The "RISKY BUSINESS" Blog

Security Incidents Drive Integration of Security Into SDLC's

Posted by John Verry on Tue, Apr 13, 2010 @ 03:38 PM

I thought Errata Security's recent survey mapped well to what we have seen regarding application security practices:

  • While 50% of software development companies say "security is 'always' a concern ...", only half of those firms have a formal Systems Development Life Cycle (SDLC) in place.
  • Software developers usually wait for a security incident to occur before calling in a security expert. Companies then look to integrate secure coding practices as a response.

It's very interesting to me that while the vast majority of developers/application owners recognize the importance of security, SDLCs are usually non-existent, do not adequately integrate security, or are not complied with. This would imply that it is a resource constraint: time and/or knowledge.

Time constraints are illusory, in that failing to address security adequately in the early stages of a solution is well understood to ultimately cost more time than it saves.

This implies that it is a knowledge constraint (perhaps exacerbated by a time constraint). This "feels" consistent with what we see during security assessments or during incident response. What may be surprising is that it is often business management's lack of knowledge relating to application security that is most impactful, as they "own" the responsibility to ensure that an SDLC is in place and operating as intended.

We recorded an on-demand webinar on OWASP that addresses this knowledge constraint. Enjoy.

"Leveraging OWASP to Reduce Web App Data Breach Risks"

Zeus - NYS Department Homeland Security Guidance

Posted by John Verry on Tue, Apr 06, 2010 @ 11:39 AM

Hopefully, this will be the last time I write about Zeus, the banking Trojan. However, when the New York State Department of Homeland Security releases a five-page cyber information security advisory, it's a little hard to ignore it.

It's a very comprehensive document that provides good guidance, although I was a bit disappointed they didn't discuss using a non-Windows platform and/or running off a live bootable CD or USB.

That being said, I really liked their idea of using the on-screen keyboard (osk.exe invokes it) for entering your password. It's a tiny bit awkward, but it virtually eliminates the chance of your password being captured by the keystroke logging of Zeus or similar malware. Note that it does not protect against form grabbing (hooking the browser to read submitted form data) or screen capture, both of which Zeus also uses, so it is a mitigation for keyloggers rather than a complete defense.
