
Application and Cybersecurity Blog

Happy Birthday World Wide Web! Will the Next 25 Years be as Risky?

Posted by Ed Adams on August 23, 2016 at 3:59 PM

Happy 25th birthday to the world wide web! It's difficult to imagine the first public website was launched just 25 years ago in 1991. For most people, it's hard to think about our lives without the internet.

Internet use has grown substantially over the years, with estimates of over 3.5 billion users around the world in 2016, up from 2.2 billion the year before.1 And while many are now embracing the convenience of the internet, concerns about internet security are greater than ever. Security needs to be thought about as technology and the internet continue to advance and grow over the next 25 years.


Topics: application security, internet of things, embedded security, quantum computing, cybersecurity news

QuadRooter: The 4-Headed Monster That Threatens 900 Million Android Users

Posted by Dinesh Shetty on August 15, 2016 at 12:35 PM

As the name implies, QuadRooter is a collection of four exploits in Qualcomm's popular graphics and media chipset, which is in more than 900 million mobile devices globally. When used in combination with malware, the exploit gives an attacker root access, i.e., the "keys to the kingdom." All data, services, and hardware on the device are free to take or control – want to listen to phone conversations, read someone's mail, track a device via GPS, or wipe an unsuspecting user's phone? All possible with QuadRooter.

Topics: internet of things, mobile security, cybersecurity news

A CISO's Guide to Application Security

Posted by Danny Harris on August 11, 2016 at 8:53 AM

CISO Executive Summary

Application security differs in a number of ways from IT security, network security, and information security, so standard solutions from those domains don't necessarily address the challenges of application security. It is a very knowledge-dependent discipline, and defense in depth is rarely achieved with technology solutions alone.


Topics: application security, application risk & compliance, owasp, sdlc

Bug Bounty Hunter Programs - Is Your Organization Equipped?

Posted by Joe Basirico on August 9, 2016 at 8:14 AM

With Apple's recent announcement that it will start its first Bug Bounty Program this September, the question arises of why they waited so long and why they finally decided to create one.

Bug Bounty Hunter (BBH) programs are relatively simple in theory - security professionals or hackers who find security holes receive compensation based on the criteria defined in the program. A well-managed program can be a valuable component of a mature software development lifecycle; however, a poorly-organized one can generate a lot of headaches and effectively paralyze an entire security team as they sift through the findings.


Topics: application security, sdlc

4 Ways to Reduce the Cost of PCI Compliance

Posted by Alan Pearson on August 5, 2016 at 8:02 AM

All organizations that process credit card data are required to be PCI compliant and abide by PCI DSS security standards. However, many organizations treat PCI compliance as an expensive, stressful, and time-consuming annual event. Often departments have fixed budgets, which is why it's important to reduce costs whenever possible while still being able to maintain compliance requirements.


Topics: application security, application risk & compliance, pci-dss

Jailbreaking your iPhone: Worth the Security Risk?

Posted by Dinesh Shetty on August 1, 2016 at 7:53 AM

In the wake of Pangu releasing the latest iPhone jailbreak, the industry will continue to debate whether jailbreaking your iPhone is worth the security risk.

With a jailbroken iPhone, you can get past many of the locked down features to customize your iPhone in nearly any way you can imagine. However, this luxury comes with a risk that makes all the information on your phone a likely target for cyber criminals. So, if jailbreaking is such a big security risk, why do it in the first place?


Topics: internet of things, mobile security, embedded security

Automotive Cybersecurity Best Practices

Posted by Gene Carter on July 27, 2016 at 8:59 AM

Recently the Automotive Information Sharing and Analysis Center (Auto-ISAC) released "Automotive Cybersecurity Best Practices" for carmakers and their suppliers. This document expands on their "Framework for Automotive Cybersecurity Best Practices" published in January 2016. This is the first time the automakers have addressed cybersecurity in a formal manner and a strong sign they are treating hacker threats seriously.

I am encouraged that the auto industry leveraged the experience of other industries when approaching this task. The Best Practices document builds upon guidelines from NIST and ISO/IEC in creating its cybersecurity guidance. While cars need different security measures from mobile phones or websites, there are elements that are the same across these platforms and the automakers have emphasized the relevant teaching from industries with a longer history of security-conscious software development.


Topics: developer guidance, connected cars, internet of things, automotive

Chrome Takes on Quantum Computers

Posted by Gene Carter on July 25, 2016 at 11:36 AM

Recently, Google announced they are testing a quantum resistant cryptographic algorithm for the Chrome browser, specifically the new Canary version used for experimentation. If you are unfamiliar with quantum resistant algorithms, you can watch the short video or read a series of blog posts.

I applaud Google's effort to take this important first step toward addressing the existential challenges of quantum computing by creating a more future-proof way for users to securely communicate over the internet. I urge the other browser vendors to follow suit.


Topics: crypto, embedded security, quantum computing, cybersecurity news

Why You Should Have Trust Issues with Pokemon Go (and every other phone app)

Posted by Joe Basirico on July 14, 2016 at 10:18 AM

I want to run into traffic, fall into a pond, catch Pokémon while my wife is in labor, and find a dead body; let's check out this Pokémon Go thing!

Pop quiz: Is this a valid login screen for Google Account services?


Topics: security awareness, privacy, online security safety, internet of things, mobile security

Making Application Security Fun and Approachable

Posted by Ed Adams on June 23, 2016 at 10:55 AM

Application security is often overlooked, under-funded, or ignored. Part of the reason for this is that it can be a complex, difficult aspect of IT security, but mostly it's because it's simply misunderstood.

When I speak with CISOs and other InfoSec professionals, the perception is that AppSec is a frustrating, vexing problem for them: the tools are expensive, burdensome, and inaccurate; developers won't take procured training; and there's a distinct sense of being overwhelmed by dependence on so many applications and so much code to run their business. Despair and lack of visibility leave organizations with the question "Where do we start?", and that question frequently never gets answered.


Topics: application security
