Secure Software Lifecycle Management (SSLM)

The idea of integrating security into the software development process is not new. I can’t say for sure if Microsoft really was the first one who came up with this concept, but the Secure Development Lifecycle (SDL) that Microsoft published in 2002 lay doubtless the foundation of what is today generally referred to as a … Read more

Shifting Security Left by Sharing Security Ownership & Responsibilities

Many discussions on how to shift security left in the SDLC, or about implementing DevSecOps in particular, are primarily focused on the integration of various security scanning tools in CI/CD pipelines. Although the use of such tools is indeed an important aspect, it is actually not the most important one. Without proper processes, tools often … Read more

Agile Threat Modeling

Combining threat modeling with an agile development methodology such as Scrum is a quite challenging topic: Creating a threat model usually requires an experienced security expert and some effort to do this. But how does this work, when a model can be outdated quickly when new threats are introduced by every new user story and … Read more

Key Findings and Limitations of the OWASP Benchmark Project

Tools that test code for common vulnerabilities such as OWASP Top Ten fall today in three categories of AST (Application Security Testing) tools: SAST (static code scanning), DAST (dynamic app scan), and IAST (dynamic code scanning). Consequently, there are not a few but a lot of tools, especially in SAST and DAST areas, both commercial … Read more

State of Application Security

The last year had been an interesting one for information security with a number of different studies and media coverage on (web) application security. So it’s worth looking a bit closer at that data. I will try to put these statistics a little bit into perspective. There are some Gartner quotes related to attacks on … Read more

Agile Security & SecDevOps Touch Points

Agile software development has gotten more and more attention in the last couple of years. Not only internet startups or media agencies but also large companies from conservative business lines like automotive, banking, insurance, and the public sector are more and more adjusting to the agile world. Since those companies are often already very much … Read more