Shawn Asmus

Practice Manager, Application Security, CISSP, CCSP, OSCP

Shawn Asmus is a practice manager with Optiv’s application security team. In this role he specializes in strategic and advanced AppSec program services and lends technical expertise where needed. Shawn has presented at a number of national, regional and local security seminars and conferences.

Quick Tips for Building an Effective AppSec Program – Part 3

· By Shawn Asmus ·

This is the last post in my series on creating an effective AppSec program within your organization. In my last post, we discussed the importance of toolchains, defect tracking, and establishing vulnerability management processes to help your AppSec and development teams stay on top of remediation efforts in an efficient and programmatic way. In this post, we’ll spend some time exploring how to enable the various stakeholders across the organization, how to measure the effectiveness of your AppSec program, the importance of a knowledge management system, and application runtime protection. So let’s get started.

Quick Tips for Building an Effective AppSec Program – Part 2

· By Shawn Asmus ·

In my last blog post, I talked about what an application security (AppSec) program is and how an organization would go about building a formal program to secure their internally-developed applications, as well as third-party applications they have or will be deploying. I touched on the importance of creating an application catalog, aligning with one of several industry AppSec frameworks, and having a solid understanding of your application architecture, that, together, can form the necessary foundation for a formal program.

Quick Tips for Building an Effective AppSec Program – Part 1

· By Shawn Asmus ·

An application security (AppSec) program can be defined as the set of risk mitigating controls and business functions that support the discovery, remediation and prevention of application vulnerabilities. Controls take the form of written policies, procedures, guidelines and standards for ensuring secure development practices, along with technology and operational processes that implement them. Focus is typically on internal software development capabilities, but may also encompass applications developed by external third parties and those from commercial vendors.

Secure SDLC Lessons Learned: #5 Personnel

· By Shawn Asmus ·

It’s no secret that finding and retaining dependable, well-trained application security professionals is a serious challenge, and has been for years. Part of the problem is that the breadth and depth of AppSec knowledge is rather astronomical; one could argue that it’s exponentially wider than network security and grows at a much faster rate. Based on what I’ve seen, teams tend to be perpetually short-staffed and undertrained.

Secure SDLC Lessons Learned: #4 Metrics

· By Shawn Asmus ·

As the secure SDLC program matures, vulnerabilities should be caught and remediated earlier in the lifecycle. To know if the program is truly working, organizations must capture metrics. The specific metrics chosen should support and align with the organization’s business objectives and risk management program.

Secure SDLC Lessons Learned: #3 Knowledge Management

· By Shawn Asmus ·

The term “knowledge management” (KM) refers to using vulnerability mining to turn remediation into lessons learned. Essentially this involves taking knowledge from security remediation activities and placing it within a KM repository that developers, architects and other stakeholders can access. By sharing remediation information across teams, an organization can remove or reduce intelligence silos that contribute to recurring and familiar software bugs.

Secure SDLC Lessons Learned: #2 Assessment Toolchain

· By Shawn Asmus ·

Most organizations would agree that maintaining a fast, predictable flow of planned work (e.g. projects, scheduled changes) that achieves business goals while minimizing the impact of unplanned work (e.g. bug fixes, outages) is the ultimate IT goal. Security assessment activities should be part of planned work, and to accomplish that, the right tools must be selected.

Secure SDLC Lessons Learned: #1 Application Catalog

· By Shawn Asmus ·

Building an application catalog is a critical step towards maintaining governance over a secure SDLC program. The primary purposes of the catalog are to provide teams information on which technologies are in place in the enterprise (Java, .Net, third-party libraries, platforms) and criteria for identifying which applications are mission critical and/or high risk.

SQL Injection and Reflected Content-Sniffing Attacks

· By Shawn Asmus ·

Content sniffing is a subset of browser quirks that web application developers and security testers alike should be aware of. In a nutshell, content sniffing is when a browser uses proprietary logic to override the expected rendering of content returned by a website. Unfortunately, this behavior can enable an attacker to exploit application security vulnerabilities in novel ways.

Overcoming Buffer Overflows: A real world case study

· By Shawn Asmus ·

I recently performed a manual source code review of an application module written in C. The initial code base was riddled with buffer overflow vulnerabilities. There were over 1,000 instances of calls to strcpy, strcat, sprintf, gets and a few other “unsafe” functions.