Great article on how application security fits into the overall product security in an organization.
Securely Built’s Post
-
Great write up on some of the features in GitLab that help support a secure SDLC!
Cybersecurity Pathfinder | Award-Winning Author & Speaker | Shaping the Future of Security as Educator & Industry Leader | CISSP, CSSLP, AWS
The more you know! If you're not familiar, GitLab provides several features that align well with the National Institute of Standards and Technology (NIST) Secure Software Development Framework (#SSDF).
🗺 The SSDF is a set of guidelines designed to help organizations incorporate security into the #software development lifecycle.
🗺 GitLab’s platform supports many of the practices recommended by the SSDF to ensure #security is integrated throughout the software development lifecycle.
A few ways (not all) GitLab supports the four SSDF practices:
Prepare the Organization (PO):
📜 GitLab allows organizations to set and enforce policies across their development projects, helping to ensure that security practices are followed consistently.
🛂 GitLab supports RBAC, which helps manage who can access certain parts of the project, ensuring that only authorized personnel can make changes to sensitive parts of the codebase.
Protect the Software (PS):
📉 GitLab includes built-in tools for scanning vulnerabilities in the code and in its dependencies. This aligns with the SSDF’s recommendation to analyze code for vulnerabilities and manage the risk associated with third-party components.
🥫 Container Scanning: GitLab can scan containers for vulnerabilities, which is crucial for ensuring the security of containerized applications.
Produce Well-Secured Software (PW):
🔎 GitLab provides integrated AST tools (SAST, fuzz testing, secret detection, etc.) that help developers identify and fix security vulnerabilities within their code before it’s deployed.
🕵♀️ Support for DAST, which tests running applications for vulnerabilities, a key practice for ensuring that the software behaves securely under malicious conditions.
Respond to Vulnerabilities (RV):
🐛 GitLab has built-in features for tracking issues, including security vulnerabilities. This helps organizations respond promptly to vulnerabilities and manage patches or updates effectively.
🛠 GitLab facilitates the integration of fixes through its merge request features, enabling a quick turnaround on #vulnerability patches and ensuring that changes are reviewed and approved before deployment.
By leveraging these and other integrated DevOps tools, GitLab helps organizations adhere to SSDF practices, making it easier to embed security throughout the software development lifecycle. This not only improves the security posture but also enhances the overall efficiency of development teams. Are you using this in your secure SDLC? What did I miss? #devops #devsecops
-
Another great article on supply chain impacts in the financial system.
Unlike the straightforward path of a physical product from creation to consumer, the #financial #supplychain is layered and complex, involving everything from the initial customer interaction to third-party relationships that banks rely on.
💰 Something as "simple" as opening a bank account can involve multiple third-party services, from identity verification to the issuance of banking tools.
📃 Cybersecurity, compliance, operational, and reputational risks associated with third-party interactions can cripple a bank or even have global ripple effects. Additionally, strict regulatory frameworks like #SOX, #PCI DSS, and #GDPR can influence third-party management for financial institutions.
🌐 Geopolitical tensions and rising nationalism affect international #banking, compelling banks to adapt their #data management practices to comply with local data residency #laws.
⛓ However, while there are challenges, there are opportunities that lie ahead for banks in managing their supply chain security over the next decade.
Let me know your thoughts on the hidden dynamics that drive the financial services we use every day.
Did someone leave the vault open?
Derek Fisher on LinkedIn
-
If you haven't heard of Cornucopia from OWASP® Foundation, time to check it out. This has actually been around for a while, but it's a great way to learn about #threatmodeling in an interactive and creative way. Here’s how developers can utilize OWASP Cornucopia to understand and enhance their threat modeling practices:
1. Interactive Learning through Gaming: OWASP Cornucopia is designed as a card game that facilitates interactive #learning. This approach transforms the typically technical and often tedious process of threat modeling into an engaging and collaborative activity. Developers can use this game to simulate threat identification and mitigation strategies in a dynamic and enjoyable setting, which increases participation and retention of information.
2. Integration with Industry Standards: Cornucopia aligns with major security standards and frameworks such as OWASP ASVS, MASVS, MASTG, SAFECode, SCP, and CAPEC. By using this tool, developers can ensure that their security designs and threat models are compliant with established best practices and benchmarks. This alignment helps in systematically addressing security requirements without prior extensive knowledge of these frameworks.
3. Enhanced Team Collaboration and Ownership: The game format encourages team interaction, which in turn fosters a deeper understanding and shared responsibility for security. As described in the narrative, teams not only engage more actively but also start taking initiative in the threat modeling process. This leads to better identification of security threats and the development of robust mitigation strategies.
4. Practical Application and Delegation: Utilizing Cornucopia in threat modeling sessions helps teams move from theoretical discussions to practical applications. It delegates security responsibilities effectively across team members, regardless of their initial knowledge levels. This delegation improves overall team capability in security planning and penetration testing, reducing reliance on external security assessments.
5. Real-World and Fun Learning Environment: Cornucopia makes learning about threat modeling fun, which can significantly enhance the effectiveness of security training sessions. Engaged participants are more likely to contribute actively and remember the strategies discussed. The game’s competitive nature can lead to innovative thinking and problem-solving regarding #security vulnerabilities.
6. Adaptability and Updates: The latest version, Cornucopia 2.0, includes updates like mapping to the latest OWASP ASVS and the introduction of a new mobile app edition, ensuring the tool remains relevant with current technology trends and security challenges. This adaptability makes it a sustainable choice for ongoing security education and practice.
-
What do you do when your puzzle has broken pieces!?
When your puzzle has a few broken pieces
Derek Fisher on LinkedIn
-
Is #SAST dead? TLDR: It's not. But is it getting better?
SAST is Dead, long live SAST
Derek Fisher on LinkedIn
-
#vulnerabilitymanagement is like finding a single needle in the stack of needles. There can be a better way in #applicationsecurity. Read more below.
There is no haystack, only needles
Derek Fisher on LinkedIn
-
Great article on the intersection of application and product security.
📰 In this edition, I'll cover the complexities and evolving nature of AppSec, exploring its crucial role within the broader spectrum of product security. I'll delve into the essence of AppSec, the balance between risk and business needs, and the methodologies of Secure SDLC and DevSecOps. You'll get some insights into the tools and practices that define a robust AppSec program, showcasing the importance of a defense-in-depth approach. 🔍 A Notable Highlight: We reflect on the 23andMe data breach of late 2023, dissecting the lessons learned and the importance of multi-factor authentication (MFA) in safeguarding sensitive data. This incident underscores the critical need for comprehensive security measures in today's interconnected products.
Strengthening the Foundation: Application Security within Product Security
Derek Fisher on LinkedIn
-
Check out the latest newsletter from Derek Fisher on utilizing #threatintelligence in #productsecurity
The more you know
Derek Fisher on LinkedIn
-
Securely Built is launching a newsletter 🎉 If you're curious about product security and its overall role in cybersecurity and protecting organizations, then this newsletter is for you! [securelybuilt.substack] - link below. Please subscribe!
The initial focus will be on the role of product security in technology and how organizations can consider security throughout the product life cycle while delivering value to customers. This series will dive into what product security truly means across organizations and unravel the complexities.
🛠️ In upcoming editions, we'll dive into integrating disciplines like information security, network security, and more to create a robust product security function within organizations.
💡 Did you know product security extends beyond enterprise software? We'll uncover its role in devices, vehicles, and medical devices, shedding light on their unique challenges and solutions.
🔄 Plus, we'll discuss posture management tools, compliance impacts, and regulatory frameworks shaping the landscape of product security today.
Subscribe now to stay updated as I release new editions. What have I wrought upon this world....hopefully good stuff 😁 #productsecurity #cybersecurity #infosec #networksecurity #iotsecurity #devicesecurity #compliance