It is no secret that there’s a glaring skills gap in cybersecurity. Learn more about the trends impacting AppSec success and the steps that can help bridge gaps in DevSecOps workflows. Under pressure to innovate, development outpaces security Picture this: a time-strapped engineer chasing a…
DevSecOps vs. SecDevOps
DevSecOps is a relatively new approach to continuous software development processes in agile environments. It is an extension of DevOps (Development + Operations) that includes the automation of security. The order of component terms in the DevSecOps name, however, may lead to incorrect application security approaches. That…
The cutting-edge conundrum: Why federal agencies can’t compromise on security
2021 was a banner year for cyberattacks, with reported breaches increasing by 68 percent. The record-breaking number of 1,862 data breaches put previous years to shame, especially considering industry-rocking incidents like Log4Shell, which had most organizations in the public and private sectors scrambling to secure…
AppSec best practices for security that sticks
New year, new AppSec program. Just like any good resolution, AppSec that makes a lasting impact is one you have to stick to, fine-tune, and hold yourself accountable for. AppSec programs act like bumpers in a bowling lane and help keep you on track, but…
What is server-side request forgery (SSRF)?
Server-side request forgery (SSRF) is the only type of vulnerability that has its own category in the OWASP Top 10 2021 list. Several major cybersecurity breaches in recent years, including Capital One and MS Exchange attacks, involved the use of SSRF as one of the break-in techniques. SSRF…
Zero trust countdown: New OMB memo stresses urgency for modern AppSec
The White House is following up with a new cybersecurity directive to further improve the security posture for federal agencies. The memo strongly encourages the adoption of zero trust architecture as a way to ensure that, in the process of securing their software landscape, federal…
The importance of testing “less critical” web systems
When it comes to security oversight, I’m a big proponent of focusing on the things that matter. These are your highest payoff areas – otherwise known as your most urgent vulnerabilities on your most important systems. I learned this concept while studying time management and…
Lessons from the Log4j crisis: Are we ready for the next global vulnerability?
It was an unwelcome early Christmas gift shared with the entire world on December 9th, 2021. Log4Shell rocked the industry when we realized just how dangerous and far-reaching its effects could be. The mad scramble to find and patch the flaw left many organizations wondering…
What to know about Biden’s latest cybersecurity memorandum
Building on his administration’s historic cybersecurity executive order, President Joe Biden yesterday signed a new National Security memorandum (NSM) designed to further improve security across the Department of Defense, intelligence community, and national security systems. The memo lays out concrete requirements around the technology required…