Hackers continue to use new techniques to wreak havoc on software applications and get access to sensitive data. The most effective way to reduce broad-scale application security risk is to conduct threat modeling...

While I realize that the reason DREAD has withstood the test of time is due to its simplicity and clarity, I think that accuracy and a clear "you need to do something now" is essential.

DREAD has withstood the test of time due to its simplicity and clarity. If you make things too heavyweight, people are less likely to use it. Also, when classification systems are too granular, more time is spent...

What's the single most impactful step you can take to improve the security of your applications and your application development process?

IT security spend is on the rise; however, damaging attacks and data breaches are more common than ever. Part of the reason for this is the imbalance of spend and mindshare – many organizations allocate higher budget to...

Mitigating Common Password Attacks

by Serge Truth on September 27, 2016 at 10:47 AM

Multiple options are available for mitigating automated password guessing attacks and choosing the most appropriate one(s) requires understanding the trade-offs between security and usability of each. Regardless, the goal...

A CISO's Guide to Application Security

by Danny Harris on August 11, 2016 at 8:53 AM

CISO Executive Summary

Application security differs in a number of ways from IT security, network security, and information security, so standard solutions from those domains don’t necessarily address the challenges of...

All organizations that process credit card data are required to be PCI compliant and abide by PCI DSS security standards. However, many organizations treat PCI compliance as an expensive, stressful, and time-consuming...

Security Innovation strongly stands behind our corporate policy of Responsible Disclosure, which I’ve written about before. Building upon that, I feel that it’s important to accept and encourage Security Researchers to test...

The new PCI-DSS standard (v3.1) is effective immediately, but v3.0 will be retired at the end of June 2015.