Weak passwords and password reuse are still some of the most serious concerns for cybersecurity. There are several ways to increase password security but they are often not adopted by users and administrators. Here’s how you can make sure that sensitive data in your web…
How often should you test your critical web applications?
When it comes to web application security, the concern is not whether you should test but, rather, how often you should test. Many people scan for web vulnerabilities using dedicated vulnerability scanners and perform manual analysis/penetration testing once per year. Some people do it once…
Trends that underscore the seriousness of the cybersecurity skill gap
It is no secret that there’s a glaring skills gap in cybersecurity. Learn more about the trends impacting AppSec success and the steps that can help bridge gaps in DevSecOps workflows. Under pressure to innovate, development outpaces security Picture this: a time-strapped engineer chasing a…
DevSecOps vs. SecDevOps
DevSecOps is a relatively new approach to continuous software development processes in agile environments. It is an extension of DevOps (Development + Operations) that includes the automation of security. The order of component terms in the DevSecOps name, however, may lead to incorrect application security approaches. That…
The cutting-edge conundrum: Why federal agencies can’t compromise on security
2021 was a banner year for cyberattacks, with reported breaches increasing by 68 percent. The record-breaking number of 1,862 data breaches put previous years to shame, especially considering industry-rocking incidents like Log4Shell, which had most organizations in the public and private sectors scrambling to secure…
AppSec best practices for security that sticks
New year, new AppSec program. Just like any good resolution, AppSec that makes a lasting impact is one you have to stick to, fine-tune, and hold yourself accountable for. AppSec programs act like bumpers in a bowling lane and help keep you on track, but…
What is server-side request forgery (SSRF)?
Server-side request forgery (SSRF) is the only type of vulnerability that has its own category in the OWASP Top 10 2021 list. Several major cybersecurity breaches in recent years, including Capital One and MS Exchange attacks, involved the use of SSRF as one of the break-in techniques. SSRF…
Zero trust countdown: New OMB memo stresses urgency for modern AppSec
The White House is following up with a new cybersecurity directive to further improve the security posture for federal agencies. The memo strongly encourages the adoption of zero trust architecture as a way to ensure that, in the process of securing their software landscape, federal…
The importance of testing “less critical” web systems
When it comes to security oversight, I’m a big proponent of focusing on the things that matter. These are your highest payoff areas – otherwise known as your most urgent vulnerabilities on your most important systems. I learned this concept while studying time management and…