Trends & Vision Newsletter

EDITORIAL: THE GROWING NEED FOR INSIDE-OUT SECURITY

Cyber-security is making headlines. Recently, Dennis C. Blair, director of the US National Intelligence Agency, said, "Malicious cyber activity is occurring on an unprecedented scale with extraordinary sophistication."

According to a September 2009 report by PAC and ITSMA, the top technological priorities of IT leaders have to do with protecting data (backup, archive, disaster recovery) and securing IT, leaving behind the hyped themes like cloud computing, or ever-popular topics like ERP or BI.

As a multi-layered effort, information security relies on a wide diversity of initiatives. Application security, we argue, lies at the center of it all, and therefore requires a well-orchestrated program to avoid information security breaches.

In this edition we share our experiences in our quest for more secure applications. We begin with a primer by General Electric’s Application Security leader, detailing lessons learned after years of maturing a large-scale and multi-industry application security program, followed by an article by OWASP Chair Jeff Williams.

Hope you find these resources interesting and useful!

Alex Camino
Softtek VP of Marketing & Communications
acamino@softtek.com


FROM THE TRENCHES

CREATING AND MANAGING A LARGE ENTERPRISE SOFTWARE SECURITY PROGRAM

By Darren Challey, General Electric

Running a Software Security Program for a large enterprise is largely a thankless task. Building security into products (rather than painting or bolting it on at the end) is not a core competency, and the concepts of securely developing software are not taught broadly enough (yet) in academia.

This white paper discusses the challenges we faced in creating and managing a large enterprise software security program, in hopes that what we have learned might be applicable in your organization.

Download White Paper | On Demand Webinar

EXPERT CORNER

“THREE MOST UNDERRATED WEB FLAWS”


By Jeff Williams, Aspect Security CEO and Chair of OWASP

For years, we’ve known about SQL injection and Cross-Site Scripting (XSS), but the attackers haven’t stopped innovating. More recently, attackers have started exploring the following common vulnerabilities:

Cross-Site Request Forgery (CSRF)

Do your forms and links contain an unpredictable token? If not, hackers can attack anyone who is currently logged into your site by luring them to a malicious website.

Read more

Direct Object References

Do your web pages refer to server-side data using an “ID” that is actually the name of a file, a database key, or part of a URL? You must always verify the user is authorized for the target object.

Read more

Click-jacking

Can your pages be framed? If so, an attacker can create an invisible frame containing your site, and hover it over another web page.

Read more

Eliminating these problems requires some dedication, but many organizations are well underway in systematically stamping these problems out. For information on these and other critical web application security risks, please see the recently released OWASP Top 10 for 2010.

RESOURCES FOR EFFECTIVE APPLICATION SECURITY PROGRAMS

WHITE PAPER

Preparing a Strategy for Application Vulnerability Detection
By Juan Carlos Calderon

Where should application security testing start? Which applications are most critical? What kind of testing should be used? Find the answers in this White Paper.

Download (IN)SECURE Magazine Version (page 28)

WHITE PAPER

Measuring Progress in Application Security: Six Key Conditions for Metrics-Driven Programs
By Leonel Navarro

A proven path for turning security data points into reliable, accurate and actionable information, company-wide.

Download

UPCOMING WEBINAR

General Electric Shares Experience: Metrics-driven AppSec Program (Mar 25 @ 1:30pm ET)
Featuring Ben Miron, Software Security Leader, GE
Register now

UPCOMING WEBINAR

Using Metrics to Drive Performance and Executive Visibility (Apr 14 @ 1:30pm ET)
Featuring Khalid Kark, VP and Principal Analyst, Forrester Research Inc.
Register Now


REFERENCE

The OWASP Top 10: 2010 Edition

Sponsored by Softtek, and first released in 2003, the list’s goal is to raise awareness of the importance of application security. The new 2010 edition of the “OWASP Top 10” brings visibility not just to the most common vulnerabilities, but also to the “top 10 risks” organizations face while running web applications.

Download


FEATURED REPORT

Emerging Market Suppliers: A Valuable Leverage for Risk Diversification

Everest Research Institute, Dec. 2009

A new global sourcing paradigm is emerging, and is creating additional push for creating a truly global delivery network. This new paradigm is creating further impetus for expanding the delivery footprint beyond the traditionally favored offshore destination – India.

Download


NOTEWORTHY

FEATURED ARTICLES AND PRESS RELEASES

Softtek’s Agustin de la Maza to Keynote at Carnegie Mellon’s SEI SEPG North America 2010 (SEI) – More | Softtek PR

Softtek and CPM Braxis Take Market Share from Top Indian Firms (Nearshore Americas) – More

Softtek featured in HSBC’s ‘The World of Business’ TV ad series (HSBC) – More

Softtek Ranked as Super Company for Launching Young Careers – Softtek PR


About Softtek:
Founded in 1982, Softtek is a global provider of IT and business process solutions with close to 6,000 associates across 30 offices in North America, Latin America, Europe and Asia. With nine Global Delivery Centers in Mexico, China, Brazil, Argentina and Spain, Softtek provides in-depth, high-quality and cost-effective solutions to top-tier corporations in over 20 countries through on-site, on-shore and its trademarked Global Nearshore™ service delivery models. Creator and leader of the Near Shore® Industry, Softtek is the largest private IT service provider in Latin America. For more information, visit softtek.com.