This is a weekly post where we address questions of interest to the Application Information Security Community. To that end, we’d love to hear your questions! Please Tweet us with the hashtag #ThinkAppSec or leave us a comment below and we’ll pick one or two questions from that list.

I had the good fortune to meet with financial services customers and potential customers in Spain this week. These questions were inspired by those discussions.

1. Who Should be Responsible for Application Security Testing?

As with many security questions, the ultimate answer depends on the company in question: what are its specific needs, budget and skill sets? But some high-level rules of thumb:

  • At some level, application security testing is the responsibility of everyone involved in the software development lifecycle, from the CEO to the development team
  • Executive management should have buy-in and support security activities
  • Business and application owners should get involved in defining security requirements and understand the associated risks
  • Developers should be trained on secure coding techniques and have access to testing tools
  • Architects should understand the principles of secure design and consider providing libraries and components that help developers build more secure software
  • Security and audit teams often have testing responsibilities prior to launch, for both static and dynamic tests

What else? Who is responsible for application security testing at your company, and why? Would you like to see that responsibility change in any way? Let us know in the comments or using the #thinkappsec hashtag on Twitter.


2. Can “generated code” be tested?

If generated code is in a format and language that the tool can scan, then yes, it should be testable with application security testing tools.

However, since the code is generated, a vulnerability may be harder to fix: if a component from a vendor generates buggy code, for example, the development or security team would need to go back to the vendor to have the component updated, because any fix applied to the generated output is lost the next time the code is regenerated.
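As an added illustration (not code from the original post), the following Python sketches the point above: a template-driven generator stands in for the vendor component, a simple pattern check stands in for a SAST rule, and the finding only goes away for good when the template itself is fixed, since a hand-patch of the generated output does not survive regeneration. The templates, schema and regex are constructed for this example.

```python
import re

# Constructed example: a tiny template-driven code generator standing in for a
# vendor component or scaffolding tool. The vulnerable template builds SQL by
# string concatenation; the fixed template emits a parameterized query.
VULNERABLE_TEMPLATE = (
    "def find_{table}_by_{col}(cur, value):\n"
    "    cur.execute(\"SELECT * FROM {table} WHERE {col} = '\" + value + \"'\")\n"
    "    return cur.fetchall()\n"
)
FIXED_TEMPLATE = (
    "def find_{table}_by_{col}(cur, value):\n"
    "    cur.execute(\"SELECT * FROM {table} WHERE {col} = ?\", (value,))\n"
    "    return cur.fetchall()\n"
)
SCHEMA = [("users", "email"), ("orders", "customer_id")]  # constructed input


def generate(template, schema):
    """Emit one accessor function per (table, column) pair, as a generator would."""
    source = "\n".join(template.format(table=t, col=c) for t, c in schema)
    compile(source, "<generated>", "exec")  # generated output is scannable Python
    return source


# A deliberately simple stand-in for a SAST rule: flag execute() calls whose
# SQL text is assembled with string concatenation.
CONCAT_SQL = re.compile(r'execute\(\s*"[^"]*"\s*\+')


def scan(source):
    """Return (line number, line) for each concatenated-SQL finding."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if CONCAT_SQL.search(line)]


def hand_patch(source):
    """Fix only the first generated function in place, as a developer might."""
    return source.replace("= '\" + value + \"'\")", "= ?\", (value,))", 1)


def finding_counts():
    """Findings for: raw generated code, hand-patched output, regenerated from the fixed template."""
    vulnerable = generate(VULNERABLE_TEMPLATE, SCHEMA)
    return (len(scan(vulnerable)),
            len(scan(hand_patch(vulnerable))),
            len(scan(generate(FIXED_TEMPLATE, SCHEMA))))


if __name__ == "__main__":
    print(finding_counts())  # (2, 1, 0): only the template fix clears every finding
```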

Are you using component-based development in your shop? How do you test those apps?

Week 1 - What is the importance of software security in supply chain management?
