November 29, 2015

How To Create an Effective Software Security Training Program For Agile Teams

Although not unique to agile projects, there’s also the issue that the focus of information security has traditionally been at the network layer and not on the software itself. This can (and does) lead to an over-reliance on perimeter security: firewalls, SIEMs, traffic fingerprinting devices, etc. The problem is that many recent software breaches have occurred at the application layer or data layer and have gone undetected, sometimes for months(!), by perimeter defenses. Software security is a distinct practice within the information security world. It is enough of an emerging concern that many in software development, testing and product owner roles are not aware of the need to build defenses into the code itself.

5 Things Enterprises with Mature Security Programs Should be Thankful For

In addition to having a thorough understanding of the systems in place, you’re grateful for having taken the time to understand the nature, motivations, and capabilities of the adversaries that could target your enterprise. You know which apps and systems hold data that would be of financial gain to cybercriminals, as well as what data would be of interest to your primary competitors. You also know which data you hold that could likely be targeted for use as part of a two-stage attack aimed at partners or other third parties. Thankfully, when it comes to threat modeling new apps and systems, you are able to swiftly review them for how they work and what risks may be involved, what data they touch, how access is granted and other security-related attributes.


MailSystem is a suite of .NET components that provide users with an extensive set of email tools. MailSystem provides full support for SMTP, POP3, IMAP4, NNTP, MIME, S/MIME, OpenPGP, DNS, vCard, vCalendar, Anti-Spam (Bayesian, RBL, DomainKeys), Queueing, Mail Merge and WhoIs. This project is licensed under the LGPL; you are free to use the compiled binaries in your personal or commercial project for free. If, for some reason, you want to keep your changes for yourself, you must acquire a commercial license.

The core principle behind the SAFECode framework is that a software assurance assessment should primarily focus on the secure software development process and its application to the product being assessed, while taking into consideration the context of a product’s intended operating environment. There is no single practice, tool, or checklist that acts as a silver bullet and guarantees better software assurance. Rather, the efficacy and efficiency of software security practices and tools varies based on how they are applied and whether they are implemented as part of a holistic software development process within each unique organization. With that principle understood, we recognize that the maturity of secure development practices varies among technology suppliers.

Robust Security Planning Requires Change in Mindset

Ensuring device security often does not stop at meeting the set of regulatory requirements. Firms generally search for ways to enhance security further, as they are very concerned about the cost of potential security breaches and the ever-changing landscape of sophisticated attacks. The cost of a security breach and the violation of your trust relationship with your customers can be high. It can also have a large impact on your firm’s reputation as well as sales, which can alter how the market views your other products. Legislation now requires firms to disclose breaches, with possible financial penalties. The number of sophisticated attackers is also increasing as more robust attack tools become available, in turn increasing the overall risk of a security breach.

Moving towards an Intelligent, Networked and Boundaryless World

IoT will herald an evolutionary change in the appliances, systems, devices and utilities that people use on a daily basis. From refrigerators, washing machines, microwaves, ACs, TVs and cars to electrical grids, transport systems and surveillance systems, this change will touch everything. To support such an ecosystem, infrastructure vendors are already in hyper-drive to develop and market products that are IoT enablers, e.g. SDN, NFV, multiprotocol aggregators, wearable devices, IPv6-based architecture, etc. ... The premise of Smart Cities emanates from a planned city that manages and monitors civil utilities, power grids, communication, transport and traffic systems, citizen services and security, and requires the synchronized operation of complex, automated systems.

3 Reasons Why the Most Common OWASP Risks Are STILL On the List After 10 Years

In the past, security professionals have warned against M&M security—security that is hard and crunchy on the outside but soft and gooey on the inside. Back when network security was the primary concern, enterprises focused most of their effort on protecting the perimeter. Firewalls, intrusion detection systems, and proxies became necessary tools to keep the bad guys out. However, in order for software to be useful, there has to be an entry point for our users (i.e. the front-end web applications running on port 80 or 443). In order to extend the concept of perimeter security to the application layer, many firms rely on web application firewalls or WAFs to protect their sensitive, internal assets.

So, what steps can the CIO take to ensure that the cloud provider's staff members are doing their jobs properly? Data analytic tools are emerging that help businesses identify system aberrations, and better identify and potentially thwart insider threats. However, cloud customers need to be proactive in their use of such tools. Often, the vendor is unwilling to let the customer access the data analytics system or talk directly with its employees. But such steps can be written into the customer's service level agreement. "In the SLA, the customer should have the ability to audit the service on occasion, examine system logs, and hire an outside firm to investigate any potential internal breaches," explained Security Architects' Blum.

A Data Model Describes a Business

In many ways the mind of a good businessperson is similar to that of a good data modeler—continually asking questions and looking for areas of improvement. A recent example at a client of mine brought this to light. In building a conceptual data model for a manufacturing company, I was working with a senior engineer to understand the underlying data model for several functional business areas. As he had some previous experience with data modeling, in addition to the logic of engineering, I found this session particularly productive. The data modeling process asks a series of questions that are almost childlike in their simplicity, but when done in a methodical way, can highlight important business rules that might not have come to light.

Considering the number of major security breaches we’ve suffered, and the creative ways that cyber criminals are finding into supposedly secure systems, the good guys could use a break. Could that advantage come from machine learning? It very well could, says Patrick Townsend, CEO and founder of security software vendor Townsend Security. “Now that we’re starting to get systems that can really effectively handle examining large amounts of very unstructured data and detecting patterns, I’m hoping that the next wave of security products will be based on cognitive computing,” he says. “Look at Watson. If it can win Jeopardy, why can’t it parse all these security events worldwide and make sense of them? I think we’re on the very early cusp of the use of cognitive-based computing to help ramp up security.”

Quote for the day:

"An overburdened executive is the best executive, because he or she doesn't have the time to meddle." -- Jack Welch