DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

The Latest Security Topics

article thumbnail
How Zero Trust Improves Ransomware Response
Zero trust is often discussed as a critical solution to cybersecurity problems. Here's how it can help with the rising threat of ransomware.
October 7, 2022
by Zac Amos
· 6,716 Views · 1 Like
article thumbnail
How to Migrate From Kubernetes Pod Security Policies (PSPs) to Kyverno
Migrating from Kubernetes PSP to Kyverno is just as simple as defining any other Kubernetes resource.
October 6, 2022
by Abhinav Sinha
· 4,690 Views · 2 Likes
article thumbnail
Top 10 Programming Languages to Use in Cyber Security Programming
This article will run through the top 10 coding languages you may want to learn to kickstart your cyber security career.
October 5, 2022
by Alister Esam
· 9,387 Views · 3 Likes
article thumbnail
Appsec and Technical Debt
Technical debt is a fact of life for anyone working in software development: work that needs to be done to make the system cleaner and simpler and cheaper to run over the long term, but that the business doesn't know about or doesn't see as a priority. This is because technical debt is mostly hidden from the people that use the system: the system works ok, even if there are shortcuts in design that make the system harder for developers to understand and change than it should be; or code that’s hard to read or that has been copied too many times; maybe some bugs that the customers don’t know about and that the development team is betting they won’t have to fix; and the platform has fallen behind on patches. It’s the same for most application security vulnerabilities. The system runs fine, customers can’t see anything wrong, but there’s something missing or not-quite-right under the hood, and bad things might happen if these problems aren't taken care of in time. Where does Technical Debt come from? Technical debt is the accumulation of many decisions made over the life of a system. Martin Fowler has a nice 2x2 matrix that explains how these decisions add to a system’s debt load: I think that this same matrix can be used to understand more about where application security problems come from, and how to deal with them. Deliberate Decisions Many appsec problems come from the top half of the quadrant, where people make deliberate, conscious decisions to short cut security work when they are designing and developing software. This is where the “debt” metaphor properly applies, because someone is taking out a loan against the future, trading off time against cost – making a strategic decision to save time now, get the software out the door knowing that they have taken on risks and costs that will have to be repaid later. This is the kind of decision that technology startups make all the time. Thinking Lean, it really doesn't matter if a system is secure if nobody ever uses it. So build out important features first and get customers using them, then take care of making sure everything’s secure later if the company lasts that long. Companies that do make it this far often end up in a vicious cycle of getting hacked, fixing vulnerabilities and getting hacked again until they rewrite a lot of the code and eventually change how they think about security and secure development. Whether you are acting recklessly (top left) or prudently (top right) depends on whether you understand what your security and privacy obligations are, and understand what risks you are taking on by not meeting them. Are you considering security in requirements and in the design of the system and in how it’s built? Are you keeping track of the trade-offs that you are making? Do you know what it takes to build a secure system, and are you prepared to build more security in later, knowing how much this is going to cost? Unfortunately, when it comes to application security, many of these decisions are made irresponsibly. But there also situations when people don’t know enough about application security to make conscious trade-off decisions, even reckless decisions. They are in the bottom half of the quadrant, making mistakes and taking on significant risks without knowing it. Inadvertent Mistakes Many technical debt problems (and a lot of application security vulnerabilities) are the result of ignorance: from developers not understanding enough about the kind of system they are building or the language or platform that they are using or even the basics of making software to know if they are doing something wrong or if they aren't doing something that they should be doing. This is technical debt that is hidden even from people inside the team. When it comes to appsec, there are too many simple things that too many developers still don’t know about, like how to write embedded SQL properly to protect an app from SQL Injection, or how important data input validation is and how to do it right, or even how to do something as simple as aForgot Password function without messing it up and creating security holes. When they’re writing code badly without knowing it, they’re in the bottom left corner of the technical debt quadrant – reckless and ignorant. But it’s also too easy for teams who are trying to be responsible (bottom right) to miss things or make bad mistakes, because they don’t understand the black magic of how to store passwords securely or because they don’t know about Content Security Policy protection against XSS in web apps, or how to use tokens to protect sessions against CSRF, or any of the many platform-specific and situation-specific security holes that they have to plug. Most developers won’t know about these problems unless they get training, or until they fail an audit or a pen test, or until the system gets hacked, or maybe they will never know about them, whether the system has been hacked or not. Appsec Vulnerabilities as Debt Thinking of application security vulnerabilities as debt offers some new insights, and a new vocabulary when talking with developers and managers who already understand the idea of technical debt. Chris Wysopal at Veracode has gone farther and created a sensible application security debt model that borrows from existing cost models for technical debt, calculating the cost of latent application security vulnerabilities based on risk factors: breach probability and potential breach cost. Financial debt models like this are intended to help people (especially managers) understand the potential cost of technical debt or application security debt, and make them act more responsibly towards managing their debt. But unfortunately tracking debt costs hasn't helped the world’s major governments face up to their debt obligations and it doesn't seem to affect how most individuals manage their personal debt. And I don't think that this approach will create real change in how businesses think of application security debt or technical debt, or how much effort they will put in to addressing it. Too many people in too many organizations have become too accustomed to living with debt, and they have learned to accept it as part of how they work. Paying off debt can always be put off until later, even if later never comes. Adding appsec vulnerabilities to the existing debt that most managers and developers are already dealing with isn't going to get vulnerabilities taken care of faster, even vulnerabilities that have a high “interest cost”. We need a different way to convince managers and developers that application security needs to be taken seriously.
Updated October 5, 2022
by Jim Bird
· 10,202 Views · 1 Like
article thumbnail
Secure By-Design Storage for Your SCM
The widely adopted SCM tools we use today, GitHub and Gitlab, are built on the dated architecture and design of git, but this has some security gaps we'll explore.
October 4, 2022
by Avi Mastov
· 5,009 Views · 1 Like
article thumbnail
The Art of Deploying a Service Mesh
Check out the benefits of deploying a service mesh, popular tools for deploying a Service Mesh, and more here in this article.
October 4, 2022
by Ruchita Varma
· 7,095 Views · 1 Like
article thumbnail
Kubernetes Security: 10 Best Practices From the Industry and Community
One of the best ways to tighten your Kubernetes security is by implementing ten tactics that have become industry standard.
October 4, 2022
by Olesia Pozdniakova
· 4,053 Views · 1 Like
article thumbnail
How To Validate Names Using Java
Gain context of three separate API solutions which can be used to validate name input fields within an application as you follow along with this demonstration.
October 3, 2022
by Brian O'Neill DZone Core CORE
· 9,061 Views · 4 Likes
article thumbnail
Managing Application Dependencies in the Cloud: Strategies and Best Practices
This article explains the basics of application dependency mapping, its importance in cloud environments and covers four critical best practices.
October 3, 2022
by Gilad David Maayan
· 4,684 Views · 1 Like
article thumbnail
Exploring the Impact of Ethereum Merge Infrastructure Development
The Merge led to the development of a new programming language, which will make it easier for developers to be part of the network. Read more in this post.
September 29, 2022
by Ryan Kh
· 6,517 Views · 3 Likes
article thumbnail
What Are SOC and SIEM? How Are They Connected?
Understanding how SOC works with SIEM is crucial if you want to understand how these two technologies fit together in your environment.
Updated September 27, 2022
by Navcharan Singh
· 10,081 Views · 2 Likes
article thumbnail
Jenkins Security Tips
This post looks at some methods and tools to keep your Jenkins instance safe, secure and protect those using it. For an open, customizable platform.
September 27, 2022
by Andy Corrigan
· 5,661 Views · 1 Like
article thumbnail
What’s the Future of Device Management? 5 Predictions For What Lies Ahead
Managing devices is getting harder and harder. Here's how to prepare for the future.
September 27, 2022
by Mike McNeil
· 5,827 Views · 1 Like
article thumbnail
A Guide to Endpoint Protection
Endpoint response and detection solutions use techniques to monitor all endpoints for abnormal activity, quickly detect attacks and respond timely.
September 26, 2022
by Irene Fatyanova
· 7,220 Views · 2 Likes
article thumbnail
Data Migration from AWS DocumentDB to Atlas on AWS
AWS Database Migration Service provides heterogeneous migrations between different platforms. See the migration scenario between DocumentDB and MongoDB Atlas on AWS.
Updated September 22, 2022
by Travis Van
· 9,396 Views · 2 Likes
article thumbnail
Strategies for Governing Data Quality, Accuracy, and Consistency
It is easier than ever to accumulate data but also challenges remain to ensure complete and correct data is captured. Discover key techniques and methodologies.
September 22, 2022
by Ted Gooch
· 8,369 Views · 1 Like
article thumbnail
Accelerate Cloud-Native Applications With NVMe
Cloud-native applications have different storage needs from legacy applications or traditional software hosted in the cloud.
September 22, 2022
by Carol Platz
· 4,522 Views · 1 Like
article thumbnail
How to Set Up Trivy Scanner in GitLab CI: The Complete Guide
Trivy is an open-source container image scanner used by DevOps and security teams known for its reliability and ease of use.
September 22, 2022
by Florian Pialoux
· 4,836 Views · 1 Like
article thumbnail
How Does WebAuthn Work?
WebAuthn is the FIDO Protocol that defines a passwordless means of authentication. This article gives a rundown of the process and how the user sees it.
September 22, 2022
by Nick Hodges
· 7,700 Views · 5 Likes
article thumbnail
Thinking Like a Hacker: Abusing Stolen Private Keys
How can an attacker exploit leaked credentials? In this new series, we try to answer this question by imagining plausible attack scenarios. First case: an RSA private key is found in a Docker image.
September 21, 2022
by C.J. May
· 6,647 Views · 2 Likes
  • Previous
  • ...
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • ...
  • Next
  • RSS
  • X
  • Facebook

ABOUT US

  • About DZone
  • Support and feedback
  • Community research

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 215
  • Nashville, TN 37211
  • [email protected]

Let's be friends:

  • RSS
  • X
  • Facebook
×