{% set baseFontFamily = "Open Sans" %} /* Add the font family you wish to use. You may need to import it above. */

{% set headerFontFamily = "Open Sans" %} /* This affects only headers on the site. Add the font family you wish to use. You may need to import it above. */

{% set textColor = "#565656" %} /* This sets the universal color of dark text on the site */

{% set pageCenter = "1400px" %} /* This sets the width of the website */

{% set headerType = "fixed" %} /* To make this a fixed header, change the value to "fixed" - otherwise, set it to "static" */

{% set lightGreyColor = "#f7f7f7" %} /* This affects all grey background sections */

{% set baseFontWeight = "normal" %} /* More than likely, you will use one of these values (higher = bolder): 300, 400, 700, 900 */

{% set headerFontWeight = "normal" %} /* For Headers; More than likely, you will use one of these values (higher = bolder): 300, 400, 700, 900 */

{% set buttonRadius = '40px' %} /* "0" for square edges, "10px" for rounded edges, "40px" for pill shape; This will change all buttons */

After you have updated your stylesheet, make sure you turn this module off

Q&A with Wendy Nather on Today's AppSec Topics

by Tom Bain on June 12, 2012

I was chatting with Wendy Nather of the 451 Group the other day about a number of items related to appsec. The discussion was insightful on many levels, primarily because well, Wendy is wicked smaht (we’re located in Boston, Wendy is not...).

We touched on a number of issues relevant to secure coding and development standards. We discussed processes and standards, and the lack of both across the industry, often at large organizations. It certainly was fascinating to hear her perspective on how organizations probably should be thinking about standards at least for their own company, if not, taking a cue from reputable best practices.

One thing I have never asked any analyst is what can companies do who might not have any sort of mandate to implement an appsec program – like if they have no process, no requirement to do it, or no idea how to do it, how do they start?

Thought I would share the conversation…


With a lack of industry standards, what are the top 2-3 you see organizations doing to follow some type of application security model so that software they are using and delivering is secure? In other words, what are successful companies doing right?


One of the most important things I see organizations doing is creating their own standards. These standards come from a risk assessment that sets their priorities and takes into account their environment, development processes, and resources. Another thing I see is engagement with the appsec community: getting familiar with OWASP and MITRE (CWE), but more than that, actually meeting with like-minded professionals and trading stories on what works and what doesn't. There isn't one comprehensive standard for application security, so organizations are taking what's there, adapting it, and checking their work with peers.


What can the immature appsec organization do immediately in order to start reducing application security risk in the absence of a formal process (like an SDLC) or even a formal mandate?


When you don't have a formal mandate, you have to practice guerilla appsec, and that means starting at the grass roots level. It means choosing linchpins in your organization — the workers who have the most influence — and winning them over to the idea of improving security. Do any kind of scan on your applications and get a feel for the size of the problem you're facing. Pick a couple of achievable goals, such as stopping the most widespread type of security flaw, and figure out what additional steps you need to put in place to deal with them, both in old code and new. By the time you have that working, you have a baby SDLC.


Are development organizations better served/more effective if they are following an SDLC if it’s mandated by a compliance requirement, or if the security organization is pushing it to them? Why?


Honestly, it depends on whether the organization is more afraid of the hacker, or more afraid of the auditor. But that kind of external motivation doesn't always take root among developers. They should be using an SDLC because it works for them. If it leads to fewer errors, fewer repetitions of process, and helps teams achieve their development goals faster; if it's actually a useful tool for them, then it will function better than if it's imposed on them from above in the name of some threat that the developers might not even believe in.


Topics: application security

Most Recent

What's Trending

Featured Resource