News

Aspect Security Announces Application Security eLearning Version 3.0

Section 508 Compliant, Specialized Role-Based Learning Tracks, Mobile Enabled

COLUMBIA, MD--(Marketwired - Dec 3, 2014) - Aspect Security, a pioneer in application security, announced version 3.0 of their award-winning eLearning for Secure Application Development. Already OWASP Top Ten 2013, PCI/DSS, SANS 25, HIPAA and SOX compliant, version 3.0 contains major updates, including Section 508 compliance for use in government agencies and their contractors, HTML5 programming so content can be accessed from tablets and mobile devices, four additional application security topics to meet today's complex threat-scape, and customized, role-based learning tracks that provide information for specialized roles and responsibilities.

Dark Reading Radio Webinar

From Dark Reading:

"In this Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security when Marilyn Cohodas interviews two industry leaders from the Open Web Application Security Project, on the heels of OWASP’s AppSec USA conference in Denver Sept. 16-19.

Our guests include Michael Coates, OWASP Chairman and Product Security Director at Shape Security, and former OWASP Chairman Jeff Williams, who is founder and CTO of Aspect Security, and the creator of many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten."

http://www.darkreading.com/radio.asp?webinar_id=144

Application Developers Barely Passing in Application Security Tests

Coverage from India reporting on Aspect Security's recent study, the 2014 State of Application Security Knowledge Report, which reveals that application developers are getting failing grades when it comes to their knowledge of critical security topics such as how to protect sensitive data, web services, and threat modeling.

http://www.informationweek.in/informationweek/news-analysis/297993/application-developers-barely-passing-application-security-tests

Expert Roundtable: The Future of Security Education

Read more as HP's Jacob West, Digital Management's Rick Doten, and Aspect Security's Jeff Williams discuss different aspects of application security, university programming and development programs, and where the industry is going.

http://www.softwareadvice.com/security/industryview/future-security-education-2014/

The 2014 State of Developer Application Security Knowledge Report

Aspect Security Analyzes Gaps in Developers’ Application Security Knowledge
2014 State of Developer Application Security Knowledge Report

Columbia, MD, September 15, 2014 – Aspect Security, a pioneer in application security, today announced their findings of developers’ knowledge of application security principles. The 2014 State of Developer Application Security Knowledge Report details the top areas of expertise and those critical areas that require strengthening. Data for the study came from results culled from more than 1,400 developers from 695 organizations worldwide who participated in Secure Coder Analytics, a free online assessment tool created by Aspect Security. A 20-question randomized quiz, Secure Coder Analytics arms organizations with an accurate assessment of their development team's knowledge of application security. Participants represented diverse industries including financial services, banking, e-commerce, retail and the federal sector.

The Real Wakeup Call From Heartbleed

There's nothing special about Heartbleed. It's another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.

In case you live under a rock, a serious security flaw was disclosed back in April in the widely used OpenSSL library. On a threat scale of 1 to 10, well known security expert Bruce Schneier rated it an 11. Essentially, an attacker can send a "heartbeat" request that tricks the server into sending random memory contents back to the attacker. If the attacker gets lucky, that memory contains interesting secrets like passwords, session IDs, Social Security numbers, or even the server’s private SSL key.

Flying Naked: Why Most Web Apps Leave You Defenseless

Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.

Imagine for a moment a major airline only checking 10 percent of its fleet for safety problems. Now imagine that when they do check an aircraft, they find 22 safety problems (some major, some minor). That would represent a crazy business risk for any airline. Roughly 90 percent of the fleet wouldn’t be checked for safety and mechanical problems. That would never fly. But yet, I am here to tell you that 90 percent of applications in most organizations are naked -- since they have no application security defenses in place.

The Seven Deadly Sins of Application Security

How can two organizations with the exact same app security program have such wildly different outcomes over time? The reason is corporate culture.

The knee-jerk approach to application security is to start finding and fixing vulnerabilities. The problem with these reactive programs is that they end up being expensive witch-hunts that don’t change the way code is built. Instead, we need to think of those vulnerabilities as symptoms of a deeper problem that lies somewhere in the software development organization.

Secure Code Starts With Measuring What Developers Know

I recently discovered I've been teaching blindly about application security. I assumed that I knew what students need to learn. Nothing could be further from the truth.

Since 1999, I’ve taught over 2,000 developers, architects, and managers about application security. This is no small challenge, since the subject is almost totally ignored in most college curriculums and there is a lot to learn. In fact, the MITRE CWE Project lists over 1,000 different categories of security mistakes that developers can make. Many of these security quagmires are not immediately obvious and quite a few are downright diabolical. So I totally understand why developers don’t spend their off-hours researching the inner workings of "padding oracle" vulnerabilities and other security lore.

What Healthcare Can Teach Us About Application Security

The Centers for Disease Control protects people from health threats and increases the health security of our nation. It's a mission that's not so different from InfoSec.

Here’s our challenge: our increasing reliance on software is occurring exactly when two other trends are making security more difficult. First, software size, complexity, interconnection, and even development speed are increasing rapidly. Second, advances in software technology are rapidly making traditional security scanners and code analyzers obsolete. Seriously… this won’t end well.