
SANS ISC: Dealing with application in-security - Internet Security | DShield SANS ISC InfoSec Forums


Dealing with application in-security

At the recent SANS Application Security Summit, I had the pleasure of chatting with some of the brightest minds in the appsec field. Aside from educating developers, everyone seems to agree that we need to roll security into the development lifecycle and make sure we test the security aspects of applications before letting them move into production. On the testing front, there has been a lot of activity in the product space.

Static code scanners analyze source code for vulnerabilities. The approach is more thorough than black-box testing, since it sees every code path rather than only the ones a test exercised, but it can generate tons of alerts that overwhelm the people who have to triage them. Rolling it into the development lifecycle is a big challenge: organizations struggle to place it between developers and QA, and some are more successful than others. Overall, an organization has to really change its development culture to adopt a static source scanning product.
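One practical way to keep a static scanner from flooding developers with alerts once it sits in the build pipeline is to gate only on findings that are new relative to a reviewed baseline, while previously accepted findings are reported but do not block. The toy scanner below is an added illustration, not code from this diary or from any scanning product: the rule set, the `Finding` class, the `baseline`/`triage` helpers and the two sample source files are all constructed for the example. Real SAST engines parse the code and track data flow; line regexes are only enough to show the baselining mechanics.

```python
"""Toy static scanner with an accepted-findings baseline (constructed example).

Only findings that are new relative to the last reviewed release fail the
build; known, accepted findings are listed but do not block the merge.
"""
import re
from dataclasses import dataclass

# Hypothetical rule set: regexes applied to single source lines.
RULES = {
    "os-system": re.compile(r"\bos\.system\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    # SQL text assembled with an f-string, % or + directly inside execute(...)
    "sql-string-build": re.compile(r'\.execute\s*\(\s*(f"|"[^"]*"\s*(%|\+))'),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str

    def key(self):
        # Line numbers shift whenever code above them is edited, so the
        # baseline matches on file, rule and the offending line's text.
        return (self.path, self.rule, self.snippet)


def scan_source(path, text):
    """Return one Finding per (line, rule) hit in `text`."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        code = raw.split("#", 1)[0]  # crude comment stripping; enough for the demo
        for rule, pattern in RULES.items():
            if pattern.search(code):
                findings.append(Finding(path, lineno, rule, raw.strip()))
    return findings


def baseline(findings):
    """Keys of findings accepted in the last reviewed release."""
    return {f.key() for f in findings}


def triage(findings, accepted):
    """Split current findings into (new, already accepted)."""
    new = [f for f in findings if f.key() not in accepted]
    old = [f for f in findings if f.key() in accepted]
    return new, old


def should_block_merge(new_findings):
    return len(new_findings) > 0


# Constructed sample: the previously reviewed file, and the same file after a
# commit that adds an import (shifting every line) plus two genuine problems.
RELEASED = """\
import os

def run(cmd):
    os.system(cmd)  # legacy, tracked as accepted risk

def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))
"""

PROPOSED = """\
import os
import sys

def run(cmd):
    os.system(cmd)  # legacy, tracked as accepted risk

def lookup(cur, name):
    cur.execute("SELECT * FROM users WHERE name = %s", (name,))

def lookup_by_prefix(cur, prefix):
    cur.execute("SELECT * FROM users WHERE name LIKE '%s'" % prefix)

def calc(expr):
    return eval(expr)
"""


def demo():
    """Scan the proposed change against the baseline of the released file."""
    accepted = baseline(scan_source("app.py", RELEASED))
    return triage(scan_source("app.py", PROPOSED), accepted)


if __name__ == "__main__":
    new, old = demo()
    for f in old:
        print(f"accepted  {f.path}:{f.line} {f.rule}")
    for f in new:
        print(f"NEW       {f.path}:{f.line} {f.rule}: {f.snippet}")
    print("block merge:", should_block_merge(new))
```

The point of keying on the line text rather than the line number is that the accepted `os.system` call moves from line 4 to line 5 in the proposed file yet stays suppressed, while the string-built SQL and the `eval` are reported as new and block the merge. A baseline like this is how a team can switch a noisy scanner on without first fixing every historical finding; the baseline itself then needs an owner and a burn-down plan, or the accepted debt never shrinks.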

The runtime analysis tools (commonly known as web application scanners)

Jason
ISC Handler
