Application Security

Overview
Security needs to be designed into every application. Application security is most effective when it is planned and implemented throughout the application's development lifecycle. This practice is usually called a secure SDLC (secure software development lifecycle) or SDL (security development lifecycle); its aim is to produce code that meets defined security requirements at each phase rather than bolting controls on at the end. Vulnerabilities should be found and fixed before release to production or to customers. Because web applications are typically exposed to the public internet, an insecure application is one of the easiest routes for an attacker into an organization.

Guidelines
Application security, including a secure SDLC, involves many processes and control tests to ensure code is secure. Examples include input controls (e.g. validation of values, field lengths and data types before the input is used), output controls (e.g. accuracy and completeness of returned information, and encoding of data before it is written into HTML or other interpreters) and processing controls (e.g. valid transactions, audit-trail mechanisms). Threats and vulnerabilities that affect application security include SQL injection, buffer overflows, cross-site scripting, malware, covert channels, mobile code and object reuse, to name a few.
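The input and output controls above, as an added example that is not part of the original page: a deliberately vulnerable SQL lookup beside its parameterised form, a username validator (the allowed character set and length limit are assumptions for the example), and HTML output encoding. The users table and the injection payload used below are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed sample data for the example (not from the page).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]
MAX_USERNAME_LEN = 32  # assumed field-length limit


def make_db():
    """Create an in-memory SQLite database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: untrusted input is concatenated into the SQL
    text, so a quote character in the input changes the statement's structure."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL, so the
    database treats it as data no matter what characters it contains."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def is_valid_username(username):
    """Input control: type, length and character-set checks applied before the
    value is used anywhere. The allowed set is an assumption for the example."""
    if not isinstance(username, str):
        return False
    if not 1 <= len(username) <= MAX_USERNAME_LEN:
        return False
    return all(c.isascii() and (c.isalnum() or c in "._-") for c in username)


def render_profile(username):
    """Output control: HTML-escape untrusted data before writing it into a page,
    which turns a cross-site scripting payload into inert text."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))  # every row comes back
    print("safe:      ", lookup_safe(db, payload))        # no row has that literal name
    print("valid?     ", is_valid_username(payload))      # rejected before it reaches SQL
    print(render_profile("<script>alert(1)</script>"))
```

The validator rejects the payload outright, but the parameterised query is the control that matters: validation is a defence in depth, and any value that does reach the database must be passed as a bound parameter, never spliced into the statement.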

Organizations should implement application vulnerability scanning tools and code review processes that detect vulnerabilities at every stage of the SDLC, and apply them to commercial off-the-shelf (COTS) applications as well. It is also good practice to engage a reputable application security firm to run a penetration test before a web application is exposed to the internet, and periodically thereafter. This is especially important for public-facing web applications and for applications that handle sensitive customer or personal information.

Applications should also meet the classic security goals: confidentiality (who can view the data?), integrity (can the data be changed without authorization?) and availability (is the data available when customers need it?).

Confidentiality: Applications should use strong, standard cryptography so that data can be accessed only by authorized parties. Examples include AES-256 for data at rest and TLS (or SSH) to protect data in transit end to end; SSL is obsolete and should not be offered. Passwords must never be stored with reversible encryption or with a plain fast hash such as SHA-2; they should be stored with a salted, deliberately slow password-hashing function (Argon2, bcrypt, scrypt or PBKDF2) so that a leaked credential database cannot be brute-forced cheaply. Passwords used to authenticate to an application should be at least 12 characters long. Length and screening against known-breached passwords do more than composition rules (requiring a digit, upper- and lower-case letters and a symbol), which NIST SP 800-63B no longer recommends mandating.
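Password storage as described above, as an added example that is not part of the original page: an unsalted SHA-256 (what "SHA-2 password encryption" usually means in practice) beside a salted, iterated PBKDF2-HMAC-SHA256 using only the standard library, a constant-time verifier, and a length-plus-breached-list policy check. The iteration count, the stored-record format and the tiny breached-password list are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed parameters for the example: a PBKDF2 work factor in the range OWASP
# recommends for PBKDF2-HMAC-SHA256, and the minimum length from the guideline above.
PBKDF2_ITERATIONS = 600_000
MIN_PASSWORD_LEN = 12

# Constructed stand-in for a breached-password list; a real deployment screens
# against a large corpus (for example a Have I Been Pwned export).
BREACHED_PASSWORDS = {"password12345", "123456789012", "qwertyuiop12"}


def fast_hash(password):
    """One unsalted SHA-256. Deterministic (equal passwords give equal digests)
    and fast, so a leaked table falls to precomputed tables and GPU brute force."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh random salt per password
    defeats precomputation; the iteration count makes every guess cost the
    attacker as much as it costs the verifier. Record format is an assumption:
    scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time so the comparison itself leaks nothing about the digest."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_policy_ok(password):
    """Length plus breached-list screening: the checks NIST SP 800-63B puts
    ahead of character-composition rules."""
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in BREACHED_PASSWORDS


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("sha256 twice, identical:", fast_hash(pw) == fast_hash(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("pbkdf2 twice, different records:", a != b)
    print("verify ok:", verify_password(pw, a), "wrong pw:", verify_password(pw + "!", a))
    print("policy:", password_policy_ok(pw), password_policy_ok("Password12345"))
```

Tune the iteration count so one verification takes on the order of 100 ms on the server hardware, and store the count in the record (as above) so it can be raised later without invalidating existing credentials.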

Integrity: Monitoring for unauthorized changes is key to ensuring the integrity of data. DBMS audit logging, security information and event management (SIEM) systems, file and configuration integrity-checking software, and privileged access management tools are all good ways to alert application owners when a potential unauthorized change or other suspicious activity takes place. Unauthorized changes should be acted on promptly and rolled back to a known-good version where appropriate.

Availability: Applications should have fault-tolerance controls such as disk mirroring, failover systems and databases, load-balanced web servers and disaster recovery plans where appropriate. Sound change control procedures should govern changes to production systems and applications. Problem management and security monitoring processes should also be in place so that issues are documented and resolved in a timely manner.

If you would like to learn more about application security, we've included links to news articles, white papers and standards below.

News Articles
Google Chrome: HTTPS by default D-Day is tomorrow, folkswww.theregister.co.uk7/23/2018
Millions of Apps Leak Private User Data Via Leaky Ad SDKsthreatpost.com4/18/2018
The world’s most popular YouTube video has been hackedwww.welivesecurity.com4/10/2018
Popular Sonic the HedgeHog Apps at Risk of Leaking User Data to Unverified Serversthreatpost.com1/22/2018
Linus 'Linux' Torvalds gives security developers guidancewww.zdnet.com11/27/2017
Google: Chrome is backing away from public key pinning, and here's whywww.zdnet.com10/30/2017
Microsoft's new open source tool can scan your website for security and performance headacheswww.zdnet.com10/26/2017
Google to enforce HTTPS on TLDs it controlswww.helpnetsecurity.com10/4/2017
Equifax Sent Breach Victims to Fake Websitewww.securityweek.com9/21/2017
Equifax Announces Cybersecurity Incident Involving Consumer Informationwww.equifaxsecurity2017.com9/7/2017
VMWare releases AppDefense to protect enterprise virtual environmentswww.zdnet.com8/28/2017
Former DoD official recommends single overarching bug bounty program for all U.S. agencieswww.scmagazine.com7/29/2017
Tor Project Opens Bounty Program To All Researchersthreatpost.com7/20/2017
Facebook users pwnd by phone with account recovery vulnerabilitywww.theregister.co.uk7/17/2017
Ohio government websites defaced by pro-ISIS hackerswww.networkworld.com6/26/2017
It's time to upgrade to TLS 1.3 already, says CDN engineerwww.networkworld.com6/23/2017
Microsoft extends the Microsoft Edge Bounty Programwww.helpnetsecurity.com6/22/2017
Unprotected database exposes VINs, owner info of 10 million carswww.helpnetsecurity.com6/7/2017
Verizon Messages App Allowed XSS Attacks Over SMSwww.securityweek.com5/22/2017
WordPress announces bug bounty programwww.helpnetsecurity.com5/17/2017
Microsoft finally bans SHA-1 certificates in Internet Explorer and Edgewww.networkworld.com5/10/2017
DoD Launches "Hack the Air Force" Bug Bounty Programwww.securityweek.com4/27/2017
HipChat Implements Partial Password Reset Due to Security Incidentwww.tripwire.com4/25/2017
Android O no! Android O causes problems for mobile ransomware developerswww.symantec.com4/12/2017
20,000-bots-strong Sathurbot botnet grows by compromising WordPress siteswww.helpnetsecurity.com4/7/2017
Elite Chinese hackers target board directors at some of the world's largest firmswww.zdnet.com4/6/2017
Don’t pay for what is for free: Malicious Adobe Flash Player app found on Google Playwww.welivesecurity.com4/4/2017
Splunk Patches Information Theft and XSS Flawswww.securityweek.com4/3/2017
Fake SEO plugin backdoors WordPress installationswww.helpnetsecurity.com4/3/2017
Strange Mirai botnet brew blamed for powerful application layer attackwww.theregister.co.uk3/29/2017
Intel Launches Its First-Ever Bug Bounty Programwww.tripwire.com3/17/2017
Malicious uploads allowed hijacking of WhatsApp and Telegram accountswww.computerworld.com3/15/2017
Third-Party Twitter Service Hacked to Push Out Nazi-Themed Tweetswww.tripwire.com3/15/2017
Google’s CAPTCHA Service Now Goes Invisible for Human Userswww.tripwire.com3/9/2017
21% of websites still use insecure SHA-1 certificateswww.helpnetsecurity.com3/8/2017
WordPress 4.7.3 Patches Half-Dozen Vulnerabilitiesthreatpost.com3/7/2017
Google, Microsoft increase bug bountieswww.helpnetsecurity.com3/6/2017
Yahoo cookie-forging incident affected 32 million accountswww.helpnetsecurity.com3/2/2017
Slack bug paved the way for a hack that can steal user accesswww.computerworld.com3/2/2017
WordPress Plugin With 1 Million Installs Has Critical Flawwww.securityweek.com3/1/2017
Expanding protection for Chrome users on macOSsecurity.googleblog.com3/1/2017
Criminals Monetizing Attacks Against Unpatched WordPress Sitesthreatpost.com2/22/2017
Iraqi hacker took credit for hijacking subdomain and defacing Trump sitewww.networkworld.com2/20/2017
Lone hacker Rasputin breaches 60 universities, federal agencieswww.zdnet.com2/16/2017
Report: some small cities have surprisingly high number of exposed deviceswww.csoonline.com2/15/2017
Attackers target dozens of global banks with new malwarewww.symantec.com2/12/2017
Recent WordPress vulnerability used to deface 1.5 million pageswww.networkworld.com2/10/2017
Google plans purge of Play Store apps without privacy policieswww.zdnet.com2/9/2017
WordPress kept users and hackers in the dark while secretly fixingwww.helpnetsecurity.com2/2/2017
Google to Operate its Own Root CAthreatpost.com1/27/2017
WordPress Releases Security Update (4.7.2)wordpress.org1/26/2017
Firefox 51 starts flagging HTTP login pages as insecurewww.helpnetsecurity.com1/25/2017
Hack the Army Bounty Pays Out $100,000; 118 Flaws Fixedthreatpost.com1/20/2017
China clamps down on app stores in bid to curb malwarenakedsecurity.sophos.com1/19/2017
SHA-1 End Times Have Arrivedthreatpost.com1/18/2017
McDonald's Website Flaws Allow Phishing Attackswww.securityweek.com1/17/2017
WhatsApp vulnerability could expose messages to prying eyes, report claimswww.greenbot.com1/13/2017
Trojanized Photo App on Google Play Signs Up Users for Premium Servicessecuringtomorrow.mcafee.com1/13/2017
GoDaddy revokes digital certificates improperly validated due to bugwww.theregister.co.uk1/11/2017
Airport boarding gate display leaks booking codes, puts passenger data at riskwww.symantec.com1/10/2017
Website Malware Targets Mobile Platformsblog.sucuri.net1/2/2017
Session Stealer Script Used In OpenCartblog.sucuri.net12/29/2016
Critical flaw in PHPMailer library puts millions of websites at riskwww.computerworld.com12/28/2016
Cerber Ransomware Spread by Nemucod in Pseudo-Darkleech Campaignwww.tripwire.com12/27/2016
Apple gives iOS app developers more time to encrypt communicationswww.networkworld.com12/23/2016
Ticno trojan installs via Windows "save" dialog boxwww.scmagazine.com12/21/2016
Project Wycheproofsecurity.googleblog.com12/19/2016
‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Serverssecuringtomorrow.mcafee.com12/13/2016
Sony kills off secret backdoor in 80 internet-connected CCTV modelswww.theregister.co.uk12/6/2016
UPDATED: Magento One Page Checkout redirects to phishing pageswww.scmagazine.com11/28/2016
WordPress Plugins Leave Black Friday Shoppers Vulnerablethreatpost.com11/22/2016
Microsoft Cutting Off SHA-1 Support in February for Edge, IE 11threatpost.com11/22/2016
Hacker can backdoor your computer and router in 30 seconds with $5 PoisonTap devicewww.computerworld.com11/16/2016
NIST publishes massive report on IoT cybersecurity needswww.scmagazine.com11/15/2016
OAuth 2.0 Hack Exposes 1 Billion Mobile Apps to Account Hijackingthreatpost.com11/10/2016
Clever Gmail Hack Let Attackers Take Over Accountsthreatpost.com11/8/2016
Web security still outstandingly mediocre, experts reportwww.theregister.co.uk11/7/2016
Here’s to more HTTPS on the web!security.googleblog.com11/3/2016
Universal hijack hole turns DIY Wix blogs into botnetswww.theregister.co.uk11/3/2016
Student discovers security flaw in Virgin Media recruitment systemwww.scmagazine.com10/31/2016
One-quarter of UK police websites lack a secure connectionwww.theregister.co.uk10/11/2016
Increased Use of WMI for Environment Detection and Evasionwww.fireeye.com10/7/2016
Attackers Modifying Core WordPress Files to Redirect Visitors to Spamwww.tripwire.com10/6/2016
Web-Based Keylogger Used to Steal Credit Card Data from Popular Sitesthreatpost.com10/6/2016
Tesla introduces code signing to harden their cars’ securitywww.helpnetsecurity.com9/28/2016
Reshaping web defenses with strict Content Security Policysecurity.googleblog.com9/26/2016
Meet MailSniper, a tool to search Microsoft Exchange emails for sensitive infowww.networkworld.com9/26/2016
Student cybervandal earns $300,000 for hacking US Airlinesnakedsecurity.sophos.com9/20/2016
Flaw Allowed Hackers to Hijack Facebook Pageswww.securityweek.com9/20/2016
ICS-CERT warns of remotely exploitable power meter flawswww.helpnetsecurity.com9/16/2016
Android apps based on Adobe AIR SDK send out unencrypted datawww.helpnetsecurity.com9/15/2016
Critical MySQL Vulnerability Disclosedthreatpost.com9/12/2016
Moving towards a more secure websecurity.googleblog.com9/8/2016
Yelp Launches Public Bug Bountythreatpost.com9/6/2016
40 apps containing DressCode malware family found on Google Playwww.scmagazine.com9/5/2016
Microsoft bug bounty program adds .NET Core and ASP.NET Corewww.computerworld.com9/2/2016
Mozilla launches free website security scanning servicewww.computerworld.com8/26/2016
Imperva: Application layer DDoS attacks are on the rise.www.networkworld.com8/23/2016
SQL Injection Vulnerability in Ninja Formsblog.sucuri.net8/16/2016
Apple Announces Bug Bounty Program with Maximum Reward of $200Kwww.tripwire.com8/5/2016
Adding YouTube and Calendar to the HTTPS Transparency Reportsecurity.googleblog.com8/1/2016
Hackers Can Intercept HTTPS URLs via Proxy Attackswww.securityweek.com7/29/2016
Another media-stealing app found on Google Playwww.symantec.com7/27/2016
Amazon Silk browser ignored SSL searches, failing to protect your privacywww.zdnet.com7/25/2016
Compromised Joomla sites are foisting ransomware on visitorswww.helpnetsecurity.com7/18/2016
Flaw in vBulletin add-on leads to Ubuntu Forums database breachwww.networkworld.com7/18/2016
Chrysler Launches Detroit’s First ‘Bug Bounty’ for Hackerswww.wired.com7/13/2016
Two Zero-Day Vulnerabilities Found in BMW Web Applicationswww.tripwire.com7/8/2016
Phishers Abuse Hosting Temporary URLsblog.sucuri.net6/7/2016
Jetpack plug-in for WordPress vulnerable to XSSwww.scmagazine.com6/1/2016
Security Advisory: Stored XSS in Jetpackblog.sucuri.net5/27/2016
OWASP set to address API security riskswww.helpnetsecurity.com5/23/2016
Flaws Allowed Hackers to Brute-Force Instagram Accountswww.securityweek.com5/20/2016
Google to block Flash by default on most sites for Chrome userswww.computerworld.com5/16/2016
GoDaddy Remediates Blind XSS Vulnerabilitywww.tripwire.com5/10/2016
Study: Apple, Android should better vet app stores, notify users of 'dead apps'www.scmagazine.com5/10/2016
Google denies email injection flaw can bypass filters and pwn userswww.scmagazine.com5/4/2016
Microsoft to begin SHA-1 crypto shutoff with Windows 10's summer upgradewww.computerworld.com5/2/2016
Improvements to Safe Browsing Alerts for Network Administratorssecurity.googleblog.com4/6/2016
New Ransomware KimcilWare Targets Magento Websitesthreatpost.com4/1/2016
Beware: the password testing tool that saved and shared your passwordsnakedsecurity.sophos.com3/31/2016
Certificate Transparency for Untrusted CAssecurity.googleblog.com3/21/2016
Microsoft adds OneDrive to bug bounty programwww.theregister.co.uk3/20/2016
Symantec partners with hosting providers to offer free TLS certificates to website ownerswww.networkworld.com3/15/2016
Project issues 1 million free digital certificates in three monthswww.computerworld.com3/9/2016
CTB Locker ransomware now also encrypts websiteswww.helpnetsecurity.com2/29/2016
Google lays bare security flaws in anti-malware product with 250 million userswww.zdnet.com2/3/2016
Massive Admedia/Adverting iFrame Infectionblog.sucuri.net2/1/2016
Magento plugs XSS holes that can lead to e-store hijacking, patch immediately!www.net-security.org1/25/2016
GM Vulnerability Disclosure Program Lacks Rewardsthreatpost.com1/11/2016
Joomla! New Version Fixes Security Flawswww.scmagazine.com12/23/2015
Facebook switches to HTML5 for all video instead of Flashwww.zdnet.com12/21/2015
Proactive measures in digital certificate securitygoogleonlinesecurity.blogspot.com12/11/2015
Baidu Android app component puts 100 million devices at riskwww.computerworld.com11/2/2015
Hackers infect MySQL servers with malware for DDoS attackswww.computerworld.com10/29/2015
Zero-Day in Magento plug-in could allow attacker to steal datawww.scmagazine.com10/14/2015
Fraudsters exploit weak SSL certificate security to set up hundreds of phishing siteswww.scmagazine.com10/13/2015
Apple excommunicates adblockers that could access users' private datnakedsecurity.sophos.com10/12/2015
Security advisory: Stored XSS in Jetpackblog.sucuri.net10/1/2015
Apple tells devs to validate Xcode after App Store malware breachwww.zdnet.com9/23/2015
Chinese ad firm pwns Android users, creates hijackable global botnetwww.theregister.co.uk9/23/2015
D-Link Accidentally Leaks Private Code-Signing Keysthreatpost.com9/18/2015
Let's Encrypt issues its first open source certificatewww.scmagazine.com9/17/2015
Applock riddled with security holes, researcher claimswww.zdnet.com9/2/2015
Another Popular Android Application, Another Leakwww.fireeye.com8/19/2015
XSS flaw put Salesforce accounts at risk of hijackingwww.tripwire.com8/13/2015
Hackers Exploit ‘Flash’ Vulnerability in Yahoo Adsbits.blogs.nytimes.com8/3/2015
Apple Patches ‘High’ Input Validation Vulnerability in iTunes, App Storewww.tripwire.com7/29/2015
Researcher finds several vulnerabilities in PHP File Managerwww.scmagazine.com7/28/2015
Google, the Wassenaar Arrangement, and vulnerability researchgoogleonlinesecurity.blogspot.com7/20/2015
Static Encryption Key Found in SAP HANA Databasethreatpost.com6/19/2015
Announcing Security Rewards for Androidgoogleonlinesecurity.blogspot.com6/16/2015
Uber petition site pulled after hacker redirected visitors to rivalnakedsecurity.sophos.com6/15/2015
OpenSSL patches and releases new versionswww.scmagazine.com6/12/2015
US to require HTTPS for all government websiteswww.computerworld.com6/9/2015
Fail: SourceForge under fire (again) for alleged shady practiceswww.computerworld.com6/4/2015
Majority of websites have serious vulnerabilitieswww.computerworld.com5/29/2015
Logjam security flaw leaves top HTTPS websites, mail servers vulnerablewww.zdnet.com5/20/2015
Address Bar Spoofing Bugs Found in Safari, Chrome for Androidwww.securityweek.com5/19/2015
Google cripples all Chrome add-ons from outside its app storewww.computerworld.com5/15/2015
Microsoft Security Advisory 3042058: Update to Default Cipher Suite Priority Ordertechnet.microsoft.com5/12/2015
WordPress 4.2.2 Security and Maintenance Releasewordpress.org5/7/2015
Thousands of iOS apps left open to snooping thanks to SSL bugwww.zdnet.com4/27/2015
WordPress Flaw Allows Arbitrary Code Execution via Comments: Researcherwww.securityweek.com4/27/2015
Ads Take a Step Towards “HTTPS Everywhere”googleonlinesecurity.blogspot.com4/17/2015
Dropbox launches HackerOne bug bounty programwww.zdnet.com4/16/2015
Google sticks anti-SQL injection vaccine into MySQL MariaDB forkwww.theregister.co.uk4/9/2015
Android Installer Hijacking Bug Used as Lure for Malwareblog.trendmicro.com4/6/2015
Mozilla piles on China's SSL cert overlord: We don't trust you eitherwww.theregister.co.uk4/2/2015
Wider use of HTTPS could have protected GitHubwww.computerworld.com4/1/2015
Out with unwanted ad injectorsgoogleonlinesecurity.blogspot.com3/31/2015
PCI Council updates penetration testing guidance for merchantswww.scmagazine.com3/30/2015
Puush urges users to change passwords after cyber attackwww.scmagazine.com3/30/2015
Virgin Media takes its time on website crypto upgradewww.theregister.co.uk3/30/2015
Bitcoin exchange Cryptoine hackedwww.zdnet.com3/26/2015
Instagram API Bug Could Allow Malicious File Downloadsthreatpost.com3/24/2015
Cross-Site Scripting Vulnerability Discovered In WordPress Photo Gallery Pluginblog.fortinet.com3/20/2015
DeepCode tool detects software flaws before releasewww.zdnet.com3/18/2015
Microsoft scrambles to kill Live.fi man-in-the-middle diddlewww.theregister.co.uk3/17/2015
Cryptography Services launches security audit for OpenSSLwww.scmagazine.com3/13/2015
WPML Security Update, Bug and Fixwpml.org3/11/2015
Facebook Users Open to Attack Via Several Security Bugsthreatpost.com3/11/2015
‘Podec’ Trojan Bypasses CAPTCHA on Android Phoneswww.tripwire.com3/11/2015
Zero-Day Vulnerability Found in MongoDB Administration Tool phpMoAdminblog.trendmicro.com3/6/2015
Pwnium V: the never-ending* Pwniumgoogleonlinesecurity.blogspot.com2/24/2015
Using Google Cloud Platform for Security Scanninggoogleonlinesecurity.blogspot.com2/19/2015
Feedback and data-driven updates to Google’s disclosure policygoogleonlinesecurity.blogspot.ro2/13/2015
Dating apps pose US corporate security risk, says IBMwww.cnbc.com2/11/2015
Netflix airs its developers' Dirty Laundrywww.theregister.co.uk2/9/2015
Senate Report Slams Automakers for Leaving Cars Vulnerable to Hackerswww.wired.com2/9/2015
Android Malware Poses as Games on Google Play Store, Infects Millions of Userswww.tripwire.com2/4/2015
Google Trades Technicality for Brevity With New #SSL Warningthreatpost.com2/3/2015
NFL Mobile App Leaks Unencrypted Credentialsthreatpost.com1/28/2015
Gogo in-flight WiFi service serves fliers fake Google certswww.net-security.org1/6/2015
Half of UK financial institutions vulnerable to well-known crypto flawswww.theregister.co.uk1/5/2015
Delta Airlines flaw lets others access your boarding passnakedsecurity.sophos.com12/17/2014
Google Can Now Tell You’re Not a Robot With Just One Clickwww.wired.com12/3/2014
Ready, aim, fire: an open-source tool to test web security scannersgoogleonlinesecurity.blogspot.com11/18/2014
Introducing nogotofail—a network traffic security testing toolgoogleonlinesecurity.blogspot.com11/4/2014
Drupal SQL injection nasty leaves sites 'wide open' to attackwww.theregister.co.uk10/16/2014
Retail applications hit hardest, Web Application Attack Report indicateswww.scmagazine.com10/9/2014
Microsoft Starts Online Services Bug Bountythreatpost.com9/23/2014
Gartner: 75 percent of mobile apps will fail security tests through end of 2015www.scmagazine.com9/18/2014
An Alliance of Major Players to Guide Open-Source Softwarebits.blogs.nytimes.com9/15/2014
Hacked Brazilian Newspaper Site Targets Router DNS Settingsthreatpost.com9/12/2014
FBI’s Story of Finding Silk Road’s Server Sounds a Lot Like Hackingwww.wired.com9/8/2014
HealthCare.gov breached, injected with malwarenakedsecurity.sophos.com9/8/2014
Researchers discover two SQL injection flaws in WordPress security pluginwww.scmagazine.com9/4/2014
Twitter swaps kudos for cash with launch of bug bounty security programwww.zdnet.com9/4/2014
Feds warn first responders of dangerous hacking tool: Google Searcharstechnica.com8/27/2014
Google to Prioritise Secure Websiteswww.bbc.com8/7/2014
Critical Android FakeID Bug Allows Attackers to Impersonate Trusted Appsthreatpost.com7/29/2014
Hackers Find Way to Outwit Tough Security at Banking Sitesbits.blogs.nytimes.com7/22/2014
Third-Party Software Library Risks to be Scrutinized at Black Hatthreatpost.com7/22/2014
Emergency vBulletin patch fixes SQL injection vulnerabilitywww.computerworld.com7/17/2014
Meet ‘Project Zero,’ Google’s Secret Team of Bug-Hunting Hackerswww.wired.com7/15/2014
Critical flaw in WordPress newsletter plug-in endangers many blogswww.computerworld.com7/2/2014
Ad network compromise leads to rogue page redirects on Reuters sitewww.computerworld.com6/23/2014
Heartbleed still a threat: Over 300,000 servers remain exposedwww.cnet.com6/23/2014
Sealed with an XSS: How I gave TweetDeck a heart attack - teen comp sci boff Firowww.theregister.co.uk6/12/2014
WordPress Promises SSL on All Domains by End of 2014threatpost.com6/6/2014
Spotify Android Application at Issue in Breachthreatpost.com5/27/2014
Facebook Takes Tougher Stand Against BREACH Attackthreatpost.com5/19/2014
After PCI DSS issues, LifeLock removes Wall mobile appwww.scmagazine.com5/19/2014
Microsoft continues RC4 encryption phase-out plan with .NET security updateswww.computerworld.com5/14/2014
Urgent Security Update Regarding Your Bitly Accountblog.bitly.com5/9/2014
SHA-2 takes off, thanks to Heartbleedwww.zdnet.com5/6/2014
Bug Bounties Expanding to Individual Developersthreatpost.com5/1/2014
Google Adding Security Checks to Non-OAuth 2.0 Compliant Appsthreatpost.com4/24/2014
Heartburn from Heartbleed forces wide-ranging rethink in open source worldwww.cnet.com4/24/2014
Heartbleed Saga Escalates With Real Attacks, Stolen Private Keysthreatpost.com4/14/2014
Did open source matter for Heartbleed?www.zdnet.com4/14/2014
Heartbleed coder admits 'oversight' but backs open sourcewww.cnet.com4/11/2014
Heartbleed: What programs are 'critical infrastructure'?www.zdnet.com4/9/2014
SSL Bug Threatens Secure Communicationssecuritywatch.pcmag.com4/8/2014
Smarten Up! Everyone Needs to Think About Android Securitysecuritywatch.pcmag.com4/4/2014
Researcher lights fire under Tesla securitywww.theregister.co.uk4/1/2014
WordPress tops for blogging and malware distributionwww.zdnet.com3/25/2014
Hackers transform EA Web page into Apple ID phishing schemenews.cnet.com3/19/2014
THOUSANDS of Tesco.com logins and passwords leaked onlinewww.theregister.co.uk2/14/2014
Syrian Electronic Army hacks Forbes, steals user datanews.cnet.com2/14/2014
Record-breaking DDoS attack in Europe hit 400 Gbpsnews.cnet.com2/11/2014
MS update coming to block MD5 digital certificateswww.zdnet.com2/11/2014
Snapchat bug lets hackers aim DENIAL of SERVICE attacks at YOUR MOBEwww.theregister.co.uk2/10/2014
Hacktivists dish out DNS hijack to PayPal, eBaywww.theregister.co.uk2/3/2014
Hackers access 800,000 Orange customers' datawww.zdnet.com2/3/2014
DailyMotion Still Infected, Serving Fake AV Malwarethreatpost.com1/31/2014
Engineer bypasses Snapchat's CAPTCHAs with fewer than 100 lines of codewww.scmagazine.com1/23/2014
Security researcher finds clues to malware in Target heistnews.cnet.com1/15/2014
Starbucks App Stores User Information, Passwords in Clear Textthreatpost.com1/15/2014
Twitter enforces SSL encryption for apps connecting to its APIwww.zdnet.com1/14/2014
Yahoo says malware attack farther reaching than thoughtnews.cnet.com1/11/2014
Teen Reported to Police After Finding Security Hole in Websitewww.wired.com1/8/2014
Snapchat issues update in wake of 4.6 million user data breachwww.theregister.co.uk1/4/2014
Snapchat API has several vulnerabilities, researchers reportwww.scmagazine.com12/27/2013
Researchers publish Snapchat code allowing phone number matching after exploit disclosures ignoredwww.zdnet.com12/25/2013
Microsoft joins tech giants and FIDO in the fight for simpler, safer authenticationnakedsecurity.sophos.com12/16/2013
Microsoft Adds New Security Features to Accountsthreatpost.com12/10/2013
French Government Spoofs Google Certificatethreatpost.com12/9/2013
JPMorgan Chase admits network hack; 465,000 card users' data stolenwww.zdnet.com12/5/2013
Your browser may be up to date: But what about the PLUGINS?www.theregister.co.uk12/2/2013
Bitcoin developers offer $10,000 virtual bounty to fix mystery Mac bugwww.zdnet.com11/26/2013
Ruby on Rails CookieStore Vulnerability Plagues Prominent Websitesthreatpost.com11/26/2013
Hack-a-thon Finds 220 Bugs in Facebook, Google, Etsysecuritywatch.pcmag.com11/22/2013
Old JBoss vuln in the wild, needs patchingwww.theregister.co.uk11/19/2013
JBoss Attacks Up Since Exploit Code Disclosurethreatpost.com11/19/2013
Out with the old: Stronger certificates with Google Internet Authority G2googleonlinesecurity.blogspot.com11/18/2013
Mandatory HTTP 2.0 encryption proposal sparks hot debatewww.theregister.co.uk11/14/2013
Enterprise giant SAP's systems take a probe to the wobbly bits - reportwww.theregister.co.uk11/13/2013
Power Plants and Other Vital Systems Are Totally Exposed on the Internetwww.wired.com11/8/2013
Microsoft, Facebook unite for Internet Bug Bounty programnews.cnet.com11/7/2013
Twitter Fixes Bug that Enabled Takeover of Any Accountthreatpost.com11/6/2013
Following Controversy, Yahoo Officially Launches Bug Bounty Programthreatpost.com11/4/2013
Google Chrome to Automatically Block Malicious Downloadswww.zdnet.com11/1/2013
PHP.net resets passwords after malware flinging HACK FLAPwww.theregister.co.uk10/25/2013
Safari matches rivals with sandboxed Flash for better securitynews.cnet.com10/24/2013
Google Malaysia Site Hijackedthreatpost.com10/11/2013
Google to Pay Rewards For Patches to Open Source Projectsthreatpost.com10/10/2013
Researcher Takes Home $100k Prize From Microsoft For New Attackthreatpost.com10/8/2013
Researchers Nab $28k in Microsoft Bug Bounty Programthreatpost.com10/7/2013
Yahoo changes bug bounty policy following 't-shirt gate'www.zdnet.com10/3/2013
Having a bug bounty doesn't mean you take security seriouslywww.zdnet.com10/1/2013
Yahoo offers its first tepid bug bountynews.cnet.com9/30/2013
Cisco launches open-source tool for penetration testerswww.zdnet.com9/25/2013
Security Issue in Ruby on Rails Could Expose Cookiesthreatpost.com9/25/2013
Maryland state security sloppiness exposes personal datawww.zdnet.com9/17/2013
NASDAQ Fixes XSS 2 Weeks After Bug Reportedthreatpost.com9/17/2013
BlackBerry joins online authentication standards alliancewww.zdnet.com9/5/2013
FTC and TrendNet settle claim over hacked security camerasnews.cnet.com9/4/2013
Pinterest Closes Hole That Allowed Anyone to View Users’ Email Addressesthreatpost.com8/26/2013
Hackers target, 'deface' Google Palestine sitewww.zdnet.com8/26/2013
PayPal fixes critical account switcheroo bug after researcher tipoffwww.theregister.co.uk8/23/2013
Security Community Raises Money for Researcher Snubbed by Facebook Bounty Programwww.wired.com8/19/2013
Researcher posts Facebook bug report to Mark Zuckerberg's wallnews.cnet.com8/18/2013
Syrian Electronic Army Hacks Washington Postthreatpost.com8/15/2013
Google confirms Android flaw that led to Bitcoin theftnews.cnet.com8/14/2013
Google to quintuple some bug bountiesnews.cnet.com8/13/2013
Counter.php Found Redirecting to Sites Peddling Styx Exploit Kitthreatpost.com8/12/2013
Fort Disco Brute-Force Attack Campaign Targets CMS Websitesthreatpost.com8/7/2013
Step into the BREACH: New attack developed to read encrypted web datawww.theregister.co.uk8/2/2013
Facebook transitions to secure browsing by default for everyonewww.scmagazine.com8/1/2013
Canonical bares breach details as Apple continues security silencewww.zdnet.com7/31/2013
Mozilla, Blackberry Join Forces To Advance Peach Fuzzerthreatpost.com7/30/2013
Nasdaq hackers charged following 'largest known data theft in history'www.zdnet.com7/26/2013
PayPal opens bug bounty program to minorswww.computerworld.com7/25/2013
US Top Source of Web-Based Attacks; Retailers Heavily Targetedthreatpost.com7/24/2013
E-shopkeepers stabbed with SQL needles 'twice' as much as other siteswww.theregister.co.uk7/23/2013
Apple Developer Site Compromisedthreatpost.com7/22/2013
Researcher: Apple developer site hack? I meant no harmnews.cnet.com7/22/2013
Tumblr urges password reset after iPhone/iPad security lapsewww.zdnet.com7/17/2013
Amazon 1Button Browser Add-On Leaks Data in Plain Textthreatpost.com7/16/2013
Brute-Force Attack Leaks Data on 35,000 Konami Gamersthreatpost.com7/13/2013
IRS Exposes SSNs in Database of Public Tax Filingsthreatpost.com7/11/2013
Microsoft to Pay First Bug Bounty for IE 11threatpost.com7/11/2013
WellPoint takes $1.7 million hit over HIPAA slipwww.zdnet.com7/11/2013
Data of 50K Michigan residents compromised after website hackwww.scmagazine.com7/9/2013
Security firm claims 99 percent of Android apps open to takeoverwww.zdnet.com7/4/2013
More details emerge on extent of ticketing company breachwww.scmagazine.com7/4/2013
Several Flaws Discovered in ZRTPCPP Library Used in Secure Phone Appswww.computerworld.com6/30/2013
Google: Hacked sites far worse than attack sitesnews.cnet.com6/25/2013
Google Fortifies Chrome’s Web Store Vetting Processthreatpost.com6/24/2013
Common Web Vulnerabilities Plague Top WordPress Plug-Insthreatpost.com6/20/2013
Thousands of suspected crims, informants spilled all over web in IT gaffewww.theregister.co.uk6/19/2013
Microsoft Launches $100,000 Bug Bounty Programthreatpost.com6/19/2013
OWASP: The Best Web App Security Resource On The Internetblogs.mcafee.com6/19/2013
Hacking 101: Metasploit, cross-site scripting, and SQL injectionwww.zdnet.com6/4/2013
Rise in Red Kit Exploit Kit Activityresearch.zscaler.com6/1/2013
Google push for faster zero day fixes hits a wall: Other companiesnews.cnet.com5/31/2013
Google push for faster zero day fixes hits a wall: Other companiesnews.cnet.com5/31/2013
The Case for a Government Bug Bounty Program | threatpost.com | 5/31/2013
Drupal resets account passwords after detecting unauthorized access | www.computerworld.com | 5/29/2013
Google Advocates 7-Day Deadline to Publicize Critical Vulnerabilities | threatpost.com | 5/29/2013
Google to lengthen SSL encryption keys in August | www.computerworld.com | 5/24/2013
Citadel’s New Target – Payza’s Payment Platform | www.trusteer.com | 5/21/2013
Future Firefox takes tougher stance on mixed content | news.cnet.com | 5/17/2013
Google releases new 5 year Roadmap for Strong Authentication | goo.gl | 5/9/2013
Hacked DNS Servers Used in Linux/Cdorked Malware Campaign | threatpost.com | 5/8/2013
D.C. Media Sites Hacked, Serving Fake AV | threatpost.com | 5/7/2013
Nearly Nine in Ten Websites Contain One Serious Vulnerability | threatpost.com | 5/2/2013
Watering Hole Attack Claims US Department of Labor Website | threatpost.com | 5/1/2013
Apache attack drives traffic to malware | www.theregister.co.uk | 4/30/2013
Vulns, exploits, hacks: Trusteer touts tech to terminate troubles | www.theregister.co.uk | 4/24/2013
Hackers favor authentication-based attacks, report shows | www.zdnet.com | 4/24/2013
Google joins FIDO's crusade to replace passwords | news.cnet.com | 4/23/2013
WordPress attack highlights 30 million targets | www.zdnet.com | 4/19/2013
Chris Wysopal, Veracode: U.S. Government worst at data security | www.zdnet.com | 4/19/2013
Security certificate problem trips up Bing Web site | news.cnet.com | 4/19/2013
DevOps Integration Key to Avoiding Pre-Ordained Security Failures | threatpost.com | 4/16/2013
Brute Force Attacks Build WordPress Botnet | krebsonsecurity.com | 4/12/2013
Hack of college database jeopardizes sensitive data of 125k students | www.scmagazine.com | 4/11/2013
South Korea tightens online transaction security | www.zdnet.com | 4/9/2013
Skype, Dropbox Patch Critical Facebook Authentication Bugs | threatpost.com | 4/4/2013
Report: Among simple, yet effective web app attacks, cloud environments hit hardest | www.scmagazine.com | 3/26/2013
XSS Flaw in WordPress Plugin Allows Injection of Malicious Code | threatpost.com | 3/25/2013
Practicing safe DNS with Google | www.zdnet.com | 3/20/2013
Credit report breach has link to Zeus banking malware | www.computerworld.com | 3/18/2013
Researchers resurrect and improve CRIME attack against SSL | www.computerworld.com | 3/14/2013
Help Keep Threats at Bay With ‘Click-to-Play’ | krebsonsecurity.com | 3/11/2013
Black hat greed reducing software vulnerability report rate | www.theregister.co.uk | 2/26/2013
Hacking victim Bit9 blames SQL injection flaw | www.computerworld.com | 2/25/2013
Certificate Authorities to push for better certificate-revocation checking | www.computerworld.com | 2/14/2013
Lenovo, PayPal, launch post-password plan | www.theregister.co.uk | 2/13/2013
Google Play privacy SNAFU sends app buyers' details to devs | www.theregister.co.uk | 2/13/2013
Exploit Sat on LA Times Website for 6 Weeks | krebsonsecurity.com | 2/13/2013
Yahoo! Pushing Java Version Released in 2008 | krebsonsecurity.com | 2/11/2013
Critical cURL library flaw could expose many apps to hackers | www.computerworld.com | 2/8/2013
Researchers devise new attack techniques against SSL | www.computerworld.com | 2/5/2013
Safeguard your code: 17 security tips for developers | www.computerworld.com | 2/4/2013
FTC Endorses New Privacy Guidelines, Do Not Track for Mobile Apps, Devices | threatpost.com | 2/4/2013
Unlucky for you: UK crypto-duo 'crack' HTTPS in Lucky 13 attack | www.theregister.co.uk | 2/4/2013
Eight-month WordPress flaw responsible for Yahoo mail breach: Bitdefender | www.zdnet.com | 2/1/2013
Google Announces Pwnium 3, Ups Ante and Offers $3M+ in Rewards | threatpost.com | 1/28/2013
Twitter flaw gave private message access to third-party apps, researcher says | www.computerworld.com | 1/22/2013
College Student Expelled After Bringing Web Vulnerability to School's Attention | threatpost.com | 1/21/2013
Facebook, Yahoo Fix Valuable $ecurity Hole$ | krebsonsecurity.com | 1/9/2013
Global security breaches are now an 'epidemic': report | www.zdnet.com | 1/9/2013
Ruby on Rails patches more critical vulnerabilities | www.computerworld.com | 1/9/2013
Adobe warns of critical ColdFusion hole being exploited in the wild | www.zdnet.com | 1/8/2013
Ruby on Rails vulnerable to six year old flaw | www.zdnet.com | 1/8/2013
US Dept for Homeland Security shafted by trivial web bug | www.theregister.co.uk | 1/7/2013
Yahoo Mail XSS Vulnerability Could Affect Millions of Accounts | threatpost.com | 1/7/2013
Browser vendors block 'active attacks' using fraudulent digital cert | www.zdnet.com | 1/3/2013
Ruby on Rails has SQL injection vuln | www.theregister.co.uk | 1/3/2013
Changes to Mozilla Security Program Foster Open Source Security Tool Development | threatpost.com | 12/28/2012
Hacker, Verizon duel over customer record claims | www.zdnet.com | 12/22/2012
Apple shifts iTunes to HTTPS, sidesteps China’s censors | www.theregister.co.uk | 12/21/2012
Oracle Adds Ability to Prevent Java Apps From Running in Browsers | threatpost.com | 12/18/2012
Egyptian hacker claims to find Yahoo flaws | www.computerworld.com | 12/16/2012
ExploitHub admits 'embarrassing oversight' led to hack | www.computerworld.com | 12/11/2012
New Accounting System Hack Could Cause 'Mayhem' | threatpost.com | 12/7/2012
Rumble in the Tumblr: Troll-worm infected thousands of blogs | www.theregister.co.uk | 12/4/2012
Forget Disclosure Hackers Should Keep Security Holes to Themselves | www.wired.com | 11/29/2012
Companies House website security 'a bit of a mess' | www.theregister.co.uk | 11/28/2012
Researcher Finds Nearly Two Dozen SCADA Bugs in a Few Hours' Time | threatpost.com | 11/26/2012
Yahoo Email-Stealing Exploit Fetches $700 | krebsonsecurity.com | 11/23/2012
eBay: It's safe to buy busted lava lamps and bug-infested rugs again | www.theregister.co.uk | 11/22/2012
Nintendo Wii U network 'hacked' hours after launch? | www.zdnet.com | 11/19/2012
Hackers break into two FreeBSD Project servers using stolen SSH keys | www.computerworld.com | 11/19/2012
The Root Of All Database Security Evils = Input | www.darkreading.com | 11/15/2012
Fidelity Invests In Secure Software Development | www.darkreading.com | 11/15/2012
Security report: Enterprises place reckless trust in third-party software suppliers | www.zdnet.com | 11/15/2012
Adobe suffers database leak, user forum taken offline | news.cnet.com | 11/15/2012
Adobe Hacker Says He Used SQL Injection To Grab Database Of 150,000 User Accounts | www.darkreading.com | 11/14/2012
Enterprises Pressure Software Vendors To Clean Up Their Apps | www.darkreading.com | 11/13/2012
Portrait of a Full-Time Bug Hunter — Abdul-Aziz Hariri | www.wired.com | 11/8/2012
Apache Server-Status Publicly Viewable on Top Sites | threatpost.com | 11/2/2012
The SQL Injection Disconnection | www.darkreading.com | 10/31/2012
DDoS and SQL injection are the most popular attack subjects | www.infosecurity-magazine.com | 10/29/2012
3.6 Million South Carolina Taxpayers at Risk of ID Theft | threatpost.com | 10/26/2012
Popular Android apps under security scrutiny | www.zdnet.com | 10/22/2012
Ghostshell leaks 120,000 records from top 100 universities | www.zdnet.com | 10/2/2012
Adobe code signing infrastructure hacked by 'sophisticated threat actors' | www.zdnet.com | 9/27/2012
Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google | www.wired.com | 9/7/2012
NullCrew pillages Sony servers? | www.zdnet.com | 9/3/2012
Website 'Hellfire': Hackers release 1m accounts | www.zdnet.com | 8/29/2012
Pro-Assange group claims university hacking | www.zdnet.com | 8/29/2012
RSA: Phishing Attacks Net $687m to Date in 2012 | threatpost.com | 8/24/2012
Tesco web security 'flaw' probed by UK data watchdog | www.bbc.com | 8/20/2012
As Bug Bounty Programs Mature, Still More Room For Growth | threatpost.com | 8/17/2012
FTC accuses Facebook of misleading developers over security | www.zdnet.com | 8/13/2012
Average Web App Attacked Every Three Days | threatpost.com | 8/8/2012
How SQL Injection Attacks Work | threatpost.com | 8/3/2012
Yahoo user sues over password leak | news.cnet.com | 8/3/2012
Microsoft tool shows whether apps pose danger to Windows | www.computerworld.com | 8/3/2012
SQL injection attacks up 69% | www.zdnet.com | 7/27/2012
Yahoo Says It Has Closed Security Hole Exploited in Breach | www.eweek.com | 7/14/2012
Hackers post 450K credentials pilfered from Yahoo | news.cnet.com | 7/11/2012
iPhone Trojan App Sneaks Past Apple Censors | www.informationweek.com | 7/9/2012
‘The Analyzer’ Gets Time Served for Million-Dollar Bank Heist | www.wired.com | 7/5/2012
Whitelisting is the solution for the national infrastructure | www.infosecurity-magazine.com | 6/21/2012
Understanding cyberspace is key to defending against digital attacks | www.washingtonpost.com | 6/2/2012
WHMCS under renewed DDoS blitz after patching systems | www.theregister.co.uk | 6/1/2012
Trojan poses as privacy tool, spies on Iranian surfers | www.theregister.co.uk | 5/30/2012
Backdoor in chip used by military: Blame software, not China | gcn.com | 5/30/2012
WHMCS Breach May Be Only Tip of the Trouble | krebsonsecurity.com | 5/24/2012
Microsoft India warns that hackers accessed customer data | www.computerworld.com | 2/28/2012
Romanian arrested on Pentagon, NASA hacking charges | news.cnet.com | 1/31/2012
Hackers disrupt Israel airline, stock market | www.usatoday.com | 1/16/2012
Latest SQL Injection Campaign Infects 1 Million Web Pages | www.darkreading.com | 1/4/2012
Hackers Expose Details of 15,000 Israeli Credit Cards on Web | www.businessweek.com | 1/3/2012
Siemens fixing cyber bugs in industrial control systems | www.reuters.com | 12/22/2011
Web security questioned after data leak | www.chinadaily.com.cn | 12/22/2011
'Self-aware' bank account robbing code unleashed by hacker: 'XSS on steroids' crafted to highlight web security holes | www.theregister.co.uk | 12/16/2011
Telstra resets 60k passwords after privacy gaffe | www.scmagazine.com.au | 12/12/2011
Google pulls 22 more malicious Android apps from Market | www.computerworld.com | 12/12/2011
SQL injection attack infects more than 4,000 websites | www.scmagazineuk.com | 12/5/2011
Endless Exploit Attempts Underline Importance of Timely Java Patching | www.securityweek.com | 12/2/2011
Hackers accessed city infrastructure via SCADA - FBI | www.information-age.com | 11/29/2011
Question Marks On Breach Liability | www.darkreading.com | 11/23/2011
Evildoers can now turn all sites on a Linux server into silent hell-pits | www.theregister.co.uk | 11/21/2011
Nasdaq Server Breach: 3 Expected Findings | www.informationweek.com | 10/25/2011
How secure is HTTPS today? How often is it attacked? | www.eff.org | 10/25/2011
Developer function enables phishing at American Express | www.h-online.com | 10/7/2011
Sony yet to fully secure its networks: expert | www.reuters.com | 5/13/2011
O2 fixes mobile broadband number leaks | www.zdnet.co.uk | 1/26/2011
White Papers
Windows Management Instrumentation (WMI) Offense, Defense, and Forensics | www.fireeye.com | 10/7/2016
PCI DSS Penetration Testing Guidance | www.pcisecuritystandards.org | 3/29/2015
Lucky Thirteen: Breaking the TLS and DTLS Record Protocols | www.isg.rhul.ac.uk | 2/4/2013
OWASP Top 10 | www.owasp.org | 4/28/2012
Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems | www.mcafee.com | 3/1/2012
Five Web Application Security Myths | www.securityweek.com | 12/2/2011
Peer-to-Peer File Sharing: A Guide for Business | business.ftc.gov | 1/1/2010
Policies
Application Security Policy
Software Maintenance Policy
Standards
DISA STIG for Antivirus Security Guidance | DISA-STIG | 11/30/2015
DISA STIG for Application Security and Development | DISA-STIG | 7/28/2017
Application security -- Part 1: Overview and concepts | ISO | 11/1/2011
Information Supplement: PCI DSS eCommerce Security Guidelines | PCI | 1/31/2013
Information Supplement: PCI DSS Mobile Payment Guidelines | PCI | 2/14/2013
NIST SP 800-28 Version 2 Guidelines on Active Content and Mobile Code | NIST | 3/1/2008
NIST Recommendation for Key Management: Part 3 Application-Specific Key Management Guidance | NIST | 1/23/2015
NIST Security Considerations in the System Development Life Cycle | NIST | 10/1/2008
NIST National Checklist Program for IT Products: Guidelines for Checklist Users and Developers | NIST | 12/10/2015
NIST Guide to Secure Web Services | NIST | 8/1/2007
NIST SP 800-163 Vetting the Security of Mobile Applications | NIST | 1/26/2015
NIST SP 800-190 Application Container Security Guide | NIST | 9/25/2017