Research/Presentations

2014 State of Developer Application Security Knowledge Report

The 2014 State of Developer Application Security Knowledge Report details the top areas of expertise and those critical areas that require strengthening. Data for the study came from results culled from more than 1,400 developers from 695 organizations worldwide who participated in Secure Coder Analytics, a free online assessment tool created by Aspect Security. A 20-question randomized quiz, Secure Coder Analytics arms organizations with an accurate assessment of their development team's knowledge of application security. Participants represented diverse industries, including financial services, banking, e-commerce, retail and the federal sector.

Mobile AppSec: Development and Alphabet Soup

There are approximately 6 billion mobile devices in the world today, and the number of mobile applications available in Google Play and the Apple App Store is around 1.5 million. Vulnerabilities and mobile malware are skyrocketing, and development of new applications and release of new devices continue at an increasing pace. We are treating mobile application security like a foreign language and are struggling with alphabet soup concerning BYOD, MDM, MAM, and MNM. Dave will explain his experiences in running a mobile application security practice and the solutions he is seeing in the industry in regard to effectively managing the mobile security of devices, applications, and data. Dave will talk about how to effectively protect your data and applications from the bad guy.

Mobile-AppSec-Development-and-Alphabet-Soup

Aspect 2013 Global Application Security Risk Report

“Insights extracted from thousands of application security risks carefully identified, analyzed, scored, and documented for clients with critical application portfolios. Aspect’s verification efforts are primarily manual code review and manual security testing, and our results shine a light on the dangers of relying on highly automated approaches to application security.”

http://www.aspectsecurity.com/the-2013-global-application-security-risk-report

Real World Application Security in Real Time

Application security has never been more important, yet traditional approaches are starting to fall apart as applications get larger, faster, and more complex while software development has accelerated to “ludicrous speed.” Unless something changes quickly, the world’s entire, limited pool of security experts will soon be completely absorbed seeking out Cross Site Scripting (XSS) vulnerabilities. A new, automated approach called IAST has the potential to achieve better vulnerability analysis results in a way that is much more compatible with the way in which software is developed.

https://www.brighttalk.com/webcast/288/66827

Mobile Application Security – There’s No App For That

Presented by: Dave Lindner, Global Practice Manager – Application Security Services & OWASP Mobile Top Ten Mobile Project Contributor

The number of mobile applications available in the Google Play and Apple App Stores is nearing 1.5 million and vulnerabilities are skyrocketing. On average, Aspect finds 11.6 vulnerabilities in every mobile application we verify. Dave will share his experiences leading Aspect’s Mobile Application Security practice, including the tools and advanced techniques we use. Mobile application security isn’t only about writing secure apps. Organizations also have to protect themselves against employees who download malicious and vulnerable applications and use them on their mobile devices at the same time they access corporate systems. Dave will talk about BYOD, BYON, and MDM issues as they pertain to protecting your data and applications from the bad guy. Join David as he explains mobile application security and why your existing web application security practice needs to adapt and change as this new threat grows in importance. Dave has first-hand expertise in helping clients in the financial and retail sectors with their mobile application security programs.

Get Rugged! The Practical Path to Securing the Software that Powers Your Business

Would it surprise you to know that although the threat has changed dramatically in the last 30 years, the techniques for building secure code have hardly advanced at all? We trust software with our lives, our safety, our healthcare, our communications and our businesses. Unfortunately, there are over 925 different ways that developers can introduce vulnerabilities. The result is widespread flaws that criminals who know how to exploit them can use to cause malicious harm to others. What does it take to create and deploy secure applications? How do you get a handle on your application portfolio? How do you create a positive, practical and responsible application security program? Join Jeff Williams to learn about the steps your organization can take immediately to Get Rugged and improve your organization’s security posture.

Mobile Applications & Proxy Shenanigans

With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks that introduce significant risks to organizations. As such, it is imperative that we perform our normal application security procedures on all mobile applications, including pen testing and code reviews. Pen testing mobile applications has proven to be difficult when typical application security testing practices are employed. Proxying mobile traffic for examination and modification is anything but straightforward, and every application presents its own unique challenges. David and Dan will explain the issues that arise when trying to proxy mobile application traffic. Join Dan and Dave as they provide guidance and a roadmap so that you may overcome these obstacles.

Keynote: Stop Fighting It – How to Ruggedize Your Culture and Make Security Easy

Many organizations have reacted to the onslaught of vulnerabilities in their code by searching harder – more dynamic scans, more static analysis, more code review, and more penetration testing. But the cost and complexity of these reactive programs will continue to increase until they are completely ineffective. The only way to get in front of the problem is to find a new path that leads to a healthier software development lifestyle.

Using Instrumentation to Find Vulnerabilities in Java EE Applications

Java EE™ is the platform of choice for critical applications – exactly the ones targeted by groups like Anonymous and organized crime. However, discovery of software vulnerabilities has always been a costly and error-prone process. We have discovered a way to use the Java™ Instrumentation API to perform “intrinsic analysis” – finding vulnerabilities from within a running application. Our approach is simple to install and powerful – enabling developers to find security flaws without headaches and false alarms. We’ve created a Java agent that runs in your app server and discovers vulnerabilities passively as you develop and test, without requiring anyone to attack your code!

Proactive Mobile Forensics: Where is Your Data?

With over 5 billion mobile devices presently in use, mobile applications enable new threats and attacks that introduce significant risk. The biggest risks are data loss through an exploit or from devices being lost or stolen. Are your mobile applications susceptible to common software vulnerabilities? Do you know what critical data is being stored on these devices and backed up in the cloud? Is your sensitive data protected if a device is lost or stolen? Join David as he explains how to be proactive by examining your mobile applications, provisioned devices and their footprints.