Best of TechBeacon 2016: 10 app security stories you don't want to miss
You're never finished with application security—ever. You can design all the security controls you want into your software, follow every capability maturity and software development model out there, and test the daylights out of all your apps. But at the end of the day, you are never done. There's always something you overlooked, or left behind, or that crept into your code and created an exploitable vulnerability.
TechBeacon’s top 10 security stories of 2016 cover the range of issues and trends that will help you get focused on what you may have missed so that you can move forward, with better app security, in the coming year.
Security must be an integral part of any application development process; you can't just bolt it on as an afterthought at the end of the cycle. But integrating it into your development and delivery agenda doesn’t have to be expensive, thanks to a slew of free open source application security tools. TechBeacon's Mike Perrow offers this handy guide to the best of them.
If there’s one thing that security professionals don’t lack, it's security tools. In recent years, security vendors have flooded the market with a vast array of products and services designed to protect against every conceivable threat out there, and then some. But do you know which tools will matter the most in coming years? TechBeacon contributor John P. Mello reports on five emerging technologies that could level the playing field.
Whether you like them or not, mobile applications are not going away. Users will continue to download and use them in the enterprise, without regard for the security implications. That means it's up to you to perform penetration testing to ensure that the apps people use don't pose a risk to enterprise security. Johanna Curiel, co-founder of Ossecsoft, offers a set of recommendations for pen testing mobile apps.
Penetration testing is a good way to unearth vulnerabilities in software. But it is one thing to pen test on-premises applications and quite another to pen test applications that run in the public cloud. In addition to the technical challenges, you'll face legal obstacles, since the infrastructure under test belongs to the cloud provider. David Linthicum, senior vice president at Cloud Technology Partners, explains the hurdles you need to overcome when conducting pen tests on your cloud-based apps.
Contrary to what some might believe, DevOps practices aren't incompatible with information security best practices. In fact, if done right, DevOps can bolster application security by helping to identify and mitigate security issues earlier in the development lifecycle. DevOps can also help speed up the automation of information security functions and services. Electric Cloud CTO Anders Wallgren explains how.
Developers and security experts have acknowledged the need to bake in security during development, not bolt it on at the end of the process. The Open Web Application Security Project, and other efforts, have led to some progress in this area. But a lot of work remains to be done in making security an integral part of the application development lifecycle, reports contributor Jaikumar Vijayan.
Software developers tend not to think of themselves as responsible for security. That’s a mistake. Trends such as the movement to DevOps and CloudOps, and the growing need for organizations to enable authentication at the application layer, are driving the need for cloud app developers to become experts in security. David Linthicum offers advice on the high-level concepts that developers need to focus on if they want to succeed at cloud app security.
Most organizations manage a mix of Web, mobile, open-source and cloud applications, and each environment presents its own set of security challenges. That's why it's important to keep an eye on the latest trends and practices in each realm. Did you know, for instance, that most organizations plan to spend more on application security in 2017 than they did last year, and that nearly 8 in 10 use open source security tools? Jaikumar Vijayan reports on 32 app sec trends that you should be watching.
The microservices approach to software development enables faster and more frequent updates, and mitigates some of the challenges involved in ensuring that different development groups work and release in tandem. But are you aware of all of the security issues associated with microservices? Do you know why security professionals react to microservices with so much trepidation and skepticism? Bernard Golden, CEO of Navica, lays it all out.
One of the first dictums of application security is to never trust users to behave in a secure manner. Other fundamentals you need to keep in mind at all times include never having hard-coded credentials in your applications, and not forgetting that you are ultimately responsible for the security of not just your own apps, but third-party software as well. Security Journey's Chris Romeo describes the six app sec lessons all security teams should study.
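The hard-coded credentials lesson above is the one that is easiest to turn into a concrete check. The following is an added example, not code from the TechBeacon story or from Chris Romeo: a small Python scanner that flags hard-coded credentials in source text (assignments to secret-looking names, a couple of well-known token prefixes, and a Shannon-entropy score for ranking), next to the pattern it should push teams toward, a loader that reads the secret from the environment at runtime and fails closed. The sample source lines, the token-prefix patterns and the placeholder list are constructed for illustration, and the scanner deliberately reports where a secret sits rather than the secret itself, so its output can be logged without leaking what it found.

```python
"""Added example (not from the TechBeacon story): a minimal hard-coded
credential detector, plus the runtime secret loader it should replace
hard-coded values with. Sample source lines below are constructed."""
import math
import os
import re
from collections import Counter

# Assignments of a string literal to a name that usually holds a secret.
SECRET_NAME = re.compile(
    r"""(?P<name>\w*(?:password|passwd|secret|token|api_?key)\w*)"""
    r"""\s*[:=]\s*["'](?P<value>[^"']{4,})["']""",
    re.IGNORECASE,
)

# Token formats with a fixed prefix (assumed patterns, kept deliberately simple).
KNOWN_FORMATS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Values that are placeholders rather than real credentials (assumed list).
PLACEHOLDERS = {"changeme", "password", "example", "xxxx", "todo", "replace_me"}


def shannon_entropy(s):
    """Bits of entropy per character; used only to rank findings, not filter
    them, since a weak password like hunter2 is still a hard-coded secret."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text):
    """Return findings (line number, kind, variable name, entropy) for
    anything that looks like a credential embedded in the source text.
    The secret value itself is intentionally not included."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in KNOWN_FORMATS.items():
            hit = pat.search(line)
            if hit:
                findings.append({"line": lineno, "kind": kind, "name": None,
                                 "entropy": round(shannon_entropy(hit.group(0)), 2)})
        m = SECRET_NAME.search(line)
        if m:
            value = m.group("value")
            # Skip obvious placeholders and references to injected values.
            if value.lower() in PLACEHOLDERS or value.startswith("${"):
                continue
            findings.append({"line": lineno, "kind": "secret_assignment",
                             "name": m.group("name"),
                             "entropy": round(shannon_entropy(value), 2)})
    return findings


def load_secret(name, env=None):
    """Hardened pattern: resolve the secret at runtime from the environment
    (a stand-in for a secret manager) and fail closed if it is missing or
    still a placeholder, instead of silently running with a bad value."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    if value.lower() in PLACEHOLDERS:
        raise RuntimeError(f"secret {name} is still a placeholder")
    return value


# Constructed sample source: two real findings, two things that should be ignored.
SAMPLE_SOURCE = """\
import requests
DB_PASSWORD = "hunter2"
api_key = "changeme"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_url = os.environ["DATABASE_URL"]
token = "${VAULT_TOKEN}"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} name={f['name']} entropy={f['entropy']}")
    print(load_secret("DB_PASSWORD", {"DB_PASSWORD": "s3cr3t"}))
```

Run against the constructed sample it reports line 2 (a password assigned as a literal) and line 4 (an AWS-style access key ID) and stays quiet about the placeholder on line 3, the environment lookup on line 5 and the templated value on line 6. A check like this belongs in the pre-commit hook or CI stage, not in a once-a-year audit, and the `load_secret` side is the point of the lesson: the application should refuse to start without its secret rather than ship with a default.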