations are considering completely automating their web and mobile application testing, but the increasing complexity of application technology stacks is testing the limits of such automation. In this report, IANS Faculty Jason Gillam recommends taking a hybrid approach to application testing and explains which testing activities should be done manually instead.

August 4, 2017 | Software Development Lifecycle (SDLC)
By Josh More, IANS Faculty

Match Your Open Source Tools to Your AppSec Workflow

Open source security tools can be a good way to get best-of-breed functionality at low or no cost, but choosing the right toolset among all the options available can be challenging. In this Ask-an-Expert written response, IANS Faculty Josh More details five common application security workflows and recommends using the open source tools that best match your workflow of choice.

July 27, 2017 | Application Development and Testing
By Davi Ottenheimer, IANS Faculty

Standardize Docker Security

Containers remove barriers to productivity by offering a predictable infrastructure at the system level, but security details can go missing from typical container standards. In this Ask-an-Expert written response, IANS Faculty Davi Ottenheimer details three strategies for standardizing container security and offers tips for using technology to secure Docker.

July 25, 2017 | Application Development and Testing
By Josh More, IANS Faculty

Manage the Risks of Offshore Development

Outsourcing development to offshore companies is a common consideration due to cost savings, but it can also increase risks. In this Ask-an-Expert written response, IANS Faculty Josh More outlines these risks and offers strategies for mitigating them with contractual requirements.

July 20, 2017 | AppDev Frameworks
By Dave Shackleford, IANS Faculty

Container Security Best Practices

Ensuring containers like Docker remain secure is critical, because any missed issues may end up propagating throughout an environment. In this Ask-an-Expert written response, IANS Faculty Dave Shackleford offers some tips and best practices for deploying containers securely.

July 18, 2017 | AppDev Frameworks
By Jason Gillam, IANS Faculty

Agile, DevOps and Security: A Primer

As more organizations adopt DevOps and Agile development methodologies, security needs to both understand and participate in the transition. In this Ask-an-Expert written response, IANS Faculty Jason Gillam provides an overview of Agile and DevOps, as well as tips for ensuring security is seamlessly integrated and aligned in the process going forward.