New year, new AppSec program. Just like any good resolution, AppSec that makes a lasting impact is one you have to stick to, fine-tune, and hold yourself accountable for. AppSec programs act like bumpers in a bowling lane and help keep you on track, but…
What is server-side request forgery (SSRF)?
Server-side request forgery (SSRF) is the only type of vulnerability that has its own category in the OWASP Top 10 2021 list. Several major cybersecurity breaches in recent years, including Capital One and MS Exchange attacks, involved the use of SSRF as one of the break-in techniques. SSRF…
Zero trust countdown: New OMB memo stresses urgency for modern AppSec
The White House is following up with a new cybersecurity directive to further improve the security posture for federal agencies. The memo strongly encourages the adoption of zero trust architecture as a way to ensure that, in the process of securing their software landscape, federal…
The importance of testing “less critical” web systems
When it comes to security oversight, I’m a big proponent of focusing on the things that matter. These are your highest payoff areas – otherwise known as your most urgent vulnerabilities on your most important systems. I learned this concept while studying time management and…
Lessons from the Log4j crisis: Are we ready for the next global vulnerability?
It was an unwelcome early Christmas gift shared with the entire world on December 9th, 2021. Log4Shell rocked the industry when we realized just how dangerous and far-reaching its effects could be. The mad scramble to find and patch the flaw left many organizations wondering…
What to know about Biden’s latest cybersecurity memorandum
Building on his administration’s historic cybersecurity executive order, President Joe Biden yesterday signed a new National Security memorandum (NSM) designed to further improve security across the Department of Defense, intelligence community, and national security systems. The memo lays out concrete requirements around the technology required…
Facing DevSecOps hurdles, federal agencies need a modern approach to security
Cybersecurity is no longer a nice-to-have. It’s an imperative for organizations that create, distribute, and manage software every day – especially true for federal agencies as the government moves away from legacy technology in the race to improve user experience and shift to the cloud…
FTC words of warning: Remediate recent Log4j vulnerabilities or face consequences
In an unusual and noteworthy move, the Federal Trade Commission (FTC) issued an early warning to companies that haven’t yet patched recent Log4j vulnerabilities: remediate or risk legal and financial consequences. As noted by the FTC, the recent Log4j vulnerabilities are still being actively exploited…
Five fundamental tips for getting executive buy-in on AppSec
The need for effective cybersecurity programs has never been more apparent. By October of 2021, the number of data breaches leapfrogged the total from 2020 by 17%, and 2021 saw the highest average data breach cost in 17 years ($4.24 million, in fact). Yet, for…