Optiv Blog

Quick Tips for Building an Effective AppSec Program – Part 3

· By Shawn Asmus ·

This is the last post in my series on creating an effective AppSec program within your organization. In my last post, we discussed the importance of toolchains, defect tracking, and establishing vulnerability management processes to help your AppSec and development teams stay on top of remediation efforts in an efficient and programmatic way. In this post, we’ll spend some time exploring how to enable the various stakeholders across the organization, how to measure the effectiveness of your AppSec program, the importance of a knowledge management system, and application runtime protection. So let’s get started.


Phishing - The Rest of the Story

· By Ken Dunham ·

Receiving an email lure designed to trick you into clicking a phishing link and then logging into a fake website has become a common threat. In this blog we look at how to dive deeper into the threat and move from reactive to proactive. These tactics help a company zoom in on the specific threats that are common or repeated against it, from both opportunistic and targeted attacks.


Transforming Logs and Alerts into Actionable Intelligence with UEBA Functionality

· By Jacob Bolm, Woodrow Brown ·

For information security practitioners, the stored value in security data can reduce both costs and risk. The progression of the treatment of log data is a testament to the recognition of this value. Computer logging facilities began as a first-in-first-out (FIFO) rolling buffer with a finite capacity. Organizations then moved to log management programs where log data was aggregated and stored. Next, Security Information and Event Management (SIEM) systems were put in place. Today, User and Entity Behavior Analytics (UEBA) solutions are at the forefront of unlocking the value of data and a growing number of companies are turning to UEBA to help solve their security challenges.


Dear Board of Directors, It’s Time to Do the Right Thing and Elevate IAM

· By Mitch Powers ·

I talk with IT executives regularly and have noticed a trend across industries that is concerning. While the threat of a data breach looms large on the horizon, IT leaders consistently appear to address the threat with a "wall building" focus. Certainly, protecting resources from unlawful entry is necessary and valuable, but what about the threat from within?


Observations on Smoke Tests – Part 3

· By Raina Chen ·

While attending one of our technology partner’s security training courses, the instructor presented on their product’s various features and capabilities. Some of the discussion centered around application and vulnerability management. As a consultant who mainly focuses on security testing, these features seemed rather useless to me. The importance of application vulnerability management was not revealed until I gained career experience with larger, global enterprise clients.


Getting Started with Postman for API Security Testing: Part 1

· By Rushyendra Reddy Induri ·

Postman is a tool used by many developers to document, test and interact with Application Programming Interfaces (APIs). With the ubiquity of APIs in mobile, web and other applications, Postman can be a useful tool for a security tester or developer to evaluate the security posture of an API. Part 1 of this blog series provides the basics of using Postman, explaining its main components and features.


Quick Tips for Building an Effective AppSec Program – Part 2

· By Shawn Asmus ·

In my last blog post, I talked about what an application security (AppSec) program is and how an organization would go about building a formal program to secure their internally-developed applications, as well as third-party applications they have or will be deploying. I touched on the importance of creating an application catalog, aligning with one of several industry AppSec frameworks, and having a solid understanding of your application architecture, that, together, can form the necessary foundation for a formal program.


Thoughts on Breach of Trust vs. a Breach of Security

· By Peter Gregory, James Robinson ·

General thought: A breach of trust is different from a breach of security. Trust and security, while related, are very different from each other. In recent years, we have seen information security continue to be defined by strong frameworks, guidelines, and support from regulators to security offices, while the concept of “trust” has only just begun to emerge. Over the same period we have seen Offices of Trust being defined in companies, with the role of Chief Trust Officer.


Five Application Security Best Practices for Serverless Applications

· By Kat Cummings ·

Serverless architecture enables applications to be developed and deployed without management of the underlying host or operating system. Instead of a traditional host, serverless applications run on abstract serverless platforms managed by cloud providers. This architecture offers advantages over other architectures, such as scalability, but it also has its own unique security risks. The following best practices will help ensure these applications are properly secured.


Customization of IAM Solutions: Risks of Having it Your Way

· By Dusty Anderson ·

Forty years ago Burger King launched a revolution in customization, declaring that it could give you the power to create your perfect burger combo: made to order, fresh, fast and at no extra cost. The slogan “Have it Your Way” (since replaced by “Be Your Way”) has done more than shape our drive-thru satisfaction; it has become a way of applying customization to anything and everything.
