The term continuous security in the context of web application security is best understood when paired with the well-known terms continuous integration and continuous deployment (CI/CD). Continuous security means that security is part of a continuous process – DevSecOps or, even better, SecDevOps. The confusion around…
FISMA Update: What’s changing and why it matters
In early October, the Homeland Security and Governmental Affairs Committee announced bipartisan legislation that’s set to make waves in federal civilian cybersecurity. This move to overhaul the Federal Information Security Management Act (FISMA) from 2014 is especially notable as the government became the most targeted…
New Industry Study: 70% Of Teams Skip Security Steps
Hot off the presses, the Fall 2021 Invicti AppSec Indicator is shedding light on the state of web application security (AppSec), including areas for improvement to speed up software innovation. The report, created in partnership with Wakefield Research, surveyed 600 individuals in security, development, and…
CISA’s Zero Trust Maturity Model is a rallying cry for modern web app security
Increasingly sophisticated cyberattacks against federal agencies highlight the urgent need to enhance federal cybersecurity. To help with this, CISA has published the Zero Trust Maturity Model to assist agencies in implementing zero trust architecture (ZTA) – and modern AppSec solutions are a crucial part of…
Stop compromising on web application security
Modern web applications are often in continuous development in highly automated workflows, so keeping them secure requires equally automated AppSec solutions. When you add to this a highly dynamic threat environment, manual security processes cannot hope to keep up. This post presents highlights from an…
Paul’s Security Weekly: Securing iframes using the sandbox attribute
Our Senior Security Researcher, Benjamin Daniel Mussler, has been invited to the Security Weekly podcast to talk about the security of iframes and, in particular, how to secure iframes using the sandbox attribute. Benjamin first talked about how traditional framesets have become completely obsolete but…
Debunking 5 cybersecurity posture myths
Small and medium businesses have it hard when it comes to cybersecurity posture. The cybersecurity gap hits them the hardest because most security experts would rather choose different work environments. Young information security enthusiasts are in high demand. However, instead of SMBs, they usually prefer to work…
Web vulnerability classes in the context of information security certifications
For certifications such as CISSP, CISA, Security+, CASP+, or CySA+, web vulnerability classes make up only a small part of the knowledge required to pass the exam. For instance, the CISSP exam evaluates the student’s expertise in eight domains, and even advanced knowledge of subjects…
To build DevSecOps, you need both modern tools and cultural changes
The ATARC webinar and panel discussion
Organized under the title “Shifting Security Left with DevSecOps,” the joint webinar brought together industry and government experts to talk about the everyday realities of application security efforts in government agencies and the latest tools available to support them…