
06/11/2013

Comments


Mtroester

Hello Fred -

Do you think that one of the reasons for disillusionment with the application security tools is that the information is generated late in the development lifecycle? That, and in many cases, the information is not completely actionable without a lot of analysis?

We are running into that as we talk to developers, CISOs, etc. We've found that organizations are looking for information that is integrated early in the lifecycle - information that will help make decisions when applications are being constructed. We also see that applications are constructed primarily of components, vs. a lot of custom code - and since traditional solutions are focused on custom code, a good bit of the application is not protected.

Thanks for the post!

Mark Troester
Sonatype
@mtroester

Fred Pinkett

Hello Mark,

Thanks for the kind words. Totally agree that scanning late and getting poor information caused the first level of disillusionment, which is what required a correction so security and development could understand each other's needs. Throwing a report from a scanner over the wall was not the answer; integrating security practices early through standards and training as well as tools is.

Both components and custom code need to be addressed, and at the end of the day, components start their life as code. When using frameworks, for example, developers need to understand their security capabilities and consider that in their design, as well as have a way to update them if security problems are disclosed.

Fred
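The thread above turns on one practical point: you can only update a component when a security problem is disclosed if you know which components, at which versions, are in the application. The script below is an added example (not code from the post, the commenters, or Sonatype) of that check: it parses a pinned component inventory and matches it against an advisory list, flagging what needs updating. The inventory, the advisory entries, their IDs, the `name==version` format and the half-open `[introduced, fixed)` range convention are all constructed for this illustration.

```python
"""
Added example (not from the original post or its comments): match a
component inventory against a small advisory list so a team can see
which third-party components must be updated after a disclosure.
Inventory, advisories and version-range format are constructed here.
"""
from dataclasses import dataclass

# Constructed inventory in a requirements.txt-style "name==version" form.
INVENTORY = """\
# sample application components (constructed)
webframework==2.3.1
templating==1.9.0
jsonlib==0.7.2
crypto-utils==3.0.0
"""

# Constructed advisories: affected range is [introduced, fixed).
ADVISORIES = [
    {"name": "webframework", "introduced": "2.0.0", "fixed": "2.3.4",
     "id": "EXAMPLE-0001", "note": "constructed: header injection"},
    {"name": "jsonlib", "introduced": "0.0.0", "fixed": "0.8.0",
     "id": "EXAMPLE-0002", "note": "constructed: unsafe deserialization"},
    {"name": "templating", "introduced": "1.0.0", "fixed": "1.8.5",
     "id": "EXAMPLE-0003", "note": "constructed: already fixed in 1.8.5"},
]


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically.

    String comparison would wrongly rank '2.9.0' above '2.10.0'.
    """
    return tuple(int(part) for part in text.strip().split("."))


def parse_inventory(text):
    """Parse 'name==version' lines, skipping blanks and '#' comments.

    An unpinned component is an error: without a version you cannot
    decide whether an advisory applies, so the check refuses to guess.
    """
    components = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned component: {line!r}")
        components[name.strip().lower()] = parse_version(version)
    return components


def is_affected(version, advisory):
    """Affected if introduced <= version < fixed (half-open range)."""
    return (parse_version(advisory["introduced"]) <= version
            < parse_version(advisory["fixed"]))


@dataclass
class Finding:
    name: str
    current: str
    advisory_id: str
    update_to: str


def find_updates(inventory_text, advisories):
    """Return one Finding per advisory whose range covers an installed version."""
    components = parse_inventory(inventory_text)
    findings = []
    for adv in advisories:
        version = components.get(adv["name"].lower())
        if version is None:
            continue  # component not in this application
        if is_affected(version, adv):
            findings.append(Finding(
                name=adv["name"],
                current=".".join(map(str, version)),
                advisory_id=adv["id"],
                update_to=adv["fixed"],
            ))
    return findings


if __name__ == "__main__":
    for f in find_updates(INVENTORY, ADVISORIES):
        print(f"{f.name} {f.current}: {f.advisory_id} -> update to {f.update_to}")
```

Run against the constructed inventory, it flags `webframework` and `jsonlib` and leaves `templating` alone because 1.9.0 is past the fix. The deliberate choices are the numeric version tuple (plain string comparison mis-orders `2.10.0` and `2.9.0`) and refusing unpinned entries, since an inventory that cannot say which version is deployed cannot answer the "do we need to update?" question the reply above raises.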
