Bulletproof Blog

Bulletproof Solutions Inc.

The value of code reviews

Posted by: Andrew Jefferies

Tagged in: vulnerability, security, code, assessment

It is an unfortunate fact that most application developers are not well versed in application security. Combined with tight deadlines and loose development methodologies, this means that your code probably has some security issues. This is why you should be doing code reviews.

Code reviews can take the form of third-party or internal peer review. In peer review, the developers check each other's work as a team. This is a great way to cut down on common mistakes and poor implementation decisions. Every organization that does development should include peer review in its process.


I get a lot of customers who are looking for vulnerability assessments of specific systems or specific applications. Rarely do people ask for assessments of their overall system architecture. Most assume that since they have a firewall they are covered. Unfortunately, it isn't usually as easy as that.

First of all, what makes a good security architecture? I believe that it needs to take into account, at least, these things:

  • Appropriate use of security zones
  • Segregation of components
  • The technologies in use
  • Monitoring requirements
  • Available infrastructure components
  • Use requirements
  • Communication
  • Ease of securing each zone
  • Performance
  • Availability
  • Manageability
