Yan Kravchenko

Information Security Leader with 25+ years of experience

OWASP SAMM 2.0 Assessment

The release of SAMM 2.0 is widely anticipated and promises to provide a method for measuring and evolving Application Security Programs with a focus on Agile and DevOps methodologies. It’s natural for many organizations to want to dive right in and start assessing to see how they would score against the latest SAMM. While the assessment process is simple and self-explanatory, there are several factors and approaches that should be considered, such as:

OWASP SAMM 2.0 Introduction

Background: the OWASP Software Assurance Maturity Model has been designated a “Flagship” project for several years, and I am excited to announce that the second version of the model is finally ready to be released. This new model is the product of extensive efforts by a global team of application security professionals led by Sebastian and Bart. While the general ideals of the model were preserved between versions 1.5 and 2.0, several notable changes mirror the evolution of application development methodologies and programming languages.

An Introduction to the Open Software Assurance Maturity Model (OpenSAMM) 1.0

Information security used to be all about networks and protecting the network perimeter. Today, however, applications are the new battleground for the protection of digital assets. While the concept of software security has been around for a long time, the evolution of mobile technologies and the universal accessibility of applications are requiring organizations to improve the maturity of their application security practices. To help with this initiative, many organizations have developed their own methodologies.

Mobile Application Threat Modeling

Mobile Application Landscape: as mobile applications have become an integral part of everyday life, it’s hard to believe just how young the platform really is. Considering that seven years ago nobody had ever heard of the iPhone or Android, and the first iPad came on the market a little over four years ago, it’s truly remarkable how quickly the technology was adopted by individuals and enterprises alike. People trust the mobile platform with their most intimate information, such as credit cards, passwords, and other sensitive data, closely followed by enterprises that allow the use of mobile devices for every business function where the mobile form factor is practical.

Things not to overlook in the new PCI DSS 3.0

November 7th is tricky. Some years it rings of election news (at least in the US), while in others it has brought devastating earthquakes to places like Guatemala. Considerably less dramatic, this year it brought us the final version of PCI DSS: the long-awaited 3.0. For a complete list of all changes in the new DSS, I recommend downloading and reviewing the PCI DSS 3.0 Summary of Changes, which will take you through everything you need to know.

DEA Electronic Prescription of Controlled Substances – Certification Clarification

On October 16th, 2011 the DEA released a series of clarifications regarding the requirements for Electronic Prescriptions of Controlled Substances (EPCS). While overall this clarification was very helpful and confirmed the comprehensive nature of the certification process, it did introduce (or revive) a concept that triggered several calls and inquiries. More specifically, the DEA listed a company that has been certified to conduct DEA EPCS Certifications, which raised excellent questions: