It seems that most application security discussions revolve around initial vulnerability scanning and penetration testing. You’ve got to start somewhere. The thing is many people often stop at that point. Vulnerabilities are uncovered, results are passed along to developers, DevSecOps, or other technical staff, and…
Author Archives Kevin Beaver
THE AUTHOR
Kevin Beaver
How often should you test your critical web applications?
When it comes to web application security, the concern is not whether you should test but, rather, how often you should test. Many people scan for web vulnerabilities using dedicated vulnerability scanners and perform manual analysis/penetration testing once per year. Some people do it once…
The importance of testing “less critical” web systems
When it comes to security oversight, I’m a big proponent of focusing on the things that matter. These are your highest payoff areas – otherwise known as your most urgent vulnerabilities on your most important systems. I learned this concept while studying time management and…
Make your users part of the web security solution
Around the world today, we’re seeing instances of people being either part of the solution or part of the problem. In the context of information security, it seems we mostly witness people being part of the problem. But there’s often little discussion about people being…
Finding and fixing security flaws in third-party software that you don’t have control over
There’s a popular bit of wisdom that says don’t stress over the things in your life that you cannot control. It’s great advice for all of us these days. Still, though, no matter how hard you try, there will be some things that are out…
Setting and achieving your application security goals
Ensuring application security and resilience is largely a technical endeavor. From source code development to vulnerability and penetration testing and all the variables in between, there are a lot of moving parts on the technical side. It’s important, however, to remember the soft side of…
Why most application security measures fail and what must be done about it
In business, you’re only as good as the things that you have control over. And the only things that you can have control over are the things that you proactively measure and manage. If application security is an important part of your overall security program…
Miscommunication is at the heart of AppSec challenges
Miscommunication breaks things in business. Whether it’s unintentional – based on assumptions or intentional – driven by political motivations, miscommunication is at the heart of most challenges in business today. In our line of work, there’s hardly any more obvious form of miscommunication than what…
DAST is an essential part of a well-rounded application security program
Vulnerability management is one of the most important aspects of an information security program. Finding flaws, determining specific risks, and then following through to ensure those risks are minimized or eliminated sounds simple on the surface, but it’s not. Web applications and the overall function…