Through the Executive Lens: Prioritizing Application Security Vulnerabilities
It's an old axiom in the security business that your security is only as good as your weakest link. Today, as the number of security threats and attack vectors continues to grow, so too does the number of tools security teams have at their disposal to find and block them. Also growing is the pile of data that security teams must sift through to identify where their systems might be vulnerable. Given all the data, how do you prioritize your efforts?
First, a couple of statistics. According to Tim Clark, SAP contributor to Forbes, 84 percent of all cyber-attacks are happening on the application layer. The 2018 Verizon Data Breach Investigations Report (DBIR) states that web application attacks were responsible for 38 percent of data breaches. And an IBM white paper states that "the costs of discovering defects after release are significant: up to 30 times more than if you catch them in the design and architecture phase." Conclusion: Start by focusing on your application security initiatives.
Within the AppSec space, vulnerability analysis tools fall into two broad groups: tools that analyze your source code and tools that do dynamic analysis. Each tests for a different type of vulnerability, so a portfolio approach to using them will give you the most comprehensive results—and the most data to sift. You can narrow your focus and prioritize issues in a number of ways.
Use source code scanning tools that integrate with the tools your developers use every day, like their integrated development environment (IDE). Some static analysis tools have IDE plug-ins that let your developers do vulnerability analysis directly in the IDE.
This approach to "shifting security left" in the software development life cycle (SDLC) has several benefits. One is that it distributes the load of looking at vulnerabilities across the entire development organization and makes the team more aware of writing secure code as part of their daily job. Another is that it reduces the total number of security issues that make it into the code to be scanned at CI/CD build time.
Whichever tool you pick, be sure that the developer scans use the same engines as the central scans. Otherwise, correlating results across the two scan types won't work well. And if that plug-in supports multiple analysis types, so much the better.
Choose vulnerability scanning tools with low false-positive rates. Not only do false positives increase the volume of data to sift through, but too many false positives in a developer's queue breeds malaise and disinterest in fixing them.
Developer training and measurement
Add security training to your developers' personal development goals, and measure security issues as part of their MBOs. Learning about common vulnerability types, such as cross-site scripting, will make the team more efficient. Adding metrics around software security as part of a team's MBOs will ensure that developers treat security on par with quality and feature delivery. Nothing changes behavior more than a combination of incentives and measurement by one's boss.
Aggregating results across tools is harder than you might think. Several products let you combine the output of different scanners into one view showing the risk profile of a given app. The challenge is in correlating data that comes from different tools, each with its own categorization methodology. Ideally, you'd have a tool that normalizes the results across tools and lets you filter issues based on things like security category and industry standards, such as the OWASP Top 10 or CWE categories.
A few tools offer other features, such as showing open/closed issues over time so you can see progress, and the ability to filter results from one tool by the results of another. For example, if your static analysis tool says you've got 1,000 issues, but your open source scanning tool reports that 800 of those are in open source components, your developers can focus on fixing the 200 that you know are uniquely in your source code.
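The normalization and cross-tool filtering described in the last two paragraphs, as an added example that is not from the article or from any Synopsys product: it takes constructed output from a hypothetical static analysis (SAST) scanner and a hypothetical open-source (SCA) scanner, maps both onto one schema keyed on CWE, tags each finding with an assumed partial CWE-to-OWASP Top 10 (2017) mapping, and sets aside SAST findings whose file lives under a directory the SCA tool attributes to an open-source component, so developers are left with the issues that are uniquely in first-party code. The field names, paths, and mapping are assumptions for the example. It also shows a fingerprint for correlating an IDE scan with a central scan, which only works when both scans come from the same engine, as the article notes.

```python
"""Normalize SAST and SCA findings into one schema, then filter SAST
findings that fall inside open-source component paths (added example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample scanner output; field names are assumptions, not any real tool's format.
SAST_RAW = [
    {"rule": "xss.reflected", "cwe": "CWE-79", "file": "src/web/search.py", "line": 42, "sev": "High"},
    {"rule": "sqli", "cwe": "CWE-89", "file": "src/db/users.py", "line": 17, "sev": "Critical"},
    {"rule": "xss.reflected", "cwe": "CWE-79", "file": "vendor/jinja2/filters.py", "line": 310, "sev": "High"},
    {"rule": "weak-hash", "cwe": "CWE-328", "file": "node_modules/md5/md5.js", "line": 5, "sev": "Medium"},
]
SCA_RAW = [
    {"component": "jinja2", "version": "2.9", "path": "vendor/jinja2/", "cwe": "CWE-79", "severity": "HIGH"},
    {"component": "md5", "version": "2.2.1", "path": "node_modules/md5/", "cwe": "CWE-328", "severity": "MEDIUM"},
]

# Assumed, partial CWE -> OWASP Top 10 (2017) mapping, only for this example.
CWE_TO_OWASP = {
    "CWE-89": "A1:2017 Injection",
    "CWE-79": "A7:2017 Cross-Site Scripting",
    "CWE-328": "A3:2017 Sensitive Data Exposure",
}


@dataclass(frozen=True)
class Finding:
    source: str     # tool class that produced it: "sast" or "sca"
    cwe: str        # the common key both tool classes can report
    path: str       # source file (SAST) or component directory (SCA)
    line: int       # 0 when the tool reports no line
    severity: str   # normalized to lower case across tools

    @property
    def owasp(self) -> str:
        return CWE_TO_OWASP.get(self.cwe, "Unmapped")

    @property
    def fingerprint(self) -> tuple:
        # Stable key for matching the same issue between an IDE scan and a
        # central CI scan; only meaningful when both use the same engine.
        return (self.cwe, self.path, self.line)


def normalize_sast(raw: dict) -> Finding:
    return Finding("sast", raw["cwe"], raw["file"], int(raw["line"]), raw["sev"].lower())


def normalize_sca(raw: dict) -> Finding:
    # Component paths are stored with a trailing slash so prefix matching
    # cannot confuse "vendor/jinja2" with "vendor/jinja2-extras".
    return Finding("sca", raw["cwe"], raw["path"].rstrip("/") + "/", 0, raw["severity"].lower())


def component_prefixes(sca_findings) -> set:
    """Directories that the SCA tool attributes to open-source components."""
    return {f.path for f in sca_findings}


def split_first_party(sast_findings, prefixes):
    """Partition SAST findings into (first-party code, inside open-source components)."""
    first_party, in_components = [], []
    for f in sast_findings:
        bucket = in_components if any(f.path.startswith(p) for p in prefixes) else first_party
        bucket.append(f)
    return first_party, in_components


def dedupe(*scans):
    """Merge several scans of the same engine, keeping one finding per fingerprint."""
    seen = {}
    for scan in scans:
        for f in scan:
            seen.setdefault(f.fingerprint, f)
    return list(seen.values())


def summarize(findings) -> Counter:
    """Count findings by (OWASP category, severity) for a normalized view."""
    return Counter((f.owasp, f.severity) for f in findings)


if __name__ == "__main__":
    sast = [normalize_sast(r) for r in SAST_RAW]
    sca = [normalize_sca(r) for r in SCA_RAW]
    first, comps = split_first_party(sast, component_prefixes(sca))
    print(f"{len(sast)} SAST findings: {len(comps)} in open-source components, "
          f"{len(first)} in first-party code")
    for (category, severity), n in sorted(summarize(first).items()):
        print(f"  {category:35} {severity:8} {n}")
```

The filter is deliberately conservative: a finding is only removed from the developers' queue when the SCA tool has already claimed the directory it sits in, so anything under an unrecognized path stays visible. The component findings are not discarded; they belong in the separate queue of dependency upgrades that the open-source scanner already tracks.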
Summing it up
The work of the security team is never done, but by focusing on specific AppSec initiatives and applying some well-tested strategies and tools, you can do a lot to prioritize the most important issues to focus on.
About the author: Neal Goldman is Senior Product Manager at Synopsys, with over 25 years of product management, marketing, and business development experience at a variety of technology vendors.