Author Archives: Matthias Rohr

Avatar

About Matthias Rohr

Matthias Rohr, CISSP, CCSLP, is the founder and lead security architect at Secodis. Matthias began working in this field in 2004 and is since a frequent speaker on international AppSec conferences, book author, author of TSS-Web and an active AppSec community contributor. He lives and works in Hamburg / Germany.

Agile Threat Modeling

Combining threat modeling with an agile development methodology such as Scrum is a quite challenging topic: Creating a threat model usually requires an experienced security expert and some effort to do this. But how does this work, wen a model … Continue reading

Posted in Threat Modeling | Tagged , , , , | Leave a comment

AST Tool Evaluation – Key Findings and Limitations of OWASP Benchmark Project

Tools that test code for common vulnerabilities such as OWASP Top Ten fall today in three categories of AST (Application Security Testing) tools: SAST (static code scanning), DAST (dynamic app scan) and IAST (dynamic code scanning). Consequently, there are not … Continue reading

Posted in DAST, IAST, SAST | Tagged , , , | Leave a comment

Impressions of OWASP SAMM 2 Beta

Over the last ten years, I have been working with different maturity models for software security, including OWASP SAMM of course. I haven’t used OWASP SAMM 1.x (or OpenSAMM as it was called before it became an OWASP project) have … Continue reading

Posted in Secure SDLC, Secure Software Development, Security Requirements, Threat Modeling | Tagged | Leave a comment

State of Application Security

The last year had been an interesting one for information security with a number of different studies and media coverage on (web) application security. So it’s worth looking a bit closer at that data. I will try to put these … Continue reading

Posted in Uncategorized | 3 Comments

Agile Security & SecDevOps Touch Points

Agile software development has gotten more and more attention in the last couple of years. Not only internet startups or media agencies but also large companies from conservative business lines like automotive, banking, insurance and public sector more and more … Continue reading

Posted in DAST, IAST, Java, SAST, Secure SDLC, Secure Software Development, Security Requirements, Security Test Automation, Threat Modeling | Tagged , , | 5 Comments

Create your own Web Security Standard in 60 Minutes

Security requirements for Web applications are vital because they are specifying what a team (e.g. a development team) has actually to do and what not. Many companies are however struggling with implementing such requirements for Web-based applications, at least consisting … Continue reading

Posted in Secure SDLC, Security Requirements | Tagged | Leave a comment

An Organizational View on Application Security

When it comes to integrating application security into an (especially large) organization, we often experience a bunch of practical problems and frustration. In the end, a lot of money may have been spend, but little or no improvement to the … Continue reading

Posted in Uncategorized | Leave a comment

Microsofts New Threat Modeling Tool

A week ago I had the pleasure of giving a speach at OWASP AppSec EU in Rome on the new Microsoft Threat Modeling Tool 2016 that came out last November and is still available for free. The Threat Modeling Tool … Continue reading

Posted in Secure Software Development, Security Requirements, Threat Modeling | Tagged | 17 Comments

Automating DAST Scans with Jenkins, Arachni & ThreadFix

I’m often asked how security tests can be automated with non-commercial tools, e.g. triggered by a Jenkins build. Therefore I decided to write this post, to give you a bit of understanding which tools you can use and what you … Continue reading

Posted in DAST, Java, Security Test Automation, Uncategorized | Tagged , | 4 Comments

IAST: A New Approach for Agile Security Testing

Static Application Security Testing (SAST) tools such as Fortify, Veracode, Checkmarx or IBM App Scan Source Edition have been available on the market now for a while. All of them have their specific pros and cons. But there are certain … Continue reading

Posted in IAST, SAST, Security Test Automation | Tagged | 5 Comments