{"id":2835,"date":"2014-05-08T00:00:00","date_gmt":"2014-05-08T00:00:00","guid":{"rendered":"http:\/\/otava.test\/bridging-the-software-and-infosec-professional-chasm\/"},"modified":"2014-05-08T00:00:00","modified_gmt":"2014-05-08T00:00:00","slug":"bridging-the-software-and-infosec-professional-chasm","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/","title":{"rendered":"Bridging the software and infosec professional chasm"},"content":{"rendered":"

In contrast to the unseasonably cold weather Columbus, Ohio, has experienced of late, this week\u2019s InfoSec Summit <\/a>kicked off in bright purple \u2018Aloha\u2019 style with Jim Manico\u2019s recommendations for improving web application security. Only one other attendee could match his shirt color, but none were equal to the energy with which Jim highlighted some serious software security concerns.<\/p>\n

No, this wasn\u2019t a dig on the software developers who face an incredibly daunting tempest of deadlines, budget constraints and requirements as part of their daily existence. This was a heartfelt plea to security professionals to provide clear and specific security requirements as part of the pre-design documentation. If we do anything less than proactive, constructive communication about security <\/a>with application developers, we\u2019ll never slow down the freight train of increasing cybersecurity threats.<\/p>\n

The description of Manico’s session explained “we cannot ‘firewall’ or ‘patch’ our way to secure websites. In the past, security professionals thought network security practices and corporate policies were enough. Today, however, these methods are outdated and ineffective to protect application, as attacks on prominent, well-protected websites are occurring every day. No company or industry is immune. Programmers need to learn to build websites and other applications differently.”<\/p>\n

Manico<\/a> — an author, developer security educator and 17-year veteran of building software as a developer and architect — shared several examples of poor software security practices and some healthy antidotes. Here are a few, and you\u2019ll find a link to his library of software security slides referenced at the end.<\/p>\n

Thwart SQL Injections<\/strong><\/p>\n

Would the email address \u2018;–@domain.com<\/a> pass your email address validation? Hope not. It\u2019s the perfect recipe for a SQL injection attack that sets the email address field to nothing (that\u2019s the \u2018; part of the address). And the two dashes? Well, they comment out the rest of the link.<\/p>\n

Solution? Use query parameterization. Now, be honest. When was the last time your development team received \u201cquery parameterization\u201d in their list of requirements? None of the software developers at this week\u2019s InfoSec Summit had the benefit of such instruction, but were still mandated and doing their best to write secure code.<\/p>\n

Improve poor password management<\/strong><\/p>\n

OK, now would “Password1!” meet your password policy<\/a>? How many banking websites are there that still limit passwords to eight characters? Please, allow your passwords to be as long as you reasonably can.<\/p>\n

Sprinkle a little cryptography and salt on your passwords to slow down your password verification. That\u2019s right — slow it down. It puts a real crimp on brute force hackers and can buy you days or even weeks against an aggressive attacker without significant negative impact to your users.<\/p>\n

Use multi-factor authentication<\/strong><\/p>\n

First, if you\u2019re not using multi-factor authentication for your Gmail, Twitter, LinkedIn and other accounts, stop reading this. Enable multi-factor authentication now, and then come back. Seriously. No, go ahead, we\u2019ll wait right here. If you really took the time, you\u2019ve just spared yourself and your networks a lot of spam and hassle.<\/p>\n

Think the impact of poor password management is trivial? Blizzard, producer of World of Warcraft, implemented multi-factor authentication when players\u2019 accounts were brute forced hijacked<\/a> to facilitate cyber money laundering and the involuntary dispersal of valuable possessions. As every business is discovering, digital assets are a currency all their own, and protections are woefully weak<\/p>\n

Don\u2019t reinvent the wheel<\/strong><\/p>\n

There are many excellent software security libraries available, such as the OWASP Java Encoder Project<\/a>. If you are writing your own security code from scratch — stop. Chances are a mature library already exists that you can leverage and help meet those crazy deadlines and requirements even more gracefully!<\/p>\n

\n

\"Download<\/a>Related topics:<\/strong><\/p>\n

Encryption Video Series<\/a><\/p>\n

White paper: Encryption of Cloud Data<\/a><\/p>\n

White paper: Mobile Security<\/a><\/p>\n

\n

Reference:<\/strong><\/p>\n

Jim Manico\u2019s software security slides: https:\/\/www.slideshare.net\/JimManico<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In contrast to the unseasonably cold weather Columbus, Ohio, has experienced of late, this week\u2019s InfoSec Summit kicked off in bright purple \u2018Aloha\u2019 style with Jim Manico\u2019s recommendations for improving web application security. Only one other attendee could match his shirt color, but none were equal to the energy with which Jim highlighted some serious software security concerns. No, this wasn\u2019t a dig on the software developers who face an incredibly daunting tempest of deadlines, budget constraints and requirements as part of their daily existence. This was a heartfelt plea to security professionals to provide clear and specific security requirements as part of the pre-design documentation. If we do anything less than proactive, constructive communication about security with application developers, we\u2019ll never slow down the freight train of increasing cybersecurity threats. The description of Manico’s session explained “we cannot ‘firewall’ or ‘patch’ our way to secure websites. In the past, security professionals thought network security practices and corporate policies were enough. Today, however, these methods are outdated and ineffective to protect application, as attacks on prominent, well-protected websites are occurring every day. No company or industry is immune. Programmers need to learn to build websites and other applications differently.” Manico…<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"other_category":[],"class_list":["post-2835","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"acf":[],"yoast_head":"\nBridging the software and infosec professional chasm | OTAVA<\/title>\n<meta name=\"description\" content=\"An in-depth summary of Jim Manico's presentation on software and information security during the InfoSec Summit in Columbus, Ohio.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Bridging the software and infosec professional chasm\" \/>\n<meta property=\"og:description\" content=\"An in-depth summary of Jim Manico's presentation on software and information security during the InfoSec Summit in Columbus, Ohio.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/\" \/>\n<meta property=\"og:site_name\" content=\"OTAVA\" \/>\n<meta property=\"article:published_time\" content=\"2014-05-08T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png\" \/>\n<meta name=\"author\" content=\"Irma Brillantes\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Irma Brillantes\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/\"},\"author\":{\"name\":\"Irma Brillantes\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\"},\"headline\":\"Bridging the software and infosec professional chasm\",\"datePublished\":\"2014-05-08T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/\"},\"wordCount\":652,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/\",\"url\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/\",\"name\":\"Bridging the software and infosec professional chasm | OTAVA\",\"isPartOf\":{\"@id\":\"https:\/\/www.otava.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png\",\"datePublished\":\"2014-05-08T00:00:00+00:00\",\"description\":\"An in-depth summary of Jim Manico's presentation on software and information security during the InfoSec Summit in Columbus, Ohio.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#primaryimage\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.otava.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Bridging the software and infosec professional chasm\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.otava.com\/#website\",\"url\":\"https:\/\/www.otava.com\/\",\"name\":\"OTAVA\u00ae\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.otava.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.otava.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.otava.com\/#organization\",\"name\":\"OTAVA\u00ae\",\"url\":\"https:\/\/www.otava.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"contentUrl\":\"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg\",\"caption\":\"OTAVA\u00ae\"},\"image\":{\"@id\":\"https:\/\/www.otava.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263\",\"name\":\"Irma Brillantes\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g\",\"caption\":\"Irma Brillantes\"},\"url\":\"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Bridging the software and infosec professional chasm | OTAVA","description":"An in-depth summary of Jim Manico's presentation on software and information security during the InfoSec Summit in Columbus, Ohio.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/","og_locale":"en_US","og_type":"article","og_title":"Bridging the software and infosec professional chasm","og_description":"An in-depth summary of Jim Manico's presentation on software and information security during the InfoSec Summit in Columbus, Ohio.","og_url":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/","og_site_name":"OTAVA","article_published_time":"2014-05-08T00:00:00+00:00","og_image":[{"url":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png","type":"","width":"","height":""}],"author":"Irma Brillantes","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Irma Brillantes","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#article","isPartOf":{"@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/"},"author":{"name":"Irma Brillantes","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263"},"headline":"Bridging the software and infosec professional chasm","datePublished":"2014-05-08T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/"},"wordCount":652,"commentCount":0,"publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"image":{"@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#primaryimage"},"thumbnailUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/","url":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/","name":"Bridging the software and infosec professional chasm | OTAVA","isPartOf":{"@id":"https:\/\/www.otava.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#primaryimage"},"image":{"@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#primaryimage"},"thumbnailUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png","datePublished":"2014-05-08T00:00:00+00:00","description":"An in-depth summary of Jim Manico's presentation on software and information security during the InfoSec Summit in Columbus, Ohio.","breadcrumb":{"@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#primaryimage","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2019\/04\/download-mobile.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.otava.com\/blog\/bridging-the-software-and-infosec-professional-chasm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.otava.com\/"},{"@type":"ListItem","position":2,"name":"Bridging the software and infosec professional chasm"}]},{"@type":"WebSite","@id":"https:\/\/www.otava.com\/#website","url":"https:\/\/www.otava.com\/","name":"OTAVA\u00ae","description":"","publisher":{"@id":"https:\/\/www.otava.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.otava.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.otava.com\/#organization","name":"OTAVA\u00ae","url":"https:\/\/www.otava.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","contentUrl":"https:\/\/www.otava.com\/wp-content\/uploads\/2025\/03\/otava-logo.svg","caption":"OTAVA\u00ae"},"image":{"@id":"https:\/\/www.otava.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.otava.com\/#\/schema\/person\/35774075f8f4fcdd4eae80cb72034263","name":"Irma Brillantes","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d5251bebc1699793a698d1a6158603cb3cdc50a095a12357e42d415b3e5546c2?s=96&d=mm&r=g","caption":"Irma Brillantes"},"url":"https:\/\/www.otava.com\/blog\/author\/ibrillantesotava-com\/"}]}},"_links":{"self":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/comments?post=2835"}],"version-history":[{"count":0,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/posts\/2835\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/media?parent=2835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/categories?post=2835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/tags?post=2835"},{"taxonomy":"other_category","embeddable":true,"href":"https:\/\/www.otava.com\/wp-json\/wp\/v2\/other_category?post=2835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}