Categories
Security

Creating Robust Multi-Factor Authentication (MFA) for Web Apps

Multi-factor authentication (MFA) is the process of proving your identity. This article first details the available “factors” and introduces typical attack strategies, then explains how to implement a thorough MFA strategy in web applications. The Three Primary Authentication Factors MFA Factor 1: Something You Know The most common authentication method in the digital […]

Categories
Security

Injection Attack Cheat Sheet

What is an Injection Attack? Injection attacks are malicious code inside an input that causes unintended software behavior. Log4Shell, the most lethal zero-day vulnerability of 2022, is an injection attack. One easy way to visualize this idea is to imagine a normal input as <input>, and an injection attack as an <in<attack>put>. It’s simply […]

Categories
Security

Application Risk Scoring 101: Defining Risk

What Is Risk? Let’s be frank. Risk represents the possibility of loss. In business terms, loss is in the form of cash, customers, partners, revenue, IP, corporate data, and brand loyalty. Global Risk & Compliance (GRC) teams calculate, manage, and mitigate the possibility of loss across the business (and IT). So, what’s the role of […]

Categories
Security

Why Production Matters for Application Security

Attackers live in production because that’s where valuable data resides. Organizations spend $3 million annually combating bad actors with their Security Operations Centers (SOCs), according to Ponemon. That same study found reducing false positives to be the single most important activity for security teams.  In this article, I’ll explain how application security teams prioritize risks […]

Categories
Security

Mitigating the Dangers of Single-Page Applications

Single-Page Applications (SPAs) took the software world by storm. After all, could anything be more important than a seamless user experience? Well, if you ask me, secure data is equally as important. And SPAs are far more challenging to secure than traditional multi-page web applications. In this article, you’ll learn about security concerns in SPAs. […]

Categories
Security

Application Security Orchestration and Correlation (ASOC)

End-to-end application security programs are no longer optional but imperative. With security vulnerabilities skyrocketing and the growing sophistication of cyberattacks, organizations face the daunting challenge of figuring out which vulnerabilities pose the most risk to their business.  To address this pressing need, the Application Security Orchestration and Correlation (ASOC) concept has emerged as an approach […]

Categories
Security

ASOC vs. ASPM

The job of every security professional is to decipher buzzwords created by analysts and vendors. ASOC and ASPM are the latest, which are increasingly relevant in 2023 as applications become cloud-native (more distributed tech) and incorporate CI/CD (loads of f***king changes). In this post, I shall try to explain what ASOC and ASPM are, why […]

Categories
Security

Calculating Your Application Security Posture

Applications are your business. Your customers see more value every time engineers push code. And that’s why your engineers are continuously empowered to move faster.  But, with all these changes in production, your application security posture is morphing. Enter the application security team. They exert a massive amount of effort on risk remediation. And now, […]

Categories
Security

How Do I Measure Right?

For years, software teams have been shifting left and implementing DevSecOps. How do they know it’s truly improving their risk posture? There isn’t a single security professional that will state, “We’ve never been breached, which means we don’t have risks in production.” What makes measuring application risk complicated is, traditionally, exploits in production are unknown […]

Categories
Security

Validate Right: Measuring Your DevSecOps Success with ASPM

Shifting left is proven to help DevSecOps teams create more secure applications by earlier inclusion of security testing practices in the application development lifecycle and CI/CD pipeline. The Cloud Security Alliance estimates that about 90 percent of organizations are in various stages of adopting DevSecOps. IBM’s 2022 Cost of a Data Breach report notes that, among […]

Categories
Data Privacy, Security

WhatsApp Data Breach

Meta is a technology behemoth that’s constantly under attack. And unfortunately, it has a long list of security events resulting in the loss of user data. Keep in mind Meta attracts top-caliber software engineers. As the first letter of the envied FAANG / MAANG acronym, it’s an institution employing the best of the best. So, […]

Categories
Security

The Risk Scoring Problem in Cybersecurity

Many security solutions assign numerical scores to indicate the risk that a threat poses so that customers can prioritize which issues to fix first. Teams work through endless tickets, trusting blindly that the assigned score accurately represents the (business) risk that a threat poses.  If all risk scores were created equal (and accurate), then this […]

Categories
Security

Cloud Security is Evolving, but What’s Missing?

Over the last several years, targeted, “boutique” cloud security solutions have consolidated into one-stop shops, known as Cloud-Native Application Protection Platforms (CNAPPs). This blog discusses the evolution of the CNAPP and its predecessors: Cloud Access Security Broker (CASB), Cloud Workload Protection Platform (CWPP), Cloud Security Posture Management (CSPM), and Cloud Infrastructure Entitlement Management (CIEM). We’ll then […]

Categories
Security

6 Ways to Secure Business Critical Applications

Have you ever had one of your executives tell you that they want all your business-critical applications to be 100% secure? Maybe not in those exact words but something similar?  I hate to be the bearer of bad news; there is no such thing as a 100% secure application. Applications always have risks; it is […]

Categories
Security

Jenkins Plugins Reveal Several Zero-Day Bugs

Jenkins, the very popular open-source automation platform used by enterprises worldwide for building, testing, and deploying software, announced last week that it had identified 34 security vulnerabilities affecting 29 plugins. Of the 34 security vulnerabilities, 29 are categorized as zero-day issues.  Full details of the announcement can be found in this disclosure by Jenkins on […]

Categories
Security

Top 10 ASPM Capabilities that Solve Real Security Problems

Application Security Posture Management (ASPM) is a hot new technology that organizations and analysts are investigating and researching. They are reading vendor reports, social media posts, and even blogs like this one to try and educate themselves on ASPM. Even with this research, there are still questions and confusion about ASPM. A common question I […]

Categories
Security

API Security Becomes Complete with Application Security Posture Management

Let’s face it – Application Programming Interfaces or APIs are a foundational part of modern applications. They are just as crucial as home-grown code, open-source packages, frameworks, and libraries in your application’s architecture. One of the questions I have heard for years while working with commercial enterprise applications is: do you have an API? If […]

Categories
Security

A Bug is a Bug is a Bug: Security Bugs are Just Bugs

Let’s just face the fact there is no such thing as a perfect application. All applications have bugs and will continue to have bugs because as soon as one is fixed a new code release introduces a new set of bugs that also need to be fixed. Companies use terms like “hotfixes” and “point updates” […]

Categories
Security

SCA is your front door lock, ASPM is a home security system

It is probably not a surprise to say the use of open source packages in application development is here to stay. Depending on what research report you have read, as there are so many, the percentage of the code in an application being open source is anywhere from 30% to 80% of the total application […]

Categories
Security

Cloud Security Posture Management Lacks Application Risk Context

Cloud Security Posture Management – CSPM – is quickly becoming the gold standard for every organization with cloud-first initiatives. CSPM tools help cloud security teams document and visualize what resources live in their cloud environments and determine whether the proper security controls are in place.  The reason why CSPM has become the gold standard is […]

Categories
Security

ASPM is Your Path to Better Threat Modeling

I have been talking about Application Security Posture Management (ASPM) a lot these days. The articles, blogs, and glass board sessions about the aspects of ASPM got me thinking. What are some other new and exciting ways ASPM could help organizations do things better? I immediately thought of threat modeling. Bionic ASPM Level Set Bionic […]

Categories
Security

Who Really Owns Application Security?

This is a follow-up blog to my blog from last week about Application Security Superheroes. Yes, I know the blog was a bit cheesy, but that was the goal. I wanted to get people thinking about what modern-day application security professionals need to be with a bit of humor. Now let’s add some real-world examples […]

Categories
Security

Time for Application Security Professionals to Assemble

Are you an application security superhero? Do you fly in at the last minute to thwart evil hackers like Iron Man, or are you more of the deep thinker that prevents hacks from even happening like Professor X?  The comparison is a bit crazy, but that is where we are at these days. There is […]

Categories
Security

Application Security in 2022 Misses the Big Picture

I recently ran an unofficial poll on LinkedIn asking how people found every instance of Log4J in their application portfolio. The options I gave were CMDB (Configuration Management Database), SBOM (Software Bill of Materials), SCA (Software Composition Analysis), and internal detective work. The overwhelming majority, 54% to be exact, said internal detective work. These results […]

Categories
Security

Time for a Dynamic Software Bill of Materials (DBOM)

I recently read this article on DevOps.com, and it got me thinking. Why is an SBOM not dynamic and updated every time a release happens in your CI/CD pipeline? To keep up with the speed of DevOps, organizations are scaling back things like QA and SBOM updates to only look at the latest release and […]

Categories
Security

False Negatives. Fear The Unknown

After 16+ years in application security, one of the questions I have consistently heard asked is about false positives. Questions like “what is your false-positive percentage” or “how do you deal with so many false positives produced by this tool or that tool.” False-positive is a term that has become the black eye of application […]

Categories
Security

How to Automate Security Reviews & Threat Modeling

Bionic can help teams automate threat modeling and security reviews. We use an agentless approach to scan and reverse engineer your applications in any environment. The output is a real-time living architecture map that is code-level accurate. You can now threat model or review security based on what actually exists in your application versus estimating […]

Categories
Security

Introducing Static Analysis 3.0: Static Analysis for Today’s AppSec World

You are probably thinking, what the heck is this guy talking about. I didn’t even know there was a Static Analysis 1.0 or 2.0, so how can there be a Static Analysis 3.0? Static Analysis as a foundational Application Security platform has been around since the early 2000s. It has evolved to fit with the […]

Categories
Security

Everything is Code: But How Well Do You Understand Your Code?

A Brief History Observed I have been in Static Analysis Security Testing (SAST) for 15+ years. I have worked with some of the largest organizations in the world on scanning their code for security vulnerabilities. From Waterfall to DevOps to Cloud-Native Development, I have seen many changes in how application code is developed and released. […]

Categories
Security

Are Your CI/CD Deployments Secure and Compliant?

As engineering teams accelerate and scale their cloud and CI/CD initiatives, the rate of change in production (and the business) starts to increase dramatically. Continuously delivering small incremental code changes is proven to lower the risk of production incidents and downtime. In addition, tools like DataDog, Splunk, Dynatrace, and New Relic can detect application performance […]


Bionic to be acquired by CrowdStrike to provide the industry’s most comprehensive cloud security platform. Together, we are creating the industry-defining cloud security platform, fully integrated from code to runtime.