Information security book excerpts and reviews
Visit the Information Security Bookshelf for book reviews and free chapter downloads. Information Security Book
-
Quiz: How to build secure applications
Use this five-question quiz to test your knowledge of how to secure your enterprise apps. Quiz
-
Geekonomics: The Real Cost of Insecure Software
In Chapter 1 of his new book, "Geekonomics: The Real Cost of Insecure Software," David Rice examines why software manufacturers continue to produce (and consumers continue to purchase) unreliable and insecure software. Book Chapter
-
The Art of Software Security Testing
Read an excerpt from the book, The Art of Software Security Testing: Identifying Software Security Flaws. In Chapter 11, "Local Fault Injection," the authors explain the proper methods for examining file formats. Chapter Excerpt
-
How to build secure applications
In this lesson, learn how to build security into the software development lifecycle, implement a practical, efficient change management system and test your applications using a black-box or white-box technique. Guide
-
Attacks targeted to specific applications
This is the fourth tip in our series, "How to assess and mitigate information security threats," excerpted from Chapter 3: The Life Cycle of Internet Access Protection Systems of the book "The Shortcut Guide to Protecting Business Internet Usage," pu... Book Chapter
-
PING with Aviel Rubin
In this exclusive interview with Information Security magazine, Aviel Rubin, author of "Brave New Ballot," examines security problems in e-voting machines, and details why it isn't just a cause for concern, it's a matter of national security. Information Security magazine
-
Checklist: Ten dos and don'ts for secure coding
Download this checklist of dos and don'ts for developing secure code. Checklist
-
Architectural Risk Analysis: Traditional Risk Analysis Terminology
Book Chapter
-
SAP Security Learning Guide
This guide pulls SAP security information from both SearchSecurity.com and its sister site, SearchSAP.com, to provide the most comprehensive resource around for all aspects of making your SAP system bulletproof. Learning Guide
- See More: Essential Knowledge on Software Development Methodology
-
Enterprises at core of vendor software security testing, Veracode finds
Less than one in five enterprises have requested code-level security tests from at least one vendor, but the volume of assessments is growing. News | 13 Nov 2012
-
Gary McGraw: Proactive defense prudent alternative to cyberwarfare
Software security expert Gary McGraw explains that the U.S. should build proactive defense capabilities rather than pour billions into cyberweapons. News | 01 Nov 2012
-
Web app design at the core of coding weaknesses, attacks, says expert
When addressing Web application threats and vulnerabilities, security teams need to look out for design flaws, says Mike Shema of Qualys, Inc. News | 16 Oct 2012
-
Ten commandments for software security
Software security expert Gary McGraw provides actionable guidance based on analysis of dozens of software security firms. Opinion | 04 Oct 2012
-
Firms failing at mobile application development security, study finds
Security is failing to gain a priority in the rush to build and test mobile applications, according to a study by Capgemini. News | 19 Sep 2012
-
Little being done to prevent Web application threats, analysts say
Vulnerabilities in HTML5 make it an emerging threat; however, SQL injection and XSS remain among the top attacks. News | 19 Sep 2012
-
BSIMM study expands scope, identifies new software security activities
BSIMM4 found some firms actively scanning for malicious code from rogue developers. Crisis simulation scenarios improve product security response. News | 17 Sep 2012
-
Java sandboxing could thwart attacks, but design may be impossible
Basic Java sandboxing has been around since 1995, but flaws in the Java virtual machine are highly targeted. Experts are calling on Oracle to do more. News | 29 Aug 2012
-
Black Hat 2012: Dan Kaminsky tackles secure software development
Security researcher Dan Kaminsky's annual "black ops" talk at Black Hat 2012 focused on improving secure software development with better code. News | 25 Jul 2012
-
Chris Wysopal: Web application vulnerabilities an easy target
Despite a decline in SQL injection errors over the last two years, attackers continue to find Web application flaws as easy targets, says Chris Wysopal of Veracode Inc. News | 25 Jun 2012
- See More: News on Software Development Methodology
-
HTML5 security: Will HTML5 replace Flash and increase Web security?
Will HTML5 replace Flash? Expert Michael Cobb discusses whether HTML5 security is better than Flash, and why HTML5 traffic can be harder to secure. Tip
-
UTM features: Is a UTM device right for your layered defense?
Expert Mike Chapple explores what features a contemporary UTM device provides, and explains the factors that help determine UTM total cost of ownership. Tip
-
Securing naming and directory services for application defense-in-depth
There are several aspects of naming and directory services when it comes to security. In this tip, part of the SearchSecurity.com Application Security School lesson, learn how to secure LDAP, as well as how application security teams can work with in... Tip
-
Improving software with the Building Security in Maturity Model (BSIMM)
Learn about the Building Security in Maturity Model (BSIMM), a software security framework that emphasizes attack models, software security testing, code review and compliance policies. Also, does your company have a software security group (SSG)? Tip
-
How to detect software tampering
In their book Surreptitious Software, authors Christian Collberg and Jasvir Nagra reveal how to tamperproof your software and make sure it executes as intended. Tip
-
Common PCI questions: Web application firewalls or source code review?
Is it better to use Web application firewalls, automated source code security reviews or vulnerability scans? Michael Cobb reviews your options. Tip
-
Enterprise security in 2008: Building trust into the application development process
The Storm botnet, launched a year ago, proved that malicious hackers were developing more sophisticated botnets -- and more sophisticated business strategies. As Michael Cobb explains, it's just one reason why application security pros need to keep a... Tip
-
Cross-build injection attacks: Keeping an eye on Web applications' open source components
Web application developers' growing dependence on open source components has opened the door for attackers to insert malicious code into applications even as they are being built. Michael Cobb explores the emerging attack method called cross-build in... Tip
-
How to avoid dangling pointers: Tiny programming errors leave serious security vulnerabilities
For years, many have said that there is no practical way to exploit a dangling pointer, a common application programming error. But these software bugs should no longer be thought of as simple quality-assurance problems. Michael Cobb explains how th... Tip
-
Dynamic code obfuscation: New threat requires innovative defenses
Dynamic code obfuscation used to be a taxing effort, but now even the most junior-level malicious hackers have learned how to effectively hide their code. In this tip, Michael Cobb examines how dynamic code obfuscation works, why it's on the rise and... Tip
- See More: Tips on Software Development Methodology
-
Implement software development security best practices to support WAFs
WAFs aren't a panacea for all Web security woes. Software development security best practices are still vital. Expert Michael Cobb discusses why. Answer
-
Replace technical debt-laden Adobe Reader with alternative PDF readers
Adobe Reader's technical debt may pose too great a security risk for some enterprises. Security expert Nick Lewis advises turning to alternative PDF readers. Answer
-
H.264 vs Flash: Using the H.264 codec as a secure Flash alternative
Can the H.264 video codec serve as a more secure Flash alternative? Expert Nick Lewis provides a security breakdown of H.264 vs Flash. Answer
-
An intro to free Microsoft security tools for secure software development
Free Microsoft security tools Threat Modeling, MiniFuzz and RegExFuzz are designed to help developers build secure software. Answer
-
How to secure websites using the HSTS protocol
Learn how to use HTTP Strict Transport Security (HSTS) to secure websites and how HSTS prevents man-in-the-middle attacks. Answer
-
Windows ASLR: Investing in your secure software development lifecycle
Implementing Windows ASLR can be a worthwhile investment in your enterprise's secure software development lifecycle. Answer
-
What is a virtual directory? The essential application deployment tool
What is a virtual directory? As expert Michael Cobb explains, it can be an extremely helpful secure application deployment tool. Answer
-
Java Virtual Machine architecture: Applet to applet communication
In a Java Virtual Machine architecture, is it possible for two machines to communicate with one another? Expert Michael Cobb describes how the applet-to-applet communication process works. Answer
-
Managing application permissions through isolated storage
Application permissions are essential in securing application data. Learn how isolated storage allows secure, controlled access to application files. Answer
-
Secure coding best practices: PHP and programming language security
Michael Cobb explains how proper secure coding training is much more important than PHP programming language security. Answer
- See More: Expert Advice on Software Development Methodology
-
mobile security (wireless security)
Mobile security is the protection of smartphones, tablets, laptops and other portable computing devices, and the networks they connect to, from threats and vulnerabilities associated with wireless computing. Mobile security is also known as wireless ... Definition
-
Common Weakness Enumeration (CWE)
Common Weakness Enumeration (CWE) is a universal online dictionary of weaknesses that have been found in computer software... (Continued) Definition
-
fuzz testing (fuzzing)
Fuzz testing or fuzzing is a technique used by ethical hackers to discover security loopholes in software, operating systems or networks by feeding massive amounts of random data into the system in an attempt to make it crash... (Continued) Definition
-
heuristics
Heuristics is the application of experience-derived knowledge to a problem and is sometimes used to describe software that screens and filters out messages likely to contain a computer virus or other undesirable content. Definition
-
debugging
In computers, debugging is the process of locating and fixing or bypassing bugs (errors) in computer program code or the engineering of a hardware device. Definition
-
threat modeling
Threat modeling is a procedure for optimizing network security by identifying objectives and vulnerabilities, and then defining countermeasures to prevent, or mitigate the effects of, threats to the system... Definition
-
trigraph
A trigraph is a three-character replacement for a special or nonstandard character in a text file. Definition
-
bypass
Bypass, in general, means either to go around something by an external route rather than going through it, or the means of accomplishing that feat. Definition
-
sandbox
In general, a sandbox is an isolated computing environment used by software developers to test new programming code. Definition
-
Debating international cyberespionage, poor secure coding practices
Corey Schou explains why cyberespionage and corporate intelligence are linked; also, why attackers aren't to blame for insecure coding practices. Video
-
Video: Software Reliability: Building Security In
In this video, learn state-of-the-art techniques for building a secure software development process. Video
-
Countdown: Top 5 must-haves for your SDL security strategy
In this podcast, expert Cory Scott details the five most important elements to ensure enterprise SDL security for Web applications. Podcast
-
Marcus Ranum on the consequences of poor software design
Marcus Ranum discusses the consequences of poor software design and what can be done to ensure this does not happen in the future. Video
-
Secure software development: Getting started
Chris Eng, senior security researcher at Veracode Inc., explains how firms can get started improving their software development processes. Video
-
Secure application development processes improving, expert says
In this interview conducted at RSA Conference 2011, Gary McGraw, chief technology officer at Cigital Inc., a software security and quality consulting firm, explains how more organizations are embracing software development processes to improve the co... Video
-
An application security framework for infrastructure security managers
Video: Get a primer on common application attack methods and an application security framework to help infrastructure security teams. Video
-
Software security threats and employee awareness training
What are the newest threats to enterprise networks, and how can you subvert these emerging security threats? Greg Hoglund, CEO of HBGary and creator of the first rootkit, answers these questions. Video
-
The importance of secure software development training
At Information Security Decisions 2008, security researchers discuss secure application coding and how to teach best practices to young developers (part 4 of 4). Video
-
The future of exploit vulnerability research
At Information Security Decisions 2008, security researchers discuss the most vulnerable network points and the future of the SDLC (part 1 of 4). Video
- See More: Multimedia on Software Development Methodology
About Software Development Methodology
This software development methodology resource center offers news and advice on using secure code to develop software without breaking it. Get information about secure software development tools, methods, systems, testing, the software development lifecycle, threat modeling, and static and source code analysis.