
Archive for November, 2016

espincorp-acunetixv11-whatsnew

E-SPIN recently ran an Acunetix Web Vulnerability Scanner version 11 "what's new" session, covering what is new for both new and existing users.

For those who could not join the session, please see the summary and highlight clip from the event.

For further information, please contact us or visit our website at http://www.e-spincorp.com



espincorp-vulnerabilitymanagementrends

Over the past five years we have seen vulnerability management solutions absorb innovations and best practices from neighbouring product categories: endpoint security (using vulnerability scan results to drive endpoint firewall blocking, and local agents that scan the host itself); patch management (simplifying remediation by patching the major supported platforms directly); importing vulnerability scan results into penetration testing (pentest) tools for exploit verification; growing interest in static application security testing (SAST); the rise of cloud-hosted scanners; integration with web application firewalls (WAFs); and the merging of vulnerability scanning with configuration auditing.

In the coming years we can certainly expect enterprise dashboards that consolidate the respective network, application and database scanners into a single view, providing unified application vulnerability correlation (AVC).

As vulnerability management solutions keep growing and maturing, price points will continue to fall, since more and more players from adjacent industries will enter the market with "me-too" offerings. At the same time, open source alternatives continue to advance and put downward pressure on commercial pricing, the usual balancing act between market demand and supply.

We also expect specialised scanner functionality to be folded into generic scanners. The market for truly specialised tools will shrink, and most of them will probably be taken over by the larger generic players.

In the end the market will split in two: those who keep using specialised scanners to get the job done, but with a set of different scanners (mostly professional users), and enterprise-grade vulnerability management platforms with a range of modules and options that can be switched on to provide those advanced features. It is much like the Unified Threat Management (UTM) trend in the firewall market.

How many options and modules a vendor can provide, together with a lower overall total cost of ownership, will become an important buying criterion.

Mobile application security testing and mobile phone vulnerabilities will be one of the areas attracting attention. Most modern enterprises are interested in performing deep mobile application security testing, since most Internet traffic will come from mobile devices and the apps running on them.

Customers new to this solution market, or with a requirement in hand, are welcome to contact an E-SPIN solution consultant about their project or requirement.


application-security-testing-lifecycle-espincorp

Application security testing has three core sets of technology vendors, focused on Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST) or Interactive Application Security Testing (IAST) as the solution for their target user group.

So far no vendor can claim that a single product addresses all three result areas; at most they want you to buy a sister or complementary product (so it is not a single product).

To be specific, this topic focuses on Static Application Security Testing (SAST), which is used heavily by development teams.

The market has a range of offerings, both open source and commercial. Since adopting open source depends on the user, with self or community support, we focus here on commercial tools: they are paid tools that involve a financial investment, so we want to share some insight into how to choose a Static Application Security Testing (SAST) tool.

Although in recent years more and more security team personnel have become interested in SAST, most of them lack one precondition for mastering it well: fundamental programming skills, whether in Java, C/C++, .NET or the rest.

A great tool appreciated by programmers and developers may or may not be the right tool for a security officer, mainly because of the core competency required to understand program code. If you do not understand the code, how can you study it and attempt a secure code review? If you depend purely on the automated tool and not on the programming language at all, you can imagine how the report will look, and whether you will be able to answer the developers' questions about its findings.

Nowadays more and more commercial vendors market their products as cross-platform, covering all languages, but you will notice that real development teams are not really excited by this, since they practise on one or very few platform technologies. If you ask them to buy a SAST tool that claims to support 10 languages, it is nice to have, as long as it is not their money. In reality they may focus on one platform only, and in that scenario a SAST tool focused on that platform is more relevant, costs much less and gives more to-the-point platform support. It is also much easier to understand and use.

Do not get us wrong: we are not against universal static application security testing tools. They have their market, and in fact we supply them too for some customer segments. We are focusing on the perspective of the development team, who need their development tooling not just for static code analysis but also for functional, load and run-time memory error testing, to assure the quality of the application beyond application security testing alone.

Once you develop the right perspective, it becomes much easier to balance the requirements of the security and development teams. On top of that, remember the rise of application vulnerability correlation (AVC) technology. The security team can keep using its dynamic application security testing (DAST) tool while the development team uses its platform-specific, more advanced static application security testing (SAST) tool; the results are shared in the AVC platform, dashboard and reports to provide unified vulnerability management and a holistic view.
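As an added illustration of what an AVC platform actually does with the DAST and SAST results described here (and in the trends post above), the following example is written for this page and is not E-SPIN's or any vendor's product code. It normalises constructed findings from a dynamic scanner and a static analyser into one schema, correlates them by CWE and HTTP route, deduplicates repeated scanner lines, and marks a finding as "confirmed" only when both a runtime and a code-level tool report it. The "route" field on each SAST finding is an assumption: real static analysers report file and line, and mapping that to the URL path it serves is the hard part an AVC platform has to solve (for example from the framework's routing table); here the mapping is supplied by hand.

```python
"""Minimal application vulnerability correlation (AVC): merge DAST and SAST
findings into one deduplicated, cross-confirmed list.

All findings below are constructed sample data, not output of any real tool.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed DAST output: what a dynamic scanner reports against a running app.
# The /search finding is deliberately duplicated to show deduplication.
DAST_FINDINGS = [
    {"url": "https://app.example/login?user=a", "param": "user", "cwe": 89, "severity": "high"},
    {"url": "https://app.example/search?q=x", "param": "q", "cwe": 79, "severity": "medium"},
    {"url": "https://app.example/search?q=x", "param": "q", "cwe": 79, "severity": "medium"},
    {"url": "https://app.example/admin", "param": None, "cwe": 352, "severity": "medium"},
]

# Constructed SAST output. "route" is an assumed field: the URL path the code
# serves, which in practice must be derived from the application's routing.
# The hard-coded credential (CWE-798) has no route: it is code-only.
SAST_FINDINGS = [
    {"file": "app/auth.py", "line": 42, "cwe": 89, "severity": "high", "route": "/login"},
    {"file": "app/search.py", "line": 17, "cwe": 79, "severity": "medium", "route": "/search"},
    {"file": "app/util.py", "line": 8, "cwe": 798, "severity": "high", "route": None},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Correlation key: same weakness class on the same endpoint.
Key = Tuple[int, Optional[str]]


@dataclass
class Unified:
    cwe: int
    route: Optional[str]
    severity: str                      # highest severity any tool assigned
    sources: set = field(default_factory=set)       # {"dast", "sast"}
    evidence: List[str] = field(default_factory=list)  # deduplicated scanner lines

    @property
    def confidence(self) -> str:
        # Seen both at runtime and in the code -> confirmed; otherwise single-source.
        return "confirmed" if {"dast", "sast"} <= self.sources else "single-source"


def route_of(url: str) -> str:
    """Strip scheme, host and query so DAST URLs match SAST routes."""
    return urlsplit(url).path or "/"


def correlate(dast: List[dict], sast: List[dict]) -> Dict[Key, Unified]:
    merged: Dict[Key, Unified] = {}

    def upsert(key: Key, severity: str, source: str, evidence: str) -> None:
        u = merged.get(key)
        if u is None:
            u = merged[key] = Unified(cwe=key[0], route=key[1], severity=severity)
        if SEVERITY_RANK[severity] > SEVERITY_RANK[u.severity]:
            u.severity = severity
        u.sources.add(source)
        if evidence not in u.evidence:   # identical scanner lines collapse to one
            u.evidence.append(evidence)

    for f in dast:
        upsert((f["cwe"], route_of(f["url"])), f["severity"], "dast",
               f"dast:{f['url']} param={f['param']}")
    for f in sast:
        upsert((f["cwe"], f["route"]), f["severity"], "sast",
               f"sast:{f['file']}:{f['line']}")
    return merged


def report(merged: Dict[Key, Unified]) -> List[tuple]:
    """Rows for the dashboard: confirmed first, then by severity, then CWE."""
    rows = sorted(merged.values(),
                  key=lambda u: (u.confidence != "confirmed",
                                 -SEVERITY_RANK[u.severity], u.cwe))
    return [(u.cwe, u.route, u.severity, u.confidence, len(u.evidence)) for u in rows]


if __name__ == "__main__":
    for row in report(correlate(DAST_FINDINGS, SAST_FINDINGS)):
        print(row)
```

With the sample data, the SQL injection on /login and the XSS on /search come out as confirmed (both tools agree), the CSRF on /admin and the hard-coded credential remain single-source, and the duplicated DAST line is collapsed so each unified finding counts its evidence once. The same shape scales to network and database scanner feeds by choosing a key those tools can share (host and port, or database object) instead of CWE and route.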

Another, more costly and conventional approach is to invest in an enterprise-grade solution that covers the process end to end and forces all users onto the integrated solution.

Technology keeps advancing at a fast pace, and you will notice that purpose-built or platform-specific tools are updated and upgraded much faster than integrated tools.

One last area most enterprises forget to invest in is secure code review competency training for developers and security officers. It needs to be competency-specific, not necessarily product-specific. One of the best ways to acquire it is to subscribe to computer-based interactive training (CBT) developed specifically for the target competency area, such as secure code review for .NET, C/C++, Java and the rest.

If you have a case-specific question, whether on dynamic or static application security testing tools, security testing, or a secure code review competency-based CBT training programme, please feel free to contact E-SPIN with your case and requirements.
