The Internet is full of insecure applications that cost organizations money and time, while damaging their reputations when their systems are compromised. We need to build secure applications as never before, but most developers are not now-and never will be-security specialists. By incorporating security controls into the frameworks used to create applications, Tom Stiehm asserts that any organization can imbue security into its applications. Building security into a framework allows highly specialized security experts to create components that maximize your application security profile while reducing the need for your development teams to have specialized application security knowledge. Learn to pick the right places in your framework to insert security controls and then enforce their use. Join Tom to explore real-world security controls he's applied to commonly used application frameworks.

Mobile devices-connected to the world through the Internet, web, networks, and messaging-are everywhere and expanding rapidly in numbers, functionality, and, unfortunately, security threats. Not too many years ago, little attention was paid to mobile device security. Now, we hear reports almost daily of phone emails/messages being hacked, apps with worms, phishing via smart devices, and smart device fraud. People often have their records, personal data, and financial records on or accessible by the mobile device. In addition, organizations are using these devices to conduct critical business. Jon Hagar shares and analyzes case histories and examples of mobile application security failures. Based on this analysis, Jon summarizes these attacks and describes how to expose security bugs within these devices.

Although risk identification, analysis, and mitigation are critically important parts of any software project effort, agile projects require non-traditional techniques that are much quicker and easier to use than classical risk techniques. James McCaffrey focuses-not on theory-but on realistic risk analysis methods agile teams can readily implement with lightweight tools. James explains and demonstrates how you can employ taxonomy and storyboarding methods to recognize project meta-risks and identify product risks throughout the development lifecycle. Using “central moment” and “PERIL” techniques, you'll learn to analyze these risks and develop management and mitigation strategies dynamically, while the project is underway.

To ensure the quality and safety of Web applications, security testing is a necessity. So, how do you cover all the different threats-SQL injection, cross-site scripting, buffer overflow, and others? James Knowlton explains how Ruby combined with Watir-both freely available-makes a great toolset for testing Web application security. Testing many common security vulnerabilities requires posting data to a Web server via a client, exactly what Watir does. The Ruby side of Watir, a full-function programming language, provides the tools for querying the database, checking audit logs, and other test-related processing. For example, you can use Ruby to generate random data or large datasets to throw at a Web application. James describes common security attacks and demonstrates step-by-step examples of testing these attack types with Ruby and Watir.