{"id":200,"date":"2011-07-19T01:19:00","date_gmt":"2011-07-19T01:19:00","guid":{"rendered":"https:\/\/belayclientstaging.zone\/securityeverafter\/2011\/07\/19\/control-7-application-software-security\/"},"modified":"2011-07-19T01:19:00","modified_gmt":"2011-07-19T01:19:00","slug":"control-7-application-software-security","status":"publish","type":"post","link":"https:\/\/securityeverafter.com\/control-7-application-software-security\/","title":{"rendered":"Control 7: Application Software Security"},"content":{"rendered":"<p>Attacks against applications are certainly a growing threat to organizations. Some argue that as system administrators are much better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment? Glad you asked.<\/p>\n<ul>\n<li>Teach yourself about the <a href=\"https:\/\/www.owasp.org\/index.php\/Main_Page\">OWASP<\/a> <a href=\"https:\/\/www.owasp.org\/index.php\/Category:OWASP_Top_Ten_Project\">Top 10 Project<\/a>. Use this information to create an ongoing workshop for your developers to learn these concepts and be better prepared to avoid them. Meet with your developer and quality assurance teams monthly and review one of the categories each session. With the prevalence of virtualization <a href=\"http:\/\/www.virtualbox.org\/\">solutions<\/a> <a href=\"http:\/\/www.vmware.com\/\">available<\/a>, it will be easy to create an environment for them to test these concepts from the comfort of their own cubicles.&nbsp; <\/li>\n<\/ul>\n<ul>\n<li>A most excellent pre-configured platform to use by your developers and quality assurance teams is <a href=\"http:\/\/samurai.inguardians.com\/\">Samurai Web Testing Framework (WTF)<\/a> on a virtual machine. This free linux distribution is purpose built for web application penetration testing, includes numerous tools and is maintained by <a href=\"http:\/\/www.sans.org\/security-training\/instructors\/Kevin-Johnson\">Kevin Johnson<\/a>. <\/li>\n<\/ul>\n<ul>\n<li>Integrate at least one component of your information security program into each step of the Software Development Life Cycle (SDLC). The key is to get to the point where the developers seek you out. This may have to involve bribery, staying late with them and an occasional <a href=\"http:\/\/www.starbucks.com\/\">Starbucks<\/a> run, but this partnership is very possible to achieve with some effort. <\/li>\n<\/ul>\n<ul>\n<li>An excellent resource for your development team is the <a href=\"http:\/\/ha.ckers.org\/xss.html\">Cross Site Scripting Prevention Cheat Sheet<\/a> created by <a href=\"http:\/\/ha.ckers.org\/\">Robert &#8220;RSnake&#8221; Hansen<\/a>. This listing has numerous code samples that can be used by your team to determine if your site is subject to these attacks.&nbsp; <\/li>\n<\/ul>\n<ul>\n<li>Look for ways to avoid the <a href=\"http:\/\/www.sans.org\/top25-software-errors\">25 Most Dangerous Programming Errors<\/a> published by Mitre and SANS. Categories of these errors include Insecure Interaction Between Components, Risky Resource Management and Porous Defenses.<\/li>\n<\/ul>\n<ul>\n<li>Institute a peer review program where code is reviewed before it is published by a fellow developer. Consider implementing a nominal reward for each security issue identified before it is released into production. <\/li>\n<\/ul>\n<p>Using these very cost effective techniques will go a long way to increase the security posture of your applications.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attacks against applications are certainly a growing threat to organizations. Some argue that as system administrators are much better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment? Glad you asked. Teach [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[21,22],"tags":[],"jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.8 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Control 7: Application Software Security - Security Ever After - vCISO<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/securityeverafter.com\/control-7-application-software-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Control 7: Application Software Security - Security Ever After - vCISO\" \/>\n<meta property=\"og:description\" content=\"Attacks against applications are certainly a growing threat to organizations. Some argue that as system administrators are much better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment? Glad you asked. Teach [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/securityeverafter.com\/control-7-application-software-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Ever After - vCISO\" \/>\n<meta property=\"article:published_time\" content=\"2011-07-19T01:19:00+00:00\" \/>\n<meta name=\"author\" content=\"Russell\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@russelleubanks\" \/>\n<meta name=\"twitter:site\" content=\"@russelleubanks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Russell\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/securityeverafter.com\/control-7-application-software-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/securityeverafter.com\/control-7-application-software-security\/\"},\"author\":{\"name\":\"Russell\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3\"},\"headline\":\"Control 7: Application Software Security\",\"datePublished\":\"2011-07-19T01:19:00+00:00\",\"dateModified\":\"2011-07-19T01:19:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/securityeverafter.com\/control-7-application-software-security\/\"},\"wordCount\":364,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/securityeverafter.com\/#organization\"},\"articleSection\":[\"Operational Security\",\"SANS Top 20 Controls\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/securityeverafter.com\/control-7-application-software-security\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/securityeverafter.com\/control-7-application-software-security\/\",\"url\":\"https:\/\/securityeverafter.com\/control-7-application-software-security\/\",\"name\":\"Control 7: Application Software Security - Security Ever After - vCISO\",\"isPartOf\":{\"@id\":\"https:\/\/securityeverafter.com\/#website\"},\"datePublished\":\"2011-07-19T01:19:00+00:00\",\"dateModified\":\"2011-07-19T01:19:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/securityeverafter.com\/control-7-application-software-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/securityeverafter.com\/control-7-application-software-security\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/securityeverafter.com\/control-7-application-software-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/securityeverafter.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Control 7: Application Software Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/securityeverafter.com\/#website\",\"url\":\"https:\/\/securityeverafter.com\/\",\"name\":\"Security Ever After - CISO\",\"description\":\"vCISO\",\"publisher\":{\"@id\":\"https:\/\/securityeverafter.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/securityeverafter.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/securityeverafter.com\/#organization\",\"name\":\"Security Ever After\",\"url\":\"https:\/\/securityeverafter.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1\",\"width\":1169,\"height\":826,\"caption\":\"Security Ever After\"},\"image\":{\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/russelleubanks\",\"https:\/\/www.linkedin.com\/in\/russelleubanks\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3\",\"name\":\"Russell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg\",\"caption\":\"Russell\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Control 7: Application Software Security - Security Ever After - vCISO","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/securityeverafter.com\/control-7-application-software-security\/","og_locale":"en_US","og_type":"article","og_title":"Control 7: Application Software Security - Security Ever After - vCISO","og_description":"Attacks against applications are certainly a growing threat to organizations. Some argue that as system administrators are much better at configuring and patching their systems, the application is the next logical target of attack. What can be done at little to no cost to help prevent these threats to your environment? Glad you asked. Teach [&hellip;]","og_url":"https:\/\/securityeverafter.com\/control-7-application-software-security\/","og_site_name":"Security Ever After - vCISO","article_published_time":"2011-07-19T01:19:00+00:00","author":"Russell","twitter_card":"summary_large_image","twitter_creator":"@russelleubanks","twitter_site":"@russelleubanks","twitter_misc":{"Written by":"Russell","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/securityeverafter.com\/control-7-application-software-security\/#article","isPartOf":{"@id":"https:\/\/securityeverafter.com\/control-7-application-software-security\/"},"author":{"name":"Russell","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3"},"headline":"Control 7: Application Software Security","datePublished":"2011-07-19T01:19:00+00:00","dateModified":"2011-07-19T01:19:00+00:00","mainEntityOfPage":{"@id":"https:\/\/securityeverafter.com\/control-7-application-software-security\/"},"wordCount":364,"commentCount":0,"publisher":{"@id":"https:\/\/securityeverafter.com\/#organization"},"articleSection":["Operational Security","SANS Top 20 Controls"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/securityeverafter.com\/control-7-application-software-security\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/securityeverafter.com\/control-7-application-software-security\/","url":"https:\/\/securityeverafter.com\/control-7-application-software-security\/","name":"Control 7: Application Software Security - Security Ever After - vCISO","isPartOf":{"@id":"https:\/\/securityeverafter.com\/#website"},"datePublished":"2011-07-19T01:19:00+00:00","dateModified":"2011-07-19T01:19:00+00:00","breadcrumb":{"@id":"https:\/\/securityeverafter.com\/control-7-application-software-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/securityeverafter.com\/control-7-application-software-security\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/securityeverafter.com\/control-7-application-software-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/securityeverafter.com\/"},{"@type":"ListItem","position":2,"name":"Control 7: Application Software Security"}]},{"@type":"WebSite","@id":"https:\/\/securityeverafter.com\/#website","url":"https:\/\/securityeverafter.com\/","name":"Security Ever After - CISO","description":"vCISO","publisher":{"@id":"https:\/\/securityeverafter.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/securityeverafter.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/securityeverafter.com\/#organization","name":"Security Ever After","url":"https:\/\/securityeverafter.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1","contentUrl":"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1","width":1169,"height":826,"caption":"Security Ever After"},"image":{"@id":"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/russelleubanks","https:\/\/www.linkedin.com\/in\/russelleubanks\/"]},{"@type":"Person","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3","name":"Russell","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg","caption":"Russell"}}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts\/200"}],"collection":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/comments?post=200"}],"version-history":[{"count":0,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts\/200\/revisions"}],"wp:attachment":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/media?parent=200"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/categories?post=200"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/tags?post=200"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}