Sitemap

OWASP ASVS: Web Application Testing Comes of Age

If your organization builds, buys or uses web applications, you’ve probably heard of the Open Web Application Security Project (OWASP) and its Application Security Verification Standard (ASVS). Now at Version 4, the ASVS is a big step up from the longstanding OWASP...

3 Reasons Why You Should Probably Focus on NIST SP 800-171, Not CMMC

Heresy! Blasphemy! Lunatic? Uninformed? Au contraire, mon amie. Actually, this view is both orthodox and very informed… with one key caveat. Let me explain. The caveat is that you have a current contract that includes the Defense Federal Acquisition Regulation (DFARS)...

Application Security is a Team Sport. Is Your Team Winning?

People say that I get excited when I talk about security. I don't hold a candle to Jim Manico. He is an application security powerhouse. He founded and runs his own application security training company, Manicode, and is a major contributor to a number of OWASP...

Web App Developers Don’t Need to Be Security Experts to Use the OWASP ASVS

The Application Security Verification Standard (ASVS) Version 4 from the Open Web Application Security Project (OWASP) is among the most comprehensive and practical guidance available for organizations looking to build or buy secure web applications, or expose...

70% of Web Apps Have Open Source Security Flaws—Here’s How to Fix Yours

70% of applications have open source security flaws, according to recent Veracode research. Virtually all applications developed are built using some open source components. As Chris Eng, Chief Research Officer at Veracode, notes, “Open source software has a...

What is Exostar and Why Should DoD Suppliers Care?

Did you know that 65% of US Department of Defense (DoD) direct spending—involving about 150,000 companies—is transacted over one service provider’s secure platform? That company is Exostar. If your organization is part of the US Defense Industrial Base (DIB), you may...

Your ISO 27001 ISMS Internal Audit Sucks (Here’s How to Fix It)

No offense, but your ISMS Internal Audit approach/program probably sucks. How would I know? Because Pivot Point Security performs 100+ ISO 27001 ISMS Internal Audits each year for companies across different verticals. What makes them suck? Robert Fritz said it best:...

When Less Really is More

Information security is a well easily fallen into. There are so many options on the market, and so many things to consider. It’s hard to determine what you actually need, and sometimes companies tend to just grab everything in sight to assure themselves that they are...

Leveraging ISO 27001 for CMMC Requirements

Thomas Price from BSI is a crazy-accomplished auditor. He has experience in ISO 9001, 20000, 27001, 27017, NIST 800-171, and NIST CSF. This guy knows his stuff. I truly believe he will be one of the first auditors to be certified to complete a CMMC certification. If you...

SOC 2 & ISO 27001… The ULTIMATE Security Attestation

A recent episode of Pivot Point Security’s The Virtual CISO Podcast featured special guest Dan Schroeder, CPA, CISA, founder and partner-in-charge of the Information Assurance group at business advisory leader Aprio. Dan and host John Verry (Pivot Point Security’s...