Pragmatic Application Security
Thoughts about Secure Development & AppSec Test Automation
Matthias Rohr 
I was recently at the OWASP AppSec Conference in Dublin where I was attending a terrific talk by Chris Romeo about DevSecOps fails. Although I could absolutely agree with most of his points, there was just one, which I often hear in this context, that I do have a different opinion about. And that is … Read more
The idea of integrating security into the software development process is not new. I can’t say for sure if Microsoft really was the first one who came up with this concept, but the Secure Development Lifecycle (SDL) that Microsoft published in 2002 lay doubtless the foundation of what is today generally referred to as a … Read more
Many discussions on how to shift security left in the SDLC, or about implementing DevSecOps in particular, are primarily focused on the integration of various security scanning tools in CI/CD pipelines. Although the use of such tools is indeed an important aspect, it is actually not the most important one. Without proper processes, tools often … Read more
Securing the software (development) lifecycle of a large organization will usually take a lot of time. Especially when you have to start very much at the beginning. It’s therefore vital to focus on quick wins first — measures that are effective and easy to implement at the same time. This is not only important from a risk … Read more
As someone who has been working with IAST long before it was actually called this way – Fortify released its Program Trace Analyzer (PTA) approximately in the year 2008 – I have followed the evolution of this technology closely and posted a couple of times on it as well. For me, IAST was always not … Read more
Combining threat modeling with an agile development methodology such as Scrum is a quite challenging topic: Creating a threat model usually requires an experienced security expert and some effort to do this. But how does this work, when a model can be outdated quickly when new threats are introduced by every new user story and … Read more
Tools that test code for common vulnerabilities such as OWASP Top Ten fall today in three categories of AST (Application Security Testing) tools: SAST (static code scanning), DAST (dynamic app scan), and IAST (dynamic code scanning). Consequently, there are not a few but a lot of tools, especially in SAST and DAST areas, both commercial … Read more
Over the last ten years, I have been working with different maturity models for software security, including OWASP SAMM of course. I haven’t used OWASP SAMM 1.x (or OpenSAMM as it was called before it became an OWASP project) have in the last time – mostly when a customer requests such an assessment and very … Read more
The last year had been an interesting one for information security with a number of different studies and media coverage on (web) application security. So it’s worth looking a bit closer at that data. I will try to put these statistics a little bit into perspective. There are some Gartner quotes related to attacks on … Read more
Agile software development has gotten more and more attention in the last couple of years. Not only internet startups or media agencies but also large companies from conservative business lines like automotive, banking, insurance, and the public sector are more and more adjusting to the agile world. Since those companies are often already very much … Read more