Application Security & Software Development Life Cycle Resources

Choosing a Vulnerability Scanner

Vulnerability scanning aims to reveal security weaknesses in an application by using automated tools to assess its code, design, and functionality. Design flaws which lead to vulnerabilities like Cross Site Scripting (XSS), SQL Injection, path disclosure, and other...


Secure Scrum – Integrating Security with Agile

Successfully implementing strong application security is one of the most challenging non-functional tasks Scrum teams face. Traditional application security practices which carefully integrate security throughout the Software Development Lifecycle (SDLC) are often at...


Secure Application Configuration Basics

In June of 2016 it was revealed that a database maintained by a large data brokerage company was hacked, exposing 154 million US voter records; personal details like gun ownership, positions on gay marriage, and email addresses were retrieved. Database...


Application Security Code Review Introduction

Security code review is a process which systematically applies a collection of security audit methodologies capable of ensuring that both environments and coding practices contribute to the development of an application resilient to operational and environmental...


The Top 3 Challenges DevOps Poses to Security Teams

DevOps has revolutionized how new applications are brought online, but it is also challenging how security teams do their jobs. In theory, DevOps can make applications more secure by baking security into the Software Development Lifecycle from the earliest stages of...


There is More to Application Security than Bulletproof Code

In recent months, momentum has been mounting for developers to write code for their applications that is more secure. While writing secure code is vital to the security of an organization, it’s not the final word in creating applications resistant to attacks. A...


What do SAST, DAST, IAST and RASP mean to developers?

It’s estimated that 90 percent of security incidents result from attackers exploiting known software bugs. Needless to say, squashing those bugs in the development phase of software could reduce the information security risks facing many organizations today. To...


Why don’t developers write more secure code?

Developers have been rapped in some circles for writing code with security flaws, but is such criticism justified? Where is security on developers’ priority list? Programmers certainly have a lot on their plates and while security has been a burning issue in...


Quantifying Software Security Risk

What are the frameworks out there that organizations can use to quantify risk? Risk management is a hot topic across many boardrooms, so much so that the insurance and financial sectors have established frameworks that organizations...


How to Quickly Audit Your Cryptography Usage?

Cryptography is an important security control for any application. It is essential in securing data at rest and in transit. But how do you know your team is following good and solid crypto practices? How do you know whether there are gaps that need to be...


Setting up a Secure Instance of Express JS (GitHub Repo)

In a previous blog post I mentioned ways to secure your ExpressJS instance. This included both using third-party modules and modifying the default configuration of Express. The blog post received great feedback, so we decided to create a skeleton that showed...


Reading through the IRS Hack: Failures and Analysis

The IRS has reported that thieves stole tax information from 100,000 taxpayers, pretty disturbing news on multiple levels. The first level of disturbance is obviously that an organization like the IRS which has more information on every single citizen – probably...


Security Comparison: AngularJS vs Backbone.js vs Ember

Client-side JavaScript security is becoming more and more of an issue with the shift to Single Page Applications or SPAs in modern web development. There are many different libraries and frameworks to pick from when you set out to build your own SPA. The...


Simplified Application Security Code Review

Obviously it is not 2005 anymore. 10 years ago most organizations were OK with perimeter security and a vulnerability scanner. The shift in the U.S. from perimeter security to application security started to happen about 4-6 years ago, depending on the industry; I know...


Cyber Security Laws & Regulations in Canada

Pop quiz: do Canadians and Americans approach cyber security the same way? The answer is a clear and definite no. With the recent passage of HB 1078 in Washington State, it seemed appropriate to compare the legal attitudes between Canada's Parliament and...


Secure Your Express Application

At Software Secured, we have been building our internal tools around Node.js and Express. Node.js is becoming more and more popular nowadays and several frameworks have popped up to wrap Node.js functionality and APIs. One of these frameworks is Express. Express is...


Top Risks and Recommendations For Windows Store Apps

This article originally appeared on Microsoft Developer Connection. OWASP's Mobile Top 10 is a project launched by OWASP to identify the top 10 risks and threats to mobile apps at large. The project highlights the risk, the impact it could have, and finally some...


Federated Identities: OpenID vs SAML vs OAuth

An updated version of this article is available. Single sign-on (SSO) started it all. Organizations needed a way to unify authentication systems in the enterprise for easier management and better security. Single sign-on was widely adopted and provided a...


A Low-Tech Solution To a High-Tech Problem

The cost of data breaches continues to climb. Global Payments, which back in the spring reported a data breach in which information associated with an estimated 1.4 million payment cards was stolen, has revealed that expenses associated with...


Are All Static Code Analysis Tools Created Equal?

Static code analysis is an essential ingredient in any semi-decent software security assurance program. Let's get this out of the way: whether commercial or open source, these tools are just one important component in software security testing these days. The question...


Top 4 Sources For Information Leakage

Ask pen-testers and they will tell you that an attack is only as successful as the amount of information they can gather during the reconnaissance phase. Reconnaissance is the phase where the attacker tries to gather as much information about your application as possible. How...


Lazy programmer’s guide to web.xml security review

No matter how much security is built into the application, if your configuration is not up to par, I can safely tell you that it does not really matter how much security is in the application. As the old saying goes, it is only as secure as the weakest link, so don't...


5 Free Ways to Teach Yourself Software Security

I was thinking the other day: where does an average software developer or quality assurance engineer draw their fundamental software knowledge from? The fundamentals and basics are mostly engraved in university and maybe the first couple of years of...


Why You Should Re-consider Custom Error Pages

Custom error pages are one of the things that I always saw in the nice-to-have section of the requirements document when I was a software developer. You know, when we are done with the "real work", you will start putting those in web.xml or web.config and start...


The Missing Truth behind SQL Injection

SQL Injection was first found back in 1998, and since then a lot of effort has been made towards mitigating this attack. However, it still tops the SANS Top 20 and OWASP Top 10 lists. Why is that? What is missing, in addition to all that has been done so far?
