October 30, 2013 By Diana Kelley 2 min read

Welcome! This is a new feature that will be a weekly post where we address questions of interest to the Application Information Security Community. To that end, we’d love to hear your questions! Please Tweet us with the hashtag #ThinkAppSec or leave us a comment below and we’ll pick one or two questions from that list. Let’s get talking about Application Security!

Last week I had the good fortune to spend time with many top security, privacy and risk executives at the EWF National Conference. My questions for this week were inspired by the week of information sharing and discussion.

1. To settle or not to settle?

Though AppSec wasn’t top of the agenda, we did have an excellent discussion on integrating security into the mobile application development lifecycle during the session on Mobile Risk. For this session, Lynn Terwoerds, Director of Compliance, Oracle, Shira Rubinoff, Founder and President, Green Armour Solutions and I presented the background information about the recent FTC settlement with a phone manufacturer.

Then we shared our thoughts on the impact of the settlement for software developers going forward. Finally, we asked the audience of ~200 professionals to break into groups and choose:

Would you agree to the Settlement or launch a challenge to the FTC complaint?

The answers were in favor of settling – but we did have participants from both sides present their reasoning in a point counterpoint debate. After the debate the ratio shifted, but the majority still voted to settle.

So here’s a question for you –  If you were the head of security or risk for a large company that creates and ships software, would you have settled or challenged? And why?

 

2. Software security in supply chain management

This question was part of the presentation by Edna Conway, Chief Security Officer, Global Supply Chain, Cisco.

Edna posited that yes, software security matters in supply chain management. Why? Because if the software used to track and inventory the assets in the supply chain isn’t secure, how can the assets being managed be accounted for and protected properly? How can logistics be tracked accurately if the software managing those logistics isn’t reliable?

Edna, made a great argument for the criticality of securing supply chain and in addition to software security she also called out the need for robust access management, monitoring and physical security.

More from Application Security

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Audio-jacking: Using generative AI to distort live audio transactions

7 min read - The rise of generative AI, including text-to-image, text-to-speech and large language models (LLMs), has significantly changed our work and personal lives. While these advancements offer many benefits, they have also presented new challenges and risks. Specifically, there has been an increase in threat actors who attempt to exploit large language models to create phishing emails and use generative AI, like fake voices, to scam people. We recently published research showcasing how adversaries could hypnotize LLMs to serve nefarious purposes simply…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today