Managed vs Unmanaged Code – What are the Differences?

Managed vs Unmanaged Code – What are the Differences? When designing a new application, or redesigning an existing one, the question of whether to use managed or unmanaged code may come up. Here’s a rundown of how managed and unmanaged code is executed, the differences between them, and the advantages and disadvantages of both. […]

The Benefits of Outsourcing Your Security Team

A Rundown of the Benefits of Outsourcing Your Security Team In this age of complicated IT corporate infrastructures, one of the primary decisions that a security-aware IT executive has to make is whether to build and train an in-house security team, or leverage the abilities and expertise of an outsourced security group. This all-important decision […]

Why Application Security Testers Should Have Developed Apps Before

Why You Want App Security Testers That Are Former Developers Successful security testing of an application during the Software Development Life Cycle (SDLC) is best accomplished if the tester has intimate knowledge of how software is designed, the intricacies of software engineering, methodologies, and processes. This knowledge allows a security engineer to better understand how […]

Tracking and Measuring Security Technical Debt

Assessing and Measuring Your Security-Based Technical Debt Technical debt has become a normal part of the software engineering industry and is a well-known issue plaguing software applications, IT infrastructures and IT architectures alike. Technical debt often results in costly and serious security vulnerabilities being hard-coded into applications and IT systems. Due to limited time constraints […]

Matching Your SDLC Model To The Best Security Processes

Making Your Existing Software Development Life Cycle More Secure The Software Development Life Cycle (SDLC) provides software development teams with a set of guidelines (or a model) composed of phases to follow during a project. Anyone working in software security knows that security is traditionally an afterthought in this process. This has led to the rising […]

Are Automated Scans Enough to Detect All Security Problems in an Application?

Automated Scanners Are Great Tools, But Are They Enough? Utilizing automated scanners is an effective strategy for identifying vulnerabilities in code that could represent significant risks to your business. While security architecture, threat modeling, manual code reviews and manual application penetration testing are important processes for ensuring data security, automated scanners are an integral part […]

HTTP Verb Tampering in ASP.NET

We’re only a few days into 2016, and it didn’t take long for me to see a web application vulnerability that has been documented for over 10 years: HTTP Verb Tampering. This vulnerability occurs when a web application responds to more HTTP verbs than necessary for the application to properly function. Clever attackers can exploit […]

JavaOne – Integrating Vulnerability Scanning into the SDLC

Last week over 15,000 IT and developer resources invaded the Hilton San Francisco Union Square for the JavaOne and Oracle World conference. I had the privilege of speaking at JavaOne on Monday at 12:30 PM about vulnerability scanning, the importance it plays in catching basic vulnerabilities before they reach production, and how to properly integrate scanning […]

Steve Kosten and Aaron Cure of Cypress Data Defense presenting at Software Quality Assurance Denver

Steve Kosten and Aaron Cure will be presenting different application security vulnerabilities at Software Quality Assurance of Denver (SQUAD). Go reserve a seat at https://www.meetup.com/SQUADCO/events/222561374/. We will be discussing some application security penetration testing techniques as well as discussing secure code reviews and what may be found. Great security training for all!!