Entries Tagged as 'Application Security'
by Neil MacDonald | January 19, 2011 | 6 Comments
Static application security testing (SAST) can be thought of as testing the application from the inside out – by examining its source code, byte code or application binaries for conditions indicative of a security vulnerability. Dynamic application security testing (DAST) can be thought of as testing the application from the outside in – by examining [...]
Category: Application Security Applications Tags: Application Security, application security testing tools, Best Practices, Defense-in-Depth
by Neil MacDonald | January 14, 2011 | 2 Comments
One of the reasons that security tops the list of inhibitors for the adoption of public cloud computing is the concern around the use of multi-tenant infrastructure and applications. However, I believe the concerns are often overblown. Everything is multi-tenant at some level. For example, we all share the same planet and the same air. [...]
Category: Cloud Cloud Security Next-generation Security Infrastructure Virtualization Virtualization Security Tags: Application Security, Best Practices, Cloud Security
by Neil MacDonald | September 28, 2010 | Comments Off
I work with clients daily on how to change their development (and procurement) processes to produce more secure code. I wrote in this blog that application security cannot be solved with technology alone, yet I still run into organizations trying to solve their application security problems with the purchase of a static or dynamic application [...]
Category: Application Security Tags: Application Security, application security testing tools, Best Practices, Maturity Models, Microsoft
by Neil MacDonald | June 1, 2010 | 4 Comments
Interesting question – eh? There is a great amount of passion on both sides of the argument. Beyond the emotion and hype, what’s the reality? After Microsoft followed Java’s lead and adopted an interpreted byte code model (common language runtime) for .NET, our official position has been that in the hands of a skilled developer, [...]
Category: Application Security Tags: Application Security, application security testing tools, Best Practices, Microsoft Security
by Neil MacDonald | March 26, 2010 | 1 Comment
Microsoft recently held its 2010 MIX conference for web developers in the US. As expected, there was a significant focus on Silverlight, the Windows Phone platform and IE9. An unexpected and welcome surprise was the number of sessions designed to get developers thinking about security and privacy in their applications. Check this out (the sessions [...]
Category: Application Security Tags: Application Security, Microsoft, Microsoft Security
by Neil MacDonald | February 5, 2010 | 1 Comment
One of my major areas of research is in application security, helping clients to change their development (and procurement!) processes to deliver more secure code. This is imperative. However, an equally important application security discussion must be had about how applications should consume security services within our organization. For example, do you have good answers [...]
Category: Application Security Tags: Application Security
by Neil MacDonald | February 3, 2010 | 3 Comments
As the number of mobile smartphones increases, as several platforms begin to dominate and as users begin to download lots of executable code, they will become targets for attack. Rather than repeat the mistakes of the PC world, why can’t we do things better from a security perspective this time around? So far, most mobile [...]
Category: Beyond Anti-Virus Endpoint Protection Platform General Technology Information Security Tags: Application Security, application security testing tools, Endpoint Protection Platform, Whitelisting
by Neil MacDonald | January 14, 2010 | 6 Comments
I’ve written before about OWASP and the guidance they provide to organizations looking to improve application security. One of the best practices for improving application security is to ensure that any code we produce or procure is more secure right from the beginning. Many of the clients I talk with are highly focused on the [...]
Category: Application Security Information Security Tags: Application Security, Best Practices, Information Security, Security No-Brainer
by Neil MacDonald | September 25, 2009 | 6 Comments
Do Macintosh machines need AV? My answer: Forget the OS. Do users download and install arbitrary code/applications? (Don’t forget, this includes browser plug-ins as well.) If so, I don’t care if you are running Macintosh, Linux, or Windows; the answer is you need protection from malware, including signature-based mechanisms (historically referred to as AV…). Just [...]
Category: Beyond Anti-Virus Endpoint Protection Platform Tags: Apple, Application Security, Beyond Anti-Virus, Information Security
by Neil MacDonald | August 25, 2009 | 15 Comments
My previous post on the value of linking web application vulnerability scanning tools with web application firewalls generated a lot of discussion. Take a look through the post and the lengthy comment string. Let me state up front that I firmly believe we should change our development processes (and developer culture) to produce more secure [...]
Category: Application Security Tags: Application Security, application security testing tools