Aspect Security Announces Application Security eLearning Version 3.0

Section 508 Compliant, Specialized Role-Based Learning Tracks, Mobile Enabled

COLUMBIA, MD--(Marketwired - Dec 3, 2014) - Aspect Security, a pioneer in application security, announced version 3.0 of their award-winning eLearning for Secure Application Development. Already OWASP Top Ten 2013, PCI/DSS, SANS 25, HIPAA and SOX compliant, version 3.0 contains major updates, including Section 508 compliance for use in government agencies and their contractors, HTML5 programming so content can be accessed from tablets and mobile devices, four additional application security topics to meet today's complex threat-scape, and customized, role-based learning tracks that provide information for specialized roles and responsibilities.

Dark Reading Radio Webinar

From Dark Reading:

"In this Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security when Marilyn Cohodas interviews two industry leaders from the Open Web Application Security Project, on the heels of OWASP’s AppSec USA conference in Denver Sept. 16-19.

Our guests include Michael Coates, OWASP Chairman and Product Security Director at Shape Security, and former OWASP Chairman Jeff Williams, who is founder and CTO of Aspect Security, and the creator of many open-source standards, tools, libraries, and guidelines – including the OWASP Top Ten." 

Expert Roundtable: The Future of Security Education

Read more of the advice from HP's Jacob West, Digital Management's Rick Doten, and Aspect Security's Jeff Williams as they discuss different aspects of application security, university programming and development programs, and where the industry is going.

The 2014 State of Developer Application Security Knowledge Report

Aspect Security Analyzes Gaps in Developers’ Application Security Knowledge
2014 State of Developer Application Security Knowledge Report

Columbia, MD, September 15, 2014 – Aspect Security, a pioneer in application security, today announced their findings of developers’ knowledge of application security principles. The 2014 State of Developer Application Security Knowledge Report details the top areas of expertise and those critical areas that require strengthening. Data for the study came from results culled from more than 1,400 developers from 695 organizations worldwide who participated in Secure Coder Analytics, a free online assessment tool created by Aspect Security. A 20-question randomized quiz, Secure Coder Analytics arms organizations with an accurate assessment of their development team's knowledge of application security. Participants represented diverse industries including: financial services, banking, e-commerce, retail and the federal sector.

The Real Wakeup Call From Heartbleed

There's nothing special about Heartbleed. It's another flaw in a popular library that exposed a lot of servers to attack. The danger lies in the way software libraries are built and whether they can be trusted.

In case you live under a rock, a serious security flaw was disclosed back in April in the widely used OpenSSL library. On a threat scale of 1 to 10, well-known security expert Bruce Schneier rated it an 11. Essentially, an attacker can send a "heartbeat" request that tricks the server into sending random memory contents back to the attacker. If the attacker gets lucky, that memory contains interesting secrets like passwords, session IDs, Social Security numbers, or even the server’s private SSL key.

Flying Naked: Why Most Web Apps Leave You Defenseless

Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place.

Imagine for a moment a major airline only checking 10 percent of its fleet for safety problems. Now imagine that when they do check an aircraft, they find 22 safety problems (some major, some minor). That would represent a crazy business risk for any airline. Roughly 90 percent of the fleet wouldn’t be checked for safety and mechanical problems. That would never fly. But yet, I am here to tell you that 90 percent of applications in most organizations are naked -- since they have no application security defenses in place.

The Seven Deadly Sins of Application Security

How can two organizations with the exact same app security program have such wildly different outcomes over time? The reason is corporate culture.

The knee-jerk approach to application security is to start finding and fixing vulnerabilities. The problem with these reactive programs is that they end up being expensive witch-hunts that don’t change the way code is built. Instead, we need to think of those vulnerabilities as symptoms of a deeper problem that lies somewhere in the software development organization.

Secure Code Starts With Measuring What Developers Know

I recently discovered I've been teaching blindly about application security. I assumed that I know what students need to learn. Nothing could be further from the truth.

Since 1999, I’ve taught over 2,000 developers, architects, and managers about application security. This is no small challenge, since the subject is almost totally ignored in most college curriculums and there is a lot to learn. In fact, the MITRE CWE Project lists over 1,000 different categories of security mistakes that developers can make. Many of these security quagmires are not immediately obvious and quite a few are downright diabolical. So I totally understand why developers don’t spend their off-hours researching the inner workings of "padding oracle" vulnerabilities and other security lore.

Another breach like Target’s is inevitable, security expert tells Consumer Reports

Major security lapses that a Senate report highlighted are widespread

Expect more data breaches as large and severe as the Target breach.

That’s the takeaway from our exclusive interview with security expert Jeff Williams. The types of security missteps a Senate Committee recently cited in analyzing the Target incident are found in many organizations, he said. “The problem isn’t really Target,” he said. “The problem is systemic. This could have been anybody.”

CIOReview Names Aspect Security to its Top Twenty List

CIOReview put together a panel of CIOs and CEOs of public companies, analysts, and the CIOReview editorial board to finalize their list of the 20 Most Promising Enterprise Security Consulting Companies. We are honored: