Application Security Architecture Authentication
CertificationsCorporate ComplianceCryptology
Disaster RecoveryEnterprise SecurityExploits
FirewallsIncident HandlingIntrusion Detection
OS SecurityPolicies and ProceduresSecurity Basics
Security ManagementSecurity ToolsServers
StandardsVoIPVulnerability Management
Web SecurityWiFi SecurityWorms and Viruses

Moving Toward Better Security Testing of Software for Financial Services

by Steve Kosten

The financial services industry (FSI) maintains high-value assets and typically operates in a very complex environment. Applications of all types–web applications, mobile applications, internal web services and so forth–are being developed quickly in response to market pressures by developers with limited security training and with relatively immature processes to support secure application development. This combination presents a juicy target for attackers, and data shows that the FSI continues to be a top target. Attempts to introduce security into the application life cycle frequently face challenges such as a lack of available application security expertise, concerns about costs for tooling, and a fear among product owners that security processes might impede the development cycle and slow their response to market conditions. This paper explores why the applications are being targeted, what is motivating the attackers and what some inhibitors of application security are. Most important, this paper specifies some best practices for developing a secure development life cycle to safeguard applications in the FSI.
» Read more

Using Cloud Deployment to Jump-Start Application Security

by Adam Shostack

The cloud has significantly changed corporate application development. Now that releases come every few days rather than once or twice a year, AppSec is now squeezed into tiny windows of time. The speed, repetitiveness and changes in responsibility associated with these changes make it hard for traditional approaches to work. What are the choices and best practices for security within AppSec? How can you leverage the cloud to work for you? Attend this webcast and be among the first to receive access to the associated whitepaper developed by Adam Shostack.
» Read more

Security by Design: The Role of Vulnerability Scanning in Web App Security

by Barbara Filkins

The growth in custom applications in the cloud has increased organizations’ security exposure. Although more organizations want to test and remediate during development, this doesn’t address the thousands of existing, potentially vulnerable, apps already online. Modern web scanners can help by highlighting areas of likely vulnerability. Their speed and automation can make them a valuable part of a multilayered scanning and monitoring program.
» Read more

Testing Web Apps with Dynamic Scanning in Development and Operations

by Barbara Filkins

Building secure web applications requires more than testing the code to weed out flaws during development and keeping the servers on which it runs up to date. Public-facing web apps remain the primary source of data breaches. To keep web apps secure, IT ops groups are increasingly adopting Dynamic Application Security Testing (DAST) tools. Learn how DAST tools can reduce dev costs and security flaws; how to avoid organizational gaps between dev and ops that can make remediation difficult; and other AppSec/vulnerability scanning issues.
» Read more

Asking the Right Questions: A Buyer’s Guide to Dynamic Scanning to Secure Web Applications

by Barbara Filkins

Once an organization has made the decision to invest in dynamic application security testing (DAST) to support its application security program—potentially across all phases of the software development life cycle (SDLC), including production—the next challenge becomes how to proceed. What is the best process to determine and procure what is really needed?
For this reason, SANS has developed a buyer’s guide for procurement of a DAST solution, whether as a product or software-as-a-service (SaaS). This guide will lay out an effective process to evaluate, select and implement the best solution that can be followed by any organization, large or small.
This guide provides a four-step method, for acquiring the solution you need to enable your organization’s use of DAST.
» Read more