Whitepaper Library

Simplifying Application Security & Compliance with the OWASP Top 10

Many organizations use the OWASP Top 10 to focus their application security and compliance activities. The concept: build processes that prevent the ten most critical web application security risks, and thereby reduce both security exposure and development cost.

This management briefing describes how the OWASP Top 10 can be used to transform application security and facilitate compliance.

Threat Modeling for Secure Embedded Software

Embedded software presents a unique set of challenges for application development and engineering teams. To combat embedded software threats, teams are turning to strategies such as threat modeling, static analysis and penetration testing to secure their embedded code. This paper examines threat modeling and explains how it can be used in concert with secure development best practices, including automated source code analysis, peer code review, and penetration testing, to both identify and mitigate embedded software threats.

Aligning Application Security and Compliance

Regulators and industry standards have added new requirements that relate to application development practices, but these requirements are often difficult to interpret, and the security activities that satisfy them are not widely understood. This whitepaper presents a practical approach to mapping application security practices to compliance requirements.

19 Attacks for Breaking Applications

This paper presents 19 attacks that testers can use to uncover vulnerabilities in an application's dependencies, user interface, design and implementation. These attacks can be applied to any type of application and have a proven ability to uncover elusive vulnerabilities.

Application Security by Design

Deployed software is continuously under attack. Attackers have been exposing and exploiting vulnerabilities for decades, and the volume of attacks continues to grow. This paper describes lifecycle activities, from design through deployment, aimed at producing more secure and robust code that can better withstand attack.

Application Security Maturity Model

The Application Security Maturity (ASM) model was developed by Security Innovation and is based on analysis of ten years' worth of data about organizations and their investment in tools, technology, people, and processes. The model helps organizations understand where they stand in their overall approach to application security.

How to Conduct a Code Review

A large number of bugs can be found and fixed before the code makes it into an official build, where problems are much more costly to address. By performing the steps in this guide, you will be able to identify the types of bugs that matter for your code and generate a prioritized list of bugs to eradicate.

Software Security Total Risk Management

This paper examines some of the major challenges of software security risk management and introduces Software Security Total Risk Management (SSTRM), a programmatic approach by which enterprises can apply software security development and assessment best practices to meet the twin goals of enhancing business revenue and protecting against business losses.

Static Analysis Strategies

No security activity has received more attention lately than static analysis, owing to its ability to catch problems in the code before products are deployed. This paper presents best practices for code security analysis and helps ensure your efforts are efficient.

The Art of Threat Modeling for IT Risk Management

This paper introduces threat modeling, a powerful software application risk management technique that allows you to identify the "true" risks in deployed or in-construction software and make informed risk management decisions.

The Biggest Information Security Mistakes that Organizations Make

This paper introduces five common information security mistakes that organizations make and concludes with recommendations and best practices for building and maintaining a successful information security practice and application security program.