Application Security Tools

Post: Upcoming Webinar on Mobile Application Security Assessments

I’ll be doing a webinar on mobile application security assessments on Wednesday, October 22nd. We’ll be talking about how security issues can exist in code deployed on a mobile device, in corporate web services backing the device, in any third-party supporting services, as well as in the interactions between any of these components. The […]

Post: “How is Your AppSec Program Doing Compared to Others?” Webinar

Organizations that build software and worry about security are continually asking, “How do we stack up to others?” Join John Dickson and Denim Group at 3 PM CDT on Thursday, August 21st for an executive briefing webinar on how to use OpenSAMM to benchmark your application security activities against others and how to identify gaps […]

Post: For Mobile Application Security, What Sort of Protection Do App Stores Provide?

iOS (iPhone/iPad): Non-jailbroken iOS devices can only install applications from the official Apple iTunes App Store. The App Store has an application approval process whose methods are not publicly disclosed, but that does not appear to do meaningful security checking of applications. Instead, applications are checked for the use of undocumented APIs or other violations. […]

Post: Why is Mobile Application Security Important?

As more organizations explore ways to push functionality to mobile devices, there is a desire to move an increasing amount of sensitive data onto the device. In addition, there is a push to have more sensitive calculations performed on devices. With the dramatic increase in the number of devices, their technical capabilities, and their use […]

Post: What is Code Signing?

Code signing is the process of attaching a digital signature to application binaries. Cryptographic functions are used to identify a specific application binary and associate that binary with a specific developer or organization. This allows other systems to understand several things about an application: The source of the application based on who signed the application […]

Post: Limitations of Automated Tools for Dynamic Web Application Security Scanning

They can only find technical flaws in applications, not logical flaws. Application security scanners identify only around 30% of the most serious flaws that exist in large-scale web software systems. They cannot find the more serious vulnerabilities that are potentially painful to mitigate, such as architectural or design flaws that were introduced before coding or […]