Three ways to empower remote threat modeling

This post is a result of a conversation on the Application Security Podcast. Adam Shostack joined Robert and me, and the topic was remote threat modeling. We're all living in this new world where we're working from home. The question we pose is, how will we make progress on rolling out threat modeling when we can't meet with people face to face and work directly on a whiteboard?

Threat modeling: better caught than taught

Everyone wants their engineering staff to be better at threat modeling. Security teams desire a world where developers practice a threat modeling mindset. A threat modeling mindset is where threat modeling is no longer a process or a tool but is instead a way of life. When developers embrace this mindset, they see threats jump off the page in both diagrams and code. They hear peers discussing a potential solution, and they can articulate the security challenges that such an approach will cause.

Security coaches

NOTE: This article is written based on a conversation on the Application Security Podcast with Matt McGrath, called "Security Coaches." Most developers will say security is a concern, but not always the first concern. Developers get hit by the business to deliver user stories quickly and in a state of completeness.

Top Ten Application Security Podcast Episodes of 2019

These are the top ten most-listened-to episodes of the Application Security Podcast for calendar year 2019.

OWASP API Security Top 10: Get your dev team up to speed

Marc Andreessen famously stated in 2011 that "software is eating the world." Now, in 2019, application programming interfaces (APIs) serve as the backbone of modern software, and they keep on devouring everything in their path, from microservices to single-page applications and mobile apps to the Internet of Things.

Tips for application security program building

When building a new program, many start here, thinking we'll just create a policy and then everyone will follow along and do the right thing for security. Unfortunately, an executive's direction is not enough to change the security culture. It does not hurt along the way to have executive buy-in, but it won't kick-start the program.
