CISA cybersecurity performance goals: 7 action items to boost your AppSec

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently released new guidance on its Secure by Design principles, outlining best practices that the IT sector should take to reduce the cyber-risks its products are exposing its customers to ...
AI is a double-edged sword: Why you need new controls to manage risk

As with just about every part of business today, cybersecurity has been awash in the promises of what AI can do for its tools and processes. In fact, cybersecurity vendors have touted the power of algorithmic detection and response for years ...
AppSec vs. product security: Secure by Design demands a strategy shift

For the Secure by Design initiative of the Cybersecurity and Infrastructure Security Agency (CISA) to really change the security landscape, the scope of traditional application security (AppSec) will need to expand considerably beyond shifting code testing left (earlier in the software development lifecycle). What is required is a more holistic ...
Threat modeling and binary analysis: Supercharge your software risk strategy

One of the trickiest problems organizations face with securing their software supply chain is making risk decisions without really understanding where the biggest threats lie in their software, whether open source or commercial. Even with a full slate of application security testing (AST), without modernizing your approach with software supply chain ...
‘Good, fast, cheap... Pick two’: Software quality dilemma forces risky decisions

One of the prevailing proverbs of application development is the truth about the so-called iron triangle — that when developing software you’ve got three options: good, fast, and cheap. But you can only pick two. Good can have varying definitions but for most it’s a solid stand-in for "quality," of ...
Cybersecurity Does Not Have a Skill Shortage Gap (It's a Hiring Gap)

Cybersecurity’s workforce woes are a myth: 5 ways to rethink recruiting

The threat landscape is more challenging than ever, and the cybersecurity workforce is dogged by overwork and burnout. No wonder there's a cybersecurity talent shortage. Or is there? ...
Software complexity is a real problem — and your AppSec must factor that in

Achieving strong application security is hard even when AppSec and development teams are overseeing the simplest applications and the most streamlined application portfolios. But "simple" is relative. Most modern software products are complex, often weighing in at over 10GB, with thousands of components in them ...
The state of DevSecOps: Why upgrading your AppSec tooling is essential

DevSecOps started getting written and talked about a decade ago, and today many companies are paying attention to the best-practices recommendations put forth in the press and conferences. In fact, a report released by GitLab earlier this year showed that, as of last year, a majority of companies — 56% ...