Application Security News and Trends

Aspect Security news stories focus on the biggest and most influential stories and trends that affect the application security market. Other sites, such as OWASP and WASC, cover the day-to-day news but rarely reflect on broader trends and stories.

This page covers the last 12 months of trends; you can read older trends here.

1/07 Disclosure Debate
While mandatory disclosure laws for security breaches seem to be effective in encouraging secure software, disclosure of vulnerabilities by self-promoting security researchers over the last decade has not worked.
12/06 Training and Process First
The industry is realizing that the available application security tools are useful, but only to support, not replace, the people and process responsible for assuring applications. Many organizations that invested in tools first are finding that they are not getting much value.
11/06 SANS and OWASP Partner
The SANS Institute has finally added the OWASP Top Ten as #1 in their venerable security Top 20 list. This advance will bring application security directly into the spotlight for a vast array of organizations.
10/06 XSS Era Arrives
Cross-Site Scripting (XSS) has become the number one vulnerability. Development teams struggling with XSS need to establish requirements, programming guidelines, and test plans for eliminating these holes.
9/06 PCI Standard Enhanced
The PCI standard, which governs applications that process payment card information, was enhanced to require either code review or a web application firewall. The newly formed PCI Security Standards Council will manage the standard.
8/06 OWASP Grants
The Open Web Application Security Project has announced the Autumn of Code project, with 8 grants to be awarded for research in application security. The grants will fund projects that significantly enhance existing OWASP projects.
7/06 Disclosure Laws Working
Mandatory disclosure of security breaches is forcing organizations to improve their application security like never before. Preventing these disclosures cost-effectively requires an organized approach to application security.
6/06 New Technology Is Dangerous
Many organizations are starting to experiment with web services, Ajax, and SOA. These technologies are powerful and can be built securely, but it takes extra focus and attention. There is always a time-lag between when a new technology emerges and when we've learned to use it safely.
5/06 Malicious Developers
A malicious developer on most software projects could easily insert a backdoor, time bomb, logic bomb, etc. Organizations should consider this risk and enhance their process to make it more difficult for such attacks to succeed.
4/06 Public AppSec Initiatives
A number of companies have been starting application security initiatives recently, and several have decided to do it publicly. The software market is changing to reward those who build their code securely.
3/06 Secure Coding Training
Organizations like Oracle and Microsoft are putting all of their developers through rigorous secure coding training. These classes teach developers to avoid the "innocent code" mindset and think about the threats faced by their applications.
2/06 Code Scanning
Many organizations are starting to realize the benefits of looking at the code to verify their applications. Naturally, they would like to automate as much as possible of this process. The consensus is that these tools should be used to help security analysts, not replace them.