Key Components to Consider When Kicking Off Your Veracode AppSec Program

I’ve been working as a Veracode security program manager since 2013, and have adopted AppSec best practices in those six years that contribute to successful AppSec programs. I started my journey here as a program manager and was fortunate enough to manage and lead some of Veracode’s largest and most complex customer programs. Today, I’m managing a team of program managers. In this blog, I will walk through four key…

June 25, 2019

Live From Gartner Security & Risk Mgmt Summit: Starting an AppSec Program, Part 2

This is part two of a two-part blog series on a presentation by Hooper Kincannon, Cyber Security Engineer at Unum Group, on “Secure from the Start: A Case Study on Software Security” at the Gartner Security & Risk Management Summit in National Harbor, MD. In this presentation, Hooper provided a great blueprint for starting a DevSecOps program. In part one, I summarized how Hooper got buy-in for his program and…

June 20, 2019

Live From Gartner Security & Risk Mgmt Summit: Starting a Web Application Security Program

Bootstrapping an application security program is hard. Technology is only one part of the equation. You need to inventory your applications, get stakeholders on board, and then execute on the holy trinity of people, process, and technology. That’s why I was excited to see Hooper Kincannon, Cyber Security Engineer at Unum Group, present on “Secure from the Start: A Case Study on Software Security” at the Gartner Security & Risk…

June 20, 2019

Live From Gartner Security & Risk Mgmt Summit: How to Approach Container Security

Container security is a topic most security practitioners still find confusing. It’s a new technology that’s spreading fast because of its numerous benefits, and security implications and solutions are evolving just as fast. That’s why I really appreciated Anna Belak’s session “Container Security – From Image Analysis to Network Segmentation” at the Gartner Security & Risk Management Summit in National Harbor, MD. Anna provided a great framework for thinking about…

June 19, 2019

Embracing the “Sec” in DevSecOps: How Veracode and AWS Work Together to Help You Build Secure Apps

Developers, like most builders, are creative critical thinkers who take pride in their work. Let’s focus on the word “builder” for a moment. During the industrial revolution, we saw a shift in manufacturing where time-consuming processes were made more efficient through automation. With that, we also saw the concept of an assembly line and interchangeable parts transform businesses. The idea was to build as quickly as possible for less cost…

June 19, 2019

Live From Gartner Security & Risk Mgmt Summit: Pair Security Trainings With Technical Controls

“We often forget that technology cannot solve the world’s problems.” That was one of the opening lines of Joanna Huisman’s session “Magic Quadrant for Security Awareness Computer-Based Training” at the Gartner Security & Risk Management Summit in National Harbor, MD. While her Magic Quadrant doesn’t address DevSecOps trainings, I took away some valuable lessons that also apply to this area. 20 percent of users will never change behavior, no matter…

June 18, 2019

Application Security Beyond Static Analysis

There is no application security “silver bullet” – it takes a combination of testing types to effectively reduce your risk. Each testing method has a different role to play and works best when used in harmony with others. For instance, our research showed that there are significant differences in the types of vulnerabilities you discover dynamically at runtime compared to those you’ll find when doing static testing in a non-runtime…

June 18, 2019

Live From Gartner Security & Risk Mgmt Summit: Running Midsize Enterprise Security

Over the past few months, I’ve experienced an increased interest in DevSecOps from midsize enterprises, so I was especially interested in attending Neil Wynne and Paul Furtado’s session “Outlook for Midsize Enterprise Security and Risk Management 2019” at the Gartner Security & Risk Management Summit in National Harbor, MD this week.

57 Percent of Midsize Enterprises Don’t Have a CISO

Gartner defines midsize enterprises as companies with less than $20…

June 18, 2019

How Veracode Supports DevSecOps Methodologies With SaaS-based Application Security

Most legacy applications were not developed with security in mind. However, modern businesses and organizations are continuing to undergo digital transformation in order to pursue new business models and revenue channels, as well as to give their customers or constituents a simplified experience. This often means selecting cloud-based tools and solutions that allow for the scalability necessary to provide applications and services to a broad customer base. For example, in 2013,…

June 18, 2019

What the AMCA Data Breach Teaches Us About Modern Supply Chain Security

The State of Software Security Volume 9 (SOSS Vol. 9) found that the healthcare industry, with its stringent regulations, received relatively high marks in many of the standard AppSec metrics. According to Veracode scan data, healthcare organizations ranked highest of all industries on OWASP pass rate on latest scan, coming in with a rate just over 55 percent. Our flaw persistence analysis shows that the industry is statistically closing found…

June 10, 2019