Category Archives: AppSec Spotlight

FinSvcs Working Group (FS-ISAC) Takes on Open Source Components


December 2, 2013 By
Derek Weeks
fs-isac thumbnail

Applications are becoming the primary security threat vector. Since applications are constructed from 3rd party components, there continues to be a tremendous amount of industry effort and impetus behind managing open source components effectively. And now we can add the Financial Services / Information Sharing and Analysis Center (FS-ISAC) to the list.

Continue reading...

What’s Happening in the Land of Open Source Components


November 27, 2013 By
Derek Weeks

We continue to see exponential growth in requests from the Central Repository. In fact, there were 8 Billion requests in 2012 – and it is looking like this year will total up to 13 Billion requests.Given these trends, the time seemed right for a series of blog posts that address recent activity in the area of open source governance and security

Continue reading...

PCI 3.0 – Secure Payment Requires Secure Components


November 14, 2013 By
Derek Weeks

Well there is nothing like an updated specification that drives action or interest in a topic. We’re seeing that with the introduction of PCI 3.0. While there are several key updates to the specification, the one I find most interesting reflects the reality of how applications are constructed today – from components. It’s great to […]

Continue reading...

(ISC)² Global InfoSec Study – App Vulnerabilities are #1 Concern


September 30, 2013 By
Derek Weeks

The (ISC)2 Global Information Workforce Study CXO Report was recently released. The report found some interesting and troubling data on application security. While security executives noted that application vulnerabilities were their top concern, this did not translate into how their security team invested their time – in fact, focusing on software development was at the […]

Continue reading...

Agile, Component Development & DevOps – A Natural Match


September 23, 2013 By
Derek Weeks

Can you think of a technology concept that is more hyped than DevOps? We’ve moved past cloud & virtualization, and while not as hyped as Big Data or mobile, everyone on the development and operations side is talking about DevOps, not to mention DevOpsSec.  Using several blog posts, I’m going to layout the vision for […]

Continue reading...

Move Left and Be More Secure


September 16, 2013 By
Jessica Dodson

Author Attribution: This post was written by a guest blogger: Mark Miller, Founder and Curator of Trusted Software Alliance. In a “50-in-50” interview on the Trusted Software Alliance site, Gary McGraw talked about the concept of ‘moving left’, or ‘shifting left’ when it comes to application security in the software life cycle. Traditional development leaves […]

Continue reading...

NSA & Open Source: Another Controversy Brewing?


September 5, 2013 By
Derek Weeks

I attended the NSA Open Source Industry Day in Maryland and thought I’d summarize what did and didn’t surprise me. We’ll see if these observations prove controversial or helpful! More importantly we’ll see if organizations can effectively manage, govern, and secure their applications given the reality of open source, agile development practices and component-based development. […]

Continue reading...

Application Security: Focus on flaws, not on bugs


September 3, 2013 By
Derek Weeks

I recently listened to Gary McGraw’s interview on the Trusted Software Alliance Website. One thing he said (among many) that captured my attention was work that Cigital is doing on architecture risk analysis. Gary noted that security defects can be the result of bugs or flaws. “We pay more attention to (application) bugs and we need […]

Continue reading...