In this podcast, I talk with fellow industry researcher and security consultant Bruce Marshall. We discuss our experiences helping companies roll out their multi-factor and risk-based authentication systems for security sensitive online applications. Gathering from many organization’s first attempts, there is plenty to be wary of when moving toward mulit-factor authentication to ensure that you get the expected reduction in risk. Without careful planning, it is entirely possible that the result could be higher risk due to implementation flaws. We discuss what pitfalls and principles companies should be aware of before jumping on the multi-factor or risk-based authentication bandwagon.

Kris Drent

Today’s podcast provides a brief summary of this talk by running through the three general stages of maturity that organizations can roughly be grouped into:

• Stage 1: Doing Nothing
• Stage 2: Reactive and Tactical
• Stage 3: Proactive and Strategic

Today, it seems that many organizations fit into the Stage 2 group. Some are at this stage because there just learning about how important application security is. Others are quite knowledgeable about the topic, have conducted numerous assessments, and continue to stay on top of the major risks — but they’re still stuck at stage 2.

In this podcast, I’ll summarize these three stages, discuss the difficulties and pitfalls of operating like a stage 2 organization, and end with some pointers on what it takes to get ahead of the game and operate as a stage 3 organization. During the discussion, I’ll also talk about building security into the development process (SDLC), and mention how important developer education, threat modeling, and documented best practices are to achieving truly effective application security.

Also, if you’re interested in seeing the full version of the App Sec Maturity Continuum presentation, it is available on-line as an on-demand Webcast from the Security PS website.

Kris Drent

• Wanting learn about hot topics in the application security industry
• Looking for approaches and strategies to manage application security risk
• Needing insights to bolster your defenses with best practices

…then you’ll want to visit this site often. Drawing from my experience, as well as many other seasoned security experts in the industry, this site will host the “App Security Advisor” podcast and also point out articles, webcasts, and other resources to help you keep up-to-date on topics ranging from technical attacks and best practices to management approaches for low risk development.

This website and podcast is meant to provide a resource to the community, so drop me an e-mail or leave some comments if you would like to give your feedback or provide input on topics you’d like to hear about. Looking forward to getting this moving,

Kris Drent