Jerry Hoff is vice president of the Static Code Analysis division at WhiteHat Security. In this role, he oversees the development of WhiteHat's cloud-based static application security testing (SAST) service. Prior to WhiteHat, Mr. Hoff was co-founder and managing partner of Infrared Security, a leading application security professional services firm. Mr. Hoff is an experienced application security consultant with years of professional development and training delivery. He is also the lead of the OWASP Appsec Tutorial Series.
This is a weblog of Jerry Hoff. The opinions expressed are those of Jerry Hoff and may not represent those of Computerworld.
To make sure their development teams are writing secure code, companies need a dedicated security team using security tools and controls that are used consistently across all applications in their product portfolio.
Security professionals are prone to delivering edicts about securing code in new dev projects, but what about the mountain of existing code that is already in production?
Taking the development world by storm since its introduction and popularization in 2001, the Agile Software Development model aims to keep development goals and timelines short and sweet, with frequent testing to deliver functionality as soon as it is available and ready. The Agile method promotes adaptive planning and encourages flexibility and rapid adaptation to change.
Organizations continue to place themselves in the line of fire through the same set of avoidable flaws that invariably show up in software; small and large organizations alike wind up with copious amounts of unquantified risk. It’s important to note that measured risk is at least quantified and on an organization’s radar, yet most of the risk introduced by custom-built software remains unknown to the organization.
The seemingly never-ending spate of hacking attacks is now the unfortunate norm across the web landscape. Among the casualties lies everything from personal data to entire companies that have been mercilessly eradicated in the Darwinian world of web vulnerabilities.
Instead of focusing on the Top 10 vulnerabilities, let's chant the mantra of necessary security controls.
Choosing the proper framework, platform and language that already have the necessary default security features for a web project can drastically reduce most security issues.
The last few years have been filled with anxiety and the realization that most websites are vulnerable to basic attacks. We now live in a world where daily reports of massive data loss, denial of service, and even complete ruin of companies are upon us. Take the example of HB Gary Federal, an organization that was basically eradicated from the corporate landscape thanks to a series of attacks by the hacking group Anonymous.