AppSec Tips & Best Practices

Learn from AppSec success stories and discover tips and best practices for Developers, CISOs and Security Managers to help in securing every part of the SDLC.
Untitled design (8)

5 Steps That WILL Raise Your Developers Information Security Awareness

Jul 17, 2015 By Sarah Vonnegut | In the same post where Bruce Schneier famously said that he personally believes “that training users in security is generally a waste of time, and that the money can be better spent elsewhere,” he added an important caveat about training developers. Developers, he wrote, “are people who can be taught expertise in a fast-changing environment, and this is a situation where raising the average behavior increases the security of the overall system.”

Read More »
9 Essential Secure Coding Principles To (1)

9 Secure Coding Practices You Can’t Ignore

Jul 01, 2015 By Sarah Vonnegut | Writing secure code is no longer an option. With financially motivated crime at the top of the web app attack food chain, according to the latest Verizon Data Breach Investigation report, your organization will be hard-pressed to come out on top if you suffer a breach. In order to ensure our organizations and customers are secure, software developers must be able to create code that stands the test of time – only accomplished with proper techniques and a commitment to consistency throughout the organization.
 

Read More »
Application Security Program Leader

8 Problems Every Application Security Program Leader Has To Tackle

Jun 17, 2015 By Sharon Solomon | Despite the astounding rise in cybercrime and hacking incidents worldwide, the modern Application Security Program Leader faces numerous bumps and obstacles on a daily basis within his organization. Application security has come a long way in the last decade, but the inherited limitations of the traditional solutions are not making life easy.

Read More »
Sign start on an empty road

Security and DevOps: How To Get Started

Jun 11, 2015 By Sarah Vonnegut | The Rise of DevOps
  The methods we use to develop software have gone through radical transformations over the last five years. ‘Slow and steady’ has evolved into quick and agile methodologies like DevOps.   Based on disrupting the silos between Developers and Operations, DevOps embraces the idea of a shared culture of trust, collaboration and automation. By creating cross-functional teams, organizations have reported numerous benefits, not least of which is from a major increase in communication and reliance between teams, which share responsibility for on-time deploys, uptime and downtime.   And it’s taking over the world.

Read More »
SAST

SAST vs WAF – 5 Reasons To Opt For SAST

Jun 03, 2015 By Sharon Solomon | With the industrialization of cybercrime and rise in hacking severity, the value of traditional application security techniques is imploding. The Web Application Firewall (WAF), considered as a go-to security solution until not long ago, is currently experiencing a constant erosion in its effectiveness. On the other hand, Static Application Security Testing (SAST) solutions are gaining momentum.  

Read More »
Proactive AppSec

The Ten Commandments of Proactive Application Security

May 29, 2015 By Sarah Vonnegut | When you’re constantly reacting to suspicious alerts and fixing vulnerabilities only after they’ve been exploited, you’re missing the point of application security.   Application security, according to Wikipedia, “encompasses the measures taken throughout the code’s life-cycle to prevent gaps in the security policy of an application or the underlying vulnerabilities… of the application.” The practice of application security, at its core, exists solely to protect the data of an organization’s applications and, more importantly, the organization itself.  

Read More »
AppSec Metrics

Application Security Metrics: Where (And Why) To Begin?

May 15, 2015 By Sarah Vonnegut | A wise man once said, “to measure is to know…if you cannot measure it, you cannot improve it.” When it comes to application security, measurements are crucial to the success of your program. But determining how to best combine your measurements into metrics which show your programs value is much more important.
As a CISO or the like, you lead a team that the business absolutely depends on. Unfortunately, information security in general and application security in specific have a hard time gaining support, even if the latest Verizon Data Breach Investigation Report noted that 75% of web app attacks are financially motivated, and that application security falls “squarely under ‘the cost of doing business.’

Read More »
6 Tips for Ensuring Your AppSec Program

6 Tips for Ensuring Your Application Security Program Isn’t a Flop

May 08, 2015 By Sarah Vonnegut | Baking security in to our applications is just not an option anymore. The explosion of the number of applications within organizations, coupled with the constant breaches we hear about (and the many more we don’t) don’t allow room for complacency when it comes to securing your organization and customer data.   Yet CISOs and security managers still struggle to receive the support and buy-in for basic application security practices while developers are still making careless security mistakes, all because application security is still not being taken seriously enough.   One of the best ways of getting the organization’s support towards AppSec is coming to the board with a clear, measurable program in place.  And even with an AppSec program in place, it’s difficult to know if you’re “doing it right.” Here we offer six points of attention any security practitioner either implementing or designing an application security program should heed.

Read More »
XSS Guide new site

XSS: The Definitive Guide to Cross-Site Scripting Prevention

Apr 14, 2015 By Sarah Vonnegut | As old as web browsers themselves, cross-site scripting (XSS) has been an ongoing issue in the security world. Its’ consistent appearance on the OWASP Top 10 and in news reports of cross-site scripting attacks has kept the security issue in the spotlight over the years. Yet after two decades the security issue remains one of the most common attacks on web applications, with consistent reports of over 70% of sites at risk.   So, what is Cross-Site Scripting and how do we change our habits as users, developers and security professionals so we can prevent attacks once and for all?   

Read More »
Open Source

3 Things to Know About Managing Open Source Components in Your App

Mar 05, 2015 By Sharon Solomon | Manage your software where it’s created. It is in your continuous integration environment where the various pieces of code become software. While some of the software is proprietary, much of it (probably over 50%) is open source components, as your development teams use open source components to boost their productivity and make better products.
You most likely have your proprietary software thoroughly tested, QAed and reviewed via static code analysis on a regular basis. But what about the open source components?  Open source components may have a direct impact on the quality of your software or service.

Read More »

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.

SUBSCRIBE