Large enterprises tend to have a number of line of business (LOB) applications supporting business operations. It becomes key for an application security program to help the organization manage the risk posed by each of these applications. Application portfolios tend to be made up of legacy applications, applications under development and applications under planning. To start an [...]
Archive for the ‘Application Security’ category
Application Security Governance 1: Understanding your portfolio
April 28, 2008

“How many applications do you have and what do they do?” It seems simple enough, yet this question seems to perplex many a smart mind. Having posed it to over a hundred and fifty CSO/CIOs over the last year, I have rarely received a clear answer that wasn’t based solely on gut feel. The information security [...]
Application Security Governance Series
April 27, 2008

After several requests from customers for information on how enterprise-class application security programs are set up, I am writing a series of blogs about my experience helping some large enterprises set up application security teams similar to the ACE team at Microsoft. This series will share lessons learnt at Microsoft IT and other large [...]
Encounters making an Application Security Case Study Video
August 18, 2007

Microsoft IT has been developing an engineering-based application security lifecycle for about 5 years now. The ACE team is responsible for helping develop and maintain this lifecycle, called the Security Development Lifecycle for IT (SDL for IT), which is currently used to secure line of business applications developed by Microsoft IT. This lifecycle has [...]
